魔盾安全分析报告

分析类型 开始时间 结束时间 持续时间 分析引擎版本
FILE 2019-01-12 21:21:39 2019-01-12 21:24:07 148 秒 1.4-Maldun
虚拟机机器名 标签 虚拟机管理 开机时间 关机时间
win7-sp1-x64-hpdapp01-2 win7-sp1-x64-hpdapp01-2 KVM 2019-01-12 21:21:42 2019-01-12 21:24:09
魔盾分数

0.75

正常的

文件详细信息

文件名 Win7网吧专用登录器.zip
文件大小 320787 字节
文件类型 Zip archive data, at least v2.0 to extract
CRC32 208A5BE7
MD5 c28d5b9a9e0d0158f7cdb97fc3fdebc7
SHA1 845f5d4737cbbaf118d0faec2e3463eadee85b1f
SHA256 e5ad38af170010fd2fe54b3753c2dc7341a576a749f9f359fa3518290cd3ab44
SHA512 4b7679df70eba3969f8ee4141c996bcb3f7d4ef3663da07529759f85039abe3c223fab6b1360b7ac8c6e6c43cdab686df1fb8b5936db54ccc595520d818540d8
Ssdeep 6144:Xny88U0pyvaVdMxca9jzsKdgVeAXYorcKTmb5p2poiE:Xn2BpyvabMC4fdwdrpon2poiE
PEiD 无匹配
Yara
  • without_attachments (Detected no presence of any attachment)
  • without_images (Detected no presence of any image)
  • without_urls (Detected no presence of any url)
VirusTotal 无此文件扫描结果

特征

创建RWX内存
通过进程尝试延迟分析任务
Process: downloader.exe tried to sleep 60 seconds, actually delayed analysis time by 0 seconds
魔盾安全Yara检测结果 - 普通
Informational: Detected no presence of any attachment
Informational: Detected no presence of any image
Informational: Detected no presence of any url

运行截图

网络分析

无信息

静态分析

投放文件

无信息

行为分析

互斥量(Mutexes)
  • Local\MSCTF.Asm.MutexDefault1
执行的命令 无信息
创建的服务 无信息
启动的服务 无信息

进程

cmd.exe PID: 2488, 上一级进程 PID: 2288

downloader.exe PID: 2556, 上一级进程 PID: 2488

访问的文件
  • C:\Windows\System32\MSCOREE.DLL.local
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Windows\Microsoft.NET\Framework\*
  • C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88\downloader.exe.config
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88\downloader.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
  • C:\Windows\System32\MSVCR120_CLR0400.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll.aux
  • C:\Users
  • C:\Users\test
  • C:\Users\test\AppData
  • C:\Users\test\AppData\Local
  • C:\Users\test\AppData\Local\Temp
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
  • \Device\KsecDD
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\downloader\*
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88\downloader.INI
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
  • C:\Windows\assembly\pubpol49.dat
  • C:\Windows\assembly\GAC\PublisherPolicy.tme
  • C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll.aux
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll.aux
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll.aux
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88\downloader.exe.Local\
  • C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
  • C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Windows\Fonts\AGENCYR.TTF
  • C:\Windows\Fonts\simsun.ttc
  • C:\Windows\Fonts\micross.ttf
  • C:\Windows\Fonts\segoeui.ttf
  • C:\Windows\Fonts\msyh.ttf
  • C:\Windows\Fonts\malgun.ttf
  • C:\Windows\Fonts\msjh.ttf
  • C:\Windows\Fonts\tahoma.ttf
  • C:\Windows\Fonts\EUDC.TTE
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88\EUDC.TTE
  • C:\Users\test\AppData\Local\Temp\EUDC.TTE
  • C:\Windows\System32\EUDC.TTE
  • C:\Windows\system\EUDC.TTE
  • C:\Windows\EUDC.TTE
  • C:\ProgramData\Oracle\Java\javapath\EUDC.TTE
  • C:\Windows\System32\wbem\EUDC.TTE
  • C:\Windows\System32\WindowsPowerShell\v1.0\EUDC.TTE
  • C:\Program Files (x86)\WinRAR\EUDC.TTE
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\misc\card.txt
  • C:\Windows\assembly\GAC_64
  • C:\Windows\assembly\GAC_64\mscorlib.resources
  • C:\Windows\assembly\GAC_32
  • C:\Windows\assembly\GAC_32\mscorlib.resources
  • C:\Windows\assembly\GAC_MSIL
  • C:\Windows\assembly\GAC_MSIL\mscorlib.resources
  • C:\Windows\assembly\GAC_MSIL\mscorlib.resources\*
  • C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_zh-CHS_b77a5c561934e089\mscorlib.resources.dll
  • C:\Windows\assembly\GAC
  • C:\Windows\assembly\GAC\mscorlib.resources
  • C:\Windows\Microsoft.Net\assembly\GAC_64
  • C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib.resources
  • C:\Windows\Microsoft.Net\assembly\GAC_32
  • C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib.resources
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources\*
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_zh-Hans_b77a5c561934e089\mscorlib.resources.dll
  • C:\Windows\Microsoft.Net\assembly\GAC
  • C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib.resources\v4.0_4.0.0.0_zh-Hans_b77a5c561934e089\mscorlib.resources.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib.resources\*
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_zh-Hans_b77a5c561934e089\mscorlib.resources.INI
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\imm32.dll
读取的文件
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88\downloader.exe.config
  • C:\Users\test\AppData\Local\Temp\tbz01.09b\xe7\xae\x80\xe6\x98\x93\xe7\x89\x88\downloader.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Windows\System32\MSVCR120_CLR0400.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
  • \Device\KsecDD
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
  • C:\Windows\assembly\pubpol49.dat
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  • C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Windows\Fonts\simsun.ttc
  • C:\Windows\Fonts\micross.ttf
  • C:\Windows\Fonts\segoeui.ttf
  • C:\Windows\Fonts\msyh.ttf
  • C:\Windows\Fonts\malgun.ttf
  • C:\Windows\Fonts\msjh.ttf
  • C:\Windows\Fonts\tahoma.ttf
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\misc\card.txt
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_zh-Hans_b77a5c561934e089\mscorlib.resources.dll
修改的文件
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
删除的文件 无信息
注册表键
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
  • Policy\Standards
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\downloader.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
  • HKEY_CURRENT_USER\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
  • HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index49
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_CURRENT_USER\EUDC\936
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Microsoft Sans Serif
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_CURRENT_USER\Software\Classes
  • HKEY_CURRENT_USER\Software\Classes\AppID\downloader.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
  • HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\7904F555
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-CHS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-CHS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.mscorlib.resources_zh-Hans_b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.mscorlib.resources_zh-Hans_b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\downloader.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
读取的注册表键
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index49
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\7904F555
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-CHS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-CHS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键 无信息
删除的注册表键 无信息
API解析
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • advapi32.dll.RegEnumKeyExW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsFree
  • kernel32.dll.FlsGetValue
  • kernel32.dll.FlsSetValue
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.CreateEventExW
  • kernel32.dll.CreateSemaphoreExW
  • kernel32.dll.SetThreadStackGuarantee
  • kernel32.dll.CreateThreadpoolTimer
  • kernel32.dll.SetThreadpoolTimer
  • kernel32.dll.WaitForThreadpoolTimerCallbacks
  • kernel32.dll.CloseThreadpoolTimer
  • kernel32.dll.CreateThreadpoolWait
  • kernel32.dll.SetThreadpoolWait
  • kernel32.dll.CloseThreadpoolWait
  • kernel32.dll.FlushProcessWriteBuffers
  • kernel32.dll.FreeLibraryWhenCallbackReturns
  • kernel32.dll.GetCurrentProcessorNumber
  • kernel32.dll.GetLogicalProcessorInformation
  • kernel32.dll.CreateSymbolicLinkW
  • kernel32.dll.EnumSystemLocalesEx
  • kernel32.dll.CompareStringEx
  • kernel32.dll.GetDateFormatEx
  • kernel32.dll.GetLocaleInfoEx
  • kernel32.dll.GetTimeFormatEx
  • kernel32.dll.GetUserDefaultLocaleName
  • kernel32.dll.IsValidLocaleName
  • kernel32.dll.LCMapStringEx
  • kernel32.dll.GetTickCount64
  • kernel32.dll.AcquireSRWLockExclusive
  • kernel32.dll.ReleaseSRWLockExclusive
  • advapi32.dll.EventRegister
  • mscoree.dll.#142
  • mscoreei.dll.RegisterShimImplCallback
  • mscoreei.dll.OnShimDllMainCalled
  • mscoreei.dll._CorExeMain
  • shlwapi.dll.UrlIsW
  • version.dll.GetFileVersionInfoSizeW
  • version.dll.GetFileVersionInfoW
  • version.dll.VerQueryValueW
  • clr.dll.SetRuntimeInfo
  • clr.dll._CorExeMain
  • mscoree.dll.CreateConfigStream
  • mscoreei.dll.CreateConfigStream
  • kernel32.dll.GetNumaHighestNodeNumber
  • kernel32.dll.GetSystemWindowsDirectoryW
  • advapi32.dll.AllocateAndInitializeSid
  • advapi32.dll.OpenProcessToken
  • advapi32.dll.GetTokenInformation
  • advapi32.dll.InitializeAcl
  • advapi32.dll.AddAccessAllowedAce
  • advapi32.dll.FreeSid
  • kernel32.dll.AddSIDToBoundaryDescriptor
  • kernel32.dll.CreateBoundaryDescriptorW
  • kernel32.dll.CreatePrivateNamespaceW
  • kernel32.dll.OpenPrivateNamespaceW
  • kernel32.dll.DeleteBoundaryDescriptor
  • kernel32.dll.WerRegisterRuntimeExceptionModule
  • kernel32.dll.RaiseException
  • mscoree.dll.#24
  • mscoreei.dll.#24
  • ntdll.dll.NtSetSystemInformation
  • psapi.dll.GetProcessMemoryInfo
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • kernel32.dll.GetNativeSystemInfo
  • ole32.dll.CoInitializeEx
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoGetContextToken
  • clrjit.dll.sxsJitStartup
  • clrjit.dll.getJit
  • kernel32.dll.LocaleNameToLCID
  • kernel32.dll.LCIDToLocaleName
  • kernel32.dll.GetUserPreferredUILanguages
  • nlssorting.dll.SortGetHandle
  • nlssorting.dll.SortCloseHandle
  • kernel32.dll.LocalFree
  • kernel32.dll.LocalAlloc
  • kernel32.dll.GetFullPathNameW
  • uxtheme.dll.IsAppThemed
  • kernel32.dll.CreateActCtxA
  • ole32.dll.CoTaskMemAlloc
  • ole32.dll.CoTaskMemFree
  • user32.dll.RegisterWindowMessageW
  • user32.dll.GetSystemMetrics
  • kernel32.dll.GetModuleHandleW
  • kernel32.dll.LoadLibraryW
  • user32.dll.AdjustWindowRectEx
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.GetCurrentThread
  • kernel32.dll.DuplicateHandle
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.GetCurrentActCtx
  • kernel32.dll.ActivateActCtx
  • kernel32.dll.GetProcAddress
  • kernel32.dll.WideCharToMultiByte
  • user32.dll.DefWindowProcW
  • gdi32.dll.GetStockObject
  • user32.dll.RegisterClassW
  • mscoree.dll.GetProcessExecutableHeap
  • mscoreei.dll.GetProcessExecutableHeap
  • user32.dll.CreateWindowExW
  • user32.dll.SetWindowLongW
  • user32.dll.GetWindowLongW
  • user32.dll.CallWindowProcW
  • user32.dll.GetClientRect
  • user32.dll.GetWindowRect
  • user32.dll.GetParent
  • kernel32.dll.DeactivateActCtx
  • kernel32.dll.GetSystemDefaultLCID
  • gdi32.dll.GetObjectW
  • user32.dll.GetDC
  • gdiplus.dll.GdiplusStartup
  • kernel32.dll.IsProcessorFeaturePresent
  • user32.dll.GetWindowInfo
  • user32.dll.GetAncestor
  • user32.dll.GetMonitorInfoA
  • user32.dll.EnumDisplayMonitors
  • user32.dll.EnumDisplayDevicesA
  • gdi32.dll.ExtTextOutW
  • gdi32.dll.GdiIsMetaPrintDC
  • gdiplus.dll.GdipCreateFontFromLogfontW
  • kernel32.dll.RegOpenKeyExW
  • kernel32.dll.RegQueryInfoKeyA
  • kernel32.dll.RegCloseKey
  • kernel32.dll.RegCreateKeyExW
  • kernel32.dll.RegQueryValueExW
  • mscoree.dll.ND_RI2
  • mscoreei.dll.ND_RI2
  • mscoree.dll.ND_RU1
  • mscoreei.dll.ND_RU1
  • gdiplus.dll.GdipGetFontUnit
  • gdiplus.dll.GdipGetFontSize
  • gdiplus.dll.GdipGetFontStyle
  • gdiplus.dll.GdipGetFamily
  • user32.dll.ReleaseDC
  • gdiplus.dll.GdipCreateFromHDC
  • gdiplus.dll.GdipGetDpiY
  • gdiplus.dll.GdipGetFontHeight
  • gdiplus.dll.GdipGetEmHeight
  • gdiplus.dll.GdipGetLineSpacing
  • gdiplus.dll.GdipDeleteGraphics
  • gdiplus.dll.GdipCreateFont
  • gdiplus.dll.GdipDeleteFont
  • gdiplus.dll.GdipCreateFontFamilyFromName
  • kernel32.dll.RegEnumValueW
  • kernel32.dll.RegQueryInfoKeyW
  • gdiplus.dll.GdipGetGenericFontFamilySansSerif
  • user32.dll.GetProcessWindowStation
  • user32.dll.GetUserObjectInformationA
  • kernel32.dll.SetConsoleCtrlHandler
  • user32.dll.GetClassInfoW
  • user32.dll.GetSysColor
  • gdiplus.dll.GdipGetFamilyName
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.GetCurrentObject
  • gdi32.dll.SaveDC
  • gdi32.dll.GetDeviceCaps
  • gdi32.dll.CreateFontIndirectW
  • gdi32.dll.SelectObject
  • gdi32.dll.GetMapMode
  • gdi32.dll.GetTextMetricsW
  • user32.dll.DrawTextExW
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegQueryValueExA
  • gdi32.dll.GetTextExtentExPointWPri
  • gdiplus.dll.GdipGetLogFontW
  • gdi32.dll.GetTextExtentPoint32W
  • gdi32.dll.DeleteDC
  • kernel32.dll.GetCurrentDirectoryW
  • kernel32.dll.SetThreadErrorMode
  • kernel32.dll.CreateFileW
  • kernel32.dll.CloseHandle
  • kernel32.dll.CompareStringOrdinal
  • kernel32.dll.GetFileAttributesExW
  • clr.dll.CreateAssemblyNameObject
  • ole32.dll.CoGetObjectContext
  • sechost.dll.LookupAccountNameLocalW
  • advapi32.dll.LookupAccountSidW
  • sechost.dll.LookupAccountSidLocalW
  • cryptsp.dll.CryptAcquireContextW
  • cryptsp.dll.CryptGenRandom
  • ole32.dll.NdrOleInitializeExtension
  • ole32.dll.CoGetClassObject
  • ole32.dll.CoGetMarshalSizeMax
  • ole32.dll.CoMarshalInterface
  • ole32.dll.CoUnmarshalInterface
  • ole32.dll.StringFromIID
  • ole32.dll.CoGetPSClsid
  • ole32.dll.CoCreateInstance
  • ole32.dll.CoReleaseMarshalData
  • ole32.dll.DcomChannelSetHResult
  • rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
  • clr.dll.CreateAssemblyEnum
  • kernel32.dll.ResolveLocaleName
  • user32.dll.SetWindowTextW
  • kernel32.dll.GetStartupInfoW
  • user32.dll.CreateIconFromResourceEx
  • user32.dll.SendMessageW
  • user32.dll.GetSystemMenu
  • user32.dll.GetWindowPlacement
  • user32.dll.EnableMenuItem
  • user32.dll.GetWindowTextLengthW
  • user32.dll.GetWindowTextW
  • user32.dll.SetWindowPos
  • user32.dll.RedrawWindow
  • user32.dll.ShowWindow
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • user32.dll.GetWindow
  • user32.dll.MapWindowPoints
  • imm32.dll.ImmIsIME
  • mscoree.dll.ND_WU1
  • mscoreei.dll.ND_WU1
  • user32.dll.GetWindowThreadProcessId
  • user32.dll.PostMessageW
  • ole32.dll.OleInitialize
  • ole32.dll.CoRegisterMessageFilter
  • user32.dll.GetFocus
  • user32.dll.SetFocus
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmLockIMC
  • imm32.dll.ImmUnlockIMC
  • imm32.dll.ImmReleaseContext
  • user32.dll.GetKeyboardLayout
  • imm32.dll.ImmGetOpenStatus
  • imm32.dll.ImmSetCompositionFontW
  • gdi32.dll.SetTextColor
  • gdi32.dll.SetBkColor
  • user32.dll.GetSysColorBrush
  • imm32.dll.ImmGetCompositionWindow
  • imm32.dll.ImmSetCompositionWindow
  • user32.dll.GetKeyState
  • user32.dll.GetMonitorInfoW
  • gdi32.dll.CreateDCW
  • gdi32.dll.GetNearestColor
  • gdi32.dll.CreateSolidBrush
  • user32.dll.FillRect
  • gdi32.dll.DeleteObject
  • gdi32.dll.RestoreDC
  • user32.dll.PeekMessageW
  • user32.dll.IsWindowUnicode
  • user32.dll.GetMessageW
  • user32.dll.TranslateMessage
  • user32.dll.DispatchMessageW
  • user32.dll.GetMessageA
  • user32.dll.DispatchMessageA
  • user32.dll.BeginPaint
  • gdiplus.dll.GdipCreateHalftonePalette
  • gdi32.dll.SelectPalette
  • user32.dll.EndPaint
  • uxtheme.dll.BufferedPaintInit
  • uxtheme.dll.BeginBufferedPaint
  • user32.dll.WaitMessage