魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2019-01-22 03:22:29 | 2019-01-22 03:24:55 | 146 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2019-01-22 03:22:32 | 2019-01-22 03:24:57 |
| 魔盾分数 |
|---|
9.1恶意的 |
文件详细信息
| 文件名 | Cache.dat |
|---|---|
| 文件大小 | 25600 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | BA19E30D |
| MD5 | b52e877559dfebbba89463df013645f4 |
| SHA1 | eac06aa100e22ca474c2a14999ad1bb697a9a21b |
| SHA256 | 22dbbb0fac94da2aac1dd6763ba9acf1f41cc81f8a679e0b109f29f83b1c78cf |
| SHA512 | 8ce7047d7ab8c34c5d441c996f2e339df2b119fa672212bbe99055bd89452e869a823774afb108c0a5f352174940accf65bd93f0a00c7e1c50c82a360e1c5e01 |
| Ssdeep | 384:G4vo0B5ugihbUgVmDh4bGBoRlFvWcpmdCUwQZdJNqnWi7UB8E1oOOuK+wy+y:+02UgIeKBSU/Xis8EQy+y |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | 无此文件扫描结果 |
特征
魔盾wping.org 域名信誉系统
Neutral: baidu.com
强制将一个创建的进程加载为另一个不相关进程的子进程
从磁盘上删除自身的原始二进制
将自己装载到Windows开机自动启动项目
service name: 111
service path: C:\Windows\system32\cmekse.exe
通过进程尝试长时间延迟分析任务
Process: cmekse.exe tried to sleep 627 seconds, actually delayed analysis time by 0 seconds
生成一个自己的复制文件
copy: C:\Windows\System32\cmekse.exe
魔盾安全Yara规则检测结果 - 高危
Informational: Detected Rich Signature
Informational: Create a new process
Warning: File downloader/dropper
Warning: Affect system registries
Critical: Detects system change with a file drop
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Informational: Detected no presence of any image
Informational: Detected no presence of any url
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 123.125.115.110 | China |
域名解析
| 域名 | 响应 |
|---|---|
| baidu.com |
A 123.125.115.110
A 220.181.57.216 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00404f9f |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0000743b |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2015-01-28 17:43:36 |
| 载入哈希 | 8569656ff3314023cf8db4198febb66e |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000041ba | 0x00004200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.13 |
| .rdata | 0x00006000 | 0x0000102c | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.51 |
| .data | 0x00008000 | 0x00000c34 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.84 |
导入
库 KERNEL32.dll:
• 0x406038 - lstrcatA
• 0x40603c - lstrcpyA
• 0x406040 - GetEnvironmentVariableA
• 0x406044 - GetShortPathNameA
• 0x406048 - GetModuleFileNameA
• 0x40604c - ExitProcess
• 0x406050 - GetLastError
• 0x406054 - CreateMutexA
• 0x406058 - GetCurrentProcess
• 0x40605c - CopyFileA
• 0x406060 - GetSystemDirectoryA
• 0x406064 - GlobalMemoryStatusEx
• 0x406068 - GetComputerNameA
• 0x40606c - GetSystemDefaultUILanguage
• 0x406070 - GetModuleHandleA
• 0x406074 - TerminateProcess
• 0x406078 - SetPriorityClass
• 0x40607c - GetCurrentThread
• 0x406080 - SetThreadPriority
• 0x406084 - CreateProcessA
• 0x406088 - ResumeThread
• 0x40608c - WaitForSingleObject
• 0x406090 - CloseHandle
• 0x406094 - GetTempPathA
• 0x406098 - LoadLibraryA
• 0x40609c - GetProcAddress
• 0x4060a0 - WinExec
• 0x4060a4 - CreateThread
• 0x4060a8 - lstrlenA
• 0x4060ac - Sleep
• 0x4060b0 - ExitThread
• 0x4060b4 - GetTickCount
• 0x4060b8 - GetStartupInfoA
库 USER32.dll:
• 0x406144 - wsprintfA
库 ADVAPI32.dll:
• 0x406000 - OpenSCManagerA
• 0x406004 - CreateServiceA
• 0x406008 - OpenServiceA
• 0x40600c - StartServiceA
• 0x406010 - RegOpenKeyA
• 0x406014 - RegSetValueExA
• 0x406018 - CloseServiceHandle
• 0x40601c - RegCloseKey
• 0x406020 - RegOpenKeyExA
• 0x406024 - StartServiceCtrlDispatcherA
• 0x406028 - RegisterServiceCtrlHandlerA
• 0x40602c - SetServiceStatus
• 0x406030 - RegQueryValueExA
库 WS2_32.dll:
• 0x40614c - WSAStartup
• 0x406150 - send
• 0x406154 - select
• 0x406158 - __WSAFDIsSet
• 0x40615c - recv
• 0x406160 - setsockopt
• 0x406164 - connect
• 0x406168 - closesocket
• 0x40616c - WSAIoctl
• 0x406170 - socket
• 0x406174 - htons
• 0x406178 - gethostbyname
• 0x40617c - inet_addr
• 0x406180 - sendto
• 0x406184 - WSASocketA
• 0x406188 - htonl
库 MSVCRT.dll:
• 0x4060c0 - rand
• 0x4060c4 - __p__commode
• 0x4060c8 - _controlfp
• 0x4060cc - ??1type_info@@UAE@XZ
• 0x4060d0 - ??3@YAXPAX@Z
• 0x4060d4 - __set_app_type
• 0x4060d8 - memcpy
• 0x4060dc - atoi
• 0x4060e0 - strcpy
• 0x4060e4 - strncpy
• 0x4060e8 - strcspn
• 0x4060ec - strstr
• 0x4060f0 - strcat
• 0x4060f4 - sprintf
• 0x4060f8 - localtime
• 0x4060fc - time
• 0x406100 - exit
• 0x406104 - memset
• 0x406108 - strncmp
• 0x40610c - strlen
• 0x406110 - _except_handler3
• 0x406114 - _adjust_fdiv
• 0x406118 - malloc
• 0x40611c - __CxxFrameHandler
• 0x406120 - _CxxThrowException
• 0x406124 - _exit
• 0x406128 - _XcptFilter
• 0x40612c - _acmdln
• 0x406130 - __getmainargs
• 0x406134 - _initterm
• 0x406138 - __setusermatherr
• 0x40613c - __p__fmode
投放文件
cmekse.exe
| 文件名 | cmekse.exe |
|---|---|
| 相关文件 |
|
| 文件大小 | 25600 bytes |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | b52e877559dfebbba89463df013645f4 |
| SHA1 | eac06aa100e22ca474c2a14999ad1bb697a9a21b |
| SHA256 | 22dbbb0fac94da2aac1dd6763ba9acf1f41cc81f8a679e0b109f29f83b1c78cf |
| SHA512 | 8ce7047d7ab8c34c5d441c996f2e339df2b119fa672212bbe99055bd89452e869a823774afb108c0a5f352174940accf65bd93f0a00c7e1c50c82a360e1c5e01 |
| Ssdeep | 384:G4vo0B5ugihbUgVmDh4bGBoRlFvWcpmdCUwQZdJNqnWi7UB8E1oOOuK+wy+y:+02UgIeKBSU/Xis8EQy+y |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- 111
执行的命令
- C:\Windows\system32\cmd.exe /c del C:\Users\test\AppData\Local\Temp\Cache.dat > nul
- C:\Windows\SysWOW64\cmekse.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
- C:\Windows\system32\sppsvc.exe
创建的服务
- 111
启动的服务
- 111
进程
Cache.dat PID: 2424, 上一级进程 PID: 2296
services.exe PID: 428, 上一级进程 PID: 332
cmekse.exe PID: 2572, 上一级进程 PID: 428
cmd.exe PID: 2664, 上一级进程 PID: 2424
mscorsvw.exe PID: 2080, 上一级进程 PID: 428
mscorsvw.exe PID: 2400, 上一级进程 PID: 428
访问的文件
- C:\Users\test\AppData\Local\Temp\Cache.dat
- C:\Windows\System32\cmekse.exe
- C:\Windows\Temp
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
- C:\Windows\ServiceProfiles
- C:\Windows\ServiceProfiles\LocalService
- C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp
- C:\Windows\ServiceProfiles\NetworkService
- C:\Windows\System32\tzres.dll
- C:\Users\test\AppData\Local\Temp
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- \??\nul
- C:\
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ndpsetup.bat
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ndpsetup.bat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
读取的文件
- C:\Users\test\AppData\Local\Temp\Cache.dat
- C:\Windows\System32\tzres.dll
修改的文件
- C:\Windows\System32\cmekse.exe
- \??\nul
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
删除的文件
- C:\Users\test\AppData\Local\Temp\Cache.dat
注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\111
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Description
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\WOW64
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
- HKEY_USERS\S-1-5-18
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\.DEFAULT\Environment
- HKEY_USERS\.DEFAULT\Volatile Environment
- HKEY_USERS\.DEFAULT\Volatile Environment\0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
- HKEY_USERS\S-1-5-19
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\S-1-5-19\Environment
- HKEY_USERS\S-1-5-19\Volatile Environment
- HKEY_USERS\S-1-5-19\Volatile Environment\0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
- HKEY_USERS\S-1-5-20
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\S-1-5-20\Environment
- HKEY_USERS\S-1-5-20\Volatile Environment
- HKEY_USERS\S-1-5-20\Volatile Environment\0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGenService\Roots
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN64\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN64\Default
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\WOW64
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
修改的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\111\Description
删除的注册表键
无信息
API解析
- kernel32.dll.SetThreadUILanguage
- kernel32.dll.CopyFileExW
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.SetConsoleInputExeNameW
- advapi32.dll.StartServiceCtrlDispatcherW
- advapi32.dll.RegisterServiceCtrlHandlerExW
- advapi32.dll.SetServiceStatus