OH Examples
To function properly, OH must enable a kernel option that maintains a linked list of all objects sorted by object type. To set the kernel option, type the following at the command line:
oh
Output similar to the following is displayed in the command window:
Enabled maintaining a list of objects for each type.
Will take effect next time you boot.
Until then, OH is unable to query useful information
Restart your computer, and you can then use OH.
To generate a list of handles for open windows and send the output to the file C:\Output\Ohall.txt, type the following at the command line:
oh /o c:\output\ohall.txt
Looking in Ohall.txt, you then see output similar to the following:
00000004 System Key 000c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\WPA
00000004 System Key 0010 \REGISTRY
00000004 System Key 0014
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session
Manager\WPA\SigningHash-PRCRFTFJWDC27Q
00000004 System Key 0018
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter
00000004 System Key 001c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Executive
00000004 System Key 0020 \REGISTRY\MACHINE\SYSTEM\Setup
00000004 System Key 0024
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions
00000004 System Key 0028
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000004 System Event 002c \Security\TRKWKS_EVENT
00000004 System File 0034
\WINDOWS\system32\config\software
00000004 System Key 0040
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\3&29761208&0\Device
Parameters
00000004 System File 0044 \WINDOWS\system32\config\SAM.LOG
00000004 System Key 0048
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device
Parameters
00000004 System Key 004c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device
Parameters
00000004 System Key 0050
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System Key 0054
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System Key 0058
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Video\{67BA24C1-E772-4266-BBE5-D44FE7A9D9A4}\0000\VolatileSettings
00000004 System Key 005c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System Key 006c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory
Management\PrefetchParameters
00000004 System File 007c
\WINDOWS\system32\config\SECURITY
00000004 System File 0084
\WINDOWS\system32\config\default.LOG
00000004 System File 0088 \WINDOWS\system32\config\SAM
00000004 System Event 008c
\Device\DmControl\VxKernel2VoldEvent
00000004 System File 0090 \WINDOWS\system32\config\default
00000004 System Directory 0094 \Device\WinDfs
00000004 System Directory 009c \Device\Harddisk0
00000004 System File 00a0
\WINDOWS\system32\config\system.LOG
00000004 System File 00b8
\WINDOWS\system32\config\software.LOG
00000004 System Port 00d0 \SeRmCommandPort
00000004 System Event 00d4 \LanmanServerAnnounceEvent
00000004 System File 00d8 \pagefile.sys
00000004 System File 00f4
\WINDOWS\system32\config\SECURITY.LOG
00000004 System File 01a4 \Documents and
Settings\LocalService.NT AUTHORITY\NTUSER.DAT
00000004 System File 01b0 \Documents and
Settings\NetworkService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 01b4 \Documents and
Settings\LocalService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System File 01bc \Documents and
Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
00000004 System File 01c0 \Documents and
Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
00000004 System File 01c8 \Documents and
Settings\NetworkService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System File 01cc \Documents and
Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
00000004 System File 01d0 \Documents and
Settings\LocalService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 0238 \WINDOWS\system32\config\system
00000004 System File 02fc
\WINDOWS\system32\MsDtc\Trace\dtctrace.log
00000004 System File 0390 \Documents and
Settings\NetShowServices\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System Directory 0394 \Device\Http
00000004 System File 03a0 \Documents and
Settings\NetShowServices\NTUSER.DAT
00000004 System File 03a4 \Documents and
Settings\NetShowServices\ntuser.dat.LOG
00000004 System File 03b4 \Documents and
Settings\NetShowServices\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 03b8 \
00000004 System File 0498 \WINDOWS\DfsSvcLogFile
00000004 System File 04a8 \255
00000004 System File 0c3c \Documents and
Settings\user.XP\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System File 0c44 \Documents and
Settings\user.XP\ntuser.dat.LOG
00000004 System File 0c48 \Documents and
Settings\user.XP\NTUSER.DAT
00000004 System File 0c4c \Documents and
Settings\user.XP\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 0dcc
\WINDOWS\system32\LogFiles\W3SVC1\ex010522.log
00000004 System File 0ddc \Topology
00000004 System File 0dfc \47
000000C0 smss.exe File 0010 \WINDOWS
000000C0 smss.exe Port 0014 \SmApiPort
000000C0 smss.exe Directory 001c \GLOBAL??
000000C0 smss.exe Directory 0020 \Sessions
000000C0 smss.exe File 0024 \WINDOWS\system32
000000C0 smss.exe Directory 0028 \KnownDlls
000000C0 smss.exe SymbolicLink 002c \KnownDlls\KnownDllPath
000000C0 smss.exe Key 0030
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000000C0 smss.exe Key 0034
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CrashControl
000000C0 smss.exe Event 0038 \UniqueSessionIdEvent
000000D8 csrss.exe Directory 0010 \KnownDlls
000000D8 csrss.exe File 0014 \WINDOWS\system32
000000D8 csrss.exe Directory 0018 \Sessions\BNOLINKS
000000D8 csrss.exe SymbolicLink 0020 \Sessions\BNOLINKS\0
000000D8 csrss.exe Directory 0024 \Sessions\0
000000D8 csrss.exe Directory 0028 \Sessions\0\DosDevices
000000D8 csrss.exe Directory 002c \Windows
000000D8 csrss.exe Directory 003c \BaseNamedObjects
000000D8 csrss.exe Directory 0040 \BaseNamedObjects\Restricted
000000D8 csrss.exe Mutant 0044 \NlsCacheMutant
000000D8 csrss.exe Mutant 004c \NlsCacheMutant
000000D8 csrss.exe Section 0050 \NLS\NlsSectionUnicode
000000D8 csrss.exe Section 0054 \NLS\NlsSectionLocale
000000D8 csrss.exe Section 0058 \NLS\NlsSectionCType
000000D8 csrss.exe Section 005c \NLS\NlsSectionSortkey
000000D8 csrss.exe Section 0060 \NLS\NlsSectionSortTbls
000000D8 csrss.exe Directory 0080 \BaseNamedObjects
000000D8 csrss.exe Key 00a0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
000000D8 csrss.exe Port 00a4 \Windows\ApiPort
000000D8 csrss.exe Port 00a8 \Windows\SbApiPort
000000D8 csrss.exe Event 00dc
\BaseNamedObjects\WinSta0_DesktopSwitch
000000D8 csrss.exe Desktop 00f0 \Disconnect
000000D8 csrss.exe WindowStation 00f4 \Windows\WindowStations\WinSta0
000000D8 csrss.exe Desktop 04e4 \Default
000000D8 csrss.exe Key 0650 \REGISTRY\MACHINE
000000D8 csrss.exe Key 0680
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000000D8 csrss.exe Key 0684
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000000D8 csrss.exe Key 0688
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000000D8 csrss.exe Key 0698
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control
Panel\International
000000D8 csrss.exe Key 069c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control
Panel\International
000000D8 csrss.exe File 0728 \WINDOWS\system32\ega.cpi
000000D8 csrss.exe Desktop 0734 \Default
000000D8 csrss.exe WindowStation 08a8 \Windows\WindowStations\WinSta0
000000E0 winlogon.exe Directory 0010 \KnownDlls
000000E0 winlogon.exe Directory 0018 \Windows
000000E0 winlogon.exe Mutant 0024 \NlsCacheMutant
000000E0 winlogon.exe Key 0030 \REGISTRY\MACHINE
000000E0 winlogon.exe Directory 004c \BaseNamedObjects
000000E0 winlogon.exe Event 0050 \BaseNamedObjects\userenv: User
Profile setup event
000000E0 winlogon.exe Mutant 0054 \BaseNamedObjects\userenv:
machine policy mutex
000000E0 winlogon.exe Event 0058 \BaseNamedObjects\userenv:
Machine Group Policy has been applied
000000E0 winlogon.exe Event 005c \BaseNamedObjects\userenv:
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 0060 \BaseNamedObjects\userenv:
Machine Group Policy Processing is done
000000E0 winlogon.exe Event 0064 \BaseNamedObjects\userenv:
Machine Policy Foreground Done Event
000000E0 winlogon.exe Mutant 0068 \BaseNamedObjects\userenv: user
policy mutex
000000E0 winlogon.exe Event 006c \BaseNamedObjects\userenv: User
Group Policy has been applied
000000E0 winlogon.exe Event 0070 \BaseNamedObjects\userenv: User
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 0074 \BaseNamedObjects\userenv: User
Group Policy Processing is done
000000E0 winlogon.exe Event 0078 \BaseNamedObjects\userenv: User
Policy Foreground Done Event
000000E0 winlogon.exe Event 007c
\BaseNamedObjects\crypt32LogoffEvent
000000E0 winlogon.exe Event 0088 \Security\NetworkProviderLoad
000000E0 winlogon.exe Event 008c \BaseNamedObjects\TS-WPAAE
000000E0 winlogon.exe WindowStation 0090 \Windows\WindowStations\WinSta0
000000E0 winlogon.exe Desktop 0094 \Winlogon
000000E0 winlogon.exe WindowStation 0098 \Windows\WindowStations\WinSta0
000000E0 winlogon.exe Desktop 009c \Disconnect
000000E0 winlogon.exe Desktop 00a0 \Default
000000E0 winlogon.exe Mutant 00a4 \BaseNamedObjects\SingleSesMutex
000000E0 winlogon.exe Event 00a8 \BaseNamedObjects\ReconEvent
000000E0 winlogon.exe Key 00b0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000E0 winlogon.exe File 00b4
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe Key 00b8 \REGISTRY\USER\.DEFAULT
000000E0 winlogon.exe Mutant 00bc \BaseNamedObjects\winlogon:
Logon UserProfileMapping Mutex
000000E0 winlogon.exe Key 00dc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32chain
000000E0 winlogon.exe Key 00e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cryptnet
000000E0 winlogon.exe Key 00f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sclgntfy
000000E0 winlogon.exe Key 00fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
000000E0 winlogon.exe Section 013c \RPC Control\DSECe0
000000E0 winlogon.exe Port 0148 \RPC Control\IUserProfile
000000E0 winlogon.exe Port 0154 \RPC Control\sclogonrpc
000000E0 winlogon.exe File 01a4 \InitShutdown
000000E0 winlogon.exe File 01a8 \InitShutdown
000000E0 winlogon.exe Section 01bc
\BaseNamedObjects\ShimSharedMemory[S-1-5-18]
000000E0 winlogon.exe Mutant 01c4
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000000E0 winlogon.exe Key 01d0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe Key 01e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000E0 winlogon.exe Desktop 01e8 \Default
000000E0 winlogon.exe Event 01ec \BaseNamedObjects\DINPUTWINMM
000000E0 winlogon.exe Key 020c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe Event 0218
\BaseNamedObjects\WinSta0_DesktopSwitch
000000E0 winlogon.exe Event 0234
\BaseNamedObjects\WFP_IDLE_TRIGGER
000000E0 winlogon.exe File 0244 \WINDOWS\system32\dllcache
000000E0 winlogon.exe Event 025c \BaseNamedObjects\Microsoft
Smart Card Resource Manager Started
000000E0 winlogon.exe File 0260 \WINDOWS\AppPatch
000000E0 winlogon.exe File 0264 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_adm
000000E0 winlogon.exe File 0270 \svcctl
000000E0 winlogon.exe File 0274 \ntsvcs
000000E0 winlogon.exe File 0280 \svcctl
000000E0 winlogon.exe File 0284 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_adm
000000E0 winlogon.exe File 0288 \WINDOWS\system32
000000E0 winlogon.exe File 028c \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_aut
000000E0 winlogon.exe File 0290 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_aut
000000E0 winlogon.exe File 0294 \WINDOWS\system32\inetsrv
000000E0 winlogon.exe File 0298 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\bin
000000E0 winlogon.exe File 029c \WINDOWS\Fonts
000000E0 winlogon.exe File 02a0 \WINDOWS\system32\drivers
000000E0 winlogon.exe File 02a4 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\servsupp
000000E0 winlogon.exe File 02a8 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\bots\vinavbar
000000E0 winlogon.exe File 02ac \Program Files\Microsoft
FrontPage\version3.0\bin
000000E0 winlogon.exe File 02b0 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin
000000E0 winlogon.exe File 02b4 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\bin\1033
000000E0 winlogon.exe File 02b8 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\isapi
000000E0 winlogon.exe File 02bc \WINDOWS
000000E0 winlogon.exe File 02c0 \Program Files\Common
Files\Microsoft Shared\DAO
000000E0 winlogon.exe File 02c4 \Program Files\Windows Media
Player
000000E0 winlogon.exe File 02c8 \Program Files\Common
Files\System\msadc
000000E0 winlogon.exe File 02cc \Program Files\Common
Files\System\ado
000000E0 winlogon.exe File 02d0 \Program Files\Common
Files\System\Ole DB
000000E0 winlogon.exe File 02d4 \WINDOWS\inf
000000E0 winlogon.exe File 02d8 \WINDOWS\system32\Setup
000000E0 winlogon.exe Event 02dc
\BaseNamedObjects\ThemesStartEvent
000000E0 winlogon.exe Key 02e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Credentials
000000E0 winlogon.exe Event 02e4 \BaseNamedObjects\msgina:
ReturnToWelcome
000000E0 winlogon.exe File 02f8
\WINDOWS\system32\clients\tsclient\win16
000000E0 winlogon.exe File 02fc
\WINDOWS\Microsoft.NET\Framework\v1.0.2706
000000E0 winlogon.exe File 0300 \WINDOWS\Application
Compatibility Scripts
000000E0 winlogon.exe File 0304
\WINDOWS\system32\clients\tsclient\win32\acme351
000000E0 winlogon.exe File 0308 \WINDOWS\msagent
000000E0 winlogon.exe File 030c \WINDOWS\msagent\intl
000000E0 winlogon.exe File 0310 \WINDOWS\system32\netmon\parsers
000000E0 winlogon.exe File 0314 \WINDOWS\system
000000E0 winlogon.exe File 0318 \WINDOWS\system32\netmon
000000E0 winlogon.exe File 031c \WINDOWS\Help
000000E0 winlogon.exe File 0320
\WINDOWS\PCHEALTH\HELPCTR\Binaries
000000E0 winlogon.exe File 0324 \Program Files\NetMeeting
000000E0 winlogon.exe File 0328 \WINDOWS\system32\drivers\disdn
000000E0 winlogon.exe File 032c \WINDOWS\ime\chtime\applets
000000E0 winlogon.exe File 0330 \WINDOWS\system32\wbem
000000E0 winlogon.exe File 0334 \WINDOWS\Cluster
000000E0 winlogon.exe File 0338 \WINDOWS\system32\Com
000000E0 winlogon.exe File 033c \WINDOWS\ime\imjp8_1
000000E0 winlogon.exe File 0340 \Program Files\Common
Files\Microsoft Shared\Triedit
000000E0 winlogon.exe File 0344 \Program Files\Windows NT
000000E0 winlogon.exe File 0348 \Program Files\Common
Files\System
000000E0 winlogon.exe File 034c \WINDOWS\system32\1033
000000E0 winlogon.exe File 0350 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\admcgi\scripts
000000E0 winlogon.exe File 0354 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\admisapi\scripts
000000E0 winlogon.exe File 0358 \WINDOWS\ime\imkr6_1\dicts
000000E0 winlogon.exe File 035c \WINDOWS\system32\mui\0009
000000E0 winlogon.exe File 0360 \Program Files\Internet Explorer
000000E0 winlogon.exe File 0364 \WINDOWS\ime\imjp8_1\applets
000000E0 winlogon.exe File 0368 \WINDOWS\ime\imkr6_1\applets
000000E0 winlogon.exe File 036c \Program Files\Internet
Explorer\Connection Wizard
000000E0 winlogon.exe File 0370 \Program Files\Common
Files\Microsoft Shared\MSInfo
000000E0 winlogon.exe File 0374 \Program Files\Common
Files\Microsoft Shared\Smart Tag
000000E0 winlogon.exe File 0378 \WINDOWS\ime\imkr6_1
000000E0 winlogon.exe File 037c \WINDOWS\ime\shared
000000E0 winlogon.exe File 0380 \WINDOWS\system32\reminst
000000E0 winlogon.exe File 0384 \WINDOWS\system32\ime\pintlgnt
000000E0 winlogon.exe File 0388
\WINDOWS\system32\clients\tsclient\win32
000000E0 winlogon.exe File 038c \Program Files\Common
Files\SpeechEngines\Microsoft\Lexicon\1033
000000E0 winlogon.exe File 0390 \WINDOWS\Resources\Themes\Luna
000000E0 winlogon.exe File 0394 \WINDOWS\ime
000000E0 winlogon.exe File 0398 \Program Files\Outlook Express
000000E0 winlogon.exe File 039c \Program Files\MSN\SmartTag
000000E0 winlogon.exe File 03a0 \WINDOWS\system32\oobe
000000E0 winlogon.exe File 03a4 \WINDOWS\mui
000000E0 winlogon.exe File 03a8 \WINDOWS\system32\npp
000000E0 winlogon.exe File 03ac \WINDOWS\ime\shared\res
000000E0 winlogon.exe File 03b0 \WINDOWS\system32\rocket
000000E0 winlogon.exe File 03b4 \WINDOWS\ime\chsime\applets
000000E0 winlogon.exe File 03b8 \WINDOWS\system32\rpcproxy
000000E0 winlogon.exe File 03bc \Program Files\Common
Files\SpeechEngines\Microsoft\TTS\1033
000000E0 winlogon.exe File 03c0 \Program Files\Common
Files\Microsoft Shared\Speech
000000E0 winlogon.exe File 03c4
\WINDOWS\system32\certsrv\certcontrol\ia64
000000E0 winlogon.exe File 03c8
\WINDOWS\system32\certsrv\certcontrol\w2k
000000E0 winlogon.exe File 03cc
\WINDOWS\system32\certsrv\certcontrol\x86
000000E0 winlogon.exe File 03d0
\WINDOWS\system32\spool\prtprocs\w32x86
000000E0 winlogon.exe File 03d4
\WINDOWS\Resources\Themes\Luna\Shell
000000E0 winlogon.exe File 03d8 \WINDOWS\system32\wbem\snmp
000000E0 winlogon.exe File 03dc \Program Files\Common
Files\SpeechEngines\Microsoft
000000E0 winlogon.exe File 03e0 \Program Files\Common
Files\Microsoft Shared\Speech\1033
000000E0 winlogon.exe File 03e4
\WINDOWS\system32\spool\drivers\color
000000E0 winlogon.exe File 03e8 \WINDOWS\system32\ime\tintlgnt
000000E0 winlogon.exe File 03ec \WINDOWS\Help\Tours
000000E0 winlogon.exe File 03f0 \WINDOWS\system32\wbem\AdStatus
000000E0 winlogon.exe File 03f4
\WINDOWS\PCHEALTH\UploadLB\Binaries
000000E0 winlogon.exe File 03f8 \Program Files\Common
Files\Microsoft Shared\VGX
000000E0 winlogon.exe File 0400
\WINDOWS\Microsoft.NET\Framework\v1.0.2706\1033
000000E0 winlogon.exe File 0404 \WINDOWS\system32\wbem\xml
000000E0 winlogon.exe File 0410 \Program Files\Windows
NT\Accessories
000000E0 winlogon.exe File 0428 \WINDOWS\WinSxS
000000E0 winlogon.exe File 05d0 \SfcApi
000000E0 winlogon.exe File 05d4 \SfcApi
000000E0 winlogon.exe Mutant 05ec \BaseNamedObjects\mxrapi
000000E0 winlogon.exe Key 05f0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device
Parameters\Mixer
000000E0 winlogon.exe Event 05f4
\BaseNamedObjects\hardwaremixercallback
000000E0 winlogon.exe Key 05f8 \REGISTRY\USER
000000E0 winlogon.exe Section 05fc
\BaseNamedObjects\WDMAUD_Device_Interface_Path
000000E0 winlogon.exe Mutant 0600
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000E0 winlogon.exe Event 0604
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000E0 winlogon.exe Semaphore 0608
\BaseNamedObjects\GuardSemmmGlobalPnpInfoGuard
000000E0 winlogon.exe Section 060c
\BaseNamedObjects\mmGlobalPnpInfo
000000E0 winlogon.exe Section 0610
\BaseNamedObjects\WDMAUD_Path_Size
000000E0 winlogon.exe Section 0618
\BaseNamedObjects\WDMAUD_Callbacks
000000E0 winlogon.exe File 0640
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000E0 winlogon.exe Event 0648 \BaseNamedObjects\mixercallback
000000E0 winlogon.exe Semaphore 064c
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
000000E0 winlogon.exe Key 0650
\REGISTRY\MACHINE\SOFTWARE\Classes
000000E0 winlogon.exe Mutant 0658
\BaseNamedObjects\MidiMapper_Configure
000000E0 winlogon.exe Mutant 0660
\BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
000000E0 winlogon.exe Mutant 0668
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe Mutant 066c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0674 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0678 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 0680 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0684 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe Mutant 0688 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 068c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe File 06b4 \ProfMapApi
000000E0 winlogon.exe File 06b8 \ProfMapApi
000000E0 winlogon.exe Key 06c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000E0 winlogon.exe Event 06d0 \BaseNamedObjects\winlogon:
machine GPO Event 49931
000000E0 winlogon.exe Event 06dc \BaseNamedObjects\userenv:
Machine Group Policy has been applied
000000E0 winlogon.exe Event 06e4 \BaseNamedObjects\userenv:
machine policy refresh event
000000E0 winlogon.exe Event 06e8 \BaseNamedObjects\userenv:
machine policy force refresh event
000000E0 winlogon.exe Event 06ec \BaseNamedObjects\userenv:
Machine Group Policy has been applied
000000E0 winlogon.exe Event 06f0 \BaseNamedObjects\userenv:
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 06f4 \BaseNamedObjects\userenv:
Machine Group Policy Processing is done
000000E0 winlogon.exe Event 0704
\BaseNamedObjects\jjCSCSharedEvent_UM_KM
000000E0 winlogon.exe Event 070c
\BaseNamedObjects\jjCSCSharedFillEvent_UM_KM
000000E0 winlogon.exe Event 0714
\BaseNamedObjects\WkssvcToAgentStartEvent
000000E0 winlogon.exe Event 0718
\BaseNamedObjects\WkssvcToAgentStopEvent
000000E0 winlogon.exe Event 071c
\BaseNamedObjects\AgentExistsEvent
000000E0 winlogon.exe Event 0724
\BaseNamedObjects\AgentToWkssvcEvent
000000E0 winlogon.exe Timer 072c \BaseNamedObjects\userenv:
refresh timer for 224:784
000000E0 winlogon.exe File 0758 \winlogonrpc
000000E0 winlogon.exe File 075c \winlogonrpc
000000E0 winlogon.exe Event 0760 \BaseNamedObjects\SENS Started
Event
000000E0 winlogon.exe Key 0774
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ScCertProp
000000E0 winlogon.exe Key 0790
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000E0 winlogon.exe File 0794
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe Semaphore 0798
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000000E0 winlogon.exe Key 079c
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000E0 winlogon.exe Key 07a0
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
000000E0 winlogon.exe Event 07a4 \BaseNamedObjects\winlogon:
User GPO Event 73045
000000E0 winlogon.exe Desktop 07a8 \Default
000000E0 winlogon.exe Event 07b0 \BaseNamedObjects\userenv: User
Group Policy has been applied
000000E0 winlogon.exe Event 07b8 \BaseNamedObjects\userenv: user
policy refresh event
000000E0 winlogon.exe Event 07bc \BaseNamedObjects\userenv: user
policy force refresh event
000000E0 winlogon.exe Event 07c0 \BaseNamedObjects\userenv: User
Group Policy has been applied
000000E0 winlogon.exe Event 07c4 \BaseNamedObjects\userenv: User
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 07c8 \BaseNamedObjects\userenv: User
Group Policy Processing is done
000000E0 winlogon.exe Mutant 07e4
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe Timer 080c \BaseNamedObjects\userenv:
refresh timer for 224:1684
000000E0 winlogon.exe File 0828 \AudioSrv
000000E0 winlogon.exe Mutant 0834 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Key 0838
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe Mutant 083c \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 0840 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0844 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe Mutant 0848 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 084c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Section 08ec
\BaseNamedObjects\__R_000000000013_SMem__
000000E0 winlogon.exe File 0914 \WINDOWS\system32
000000E0 winlogon.exe Port 0920 \RPC Control\OLE10
00000110 services.exe Directory 0010 \KnownDlls
00000110 services.exe File 0014 \WINDOWS\system32
00000110 services.exe Directory 0024 \Windows
00000110 services.exe Mutant 0030 \NlsCacheMutant
00000110 services.exe Key 0038 \REGISTRY\MACHINE
00000110 services.exe WindowStation 0044
\Windows\WindowStations\Service-0x0-3e7$
00000110 services.exe Desktop 0048 \Default
00000110 services.exe WindowStation 004c
\Windows\WindowStations\Service-0x0-3e7$
00000110 services.exe Directory 0060 \BaseNamedObjects
00000110 services.exe Event 0064 \BaseNamedObjects\userenv: User
Profile setup event
00000110 services.exe Key 0068
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000110 services.exe Key 006c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000110 services.exe Key 0070
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000110 services.exe Key 0074
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum
00000110 services.exe Key 007c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
00000110 services.exe Key 0080
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class
00000110 services.exe Key 0084
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\PerHwIdStorage
00000110 services.exe Event 018c
\BaseNamedObjects\SC_AutoStartComplete
00000110 services.exe Key 0190
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order
00000110 services.exe Event 01b4
\BaseNamedObjects\SvcctrlStartEvent_A3752DX
00000110 services.exe Key 01d4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder
00000110 services.exe File 0204 \ntsvcs
00000110 services.exe Event 0218 \BaseNamedObjects\ScNetDrvMsg
00000110 services.exe Section 0220 \RPC Control\DSEC110
00000110 services.exe Port 0230 \RPC Control\ntsvcs
00000110 services.exe File 0260 \ntsvcs
00000110 services.exe File 0264 \ntsvcs
00000110 services.exe File 02bc \scerpc
00000110 services.exe File 02c0 \scerpc
00000110 services.exe File 02c4 \ntsvcs
00000110 services.exe File 02dc \lsarpc
00000110 services.exe Event 02f0
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
00000110 services.exe File 0314 \svcctl
00000110 services.exe Key 031c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
00000110 services.exe File 0320 \net\NtControlPipe1
00000110 services.exe File 0328 \ntsvcs
00000110 services.exe File 0330 \ntsvcs
00000110 services.exe File 033c \net\NtControlPipe2
00000110 services.exe Key 0348
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000110 services.exe File 0350 \ntsvcs
00000110 services.exe File 0354 \net\NtControlPipe3
00000110 services.exe File 0360 \net\NtControlPipe3
00000110 services.exe Key 036c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
00000110 services.exe File 0388
\WINDOWS\system32\config\AppEvent.Evt
00000110 services.exe File 0398
\WINDOWS\system32\config\SecEvent.Evt
00000110 services.exe File 03b0
\WINDOWS\system32\config\SysEvent.Evt
00000110 services.exe File 03c8 \net\NtControlPipe4
00000110 services.exe Port 03cc \ErrorLogPort
00000110 services.exe Event 03d8
\BaseNamedObjects\PnP_No_Pending_Install_Events
00000110 services.exe File 03e0 \ntsvcs
00000110 services.exe Mutant 0400 \BaseNamedObjects\PnP_Init_Mutex
00000110 services.exe Key 042c \REGISTRY\USER
00000110 services.exe Key 0430 \REGISTRY\USER\S-1-5-20
00000110 services.exe Mutant 043c
\BaseNamedObjects\ShimCacheMutex[S-1-5-20]
00000110 services.exe Section 0440
\BaseNamedObjects\ShimSharedMemory[S-1-5-20]
00000110 services.exe File 0444 \net\NtControlPipe5
00000110 services.exe File 044c \ntsvcs
00000110 services.exe Key 0454 \REGISTRY\USER\S-1-5-19
00000110 services.exe File 0460 \net\NtControlPipe6
00000110 services.exe File 0468 \ntsvcs
00000110 services.exe File 0470 \ntsvcs
00000110 services.exe File 0490 \ntsvcs
00000110 services.exe File 0494 \ntsvcs
00000110 services.exe File 04a0 \net\NtControlPipe0
00000110 services.exe File 04a4 \ntsvcs
00000110 services.exe File 04b4 \net\NtControlPipe7
00000110 services.exe File 04b8 \ntsvcs
00000110 services.exe Key 04c0 \REGISTRY\USER\S-1-5-20
00000110 services.exe File 04cc \net\NtControlPipe8
00000110 services.exe File 04d4 \ntsvcs
00000110 services.exe File 04e4 \ntsvcs
00000110 services.exe File 0500 \ntsvcs
00000110 services.exe File 0508 \net\NtControlPipe9
00000110 services.exe File 050c \ntsvcs
00000110 services.exe Key 051c \REGISTRY\USER\S-1-5-20
00000110 services.exe File 0528 \net\NtControlPipe10
00000110 services.exe Key 0544
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000110 services.exe File 0550 \ntsvcs
00000110 services.exe Key 055c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe File 0564 \net\NtControlPipe11
00000110 services.exe File 0568 \ntsvcs
00000110 services.exe Key 0570
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe File 0588 \net\NtControlPipe12
00000110 services.exe File 05b8 \ntsvcs
00000110 services.exe Key 05c4 \REGISTRY\USER\S-1-5-19
00000110 services.exe File 05d0 \net\NtControlPipe13
00000110 services.exe File 05d8 \ntsvcs
00000110 services.exe File 05e0 \net\NtControlPipe14
00000110 services.exe File 05ec \ntsvcs
00000110 services.exe File 05f8 \ntsvcs
00000110 services.exe File 0600 \net\NtControlPipe15
00000110 services.exe File 060c \ntsvcs
0000029C svchost.exe Key 0314
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000029C svchost.exe Key 0318
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
0000029C svchost.exe File 0358 \ROUTER
000002D8 spoolsv.exe Directory 0010 \KnownDlls
000002D8 spoolsv.exe File 0014 \WINDOWS\system32
000002D8 spoolsv.exe Directory 001c \Windows
000002D8 spoolsv.exe Mutant 0024 \NlsCacheMutant
000002D8 spoolsv.exe Key 0030 \REGISTRY\MACHINE
000002D8 spoolsv.exe WindowStation 003c \Windows\WindowStations\WinSta0
000002D8 spoolsv.exe Desktop 0040 \Default
000002D8 spoolsv.exe WindowStation 0044 \Windows\WindowStations\WinSta0
000002D8 spoolsv.exe File 0048 \net\NtControlPipe7
000002D8 spoolsv.exe Directory 0088 \BaseNamedObjects
000002D8 spoolsv.exe File 0090 \svcctl
000002D8 spoolsv.exe Event 00a0
\BaseNamedObjects\RouterPreInitEvent
000002D8 spoolsv.exe Section 00a4 \RPC Control\DSEC2d8
000002D8 spoolsv.exe File 00cc \spoolss
000002D8 spoolsv.exe File 00d0 \spoolss
000002D8 spoolsv.exe Port 00e4 \RPC Control\spoolss
000002D8 spoolsv.exe Event 0120
\BaseNamedObjects\crypt32LogoffEvent
000002D8 spoolsv.exe File 0150 \DNSRSLVR
000002D8 spoolsv.exe Key 0190
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print
000002D8 spoolsv.exe Key 0194
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Print\Printers
000002D8 spoolsv.exe Key 01c0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard
TCP/IP Port
000002D8 spoolsv.exe Key 01c8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002D8 spoolsv.exe Key 01d0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002D8 spoolsv.exe Key 01ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
000002D8 spoolsv.exe File 0200 \lsarpc
000002D8 spoolsv.exe File 0208 \ntsvcs
000002D8 spoolsv.exe Key 0220
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Key 0228
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0234 \REGISTRY\USER
000002D8 spoolsv.exe Key 0238
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Key 0244
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 024c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0254
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe Key 025c
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Key 0264
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0270
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0278
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0280
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe Section 0288
\BaseNamedObjects\__R_000000000013_SMem__
000002D8 spoolsv.exe Key 028c
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Port 02ac \RPC Control\OLE4
000002D8 spoolsv.exe Key 02e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000002D8 spoolsv.exe Key 02e8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000002D8 spoolsv.exe Key 02ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000002D8 spoolsv.exe Key 02f0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000002D8 spoolsv.exe Key 0328
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000002D8 spoolsv.exe File 0330
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000002D8 spoolsv.exe Key 0334 \REGISTRY\USER\.DEFAULT
000002D8 spoolsv.exe Semaphore 0338
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000002D8 spoolsv.exe Event 0350 \BaseNamedObjects\userenv: User
Profile setup event
000002FC msdtc.exe Directory 0010 \KnownDlls
000002FC msdtc.exe File 0014 \WINDOWS\system32
000002FC msdtc.exe Directory 0024 \Windows
000002FC msdtc.exe Mutant 0030 \NlsCacheMutant
000002FC msdtc.exe Key 0038 \REGISTRY\MACHINE
000002FC msdtc.exe WindowStation 0044
\Windows\WindowStations\Service-0x0-3e4$
000002FC msdtc.exe Desktop 0048 \Default
000002FC msdtc.exe WindowStation 004c
\Windows\WindowStations\Service-0x0-3e4$
000002FC msdtc.exe Directory 0058 \BaseNamedObjects
000002FC msdtc.exe Key 00ac
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000002FC msdtc.exe File 00c0 \net\NtControlPipe8
000002FC msdtc.exe File 00d4 \svcctl
000002FC msdtc.exe Event 00f8
\BaseNamedObjects\EVENT_MSDTC_STARTING
000002FC msdtc.exe Key 0104
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002FC msdtc.exe Key 010c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002FC msdtc.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Tracing\MSDTC\Changed
000002FC msdtc.exe Section 0150 \RPC Control\DSEC2fc
000002FC msdtc.exe Port 0158 \RPC
Control\LRPC000002fc.00000001
000002FC msdtc.exe File 018c \Endpoint
000002FC msdtc.exe File 01a8
\Winsock2\CatalogChangeListener-2fc-0
000002FC msdtc.exe File 01ac \Endpoint
000002FC msdtc.exe Key 01b0
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe Key 01d0
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe Key 01d4
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe Key 01d8
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe Key 01dc
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe Key 01e0
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe Key 0208
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe Key 0210
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 021c \REGISTRY\USER
000002FC msdtc.exe Key 0220
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe Key 022c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0234
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 023c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe Key 0244
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe Key 024c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0258
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0260
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0268
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe Section 0270
\BaseNamedObjects\__R_000000000013_SMem__
000002FC msdtc.exe Key 0274 \REGISTRY\USER\S-1-5-20_CLASSES
000002FC msdtc.exe File 0284
\WINDOWS\system32\MsDtc\MSDTC.LOG
000002FC msdtc.exe Event 02d8
\BaseNamedObjects\MSDTC_NAMED_EVENT
000003B8 inetinfo.exe Directory 0010 \KnownDlls
000003B8 inetinfo.exe File 0014 \WINDOWS\system32
000003B8 inetinfo.exe Directory 001c \Windows
000003B8 inetinfo.exe Mutant 0024 \NlsCacheMutant
000003B8 inetinfo.exe Key 0030 \REGISTRY\MACHINE
000003B8 inetinfo.exe WindowStation 003c
\Windows\WindowStations\Service-0x0-3e7$
000003B8 inetinfo.exe Desktop 0040 \Default
000003B8 inetinfo.exe WindowStation 0044
\Windows\WindowStations\__X78B95_89_IW
000003B8 inetinfo.exe Directory 0048 \BaseNamedObjects
000003B8 inetinfo.exe Event 0064
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000003B8 inetinfo.exe File 006c \net\NtControlPipe9
000003B8 inetinfo.exe File 00b0 \svcctl
000003B8 inetinfo.exe File 00c0 \svcctl
000003B8 inetinfo.exe Key 00cc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000003B8 inetinfo.exe File 00d0
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000003B8 inetinfo.exe Key 00d4 \REGISTRY\USER\.DEFAULT
000003B8 inetinfo.exe Desktop 00e8 \__A8D9S1_42_ID
000003B8 inetinfo.exe WindowStation 00ec
\Windows\WindowStations\__X78B95_89_IW
000003B8 inetinfo.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe Key 012c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0138 \REGISTRY\USER
000003B8 inetinfo.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0150
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe Key 0168
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0174
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0184
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe Section 018c
\BaseNamedObjects\__R_000000000013_SMem__
000003B8 inetinfo.exe File 01c0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01c8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01d0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01d8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01e0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01e8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01f0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01f8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 0200
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 0208
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe Key 0228
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003B8 inetinfo.exe Semaphore 026c
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000003B8 inetinfo.exe Event 0284 \BaseNamedObjects\userenv: User
Profile setup event
000003B8 inetinfo.exe Event 0288
\BaseNamedObjects\crypt32LogoffEvent
000003B8 inetinfo.exe Section 02d0 \RPC Control\DSEC3b8
000003B8 inetinfo.exe Port 02d8 \RPC Control\OLE5
000003B8 inetinfo.exe Key 0350
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003B8 inetinfo.exe Key 0358
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003B8 inetinfo.exe Mutant 051c \BaseNamedObjects\DBWinMutex
000003B8 inetinfo.exe Port 05bc \RPC Control\INETINFO_LPC
000003B8 inetinfo.exe File 05ec \Endpoint
000003B8 inetinfo.exe File 05fc
\Winsock2\CatalogChangeListener-3b8-0
000003B8 inetinfo.exe File 0610 \Endpoint
000003B8 inetinfo.exe File 0638 \INETINFO
000003B8 inetinfo.exe File 063c \INETINFO
000003B8 inetinfo.exe Key 065c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
000003B8 inetinfo.exe File 0668 \EVENTLOG
000003B8 inetinfo.exe Key 0674
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe File 0698 \Endpoint
000003B8 inetinfo.exe Key 06c0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip
000003B8 inetinfo.exe Key 06dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Parameters
000003B8 inetinfo.exe File 071c \Inetpub\ftproot
000003B8 inetinfo.exe Event 072c
\BaseNamedObjects\MicrosoftInternetNewsServerVersion2BootCheckEvent
000003B8 inetinfo.exe File 073c \Endpoint
000003B8 inetinfo.exe File 0740 \Endpoint
000003B8 inetinfo.exe File 0744 \Endpoint
000003B8 inetinfo.exe File 0748 \Endpoint
000003B8 inetinfo.exe File 074c \Endpoint
000003B8 inetinfo.exe File 0750 \Endpoint
000003B8 inetinfo.exe File 0754 \Endpoint
000003B8 inetinfo.exe File 0758 \Endpoint
000003B8 inetinfo.exe File 075c \Endpoint
000003B8 inetinfo.exe File 0760 \Endpoint
000003B8 inetinfo.exe File 0764 \Endpoint
000003B8 inetinfo.exe File 076c \Endpoint
000003B8 inetinfo.exe Port 07f0 \RPC Control\SMTPSVC_LPC
000003B8 inetinfo.exe File 0824 \SMTPSVC
000003B8 inetinfo.exe File 0828 \SMTPSVC
000003B8 inetinfo.exe Port 0830 \RPC Control\NNTPSVC_LPC
000003B8 inetinfo.exe Section 0858 \BaseNamedObjects\RotHintTable
000003B8 inetinfo.exe Key 0860
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe File 0874 \Endpoint
000003B8 inetinfo.exe File 08ec \Endpoint
000003B8 inetinfo.exe File 08f0 \Endpoint
000003B8 inetinfo.exe File 08f4 \Endpoint
000003B8 inetinfo.exe File 08f8 \Endpoint
000003B8 inetinfo.exe File 08fc \Endpoint
000003B8 inetinfo.exe File 0900 \Endpoint
000003B8 inetinfo.exe File 0918 \Inetpub\mailroot\Pickup
000003B8 inetinfo.exe Section 091c \BaseNamedObjects\NTFSDrv
000003B8 inetinfo.exe Section 0920 \BaseNamedObjects\NTFSDRV_OBJ0
000003B8 inetinfo.exe File 093c \Endpoint
000003B8 inetinfo.exe File 0944 \Endpoint
000003B8 inetinfo.exe File 0948 \Endpoint
000003B8 inetinfo.exe File 094c \Endpoint
000003B8 inetinfo.exe File 0950 \Endpoint
000003B8 inetinfo.exe File 0954 \Endpoint
000003B8 inetinfo.exe File 0958 \Endpoint
000003B8 inetinfo.exe File 095c \Endpoint
000003B8 inetinfo.exe File 0960 \Endpoint
000003B8 inetinfo.exe File 0964 \Endpoint
000003B8 inetinfo.exe File 0968 \Endpoint
000003B8 inetinfo.exe Key 0978
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Parameters
000003B8 inetinfo.exe File 0994 \Inetpub\nntpfile\groupvar.lst
000003B8 inetinfo.exe File 0998 \Inetpub\nntpfile\group.lst
000003B8 inetinfo.exe File 099c \Inetpub\nntpfile\article.hsh
000003B8 inetinfo.exe File 09a4 \Inetpub\nntpfile\history.hsh
000003B8 inetinfo.exe File 09ac \Inetpub\nntpfile\xover.hsh
000003B8 inetinfo.exe Key 09dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ContentIndex
000003B8 inetinfo.exe File 09e0
\Inetpub\nntpfile\root\control\group.vpp
000003B8 inetinfo.exe File 09e4 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe File 09f0 \Inetpub\nntpfile\pickup
000003B8 inetinfo.exe File 09fc
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe File 0a00 \Inetpub\nntpfile\root
000003B8 inetinfo.exe File 0a04 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe File 0a10 \Endpoint
000003B8 inetinfo.exe File 0a18 \Endpoint
000003B8 inetinfo.exe File 0a1c \Endpoint
000003B8 inetinfo.exe File 0a20 \Endpoint
000003B8 inetinfo.exe File 0a24
\Inetpub\nntpfile\root\_slavegroup\group.vpp
000003B8 inetinfo.exe File 0a28
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe File 0a30 \Inetpub\nntpfile\root\group.vpp
000003B8 inetinfo.exe File 0a34 \Inetpub\nntpfile\root
000003B8 inetinfo.exe File 0a3c \Endpoint
000003B8 inetinfo.exe File 0a40 \Endpoint
000003B8 inetinfo.exe File 0a44 \Endpoint
000003B8 inetinfo.exe File 0a48 \Endpoint
000003B8 inetinfo.exe File 0a4c \Endpoint
000003B8 inetinfo.exe File 0a50 \Endpoint
000003B8 inetinfo.exe File 0a54 \Endpoint
000003B8 inetinfo.exe File 0a5c \Endpoint
000003B8 inetinfo.exe File 0a64 \Endpoint
000003B8 inetinfo.exe File 0a68 \Endpoint
000003B8 inetinfo.exe File 0a6c \Endpoint
000003B8 inetinfo.exe File 0a70 \Endpoint
000003B8 inetinfo.exe File 0a74 \Endpoint
000003B8 inetinfo.exe File 0a78 \Endpoint
000003B8 inetinfo.exe File 0a7c \Endpoint
000003B8 inetinfo.exe File 0a80 \Endpoint
000003B8 inetinfo.exe File 0a84 \Endpoint
000003B8 inetinfo.exe File 0a88 \Endpoint
000003B8 inetinfo.exe File 0ae0 \NNTPSVC
000003B8 inetinfo.exe File 0ae4 \NNTPSVC
000003B8 inetinfo.exe File 0b60 \DefaultAppPool
000003B8 inetinfo.exe File 0b88 \iisipm
000003B8 inetinfo.exe Key 0bb8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe Key 0bc8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003B8 inetinfo.exe File 0bdc \IISCgiStdOut952
000003B8 inetinfo.exe File 0be4 \IISCgiStdIn952
000003B8 inetinfo.exe File 0c10 \SSLFilterChannel
000003CC llssrv.exe Directory 0010 \KnownDlls
000003CC llssrv.exe File 0014 \WINDOWS\system32
000003CC llssrv.exe Directory 0024 \Windows
000003CC llssrv.exe Mutant 0030 \NlsCacheMutant
000003CC llssrv.exe Key 0038 \REGISTRY\MACHINE
000003CC llssrv.exe WindowStation 004c
\Windows\WindowStations\Service-0x0-3e4$
000003CC llssrv.exe Desktop 0050 \Default
000003CC llssrv.exe WindowStation 0054
\Windows\WindowStations\Service-0x0-3e4$
000003CC llssrv.exe Directory 005c \BaseNamedObjects
000003CC llssrv.exe File 0068 \net\NtControlPipe10
000003CC llssrv.exe File 00ac \svcctl
000003CC llssrv.exe Key 0120
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003CC llssrv.exe Key 0128
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003CC llssrv.exe Section 0140 \RPC Control\DSEC3cc
000003CC llssrv.exe Port 014c \RPC Control\llslpc
000003CC llssrv.exe File 017c \llsrpc
000003CC llssrv.exe File 0180 \llsrpc
000003A8 NSPMON.exe Directory 0010 \KnownDlls
000003A8 NSPMON.exe File 0014 \WINDOWS\system32
000003A8 NSPMON.exe Key 0018 \REGISTRY\MACHINE
000003A8 NSPMON.exe Directory 0024 \Windows
000003A8 NSPMON.exe Mutant 0030 \NlsCacheMutant
000003A8 NSPMON.exe WindowStation 0040
\Windows\WindowStations\Service-0x0-b39a$
000003A8 NSPMON.exe Desktop 0044 \Default
000003A8 NSPMON.exe WindowStation 0048
\Windows\WindowStations\Service-0x0-b39a$
000003A8 NSPMON.exe Directory 0050 \BaseNamedObjects
000003A8 NSPMON.exe Key 005c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003A8 NSPMON.exe Key 0064
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003A8 NSPMON.exe File 0068 \net\NtControlPipe11
000003A8 NSPMON.exe File 00ac \svcctl
000003A8 NSPMON.exe File 00e8 \Endpoint
000003A8 NSPMON.exe File 00f0 \Endpoint
0000041C NSCM.exe Directory 0010 \KnownDlls
0000041C NSCM.exe File 0014 \WINDOWS\system32
0000041C NSCM.exe Key 0018 \REGISTRY\MACHINE
0000041C NSCM.exe Directory 0024 \Windows
0000041C NSCM.exe Mutant 0030 \NlsCacheMutant
0000041C NSCM.exe WindowStation 0040
\Windows\WindowStations\Service-0x0-b80d$
0000041C NSCM.exe Desktop 0044 \Default
0000041C NSCM.exe WindowStation 0048
\Windows\WindowStations\Service-0x0-b80d$
0000041C NSCM.exe Directory 0050 \BaseNamedObjects
0000041C NSCM.exe Mutant 0054
\BaseNamedObjects\McmServPERF_REGISTRY_MUTEX
0000041C NSCM.exe Key 0058
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe Key 005c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe File 0068
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_41c.dat
0000041C NSCM.exe Section 006c
\BaseNamedObjects\Perflib_Perfdata_41c
0000041C NSCM.exe Key 00ac
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe Event 00b0
\BaseNamedObjects\McmServPerf_RegChangeEvent
0000041C NSCM.exe Key 00b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
0000041C NSCM.exe Mutant 00b8
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00bc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
0000041C NSCM.exe Mutant 00c0
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
0000041C NSCM.exe Mutant 00c8
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00cc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
0000041C NSCM.exe Mutant 00d0
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00d4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
0000041C NSCM.exe Mutant 00d8
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
0000041C NSCM.exe Mutant 00e0
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
0000041C NSCM.exe Mutant 00e8
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
0000041C NSCM.exe Mutant 00f0
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00f4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe Mutant 00f8
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 00fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
0000041C NSCM.exe Mutant 0100
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 0104
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
0000041C NSCM.exe Mutant 0108
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 010c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
0000041C NSCM.exe Mutant 0110
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 0114
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
0000041C NSCM.exe Mutant 0118
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 011c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
0000041C NSCM.exe Mutant 0120
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 0124
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
0000041C NSCM.exe Mutant 0128
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 012c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
0000041C NSCM.exe Mutant 0130
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 0134
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
0000041C NSCM.exe Mutant 0138
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 013c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
0000041C NSCM.exe Mutant 0140
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 0144
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
0000041C NSCM.exe Mutant 0148
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 014c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
0000041C NSCM.exe Mutant 0150
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 0154
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
0000041C NSCM.exe Mutant 0158
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 015c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
0000041C NSCM.exe Mutant 0160
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 0164
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
0000041C NSCM.exe Mutant 0168
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Key 016c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
0000041C NSCM.exe Mutant 0170
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0174
\BaseNamedObjects\McmServPERF_INFO_MUTEX
0000041C NSCM.exe File 017c \net\NtControlPipe12
0000041C NSCM.exe File 0190 \svcctl
0000041C NSCM.exe Key 019c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000041C NSCM.exe Key 01a4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000041C NSCM.exe Key 01b0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation
0000041C NSCM.exe Key 01b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Parameters
0000041C NSCM.exe Key 01c4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
0000041C NSCM.exe Key 01cc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
0000041C NSCM.exe Section 01d4 \BaseNamedObjects\McmServ
PerfAPI Global Info ShMem
0000041C NSCM.exe Mutant 01f4 \BaseNamedObjects\Shared Mutex
for McmServ Data Collection_0
0000041C NSCM.exe Section 01f8 \BaseNamedObjects\McmServ
Counter Name ShMem
0000041C NSCM.exe Section 01fc \BaseNamedObjects\McmServ
Counter Help ShMem
0000041C NSCM.exe Section 0200 \BaseNamedObjects\McmServ
PerfAPI Counter Data ShMem_Windows Media Station Service
0000041C NSCM.exe Key 0218
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Stations
0000041C NSCM.exe File 0220 \Endpoint
0000041C NSCM.exe File 0228 \Endpoint
0000041C NSCM.exe Section 0250 \RPC Control\DSEC41c
0000041C NSCM.exe Port 0254 \RPC Control\OLE9
0000041C NSCM.exe Key 0278
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe Key 0280
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 028c \REGISTRY\USER
0000041C NSCM.exe Key 0290
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe Key 029c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02a4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02ac
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe Key 02b4
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe Key 02bc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02c8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02d0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02d8
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe Section 02e0
\BaseNamedObjects\__R_000000000013_SMem__
0000041C NSCM.exe Key 02e4
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
0000041C NSCM.exe File 02f0 \lsarpc
0000046C svchost.exe Directory 0010 \KnownDlls
0000046C svchost.exe File 0014 \WINDOWS\system32
0000046C svchost.exe Key 0018 \REGISTRY\MACHINE
0000046C svchost.exe Directory 0024 \Windows
0000046C svchost.exe Mutant 0030 \NlsCacheMutant
0000046C svchost.exe File 0038 \net\NtControlPipe13
0000046C svchost.exe Directory 0078 \BaseNamedObjects
0000046C svchost.exe File 0080 \svcctl
0000046C svchost.exe Section 0098 \RPC Control\DSEC46c
0000046C svchost.exe File 00c0 \winreg
0000046C svchost.exe File 00c4 \winreg
0000046C svchost.exe Event 00d0
\BaseNamedObjects\Microsoft.RPC_Registry_Server
000004C0 svchost.exe Directory 0010 \KnownDlls
000004C0 svchost.exe File 0014 \WINDOWS\system32
000004C0 svchost.exe Directory 001c \Windows
000004C0 svchost.exe Mutant 0024 \NlsCacheMutant
000004C0 svchost.exe Key 002c \REGISTRY\MACHINE
000004C0 svchost.exe WindowStation 003c
\Windows\WindowStations\Service-0x0-3e7$
000004C0 svchost.exe Desktop 0040 \Default
000004C0 svchost.exe WindowStation 0044
\Windows\WindowStations\Service-0x0-3e7$
000004C0 svchost.exe Directory 0048 \BaseNamedObjects
000004C0 svchost.exe File 008c \net\NtControlPipe14
000004C0 svchost.exe File 00a0 \svcctl
000004C0 svchost.exe Event 00cc
\BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
000004C0 svchost.exe File 00d0 \WINDOWS\system32\wbem\mof
000004C0 svchost.exe Event 00d4
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe Event 00d8
\BaseNamedObjects\WINMGMT_COREDLL_UNLOADED
000004C0 svchost.exe Event 00dc
\BaseNamedObjects\WINMGMT_COREDLL_LOADED
000004C0 svchost.exe Event 00e0
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER_TERMINATE
000004C0 svchost.exe Mutant 00e4
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER
000004C0 svchost.exe Event 00e8
\BaseNamedObjects\WINMGMT_NEED_REGISTRATION
000004C0 svchost.exe Event 00ec
\BaseNamedObjects\WINMGMT_REGISTRATION_DONE
000004C0 svchost.exe Mutant 00f0
\BaseNamedObjects\WINMGMT_KEEP_NEW_CLIENTS_AT_BAY
000004C0 svchost.exe Event 00f4
\BaseNamedObjects\WMI_SysEvent_LodCtr
000004C0 svchost.exe Event 00f8
\BaseNamedObjects\WMI_SysEvent_UnLodCtr
000004C0 svchost.exe Section 0100 \RPC Control\DSEC4c0
000004C0 svchost.exe Port 0104 \RPC Control\OLEa
000004C0 svchost.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 012c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0138 \REGISTRY\USER
000004C0 svchost.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0150
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 0168
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0174
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0184
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe Section 018c
\BaseNamedObjects\__R_000000000013_SMem__
000004C0 svchost.exe Key 0190
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 0214
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000004C0 svchost.exe Key 021c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000004C0 svchost.exe Key 0220
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000004C0 svchost.exe Mutant 0238 \BaseNamedObjects\WINMGMT_ACTIVE
000004C0 svchost.exe File 025c
\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
000004C0 svchost.exe File 0260
\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
000004C0 svchost.exe Key 027c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
000004C0 svchost.exe Section 0284 \BaseNamedObjects\Wmi Provider
Sub System Counters
000004C0 svchost.exe Event 029c
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 02b4
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe Job 02b8
\BaseNamedObjects\WmiProviderSubSystemHostJob
000004C0 svchost.exe Event 02e4
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 02ec
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 04e0
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 0500
\BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
000004C0 svchost.exe File 050c \PIPE_EVENTROOT\CIMV2SCM EVENT
PROVIDER
000004C0 svchost.exe Event 0518
\BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
000004C0 svchost.exe Event 0524
\BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT
PROVIDER
000004C0 svchost.exe Event 0530
\BaseNamedObjects\EVENT_READYROOT/CIMV2STANDARD NON-COM EVENT PROVIDER
000004C0 svchost.exe File 0538 \PIPE_EVENTROOT\CIMV2SCM EVENT
PROVIDER
000003DC dfssvc.exe Directory 0010 \KnownDlls
000003DC dfssvc.exe File 0014 \WINDOWS\system32
000003DC dfssvc.exe Directory 0018 \Windows
000003DC dfssvc.exe Mutant 0024 \NlsCacheMutant
000003DC dfssvc.exe Key 0030 \REGISTRY\MACHINE
000003DC dfssvc.exe WindowStation 0044
\Windows\WindowStations\Service-0x0-3e7$
000003DC dfssvc.exe Desktop 0048 \Default
000003DC dfssvc.exe WindowStation 004c
\Windows\WindowStations\Service-0x0-3e7$
000003DC dfssvc.exe Directory 0050 \BaseNamedObjects
000003DC dfssvc.exe Event 0064 \BaseNamedObjects\userenv: User
Profile setup event
000003DC dfssvc.exe File 0070 \net\NtControlPipe15
000003DC dfssvc.exe File 00b4 \svcctl
000003DC dfssvc.exe Section 00d0 \RPC Control\DSEC3dc
000003DC dfssvc.exe File 00fc \netdfs
000003DC dfssvc.exe File 0100 \netdfs
000003DC dfssvc.exe File 0110 \wkssvc
000004F0 NSUM.exe Directory 0010 \KnownDlls
000004F0 NSUM.exe File 0014 \WINDOWS\system32
000004F0 NSUM.exe Key 001c \REGISTRY\MACHINE
000004F0 NSUM.exe Directory 0024 \Windows
000004F0 NSUM.exe Mutant 0030 \NlsCacheMutant
000004F0 NSUM.exe WindowStation 0040
\Windows\WindowStations\Service-0x0-c3f3$
000004F0 NSUM.exe Desktop 0044 \Default
000004F0 NSUM.exe WindowStation 0048
\Windows\WindowStations\Service-0x0-c3f3$
000004F0 NSUM.exe Directory 0050 \BaseNamedObjects
000004F0 NSUM.exe Mutant 0054
\BaseNamedObjects\AsfServPERF_REGISTRY_MUTEX
000004F0 NSUM.exe Key 0058
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe Key 005c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe File 0068
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_4f0.dat
000004F0 NSUM.exe Section 006c
\BaseNamedObjects\Perflib_Perfdata_4f0
000004F0 NSUM.exe Key 00ac
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe Event 00b0
\BaseNamedObjects\AsfServPerf_RegChangeEvent
000004F0 NSUM.exe Key 00b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
000004F0 NSUM.exe Mutant 00b8
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00bc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
000004F0 NSUM.exe Mutant 00c0
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
000004F0 NSUM.exe Mutant 00c8
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00cc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
000004F0 NSUM.exe Mutant 00d0
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00d4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
000004F0 NSUM.exe Mutant 00d8
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
000004F0 NSUM.exe Mutant 00e0
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
000004F0 NSUM.exe Mutant 00e8
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
000004F0 NSUM.exe Mutant 00f0
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00f4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
000004F0 NSUM.exe Mutant 00f8
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 00fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe Mutant 0100
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 0104
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
000004F0 NSUM.exe Mutant 0108
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 010c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
000004F0 NSUM.exe Mutant 0110
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 0114
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
000004F0 NSUM.exe Mutant 0118
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 011c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
000004F0 NSUM.exe Mutant 0120
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 0124
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
000004F0 NSUM.exe Mutant 0128
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 012c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
000004F0 NSUM.exe Mutant 0130
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 0134
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
000004F0 NSUM.exe Mutant 0138
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 013c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
000004F0 NSUM.exe Mutant 0140
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 0144
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
000004F0 NSUM.exe Mutant 0148
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 014c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
000004F0 NSUM.exe Mutant 0150
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 0154
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
000004F0 NSUM.exe Mutant 0158
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 015c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
000004F0 NSUM.exe Mutant 0160
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 0164
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
000004F0 NSUM.exe Mutant 0168
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Key 016c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
000004F0 NSUM.exe Mutant 0170
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0174
\BaseNamedObjects\AsfServPERF_INFO_MUTEX
000004F0 NSUM.exe Key 0180
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000004F0 NSUM.exe File 0184 \net\NtControlPipe16
000004F0 NSUM.exe File 019c \svcctl
000004F0 NSUM.exe Key 01c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000004F0 NSUM.exe Key 01d0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000004F0 NSUM.exe Section 01d8 \BaseNamedObjects\AsfServ
PerfAPI Global Info ShMem
000004F0 NSUM.exe Mutant 01dc \BaseNamedObjects\Shared Mutex
for AsfServ Data Collection_0
000004F0 NSUM.exe Section 01e0 \BaseNamedObjects\AsfServ
Counter Name ShMem
000004F0 NSUM.exe Section 01e4 \BaseNamedObjects\AsfServ
Counter Help ShMem
000004F0 NSUM.exe Section 01e8 \BaseNamedObjects\AsfServ
PerfAPI Counter Data ShMem_Windows Media Unicast Service
000004F0 NSUM.exe Key 0228
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters\Virtual
Roots
000004F0 NSUM.exe Key 022c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters
000004F0 NSUM.exe Key 023c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowUnicastClients
000004F0 NSUM.exe Key 0240
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowUnicastClients
000004F0 NSUM.exe Key 0248
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
000004F0 NSUM.exe Key 0250
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
000004F0 NSUM.exe File 0278 \Endpoint
000004F0 NSUM.exe File 0280 \Endpoint
000004F0 NSUM.exe File 0284 \Endpoint
000004F0 NSUM.exe File 028c \Endpoint
000004F0 NSUM.exe File 0290 \Endpoint
000004F0 NSUM.exe Section 029c \RPC Control\DSEC4f0
000004F0 NSUM.exe Port 02ac \RPC Control\OLEb
000004F0 NSUM.exe Key 02b8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Event
Notification\ACL Check
000004F0 NSUM.exe Key 02cc
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe Key 02d4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 02e0 \REGISTRY\USER
000004F0 NSUM.exe Key 02e4
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe Key 02f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 02f8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 0300
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe Key 0308
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe Key 0310
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 031c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 0324
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 032c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe Section 0334
\BaseNamedObjects\__R_000000000013_SMem__
000004F0 NSUM.exe Key 0338
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
000004F0 NSUM.exe Key 033c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP
BASIC-Membership
000004F0 NSUM.exe Key 0340
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP
BASIC-NTLM
000004F0 NSUM.exe Key 0344
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\NTLM-NTLM
00000548 nspm.exe Directory 0010 \KnownDlls
00000548 nspm.exe File 0014 \WINDOWS\system32
00000548 nspm.exe Key 0018 \REGISTRY\MACHINE
00000548 nspm.exe Directory 0024 \Windows
00000548 nspm.exe Mutant 0030 \NlsCacheMutant
00000548 nspm.exe WindowStation 0044
\Windows\WindowStations\Service-0x0-ce4b$
00000548 nspm.exe Desktop 0048 \Default
00000548 nspm.exe WindowStation 004c
\Windows\WindowStations\Service-0x0-ce4b$
00000548 nspm.exe Directory 0050 \BaseNamedObjects
00000548 nspm.exe Key 005c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
00000548 nspm.exe Key 0068
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000\Control
Panel\International
00000548 nspm.exe File 00c0 \net\NtControlPipe17
00000548 nspm.exe File 00c4 \svcctl
00000548 nspm.exe Key 00e8
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe Key 00f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 00fc \REGISTRY\USER
00000548 nspm.exe Key 0100
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe Key 010c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0114
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 011c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe Key 012c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0138
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0140
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe Section 0150
\BaseNamedObjects\__R_000000000013_SMem__
00000548 nspm.exe Key 0154
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
00000548 nspm.exe Section 0160 \RPC Control\DSEC548
00000548 nspm.exe Port 0168 \RPC Control\OLEd
00000548 nspm.exe Key 0198
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000548 nspm.exe File 019c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000548 nspm.exe Key 01a0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000548 nspm.exe Key 01a8
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process
0x548 Thread 0x5d0 DBC 0x37684 Jet
00000548 nspm.exe Key 01c0
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process
0x548 Thread 0x5d0 DBC 0x37684 Jet\Engines\Jet
00000548 nspm.exe File 01d8
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JETA66.tmp
00000548 nspm.exe File 01f8
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JET1.tmp
00000548 nspm.exe File 0218 \WINDOWS\system32\Windows
Media\Server\ASDB\mdsas.mdb
00000548 nspm.exe File 021c \WINDOWS\system32\Windows
Media\Server\ASDB\mdsas.ldb
000005C8 svchost.exe Directory 0010 \KnownDlls
000005C8 svchost.exe File 0014 \WINDOWS\system32
000005C8 svchost.exe Directory 001c \Windows
000005C8 svchost.exe Mutant 0024 \NlsCacheMutant
000005C8 svchost.exe Key 002c \REGISTRY\MACHINE
000005C8 svchost.exe WindowStation 003c \Windows\WindowStations\WinSta0
000005C8 svchost.exe Desktop 0040 \Default
000005C8 svchost.exe WindowStation 0044 \Windows\WindowStations\WinSta0
000005C8 svchost.exe Directory 0048 \BaseNamedObjects
000005C8 svchost.exe File 008c \net\NtControlPipe18
000005C8 svchost.exe File 00a0 \svcctl
000005C8 svchost.exe Event 00b8
\BaseNamedObjects\crypt32LogoffEvent
000005C8 svchost.exe Event 00e0 \BaseNamedObjects\userenv: User
Profile setup event
000005C8 svchost.exe Key 00e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000005C8 svchost.exe File 014c \SSLFilterChannel
000005C8 svchost.exe Key 0164
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Key 016c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 0178 \REGISTRY\USER
000005C8 svchost.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Key 0188
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 0190
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 0198
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe Key 01a0
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Key 01a8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 01b4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 01bc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 01c4
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe Section 01cc
\BaseNamedObjects\__R_000000000013_SMem__
000005C8 svchost.exe Key 01d0
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Section 01d4 \RPC Control\DSEC5c8
000005C8 svchost.exe Port 01e0 \RPC Control\OLEf
000005C8 svchost.exe Section 0214
\BaseNamedObjects\IISCacheCounters-c205a604-4df5-42b6-8fe9-dbfe18f022a0_1_A
000005C8 svchost.exe Section 0218
\BaseNamedObjects\IISCounterControlBlock-46382a23-095e-4559-8d63-6fdeaf552c23
000005C8 svchost.exe Event 0220
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000005C8 svchost.exe Key 0228
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000005C8 svchost.exe File 022c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000005C8 svchost.exe Key 0230 \REGISTRY\USER\.DEFAULT
000005C8 svchost.exe Semaphore 0234
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000005C8 svchost.exe File 0278 \DefaultAppPool
000005C8 svchost.exe Section 02a4
\BaseNamedObjects\IISCacheCounters-c205a604-4df5-42b6-8fe9-dbfe18f022a0_1_B
000005C8 svchost.exe Section 02a8
\BaseNamedObjects\IISSitesCounters-99c62c38-377d-4a73-af40-6ea7ed1f5896_1_A
000005C8 svchost.exe Section 02ac
\BaseNamedObjects\IISSitesCounters-99c62c38-377d-4a73-af40-6ea7ed1f5896_1_B
000005C8 svchost.exe Event 02b0
\BaseNamedObjects\WASPerfCount-c40da922-9c0a-4def-8aba-cd0bb5f093e1
000005C8 svchost.exe File 02bc \iisipm
000000F8 explorer.exe Directory 0010 \KnownDlls
000000F8 explorer.exe File 0014 \Documents and
Settings\user.XP
000000F8 explorer.exe Directory 0018 \Windows
000000F8 explorer.exe Mutant 0024 \NlsCacheMutant
000000F8 explorer.exe Key 0030 \REGISTRY\MACHINE
000000F8 explorer.exe WindowStation 003c \Windows\WindowStations\WinSta0
000000F8 explorer.exe Desktop 0040 \Default
000000F8 explorer.exe WindowStation 0044 \Windows\WindowStations\WinSta0
000000F8 explorer.exe Key 0048
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe File 004c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe Key 0050
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000F8 explorer.exe Directory 0054 \BaseNamedObjects
000000F8 explorer.exe Key 0058
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
000000F8 explorer.exe File 005c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe Key 0060
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe File 0064
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 0068
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe Key 006c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows
NT\CurrentVersion\Windows
000000F8 explorer.exe Mutant 0070
\BaseNamedObjects\ExplorerIsShellMutex
000000F8 explorer.exe Semaphore 0074
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
000000F8 explorer.exe Semaphore 0080
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000000F8 explorer.exe Key 0094
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe Key 009c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00a8 \REGISTRY\USER
000000F8 explorer.exe Key 00ac
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe Key 00b8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00c8
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe Key 00d0
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe Key 00d8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00e4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00ec
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00f4
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe Section 00fc
\BaseNamedObjects\__R_000000000013_SMem__
000000F8 explorer.exe Semaphore 0104
\BaseNamedObjects\shell.{090851A5-EB96-11D2-8BE4-00C04FA31A66}
000000F8 explorer.exe File 0108
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe Section 0150 \RPC Control\DSECf8
000000F8 explorer.exe Port 0164 \RPC Control\OLE11
000000F8 explorer.exe Key 0188
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
000000F8 explorer.exe File 018c \Documents and Settings\All
Users.WINDOWS\Desktop
000000F8 explorer.exe Key 0190
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe Semaphore 0198
\BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
000000F8 explorer.exe File 01a0 \Documents and
Settings\user.XP\Desktop
000000F8 explorer.exe Event 01c4 \BaseNamedObjects\userenv: User
Profile setup event
000000F8 explorer.exe Key 01c8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet
Explorer\Security\P3Global
000000F8 explorer.exe Key 01cc
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet
Explorer\Security\P3Sites
000000F8 explorer.exe Key 01d8
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe Key 01dc
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\Shell
000000F8 explorer.exe Key 01e4
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam
000000F8 explorer.exe Key 01e8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000F8 explorer.exe File 01f0 \Documents and Settings\All
Users.WINDOWS\Start Menu
000000F8 explorer.exe Key 0200
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu
000000F8 explorer.exe File 0204 \Documents and
Settings\user.XP\Start Menu
000000F8 explorer.exe Semaphore 020c
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
000000F8 explorer.exe File 0218 \Documents and
Settings\user.XP\Application Data\Microsoft\Internet Explorer\Quick
Launch
000000F8 explorer.exe Key 0224
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000F8 explorer.exe Section 022c
\BaseNamedObjects\ShimSharedMemory[S-1-5-21-484763869-113007714-839522115-1010]
000000F8 explorer.exe Key 0230
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe Key 023c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
000000F8 explorer.exe Key 0250
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe File 0258
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe Mutant 025c
\BaseNamedObjects\_!MSFTHISTORY!_
000000F8 explorer.exe File 0264 \srvsvc
000000F8 explorer.exe Semaphore 0274
\BaseNamedObjects\PowerProfileRegistrySemaphore
000000F8 explorer.exe File 02a4 \Documents and
Settings\user.XP\Cookies\index.dat
000000F8 explorer.exe Key 02a8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu\Programs\Accessories
000000F8 explorer.exe Mutant 02b0 \BaseNamedObjects\_SHuassist.mtx
000000F8 explorer.exe Section 02b8 \BaseNamedObjects\C:_Documents
and Settings_user.XP_Cookies_index.dat_32768
000000F8 explorer.exe Mutant 02bc \BaseNamedObjects\c:!documents
and settings!user.xp!local
settings!history!history.ie5!mshist012001052220010523!
000000F8 explorer.exe File 02d0 \lsarpc
000000F8 explorer.exe Event 02dc
\BaseNamedObjects\ShellReadyEvent
000000F8 explorer.exe File 02e0
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 02e4
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe Key 02e8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu\Programs\Accessories\Entertainment
000000F8 explorer.exe Mutant 02f0
\BaseNamedObjects\ShimCacheMutex[S-1-5-21-484763869-113007714-839522115-1010]
000000F8 explorer.exe Key 02f4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000F8 explorer.exe Key 0300
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
000000F8 explorer.exe Mutant 0304
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000F8 explorer.exe Event 0308
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000F8 explorer.exe Semaphore 030c
\BaseNamedObjects\GuardSemmmGlobalPnpInfoGuard
000000F8 explorer.exe Section 0310
\BaseNamedObjects\mmGlobalPnpInfo
000000F8 explorer.exe Section 0314
\BaseNamedObjects\WDMAUD_Path_Size
000000F8 explorer.exe Section 0318
\BaseNamedObjects\WDMAUD_Path_Size
000000F8 explorer.exe Section 031c
\BaseNamedObjects\WDMAUD_Path_Size
000000F8 explorer.exe File 0320
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000F8 explorer.exe Section 0324
\BaseNamedObjects\WDMAUD_Callbacks
000000F8 explorer.exe Mutant 0328 \BaseNamedObjects\mxrapi
000000F8 explorer.exe Event 032c \BaseNamedObjects\mixercallback
000000F8 explorer.exe Key 0330
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device
Parameters\Mixer
000000F8 explorer.exe Event 0334
\BaseNamedObjects\hardwaremixercallback
000000F8 explorer.exe Event 0350
\BaseNamedObjects\HPlugEjectEvent
000000F8 explorer.exe File 0364 \ntsvcs
000000F8 explorer.exe File 0380 \AudioSrv
000000F8 explorer.exe File 0388
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 038c \wkssvc
000000F8 explorer.exe File 03c8 \Documents and
Settings\user.XP\PrintHood
000000F8 explorer.exe Key 03e0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000000F8 explorer.exe Key 03e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000000F8 explorer.exe Key 03e8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000000F8 explorer.exe Key 03ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000000F8 explorer.exe Key 0414
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe Key 0424
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions
000000F8 explorer.exe File 042c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe Key 0434
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe Key 0438
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe Key 0444
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe Mutant 0448 \BaseNamedObjects\c:!documents
and settings!user.xp!cookies!
000000F8 explorer.exe Key 044c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu\Programs
000000F8 explorer.exe Event 0450
\BaseNamedObjects\crypt32LogoffEvent
000000F8 explorer.exe Key 0454
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
000000F8 explorer.exe Key 046c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Internet
Settings
000000F8 explorer.exe Mutant 0470 \BaseNamedObjects\c:!documents
and settings!user.xp!local settings!temporary internet files!content.ie5!
000000F8 explorer.exe Section 0478 \BaseNamedObjects\C:_Documents
and Settings_user.XP_Local Settings_Temporary Internet
Files_Content.IE5_index.dat_278528
000000F8 explorer.exe File 0488 \Documents and
Settings\user.XP\Local Settings\History\History.IE5\index.dat
000000F8 explorer.exe File 048c \Documents and
Settings\user.XP\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
000000F8 explorer.exe Mutant 0498 \BaseNamedObjects\c:!documents
and settings!user.xp!local settings!history!history.ie5!
000000F8 explorer.exe Mutant 04a0
\BaseNamedObjects\_!SHMSFTHISTORY!_
000000F8 explorer.exe File 04a4 \Documents and
Settings\user.XP\Local
Settings\History\History.IE5\MSHist012001052220010523\index.dat
000000F8 explorer.exe Section 04a8 \BaseNamedObjects\C:_Documents
and Settings_user.XP_Local Settings_History_History.IE5_index.dat_98304
000000F8 explorer.exe Section 04ac \BaseNamedObjects\C:_Documents
and Settings_user.XP_Local
Settings_History_History.IE5_MSHist012001052220010523_index.dat_32768
00000720 idwlog.exe Directory 0010 \KnownDlls
00000720 idwlog.exe File 0014 \Documents and
Settings\user.XP
00000720 idwlog.exe Directory 0024 \Windows
00000720 idwlog.exe Mutant 0030 \NlsCacheMutant
00000720 idwlog.exe Key 0038 \REGISTRY\MACHINE
00000720 idwlog.exe WindowStation 0044 \Windows\WindowStations\WinSta0
00000720 idwlog.exe Desktop 0048 \Default
00000720 idwlog.exe WindowStation 004c \Windows\WindowStations\WinSta0
00000720 idwlog.exe Key 006c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000720 idwlog.exe File 0078 \Idwlog.log
00000720 idwlog.exe File 007c \WINDOWS\system32
00000720 idwlog.exe File 0084 \WINDOWS\system32
00000720 idwlog.exe File 00c4 \ntsvcs
00000720 idwlog.exe File 00d0 \WINDOWS\system32
00000720 idwlog.exe Key 00e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World
Full Access Shared Parameters
00000720 idwlog.exe Directory 00ec \BaseNamedObjects
00000720 idwlog.exe File 00f8 \DAV RPC SERVICE
0000079C svchost.exe Directory 0010 \KnownDlls
0000079C svchost.exe File 0014 \WINDOWS\system32
0000079C svchost.exe Directory 001c \Windows
0000079C svchost.exe Mutant 0024 \NlsCacheMutant
0000079C svchost.exe Key 002c \REGISTRY\MACHINE
0000079C svchost.exe File 0054 \net\NtControlPipe20
0000079C svchost.exe Directory 0070 \BaseNamedObjects
0000079C svchost.exe File 0078 \svcctl
0000079C svchost.exe WindowStation 0088
\Windows\WindowStations\Service-0x0-3e7$
0000079C svchost.exe Desktop 008c \Default
0000079C svchost.exe WindowStation 0090
\Windows\WindowStations\Service-0x0-3e7$
0000079C svchost.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\tapisrv
0000079C svchost.exe Event 00dc
\BaseNamedObjects\SC_AutoStartComplete
0000079C svchost.exe Section 00e4 \RPC Control\DSEC79c
0000079C svchost.exe File 010c \tapsrv
0000079C svchost.exe File 0110 \tapsrv
0000079C svchost.exe Port 0124 \RPC Control\tapsrvlpc
0000079C svchost.exe File 01c0 \53cb31a0\UnimodemNotifyTSP
0000079C svchost.exe Event 01c4
\BaseNamedObjects\--.-mailslot-53cb31a0-UnimodemNotifyTSP
0000079C svchost.exe File 01dc \ntsvcs
0000079C svchost.exe Key 0200
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\KMDDSP
0000079C svchost.exe Key 02b4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\NDPTSP
0000079C svchost.exe Key 036c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\conftsp
0000079C svchost.exe Key 03a0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000079C svchost.exe Key 03a8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000079C svchost.exe File 03ac \WINDOWS\system32\h323log.txt
0000079C svchost.exe Key 03b4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
0000079C svchost.exe Key 03e8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
0000079C svchost.exe Event 03ec \BaseNamedObjects\DINPUTWINMM
0000079C svchost.exe Key 03fc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\hidphone
00000668 svchost.exe Directory 0010 \KnownDlls
00000668 svchost.exe File 0014 \WINDOWS\system32
00000668 svchost.exe Directory 001c \Windows
00000668 svchost.exe Mutant 0024 \NlsCacheMutant
00000668 svchost.exe Key 002c \REGISTRY\MACHINE
00000668 svchost.exe File 0030 \net\NtControlPipe21
00000668 svchost.exe Directory 0070 \BaseNamedObjects
00000668 svchost.exe File 0078 \svcctl
00000668 svchost.exe WindowStation 0088 \Windows\WindowStations\WinSta0
00000668 svchost.exe Desktop 008c \Default
00000668 svchost.exe WindowStation 0090 \Windows\WindowStations\WinSta0
00000668 svchost.exe Event 00b8 \BaseNamedObjects\userenv: User
Profile setup event
00000668 svchost.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000668 svchost.exe File 00c4
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000668 svchost.exe Key 00c8 \REGISTRY\USER\.DEFAULT
00000668 svchost.exe File 00fc \WINDOWS\Sti_Trace.log
00000668 svchost.exe Mutant 0100
\BaseNamedObjects\StiTraceMutexSti_Trace.log
00000668 svchost.exe Section 010c \RPC Control\DSEC668
00000668 svchost.exe Port 0110 \RPC Control\OLE14
00000668 svchost.exe Key 0134
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0148 \REGISTRY\USER
00000668 svchost.exe Key 014c
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0168
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe Key 0170
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe Key 0178
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0184
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 018c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0194
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe Section 019c
\BaseNamedObjects\__R_000000000013_SMem__
00000668 svchost.exe Key 01a0
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe File 01a4 \WINDOWS\wiaservc.log
00000668 svchost.exe File 01cc \ntsvcs
00000668 svchost.exe Semaphore 01ec
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
00000668 svchost.exe Port 0264 \RPC Control\STI_LRPC
00000668 svchost.exe File 0288 \WINDOWS\Sti_Trace.log
00000668 svchost.exe Mutant 028c
\BaseNamedObjects\StiTraceMutexSti_Trace.log
00000870 wmiprvse.exe Directory 0010 \KnownDlls
00000870 wmiprvse.exe File 0014 \WINDOWS\system32
00000870 wmiprvse.exe Directory 0024 \Windows
00000870 wmiprvse.exe Mutant 0030 \NlsCacheMutant
00000870 wmiprvse.exe Key 0038 \REGISTRY\MACHINE
00000870 wmiprvse.exe WindowStation 0044
\Windows\WindowStations\Service-0x0-3e7$
00000870 wmiprvse.exe Desktop 0048 \Default
00000870 wmiprvse.exe WindowStation 004c
\Windows\WindowStations\Service-0x0-3e7$
00000870 wmiprvse.exe Directory 0050 \BaseNamedObjects
00000870 wmiprvse.exe Section 00ac \BaseNamedObjects\Wmi Provider
Sub System Counters
00000870 wmiprvse.exe Event 00d0
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
00000870 wmiprvse.exe Event 00ec
\BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
00000870 wmiprvse.exe Section 00f0 \RPC Control\DSEC870
00000870 wmiprvse.exe Port 00fc \RPC Control\OLE15
00000870 wmiprvse.exe Key 011c
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0130 \REGISTRY\USER
00000870 wmiprvse.exe Key 0134
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe Key 0140
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0150
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 016c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0174
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe Section 0184
\BaseNamedObjects\__R_000000000013_SMem__
00000870 wmiprvse.exe Key 0188
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Directory 0010 \KnownDlls
0000076C wuauclt.exe File 0014 \WINDOWS\system32
0000076C wuauclt.exe File 0018
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe Directory 0028 \Windows
0000076C wuauclt.exe Mutant 0034 \NlsCacheMutant
0000076C wuauclt.exe Key 003c \REGISTRY\MACHINE
0000076C wuauclt.exe WindowStation 0048 \Windows\WindowStations\WinSta0
0000076C wuauclt.exe Desktop 004c \Default
0000076C wuauclt.exe WindowStation 0050 \Windows\WindowStations\WinSta0
0000076C wuauclt.exe Key 0054
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000076C wuauclt.exe File 0058
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe Directory 005c \BaseNamedObjects
0000076C wuauclt.exe Mutant 0064
\BaseNamedObjects\ZonesCounterMutex
0000076C wuauclt.exe Mutant 0068
\BaseNamedObjects\ZonesCacheCounterMutex
0000076C wuauclt.exe Key 006c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
0000076C wuauclt.exe Key 0070
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000076C wuauclt.exe Mutant 0078
\BaseNamedObjects\AutoUpdateSingleInstance
0000076C wuauclt.exe Key 008c
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Key 0094
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00a0 \REGISTRY\USER
0000076C wuauclt.exe Key 00a4
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Key 00b0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00b8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe Key 00c8
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Key 00d0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00dc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00e4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00ec
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe Section 00f4
\BaseNamedObjects\__R_000000000013_SMem__
0000076C wuauclt.exe Section 0134 \RPC Control\DSEC76c
0000076C wuauclt.exe Port 0148 \RPC Control\OLE16
0000076C wuauclt.exe File 0188 \lsarpc
0000076C wuauclt.exe Semaphore 01b8
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
0000076C wuauclt.exe Mutant 01ec \BaseNamedObjects\RasPbFile
0000076C wuauclt.exe Key 0214
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
0000076C wuauclt.exe File 0220 \svcctl
0000076C wuauclt.exe Key 022c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000076C wuauclt.exe Key 0234
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000076C wuauclt.exe File 023c \ROUTER
0000076C wuauclt.exe Key 0254
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
0000076C wuauclt.exe Event 026c \BaseNamedObjects\userenv: User
Profile setup event
0000076C wuauclt.exe Key 0290
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000076C wuauclt.exe Key 0294
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000076C wuauclt.exe Key 0298
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000076C wuauclt.exe Key 029c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000838 cmd.exe Directory 0010 \KnownDlls
00000838 cmd.exe File 0014 \Documents and
Settings\user.XP
00000838 cmd.exe Directory 0024 \Windows
00000838 cmd.exe Mutant 0030 \NlsCacheMutant
00000838 cmd.exe WindowStation 0040 \Windows\WindowStations\WinSta0
00000838 cmd.exe WindowStation 0044 \Windows\WindowStations\WinSta0
00000838 cmd.exe Desktop 0048 \Default
00000838 cmd.exe Key 0050 \REGISTRY\MACHINE
00000838 cmd.exe Key 0054
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
00000838 cmd.exe Key 0058
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000838 cmd.exe Key 005c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000838 cmd.exe Key 0060
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000838 cmd.exe File 006c \output\ohall.txt
00000778 oh.exe File 0014 \Documents and
Settings\user.XP
00000778 oh.exe File 006c \output\ohall.txt
00000778 oh.exe WindowStation 07c4 \Windows\WindowStations\WinSta0
00000778 oh.exe Key 07d0 \REGISTRY\MACHINE
00000778 oh.exe Mutant 07d4 \NlsCacheMutant
00000778 oh.exe Directory 07e0 \Windows
00000778 oh.exe Directory 07f0 \KnownDlls
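Long object names in the listing above wrap onto the following line, so a plain line-by-line search of Ohall.txt can miss them. The Python below is an added example, not part of the OH documentation: it rejoins wrapped names into one record per handle and reports which processes hold a given object. The function names are hypothetical, the sample lines are copied from the listing above, and it assumes process names contain no spaces.

```python
import re
from collections import defaultdict

# Record header: PID (8 hex digits), process name, object type, handle value,
# then an optional object name. Assumption: process names contain no spaces,
# as in the listing on this page.
HEADER = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\s+(?P<process>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<handle>[0-9A-Fa-f]{4,8})(?:\s+(?P<name>.*))?$"
)

# Sample lines copied from the Ohall.txt listing above, including wrapped names.
SAMPLE = r"""
0000076C wuauclt.exe Mutant 0078
\BaseNamedObjects\AutoUpdateSingleInstance
0000076C wuauclt.exe Event 026c \BaseNamedObjects\userenv: User
Profile setup event
00000838 cmd.exe File 0014 \Documents and
Settings\user.XP
00000838 cmd.exe Mutant 0030 \NlsCacheMutant
00000838 cmd.exe File 006c \output\ohall.txt
00000778 oh.exe File 006c \output\ohall.txt
00000778 oh.exe Key 07d0 \REGISTRY\MACHINE
"""


def parse_oh(text):
    """Parse OH output into a list of dicts, one per handle.

    A line that does not start a new record is treated as the continuation
    of the previous record's object name. The listing wraps names at spaces,
    so continuation text is rejoined with a single space.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append({
                "pid": int(m["pid"], 16),
                "process": m["process"],
                "type": m["type"],
                "handle": int(m["handle"], 16),
                "name": (m["name"] or "").strip(),
            })
        elif records:
            last = records[-1]
            last["name"] = (last["name"] + " " + line).strip()
        # Text before the first record (banner lines) is ignored.
    return records


def holders_of(records, object_name):
    """Return sorted (pid, process) pairs that hold a handle to object_name.

    Object names are compared case-insensitively.
    """
    wanted = object_name.lower()
    return sorted({(r["pid"], r["process"])
                   for r in records if r["name"].lower() == wanted})


def named_objects_by_process(records, obj_type):
    """Group the named objects of one type (for example Mutant) by process."""
    grouped = defaultdict(list)
    for r in records:
        if r["type"].lower() == obj_type.lower() and r["name"]:
            grouped[(r["pid"], r["process"])].append(r["name"])
    return dict(grouped)


if __name__ == "__main__":
    recs = parse_oh(SAMPLE)
    for pid, proc in holders_of(recs, r"\output\ohall.txt"):
        print(f"{pid:08X} {proc} has \\output\\ohall.txt open")
    for (pid, proc), names in named_objects_by_process(recs, "Mutant").items():
        print(f"{pid:08X} {proc} mutants: {names}")
```

To run it against a real capture, read the file produced by `oh /o` and pass its contents to `parse_oh`.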
To generate a list of key objects and send the output to the file C:\Output\Ohkey.txt, type the following at the command line:
oh /t key /o c:\output\ohkey.txt
Looking in Ohkey.txt, you then see output similar to the following:
00000004 System Key 000c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\WPA
00000004 System Key 0010 \REGISTRY
00000004 System Key 0014
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session
Manager\WPA\SigningHash-PRCRFTFJWDC27Q
00000004 System Key 0018
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter
00000004 System Key 001c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Executive
00000004 System Key 0020 \REGISTRY\MACHINE\SYSTEM\Setup
00000004 System Key 0024
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions
00000004 System Key 0028
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000004 System Key 0040
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\3&29761208&0\Device
Parameters
00000004 System Key 0048
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device
Parameters
00000004 System Key 004c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device
Parameters
00000004 System Key 0050
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System Key 0054
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System Key 0058
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Video\{67BA24C1-E772-4266-BBE5-D44FE7A9D9A4}\0000\VolatileSettings
00000004 System Key 005c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System Key 006c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory
Management\PrefetchParameters
000000C0 smss.exe Key 0030
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000000C0 smss.exe Key 0034
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CrashControl
000000D8 csrss.exe Key 00a0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
000000D8 csrss.exe Key 0650 \REGISTRY\MACHINE
000000D8 csrss.exe Key 0680
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000000D8 csrss.exe Key 0684
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000000D8 csrss.exe Key 0688
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000000D8 csrss.exe Key 0698
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control
Panel\International
000000D8 csrss.exe Key 069c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control
Panel\International
000000E0 winlogon.exe Key 0030 \REGISTRY\MACHINE
000000E0 winlogon.exe Key 00b0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000E0 winlogon.exe Key 00b8 \REGISTRY\USER\.DEFAULT
000000E0 winlogon.exe Key 00dc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32chain
000000E0 winlogon.exe Key 00e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cryptnet
000000E0 winlogon.exe Key 00f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sclgntfy
000000E0 winlogon.exe Key 00fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
000000E0 winlogon.exe Key 01d0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe Key 01e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000E0 winlogon.exe Key 020c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe Key 02e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Credentials
000000E0 winlogon.exe Key 05f0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device
Parameters\Mixer
000000E0 winlogon.exe Key 05f8 \REGISTRY\USER
000000E0 winlogon.exe Key 0650
\REGISTRY\MACHINE\SOFTWARE\Classes
000000E0 winlogon.exe Key 06c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000E0 winlogon.exe Key 0774
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ScCertProp
000000E0 winlogon.exe Key 0790
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000E0 winlogon.exe Key 079c
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000E0 winlogon.exe Key 07a0
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
000000E0 winlogon.exe Key 0838
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
00000110 services.exe Key 0038 \REGISTRY\MACHINE
00000110 services.exe Key 0068
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000110 services.exe Key 006c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000110 services.exe Key 0070
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000110 services.exe Key 0074
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum
00000110 services.exe Key 007c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
00000110 services.exe Key 0080
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class
00000110 services.exe Key 0084
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\PerHwIdStorage
00000110 services.exe Key 0190
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order
00000110 services.exe Key 01d4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder
00000110 services.exe Key 031c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
00000110 services.exe Key 0348
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000110 services.exe Key 036c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
00000110 services.exe Key 042c \REGISTRY\USER
00000110 services.exe Key 0430 \REGISTRY\USER\S-1-5-20
00000110 services.exe Key 0454 \REGISTRY\USER\S-1-5-19
00000110 services.exe Key 04c0 \REGISTRY\USER\S-1-5-20
00000110 services.exe Key 051c \REGISTRY\USER\S-1-5-20
00000110 services.exe Key 0544
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000110 services.exe Key 055c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe Key 0570
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe Key 05c4 \REGISTRY\USER\S-1-5-19
00000110 services.exe Key 0614
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe Key 0640
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
0000011C lsass.exe Key 0038 \REGISTRY\MACHINE
0000011C lsass.exe Key 0060
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
0000011C lsass.exe Key 0084
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll
0000011C lsass.exe Key 0088
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll
0000011C lsass.exe Key 008c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll
0000011C lsass.exe Key 00a8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
0000011C lsass.exe Key 00dc \REGISTRY\MACHINE\SECURITY
0000011C lsass.exe Key 00e0 \REGISTRY\MACHINE\SECURITY\RXACT
0000011C lsass.exe Key 0110
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe Key 0130
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos
0000011C lsass.exe Key 0164
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe Key 016c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\SidCache
0000011C lsass.exe Key 017c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains
0000011C lsass.exe Key 018c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000011C lsass.exe Key 0194
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000011C lsass.exe Key 01a4
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe Key 01b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
0000011C lsass.exe Key 01b8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\MSV1_0
0000011C lsass.exe Key 02a0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
0000011C lsass.exe Key 0384 \REGISTRY\MACHINE\SAM\SAM
0000011C lsass.exe Key 0388 \REGISTRY\MACHINE\SAM\SAM\RXACT
0000011C lsass.exe Key 038c
\REGISTRY\MACHINE\SAM\SAM\Domains\Builtin
0000011C lsass.exe Key 0390
\REGISTRY\MACHINE\SAM\SAM\Domains\Account
0000011C lsass.exe Key 03e4 \REGISTRY\USER\S-1-5-20
0000011C lsass.exe Key 03f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000011C lsass.exe Key 03f8 \REGISTRY\USER
0000011C lsass.exe Key 04a0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000011C lsass.exe Key 04a4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000011C lsass.exe Key 04a8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000011C lsass.exe Key 04ac
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000001A0 svchost.exe Key 002c \REGISTRY\MACHINE
000001A0 svchost.exe Key 00b0
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe Key 00c8
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001A0 svchost.exe Key 00d0
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID
000001A0 svchost.exe Key 00f4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Ole
000001A0 svchost.exe Key 0120
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000001A0 svchost.exe Key 0128
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000001A0 svchost.exe Key 0190
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000001A0 svchost.exe Key 01b0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000001A0 svchost.exe Key 01b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000001A0 svchost.exe Key 01b8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000001A0 svchost.exe Key 0214
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe Key 021c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe Key 0228 \REGISTRY\USER
000001A0 svchost.exe Key 022c
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe Key 0238
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe Key 0240
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe Key 0248
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001A0 svchost.exe Key 0250
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe Key 0258
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe Key 0264
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe Key 026c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe Key 0274
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001BC svchost.exe Key 002c \REGISTRY\MACHINE
000001BC svchost.exe Key 00ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing
Core
000001BC svchost.exe Key 0108
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
000001BC svchost.exe Key 0180
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000001BC svchost.exe Key 0188
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000001BC svchost.exe Key 0260
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
000001BC svchost.exe Key 0274
\REGISTRY\MACHINE\SOFTWARE\Policies
000001BC svchost.exe Key 02fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\AddIns
000001BC svchost.exe Key 0364 \REGISTRY\USER
00000200 svchost.exe Key 002c \REGISTRY\MACHINE
00000200 svchost.exe Key 00a8 \REGISTRY\USER\.DEFAULT
00000200 svchost.exe Key 00b8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000200 svchost.exe Key 0108
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
00000200 svchost.exe Key 010c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000200 svchost.exe Key 0110
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
00000200 svchost.exe Key 0114
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000200 svchost.exe Key 012c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
00000200 svchost.exe Key 0134
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
00000200 svchost.exe Key 0140
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters
00000200 svchost.exe Key 0144
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000200 svchost.exe Key 0148
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters\Options
00000200 svchost.exe Key 014c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
00000200 svchost.exe Key 0178
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters
00000200 svchost.exe Key 0194
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{81A3AA37-6FFD-4907-99BB-47F19F605A44}
00000200 svchost.exe Key 01f8
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe Key 0200
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe Key 020c \REGISTRY\USER
00000200 svchost.exe Key 0210
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe Key 021c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe Key 0224
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe Key 022c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000200 svchost.exe Key 0234
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe Key 023c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe Key 0248
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe Key 0250
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe Key 0258
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000200 svchost.exe Key 0268
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe Key 0478
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters
00000200 svchost.exe Key 0570
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
00000200 svchost.exe Key 0630
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
00000200 svchost.exe Key 0710
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}
00000200 svchost.exe Key 0740
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses
00000200 svchost.exe Key 0860
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\EAPOL
00000200 svchost.exe Key 0868
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions
00000200 svchost.exe Key 08f0
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings
00000200 svchost.exe Key 0a4c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Browser\Parameters
00000200 svchost.exe Key 0a60
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
00000200 svchost.exe Key 0a94
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASTLS
00000200 svchost.exe Key 0aa4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASCHAP
00000200 svchost.exe Key 0abc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces
00000200 svchost.exe Key 0b98
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe Key 0bc0
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe Key 0bc4
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe Key 0bc8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
00000200 svchost.exe Key 0be8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000200 svchost.exe Key 0bf8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000200 svchost.exe Key 0c1c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASTAPI
00000200 svchost.exe Key 0c3c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\tapi32
00000200 svchost.exe Key 0cb8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASMAN
00000200 svchost.exe Key 0cd0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\PPP
00000200 svchost.exe Key 0ce0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BAP
00000200 svchost.exe Key 0cec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RasMan\PPP
00000200 svchost.exe Key 0cfc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASSPAP
00000200 svchost.exe Key 0d0c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASPAP
00000200 svchost.exe Key 0d1c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASEAP
00000200 svchost.exe Key 0d2c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASCCP
00000200 svchost.exe Key 0d3c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASBACP
00000200 svchost.exe Key 0d68
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASIPHLP
00000200 svchost.exe Key 0d80
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000200 svchost.exe Key 0d90
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASIPCP
00000200 svchost.exe Key 0e30
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
00000230 csrss.exe Key 00c8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
00000234 winlogon.exe Key 0030 \REGISTRY\MACHINE
0000025C csrss.exe Key 00c8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
00000260 winlogon.exe Key 0030 \REGISTRY\MACHINE
00000294 svchost.exe Key 0018 \REGISTRY\MACHINE
00000294 svchost.exe Key 00b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
00000294 svchost.exe Key 00b8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000294 svchost.exe Key 00bc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
00000294 svchost.exe Key 00c0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000294 svchost.exe Key 00d8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
00000294 svchost.exe Key 00e0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000029C svchost.exe Key 0018 \REGISTRY\MACHINE
0000029C svchost.exe Key 00b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000029C svchost.exe Key 00b8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000029C svchost.exe Key 00bc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000029C svchost.exe Key 00c0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
0000029C svchost.exe Key 00f0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000029C svchost.exe Key 00f8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000029C svchost.exe Key 01e8
\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings
0000029C svchost.exe Key 01f0 \REGISTRY\USER\S-1-5-19
0000029C svchost.exe Key 0214
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000029C svchost.exe Key 02f8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
0000029C svchost.exe Key 0310 \REGISTRY\USER
0000029C svchost.exe Key 0314
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000029C svchost.exe Key 0318
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
000002D8 spoolsv.exe Key 0030 \REGISTRY\MACHINE
000002D8 spoolsv.exe Key 0190
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print
000002D8 spoolsv.exe Key 0194
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Print\Printers
000002D8 spoolsv.exe Key 01c0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard
TCP/IP Port
000002D8 spoolsv.exe Key 01c8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002D8 spoolsv.exe Key 01d0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002D8 spoolsv.exe Key 01ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
000002D8 spoolsv.exe Key 0220
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Key 0228
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0234 \REGISTRY\USER
000002D8 spoolsv.exe Key 0238
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Key 0244
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 024c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0254
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe Key 025c
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Key 0264
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0270
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0278
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe Key 0280
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe Key 028c
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe Key 02e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000002D8 spoolsv.exe Key 02e8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000002D8 spoolsv.exe Key 02ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000002D8 spoolsv.exe Key 02f0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000002D8 spoolsv.exe Key 0328
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000002D8 spoolsv.exe Key 0334 \REGISTRY\USER\.DEFAULT
000002FC msdtc.exe Key 0038 \REGISTRY\MACHINE
000002FC msdtc.exe Key 00ac
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000002FC msdtc.exe Key 0104
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002FC msdtc.exe Key 010c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002FC msdtc.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Tracing\MSDTC\Changed
000002FC msdtc.exe Key 01b0
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe Key 01d0
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe Key 01d4
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe Key 01d8
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe Key 01dc
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe Key 01e0
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe Key 0208
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe Key 0210
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 021c \REGISTRY\USER
000002FC msdtc.exe Key 0220
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe Key 022c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0234
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 023c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe Key 0244
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe Key 024c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0258
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0260
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe Key 0268
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe Key 0274 \REGISTRY\USER\S-1-5-20_CLASSES
000003B8 inetinfo.exe Key 0030 \REGISTRY\MACHINE
000003B8 inetinfo.exe Key 00cc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000003B8 inetinfo.exe Key 00d4 \REGISTRY\USER\.DEFAULT
000003B8 inetinfo.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe Key 012c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0138 \REGISTRY\USER
000003B8 inetinfo.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0150
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe Key 0168
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0174
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe Key 0184
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe Key 0228
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003B8 inetinfo.exe Key 0350
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003B8 inetinfo.exe Key 0358
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003B8 inetinfo.exe Key 065c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
000003B8 inetinfo.exe Key 0674
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe Key 06c0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip
000003B8 inetinfo.exe Key 06dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Parameters
000003B8 inetinfo.exe Key 0860
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe Key 0978
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Parameters
000003B8 inetinfo.exe Key 09dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ContentIndex
000003B8 inetinfo.exe Key 0bb8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe Key 0bc8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003CC llssrv.exe Key 0038 \REGISTRY\MACHINE
000003CC llssrv.exe Key 0120
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003CC llssrv.exe Key 0128
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003A8 NSPMON.exe Key 0018 \REGISTRY\MACHINE
000003A8 NSPMON.exe Key 005c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003A8 NSPMON.exe Key 0064
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000041C NSCM.exe Key 0018 \REGISTRY\MACHINE
0000041C NSCM.exe Key 0058
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe Key 005c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe Key 00ac
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe Key 00b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
0000041C NSCM.exe Key 00bc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
0000041C NSCM.exe Key 00c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
0000041C NSCM.exe Key 00cc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
0000041C NSCM.exe Key 00d4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
0000041C NSCM.exe Key 00dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
0000041C NSCM.exe Key 00e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
0000041C NSCM.exe Key 00ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
0000041C NSCM.exe Key 00f4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe Key 00fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
0000041C NSCM.exe Key 0104
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
0000041C NSCM.exe Key 010c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
0000041C NSCM.exe Key 0114
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
0000041C NSCM.exe Key 011c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
0000041C NSCM.exe Key 0124
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
0000041C NSCM.exe Key 012c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
0000041C NSCM.exe Key 0134
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
0000041C NSCM.exe Key 013c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
0000041C NSCM.exe Key 0144
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
0000041C NSCM.exe Key 014c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
0000041C NSCM.exe Key 0154
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
0000041C NSCM.exe Key 015c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
0000041C NSCM.exe Key 0164
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
0000041C NSCM.exe Key 016c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
0000041C NSCM.exe Key 019c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000041C NSCM.exe Key 01a4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000041C NSCM.exe Key 01b0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation
0000041C NSCM.exe Key 01b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Parameters
0000041C NSCM.exe Key 01c4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
0000041C NSCM.exe Key 01cc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
0000041C NSCM.exe Key 0218
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Stations
0000041C NSCM.exe Key 0278
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe Key 0280
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 028c \REGISTRY\USER
0000041C NSCM.exe Key 0290
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe Key 029c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02a4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02ac
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe Key 02b4
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe Key 02bc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02c8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02d0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe Key 02d8
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe Key 02e4
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
0000046C svchost.exe Key 0018 \REGISTRY\MACHINE
000004C0 svchost.exe Key 002c \REGISTRY\MACHINE
000004C0 svchost.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 012c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0138 \REGISTRY\USER
000004C0 svchost.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0150
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 0168
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0174
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe Key 0184
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe Key 0190
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe Key 0214
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000004C0 svchost.exe Key 021c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000004C0 svchost.exe Key 0220
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000004C0 svchost.exe Key 027c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
000003DC dfssvc.exe Key 0030 \REGISTRY\MACHINE
000004F0 NSUM.exe Key 001c \REGISTRY\MACHINE
000004F0 NSUM.exe Key 0058
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe Key 005c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe Key 00ac
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe Key 00b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
000004F0 NSUM.exe Key 00bc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
000004F0 NSUM.exe Key 00c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
000004F0 NSUM.exe Key 00cc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
000004F0 NSUM.exe Key 00d4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
000004F0 NSUM.exe Key 00dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
000004F0 NSUM.exe Key 00e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
000004F0 NSUM.exe Key 00ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
000004F0 NSUM.exe Key 00f4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
000004F0 NSUM.exe Key 00fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe Key 0104
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
000004F0 NSUM.exe Key 010c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
000004F0 NSUM.exe Key 0114
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
000004F0 NSUM.exe Key 011c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
000004F0 NSUM.exe Key 0124
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
000004F0 NSUM.exe Key 012c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
000004F0 NSUM.exe Key 0134
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
000004F0 NSUM.exe Key 013c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
000004F0 NSUM.exe Key 0144
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
000004F0 NSUM.exe Key 014c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
000004F0 NSUM.exe Key 0154
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
000004F0 NSUM.exe Key 015c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
000004F0 NSUM.exe Key 0164
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
000004F0 NSUM.exe Key 016c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
000004F0 NSUM.exe Key 0180
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000004F0 NSUM.exe Key 01c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000004F0 NSUM.exe Key 01d0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000004F0 NSUM.exe Key 0228
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters\Virtual
Roots
000004F0 NSUM.exe Key 022c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters
000004F0 NSUM.exe Key 023c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowUnicastClients
000004F0 NSUM.exe Key 0240
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowUnicastClients
000004F0 NSUM.exe Key 0248
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
000004F0 NSUM.exe Key 0250
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
000004F0 NSUM.exe Key 02b8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Event
Notification\ACL Check
000004F0 NSUM.exe Key 02cc
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe Key 02d4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 02e0 \REGISTRY\USER
000004F0 NSUM.exe Key 02e4
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe Key 02f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 02f8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 0300
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe Key 0308
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe Key 0310
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 031c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 0324
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe Key 032c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe Key 0338
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
000004F0 NSUM.exe Key 033c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP
BASIC-Membership
000004F0 NSUM.exe Key 0340
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP
BASIC-NTLM
000004F0 NSUM.exe Key 0344
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\NTLM-NTLM
00000548 nspm.exe Key 0018 \REGISTRY\MACHINE
00000548 nspm.exe Key 005c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
00000548 nspm.exe Key 0068
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000\Control
Panel\International
00000548 nspm.exe Key 00e8
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe Key 00f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 00fc \REGISTRY\USER
00000548 nspm.exe Key 0100
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe Key 010c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0114
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 011c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe Key 012c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0138
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0140
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe Key 0154
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
00000548 nspm.exe Key 0198
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000548 nspm.exe Key 01a0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000548 nspm.exe Key 01a8
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process
0x548 Thread 0x5d0 DBC 0x37684 Jet
00000548 nspm.exe Key 01c0
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process
0x548 Thread 0x5d0 DBC 0x37684 Jet\Engines\Jet
000005C8 svchost.exe Key 002c \REGISTRY\MACHINE
000005C8 svchost.exe Key 00e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000005C8 svchost.exe Key 0164
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Key 016c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 0178 \REGISTRY\USER
000005C8 svchost.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Key 0188
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 0190
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 0198
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe Key 01a0
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Key 01a8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 01b4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 01bc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe Key 01c4
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe Key 01d0
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe Key 0228
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000005C8 svchost.exe Key 0230 \REGISTRY\USER\.DEFAULT
000000F8 explorer.exe Key 0030 \REGISTRY\MACHINE
000000F8 explorer.exe Key 0048
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe Key 0050
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000F8 explorer.exe Key 0058
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
000000F8 explorer.exe Key 0060
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe Key 006c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World
Full Access Shared Parameters
000000F8 explorer.exe Key 0094
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe Key 009c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00a8 \REGISTRY\USER
000000F8 explorer.exe Key 00ac
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe Key 00b8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00c8
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe Key 00d0
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe Key 00d8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00e4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00ec
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe Key 00f4
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe Key 0188
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
000000F8 explorer.exe Key 0190
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe Key 01c8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet
Explorer\Security\P3Global
000000F8 explorer.exe Key 01cc
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet
Explorer\Security\P3Sites
000000F8 explorer.exe Key 01d8
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe Key 01dc
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\Shell
000000F8 explorer.exe Key 01e4
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam
000000F8 explorer.exe Key 01e8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000F8 explorer.exe Key 0200
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu
000000F8 explorer.exe Key 0210
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet
Explorer\Security\P3Global
000000F8 explorer.exe Key 0224
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000F8 explorer.exe Key 0230
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe Key 023c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
000000F8 explorer.exe Key 0250
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe Key 02a8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu\Programs\Accessories
000000F8 explorer.exe Key 02e8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu\Programs\Accessories\Entertainment
000000F8 explorer.exe Key 02f4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000F8 explorer.exe Key 0300
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
000000F8 explorer.exe Key 0330
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device
Parameters\Mixer
000000F8 explorer.exe Key 036c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
000000F8 explorer.exe Key 038c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap
000000F8 explorer.exe Key 03e0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000000F8 explorer.exe Key 03e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000000F8 explorer.exe Key 03e8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000000F8 explorer.exe Key 03ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000000F8 explorer.exe Key 0404
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet
Explorer\Security\P3Sites
000000F8 explorer.exe Key 0414
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe Key 0424
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions
000000F8 explorer.exe Key 0434
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe Key 0438
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe Key 0444
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe Key 044c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start
Menu\Programs
000000F8 explorer.exe Key 0454
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
000000F8 explorer.exe Key 0460
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet
Explorer\TypedURLs
000000F8 explorer.exe Key 046c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Internet
Settings
000000F8 explorer.exe Key 0474
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Shell
000000F8 explorer.exe Key 04c4
\REGISTRY\MACHINE\SOFTWARE\Classes
00000720 idwlog.exe Key 0038 \REGISTRY\MACHINE
00000720 idwlog.exe Key 006c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000720 idwlog.exe Key 00e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World
Full Access Shared Parameters
0000079C svchost.exe Key 002c \REGISTRY\MACHINE
0000079C svchost.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\tapisrv
0000079C svchost.exe Key 0200
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\KMDDSP
0000079C svchost.exe Key 02b4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\NDPTSP
0000079C svchost.exe Key 036c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\conftsp
0000079C svchost.exe Key 03a0
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000079C svchost.exe Key 03a8
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000079C svchost.exe Key 03b4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
0000079C svchost.exe Key 03e8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
0000079C svchost.exe Key 03fc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\hidphone
00000668 svchost.exe Key 002c \REGISTRY\MACHINE
00000668 svchost.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000668 svchost.exe Key 00c8 \REGISTRY\USER\.DEFAULT
00000668 svchost.exe Key 0134
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe Key 013c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0148 \REGISTRY\USER
00000668 svchost.exe Key 014c
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0168
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe Key 0170
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe Key 0178
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0184
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 018c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe Key 0194
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe Key 01a0
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe Key 0038 \REGISTRY\MACHINE
00000870 wmiprvse.exe Key 011c
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0130 \REGISTRY\USER
00000870 wmiprvse.exe Key 0134
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe Key 0140
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0148
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0150
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe Key 0158
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe Key 0160
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 016c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 0174
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe Key 017c
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe Key 0188
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Key 003c \REGISTRY\MACHINE
0000076C wuauclt.exe Key 0054
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000076C wuauclt.exe Key 006c
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
0000076C wuauclt.exe Key 0070
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000076C wuauclt.exe Key 008c
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Key 0094
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00a0 \REGISTRY\USER
0000076C wuauclt.exe Key 00a4
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Key 00b0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00b8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00c0
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe Key 00c8
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe Key 00d0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00dc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00e4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe Key 00ec
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe Key 0214
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
0000076C wuauclt.exe Key 022c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000076C wuauclt.exe Key 0234
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000076C wuauclt.exe Key 0254
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
0000076C wuauclt.exe Key 0290
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000076C wuauclt.exe Key 0294
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000076C wuauclt.exe Key 0298
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000076C wuauclt.exe Key 029c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000838 cmd.exe Key 0050 \REGISTRY\MACHINE
00000838 cmd.exe Key 0054
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
00000838 cmd.exe Key 0058
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000838 cmd.exe Key 005c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000838 cmd.exe Key 0060
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
0000071C notepad.exe Key 004c \REGISTRY\MACHINE
0000071C notepad.exe Key 0054
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000071C notepad.exe Key 0058
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000071C notepad.exe Key 0064
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
0000071C notepad.exe Key 0094 \REGISTRY\USER
0000071C notepad.exe Key 00d0
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
0000071C notepad.exe Key 00d4
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
0000071C notepad.exe Key 01f8
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\Shell
0000071C notepad.exe Key 01fc
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam
0000071C notepad.exe Key 0200
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam\MUICache
000006F0 wmiadap.exe Key 0038 \REGISTRY\MACHINE
000006F0 wmiadap.exe Key 005c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000006F0 wmiadap.exe Key 0060
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000006F0 wmiadap.exe Key 0064
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000006F0 wmiadap.exe Key 00e0
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe Key 00e8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe Key 00f4 \REGISTRY\USER
000006F0 wmiadap.exe Key 00f8
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe Key 0104
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe Key 010c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe Key 0114
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000006F0 wmiadap.exe Key 011c
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe Key 0124
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe Key 0130
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe Key 0138
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe Key 0140
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000006F0 wmiadap.exe Key 014c
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe Key 018c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000006F0 wmiadap.exe Key 019c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000006F0 wmiadap.exe Key 01ac
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
000006F0 wmiadap.exe Key 01b4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
000006F0 wmiadap.exe Key 01bc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
000006F0 wmiadap.exe Key 01c4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
000006F0 wmiadap.exe Key 01cc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
000006F0 wmiadap.exe Key 01d4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
000006F0 wmiadap.exe Key 01dc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
000006F0 wmiadap.exe Key 01e4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
000006F0 wmiadap.exe Key 01ec
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
000006F0 wmiadap.exe Key 01f4
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
000006F0 wmiadap.exe Key 01fc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000006F0 wmiadap.exe Key 0204
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
000006F0 wmiadap.exe Key 020c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
000006F0 wmiadap.exe Key 0214
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
000006F0 wmiadap.exe Key 021c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
000006F0 wmiadap.exe Key 0224
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
000006F0 wmiadap.exe Key 022c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
000006F0 wmiadap.exe Key 0234
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
000006F0 wmiadap.exe Key 023c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
000006F0 wmiadap.exe Key 0244
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
000006F0 wmiadap.exe Key 024c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
000006F0 wmiadap.exe Key 0254
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
000006F0 wmiadap.exe Key 025c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
000006F0 wmiadap.exe Key 0264
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
000006F0 wmiadap.exe Key 026c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
00000758 oh.exe Key 07d0 \REGISTRY\MACHINE
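The listing above puts each handle on a header line (hex process ID, process name, object type, hex handle value) and, as rendered on this page, wraps long object names onto the following lines. The Python sketch below is an added example, not part of OH or of the original page: it rejoins the wrapped names and reports which processes hold a given object open. The function names are hypothetical, the sample lines are excerpted from the listings on this page, and the input is assumed to be an OH output file only, with no surrounding prose.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Header line: 8-digit hex PID, process name, object type, hex handle value,
# then (optionally) the start of the object name. Assumes process names and
# type names contain no spaces, as in the listings on this page.
HEADER = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\s+(?P<proc>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<handle>[0-9A-Fa-f]{4,8})(?:\s+(?P<name>\S.*))?$"
)


@dataclass
class Handle:
    pid: int        # parsed from hex: 00000548 is the "process 0x548" in the Jet DSN key
    process: str
    obj_type: str
    handle: int
    name: str


def parse_oh(text):
    """Parse OH output into Handle records, rejoining wrapped object names."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append(Handle(int(m["pid"], 16), m["proc"], m["type"],
                                  int(m["handle"], 16), m["name"] or ""))
        elif records:
            # Continuation line: the name wrapped at a space (or started on
            # the line after the header), so rejoin with a single space.
            last = records[-1]
            last.name = f"{last.name} {line}".strip()
    return records


def holders(records, needle, obj_type=None):
    """Map (pid, process) -> sorted object names containing `needle`."""
    found = defaultdict(set)
    needle = needle.lower()
    for r in records:
        if obj_type and r.obj_type.lower() != obj_type.lower():
            continue
        if needle in r.name.lower():
            found[(r.pid, r.process)].add(r.name)
    return {key: sorted(names) for key, names in found.items()}


def handle_counts(records):
    """Count open handles per (process, object type)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r.process, r.obj_type)] += 1
    return dict(counts)


# Sample input: lines excerpted from the listings on this page.
SAMPLE = r"""
00000004 System File 0044 \WINDOWS\system32\config\SAM.LOG
00000004 System File 0088 \WINDOWS\system32\config\SAM
00000004 System File 01a4 \Documents and
Settings\LocalService.NT AUTHORITY\NTUSER.DAT
0000041C NSCM.exe Key 01c4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
000004F0 NSUM.exe Key 0228
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters\Virtual
Roots
000004F0 NSUM.exe Key 0248
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
00000548 nspm.exe Key 0018 \REGISTRY\MACHINE
00000548 nspm.exe Key 01a8
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process
0x548 Thread 0x5d0 DBC 0x37684 Jet
"""

if __name__ == "__main__":
    recs = parse_oh(SAMPLE)
    for (pid, proc), names in holders(recs, r"\NetShow\AccessLists").items():
        print(f"{proc} (PID {pid}) holds: {', '.join(names)}")
    for (proc, obj_type), n in sorted(handle_counts(recs).items()):
        print(f"{proc:10} {obj_type:5} {n}")
```

Saving such a summary at a known-good point gives a baseline to compare later OH runs against when looking for processes that hold unexpected files or keys open.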
To generate a list of file objects and send the output to the file C:\Output\Ohfile.txt, type the following at the command line:
oh /t file /o c:\output\ohfile.txt
Looking in Ohfile.txt, you then see output similar to the following:
00000004 System File 0034
\WINDOWS\system32\config\software
00000004 System File 0044 \WINDOWS\system32\config\SAM.LOG
00000004 System File 007c
\WINDOWS\system32\config\SECURITY
00000004 System File 0084
\WINDOWS\system32\config\default.LOG
00000004 System File 0088 \WINDOWS\system32\config\SAM
00000004 System File 0090 \WINDOWS\system32\config\default
00000004 System File 00a0
\WINDOWS\system32\config\system.LOG
00000004 System File 00b8
\WINDOWS\system32\config\software.LOG
00000004 System File 00d8 \pagefile.sys
00000004 System File 00f4
\WINDOWS\system32\config\SECURITY.LOG
00000004 System File 01a4 \Documents and
Settings\LocalService.NT AUTHORITY\NTUSER.DAT
00000004 System File 01b0 \Documents and
Settings\NetworkService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 01b4 \Documents and
Settings\LocalService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System File 01bc \Documents and
Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
00000004 System File 01c0 \Documents and
Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
00000004 System File 01c8 \Documents and
Settings\NetworkService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System File 01cc \Documents and
Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
00000004 System File 01d0 \Documents and
Settings\LocalService.NT AUTHORITY\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 0238 \WINDOWS\system32\config\system
00000004 System File 02fc
\WINDOWS\system32\MsDtc\Trace\dtctrace.log
00000004 System File 0390 \Documents and
Settings\NetShowServices\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System File 03a0 \Documents and
Settings\NetShowServices\NTUSER.DAT
00000004 System File 03a4 \Documents and
Settings\NetShowServices\ntuser.dat.LOG
00000004 System File 03b4 \Documents and
Settings\NetShowServices\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 03b8 \
00000004 System File 0498 \WINDOWS\DfsSvcLogFile
00000004 System File 04a8 \255
00000004 System File 0c3c \Documents and
Settings\user.XP\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
00000004 System File 0c44 \Documents and
Settings\user.XP\ntuser.dat.LOG
00000004 System File 0c48 \Documents and
Settings\user.XP\NTUSER.DAT
00000004 System File 0c4c \Documents and
Settings\user.XP\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System File 0dcc
\WINDOWS\system32\LogFiles\W3SVC1\ex010522.log
00000004 System File 0ddc \Topology
00000004 System File 0dfc \47
000000C0 smss.exe File 0010 \WINDOWS
000000C0 smss.exe File 0024 \WINDOWS\system32
000000D8 csrss.exe File 0014 \WINDOWS\system32
000000D8 csrss.exe File 0728 \WINDOWS\system32\ega.cpi
000000E0 winlogon.exe File 00b4
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe File 01a4 \InitShutdown
000000E0 winlogon.exe File 01a8 \InitShutdown
000000E0 winlogon.exe File 0244 \WINDOWS\system32\dllcache
000000E0 winlogon.exe File 0260 \WINDOWS\AppPatch
000000E0 winlogon.exe File 0264 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_adm
000000E0 winlogon.exe File 0270 \svcctl
000000E0 winlogon.exe File 0274 \ntsvcs
000000E0 winlogon.exe File 0280 \svcctl
000000E0 winlogon.exe File 0284 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_adm
000000E0 winlogon.exe File 0288 \WINDOWS\system32
000000E0 winlogon.exe File 028c \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_aut
000000E0 winlogon.exe File 0290 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_aut
000000E0 winlogon.exe File 0294 \WINDOWS\system32\inetsrv
000000E0 winlogon.exe File 0298 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\bin
000000E0 winlogon.exe File 029c \WINDOWS\Fonts
000000E0 winlogon.exe File 02a0 \WINDOWS\system32\drivers
000000E0 winlogon.exe File 02a4 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\servsupp
000000E0 winlogon.exe File 02a8 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\bots\vinavbar
000000E0 winlogon.exe File 02ac \Program Files\Microsoft
FrontPage\version3.0\bin
000000E0 winlogon.exe File 02b0 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin
000000E0 winlogon.exe File 02b4 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\bin\1033
000000E0 winlogon.exe File 02b8 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\isapi
000000E0 winlogon.exe File 02bc \WINDOWS
000000E0 winlogon.exe File 02c0 \Program Files\Common
Files\Microsoft Shared\DAO
000000E0 winlogon.exe File 02c4 \Program Files\Windows Media
Player
000000E0 winlogon.exe File 02c8 \Program Files\Common
Files\System\msadc
000000E0 winlogon.exe File 02cc \Program Files\Common
Files\System\ado
000000E0 winlogon.exe File 02d0 \Program Files\Common
Files\System\Ole DB
000000E0 winlogon.exe File 02d4 \WINDOWS\inf
000000E0 winlogon.exe File 02d8 \WINDOWS\system32\Setup
000000E0 winlogon.exe File 02f8
\WINDOWS\system32\clients\tsclient\win16
000000E0 winlogon.exe File 02fc
\WINDOWS\Microsoft.NET\Framework\v1.0.2706
000000E0 winlogon.exe File 0300 \WINDOWS\Application
Compatibility Scripts
000000E0 winlogon.exe File 0304
\WINDOWS\system32\clients\tsclient\win32\acme351
000000E0 winlogon.exe File 0308 \WINDOWS\msagent
000000E0 winlogon.exe File 030c \WINDOWS\msagent\intl
000000E0 winlogon.exe File 0310 \WINDOWS\system32\netmon\parsers
000000E0 winlogon.exe File 0314 \WINDOWS\system
000000E0 winlogon.exe File 0318 \WINDOWS\system32\netmon
000000E0 winlogon.exe File 031c \WINDOWS\Help
000000E0 winlogon.exe File 0320
\WINDOWS\PCHEALTH\HELPCTR\Binaries
000000E0 winlogon.exe File 0324 \Program Files\NetMeeting
000000E0 winlogon.exe File 0328 \WINDOWS\system32\drivers\disdn
000000E0 winlogon.exe File 032c \WINDOWS\ime\chtime\applets
000000E0 winlogon.exe File 0330 \WINDOWS\system32\wbem
000000E0 winlogon.exe File 0334 \WINDOWS\Cluster
000000E0 winlogon.exe File 0338 \WINDOWS\system32\Com
000000E0 winlogon.exe File 033c \WINDOWS\ime\imjp8_1
000000E0 winlogon.exe File 0340 \Program Files\Common
Files\Microsoft Shared\Triedit
000000E0 winlogon.exe File 0344 \Program Files\Windows NT
000000E0 winlogon.exe File 0348 \Program Files\Common
Files\System
000000E0 winlogon.exe File 034c \WINDOWS\system32\1033
000000E0 winlogon.exe File 0350 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\admcgi\scripts
000000E0 winlogon.exe File 0354 \Program Files\Common
Files\Microsoft Shared\Web Server Extensions\40\admisapi\scripts
000000E0 winlogon.exe File 0358 \WINDOWS\ime\imkr6_1\dicts
000000E0 winlogon.exe File 035c \WINDOWS\system32\mui\0009
000000E0 winlogon.exe File 0360 \Program Files\Internet Explorer
000000E0 winlogon.exe File 0364 \WINDOWS\ime\imjp8_1\applets
000000E0 winlogon.exe File 0368 \WINDOWS\ime\imkr6_1\applets
000000E0 winlogon.exe File 036c \Program Files\Internet
Explorer\Connection Wizard
000000E0 winlogon.exe File 0370 \Program Files\Common
Files\Microsoft Shared\MSInfo
000000E0 winlogon.exe File 0374 \Program Files\Common
Files\Microsoft Shared\Smart Tag
000000E0 winlogon.exe File 0378 \WINDOWS\ime\imkr6_1
000000E0 winlogon.exe File 037c \WINDOWS\ime\shared
000000E0 winlogon.exe File 0380 \WINDOWS\system32\reminst
000000E0 winlogon.exe File 0384 \WINDOWS\system32\ime\pintlgnt
000000E0 winlogon.exe File 0388
\WINDOWS\system32\clients\tsclient\win32
000000E0 winlogon.exe File 038c \Program Files\Common
Files\SpeechEngines\Microsoft\Lexicon\1033
000000E0 winlogon.exe File 0390 \WINDOWS\Resources\Themes\Luna
000000E0 winlogon.exe File 0394 \WINDOWS\ime
000000E0 winlogon.exe File 0398 \Program Files\Outlook Express
000000E0 winlogon.exe File 039c \Program Files\MSN\SmartTag
000000E0 winlogon.exe File 03a0 \WINDOWS\system32\oobe
000000E0 winlogon.exe File 03a4 \WINDOWS\mui
000000E0 winlogon.exe File 03a8 \WINDOWS\system32\npp
000000E0 winlogon.exe File 03ac \WINDOWS\ime\shared\res
000000E0 winlogon.exe File 03b0 \WINDOWS\system32\rocket
000000E0 winlogon.exe File 03b4 \WINDOWS\ime\chsime\applets
000000E0 winlogon.exe File 03b8 \WINDOWS\system32\rpcproxy
000000E0 winlogon.exe File 03bc \Program Files\Common
Files\SpeechEngines\Microsoft\TTS\1033
000000E0 winlogon.exe File 03c0 \Program Files\Common
Files\Microsoft Shared\Speech
000000E0 winlogon.exe File 03c4
\WINDOWS\system32\certsrv\certcontrol\ia64
000000E0 winlogon.exe File 03c8
\WINDOWS\system32\certsrv\certcontrol\w2k
000000E0 winlogon.exe File 03cc
\WINDOWS\system32\certsrv\certcontrol\x86
000000E0 winlogon.exe File 03d0
\WINDOWS\system32\spool\prtprocs\w32x86
000000E0 winlogon.exe File 03d4
\WINDOWS\Resources\Themes\Luna\Shell
000000E0 winlogon.exe File 03d8 \WINDOWS\system32\wbem\snmp
000000E0 winlogon.exe File 03dc \Program Files\Common
Files\SpeechEngines\Microsoft
000000E0 winlogon.exe File 03e0 \Program Files\Common
Files\Microsoft Shared\Speech\1033
000000E0 winlogon.exe File 03e4
\WINDOWS\system32\spool\drivers\color
000000E0 winlogon.exe File 03e8 \WINDOWS\system32\ime\tintlgnt
000000E0 winlogon.exe File 03ec \WINDOWS\Help\Tours
000000E0 winlogon.exe File 03f0 \WINDOWS\system32\wbem\AdStatus
000000E0 winlogon.exe File 03f4
\WINDOWS\PCHEALTH\UploadLB\Binaries
000000E0 winlogon.exe File 03f8 \Program Files\Common
Files\Microsoft Shared\VGX
000000E0 winlogon.exe File 0400
\WINDOWS\Microsoft.NET\Framework\v1.0.2706\1033
000000E0 winlogon.exe File 0404 \WINDOWS\system32\wbem\xml
000000E0 winlogon.exe File 0410 \Program Files\Windows
NT\Accessories
000000E0 winlogon.exe File 0428 \WINDOWS\WinSxS
000000E0 winlogon.exe File 05d0 \SfcApi
000000E0 winlogon.exe File 05d4 \SfcApi
000000E0 winlogon.exe File 0640
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000E0 winlogon.exe File 06b4 \ProfMapApi
000000E0 winlogon.exe File 06b8 \ProfMapApi
000000E0 winlogon.exe File 0758 \winlogonrpc
000000E0 winlogon.exe File 075c \winlogonrpc
000000E0 winlogon.exe File 0794
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe File 0828 \AudioSrv
000000E0 winlogon.exe File 0914 \WINDOWS\system32
00000110 services.exe File 0014 \WINDOWS\system32
00000110 services.exe File 0204 \ntsvcs
00000110 services.exe File 0260 \ntsvcs
00000110 services.exe File 0264 \ntsvcs
00000110 services.exe File 02bc \scerpc
00000110 services.exe File 02c0 \scerpc
00000110 services.exe File 02c4 \ntsvcs
00000110 services.exe File 02dc \lsarpc
00000110 services.exe File 0314 \svcctl
00000110 services.exe File 0320 \net\NtControlPipe1
00000110 services.exe File 0328 \ntsvcs
00000110 services.exe File 0330 \ntsvcs
00000110 services.exe File 033c \net\NtControlPipe2
00000110 services.exe File 0350 \ntsvcs
00000110 services.exe File 0354 \net\NtControlPipe3
00000110 services.exe File 0360 \net\NtControlPipe3
00000110 services.exe File 0388
\WINDOWS\system32\config\AppEvent.Evt
00000110 services.exe File 0398
\WINDOWS\system32\config\SecEvent.Evt
00000110 services.exe File 03b0
\WINDOWS\system32\config\SysEvent.Evt
00000110 services.exe File 03c8 \net\NtControlPipe4
00000110 services.exe File 03e0 \ntsvcs
00000110 services.exe File 0444 \net\NtControlPipe5
00000110 services.exe File 044c \ntsvcs
00000110 services.exe File 0460 \net\NtControlPipe6
00000110 services.exe File 0468 \ntsvcs
00000110 services.exe File 0470 \ntsvcs
00000110 services.exe File 0494 \ntsvcs
00000110 services.exe File 04a0 \net\NtControlPipe0
00000110 services.exe File 04a4 \ntsvcs
00000110 services.exe File 04b4 \net\NtControlPipe7
00000110 services.exe File 04b8 \ntsvcs
00000110 services.exe File 04cc \net\NtControlPipe8
00000110 services.exe File 04d4 \ntsvcs
00000110 services.exe File 04e4 \ntsvcs
00000110 services.exe File 04f8 \ntsvcs
00000110 services.exe File 0500 \ntsvcs
00000110 services.exe File 0508 \net\NtControlPipe9
00000110 services.exe File 050c \ntsvcs
00000110 services.exe File 0528 \net\NtControlPipe10
00000110 services.exe File 0550 \ntsvcs
00000110 services.exe File 0564 \net\NtControlPipe11
00000110 services.exe File 0568 \ntsvcs
00000110 services.exe File 0588 \net\NtControlPipe12
00000110 services.exe File 05b8 \ntsvcs
00000110 services.exe File 05d0 \net\NtControlPipe13
00000110 services.exe File 05d8 \ntsvcs
00000110 services.exe File 05e0 \net\NtControlPipe14
00000110 services.exe File 05ec \ntsvcs
00000110 services.exe File 05f8 \ntsvcs
00000110 services.exe File 0600 \net\NtControlPipe15
00000110 services.exe File 060c \ntsvcs
00000110 services.exe File 0620 \net\NtControlPipe16
00000110 services.exe File 0628 \ntsvcs
00000110 services.exe File 0630 \ntsvcs
00000110 services.exe File 0648 \net\NtControlPipe18
00000110 services.exe File 064c \net\NtControlPipe17
00000110 services.exe File 0658 \ntsvcs
00000110 services.exe File 0668 \ntsvcs
00000110 services.exe File 0678 \ntsvcs
00000110 services.exe File 0694 \ntsvcs
00000110 services.exe File 06ac \ntsvcs
00000110 services.exe File 06bc \ntsvcs
00000110 services.exe File 06c0 \net\NtControlPipe21
00000110 services.exe File 06dc \ntsvcs
00000110 services.exe File 06e0 \net\NtControlPipe20
00000110 services.exe File 06ec \ntsvcs
00000110 services.exe File 06f4 \ntsvcs
00000110 services.exe File 0708 \ntsvcs
00000110 services.exe File 070c \ntsvcs
00000110 services.exe File 072c \ntsvcs
00000110 services.exe File 073c \PIPE_EVENTROOT\CIMV2SCM EVENT
PROVIDER
0000011C lsass.exe File 0014 \WINDOWS\system32
0000011C lsass.exe File 0078 \net\NtControlPipe0
0000011C lsass.exe File 01c0 \WINDOWS\Debug\PASSWD.LOG
0000011C lsass.exe File 0288 \lsass
0000011C lsass.exe File 02e4 \protected_storage
0000011C lsass.exe File 02e8 \protected_storage
0000011C lsass.exe File 03e8
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000011C lsass.exe File 0460 \lsass
0000011C lsass.exe File 04f8 \Endpoint
0000011C lsass.exe File 0508 \svcctl
0000011C lsass.exe File 0510 \WINDOWS\Debug\oakley.log
0000011C lsass.exe File 0544 \Endpoint
0000011C lsass.exe File 0558 \Endpoint
0000011C lsass.exe File 055c \255
0000011C lsass.exe File 05a0 \ipsec
0000011C lsass.exe File 05a4 \ipsec
0000011C lsass.exe File 05b8 \lsass
0000011C lsass.exe File 0608 \lsass
0000011C lsass.exe File 0618 \lsass
000001A0 svchost.exe File 0014 \WINDOWS\system32
000001A0 svchost.exe File 0054 \net\NtControlPipe1
000001A0 svchost.exe File 0154 \Endpoint
000001A0 svchost.exe File 015c \Endpoint
000001A0 svchost.exe File 0168
\Winsock2\CatalogChangeListener-1a0-0
000001A0 svchost.exe File 0170 \Endpoint
000001A0 svchost.exe File 0184 \Endpoint
000001A0 svchost.exe File 01d4 \Endpoint
000001A0 svchost.exe File 02bc \epmapper
000001A0 svchost.exe File 02c0 \epmapper
000001A0 svchost.exe File 0358 \Endpoint
000001A0 svchost.exe File 0438 \svcctl
000001BC svchost.exe File 0014 \WINDOWS\system32
000001BC svchost.exe File 008c \net\NtControlPipe2
000001BC svchost.exe File 00a0 \svcctl
000001BC svchost.exe File 0154 \TermSrv_Licensing_Core
000001BC svchost.exe File 0158 \TermSrv_Licensing_Core
000001BC svchost.exe File 0230 \Ctx_WinStation_API_service
000001BC svchost.exe File 0234 \Ctx_WinStation_API_service
00000200 svchost.exe File 0014 \WINDOWS\system32
00000200 svchost.exe File 008c \net\NtControlPipe4
00000200 svchost.exe File 00a0 \svcctl
00000200 svchost.exe File 00ac
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000200 svchost.exe File 0164 \DhcpClient
00000200 svchost.exe File 0260
\WINDOWS\Registration\R000000000013.clb
00000200 svchost.exe File 028c \svcctl
00000200 svchost.exe File 02d8 \ntsvcs
00000200 svchost.exe File 02dc \WINDOWS\SchedLgU.Txt
00000200 svchost.exe File 0354 \Endpoint
00000200 svchost.exe File 0364
\Winsock2\CatalogChangeListener-200-0
00000200 svchost.exe File 0394 \Endpoint
00000200 svchost.exe File 0398 \atsvc
00000200 svchost.exe File 039c \atsvc
00000200 svchost.exe File 03c0 \WINDOWS\Tasks
00000200 svchost.exe File 0460 \wkssvc
00000200 svchost.exe File 04dc \AudioSrv
00000200 svchost.exe File 04e0 \AudioSrv
00000200 svchost.exe File 0518 \keysvc
00000200 svchost.exe File 051c \keysvc
00000200 svchost.exe File 057c \PCHHangRepExecPipe
00000200 svchost.exe File 058c \PCHFaultRepExecPipe
00000200 svchost.exe File 05e4 \srvsvc
00000200 svchost.exe File 05f4 \AudioSrv
00000200 svchost.exe File 0674 \SECLOGON
00000200 svchost.exe File 0678 \SECLOGON
00000200 svchost.exe File 06c8 \trkwks
00000200 svchost.exe File 06cc \trkwks
00000200 svchost.exe File 06ec \$Extend\$ObjId
00000200 svchost.exe File 0714 \System Volume
Information\tracking.log
00000200 svchost.exe File 0790 \W32TIME
00000200 svchost.exe File 0794 \W32TIME
00000200 svchost.exe File 07f4 \Endpoint
00000200 svchost.exe File 0804 \Endpoint
00000200 svchost.exe File 08c0 \wzcsvc
00000200 svchost.exe File 08c4 \wzcsvc
00000200 svchost.exe File 0910 \WMDMPMSPpipe
00000200 svchost.exe File 09d0
\{9B365890-165F-11D0-A195-0020AFD156E4}
00000200 svchost.exe File 09ec \wkssvc
00000200 svchost.exe File 0a04 \srvsvc
00000200 svchost.exe File 0a44 \browser
00000200 svchost.exe File 0a48 \browser
00000200 svchost.exe File 0af8
\Winsock2\CatalogChangeListener-200-1
00000200 svchost.exe File 0b64 \svcctl
00000200 svchost.exe File 0c08 \EVENTLOG
00000200 svchost.exe File 0c98 \ROUTER
00000200 svchost.exe File 0c9c \ROUTER
00000200 svchost.exe File 0da8 \wkssvc
00000200 svchost.exe File 0db0 \srvsvc
00000200 svchost.exe File 0df8 \Documents and Settings\Default
User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat
00000200 svchost.exe File 0e0c \Documents and Settings\Default
User.WINDOWS\Cookies\index.dat
00000200 svchost.exe File 0e10 \Documents and Settings\Default
User.WINDOWS\Local Settings\History\History.IE5\index.dat
00000200 svchost.exe File 0e50 \ROUTER
00000230 csrss.exe File 0014 \WINDOWS\system32
00000234 winlogon.exe File 0014 \WINDOWS\system32
0000025C csrss.exe File 0014 \WINDOWS\system32
00000260 winlogon.exe File 0014 \WINDOWS\system32
00000294 svchost.exe File 0014 \WINDOWS\system32
00000294 svchost.exe File 0038 \net\NtControlPipe5
00000294 svchost.exe File 0080 \svcctl
00000294 svchost.exe File 00fc \WINDOWS\system32\drivers\etc
00000294 svchost.exe File 0134 \DNSRSLVR
00000294 svchost.exe File 0144 \DNSRSLVR
00000294 svchost.exe File 0148 \svcctl
00000294 svchost.exe File 0164 \DNSRSLVR
00000294 svchost.exe File 0198 \DNSRSLVR
0000029C svchost.exe File 0014 \WINDOWS\system32
0000029C svchost.exe File 0038 \net\NtControlPipe6
0000029C svchost.exe File 0080 \svcctl
0000029C svchost.exe File 0110 \Alerter
0000029C svchost.exe File 0128
\Winsock2\CatalogChangeListener-29c-0
0000029C svchost.exe File 0168 \messngr
0000029C svchost.exe File 0194 \msgsvc
0000029C svchost.exe File 0198 \msgsvc
0000029C svchost.exe File 01d0 \Endpoint
0000029C svchost.exe File 01f8 \DAV RPC SERVICE
0000029C svchost.exe File 0204 \ntsvcs
0000029C svchost.exe File 0218
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000029C svchost.exe File 022c \Documents and
Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
0000029C svchost.exe File 023c \Documents and
Settings\LocalService.NT AUTHORITY\Cookies\index.dat
0000029C svchost.exe File 0248 \Documents and
Settings\LocalService.NT AUTHORITY\Local
Settings\History\History.IE5\index.dat
0000029C svchost.exe File 02ac \DAV RPC SERVICE
0000029C svchost.exe File 02b0 \DAV RPC SERVICE
0000029C svchost.exe File 02b4 \msgsvc
0000029C svchost.exe File 02c0 \DNSRSLVR
0000029C svchost.exe File 0358 \ROUTER
000002D8 spoolsv.exe File 0014 \WINDOWS\system32
000002D8 spoolsv.exe File 0048 \net\NtControlPipe7
000002D8 spoolsv.exe File 0090 \svcctl
000002D8 spoolsv.exe File 00cc \spoolss
000002D8 spoolsv.exe File 00d0 \spoolss
000002D8 spoolsv.exe File 0208 \ntsvcs
000002D8 spoolsv.exe File 0330
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000002FC msdtc.exe File 0014 \WINDOWS\system32
000002FC msdtc.exe File 00c0 \net\NtControlPipe8
000002FC msdtc.exe File 00d4 \svcctl
000002FC msdtc.exe File 018c \Endpoint
000002FC msdtc.exe File 01a8
\Winsock2\CatalogChangeListener-2fc-0
000002FC msdtc.exe File 01ac \Endpoint
000002FC msdtc.exe File 0284
\WINDOWS\system32\MsDtc\MSDTC.LOG
000003B8 inetinfo.exe File 0014 \WINDOWS\system32
000003B8 inetinfo.exe File 006c \net\NtControlPipe9
000003B8 inetinfo.exe File 00b0 \svcctl
000003B8 inetinfo.exe File 00c0 \svcctl
000003B8 inetinfo.exe File 00d0
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000003B8 inetinfo.exe File 01c0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01c8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01d0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01d8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01e0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01e8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01f0
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 01f8
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 0200
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 0208
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe File 05ec \Endpoint
000003B8 inetinfo.exe File 05fc
\Winsock2\CatalogChangeListener-3b8-0
000003B8 inetinfo.exe File 0610 \Endpoint
000003B8 inetinfo.exe File 0638 \INETINFO
000003B8 inetinfo.exe File 063c \INETINFO
000003B8 inetinfo.exe File 0668 \EVENTLOG
000003B8 inetinfo.exe File 0698 \Endpoint
000003B8 inetinfo.exe File 071c \Inetpub\ftproot
000003B8 inetinfo.exe File 073c \Endpoint
000003B8 inetinfo.exe File 0740 \Endpoint
000003B8 inetinfo.exe File 0744 \Endpoint
000003B8 inetinfo.exe File 0748 \Endpoint
000003B8 inetinfo.exe File 074c \Endpoint
000003B8 inetinfo.exe File 0750 \Endpoint
000003B8 inetinfo.exe File 0754 \Endpoint
000003B8 inetinfo.exe File 0758 \Endpoint
000003B8 inetinfo.exe File 075c \Endpoint
000003B8 inetinfo.exe File 0760 \Endpoint
000003B8 inetinfo.exe File 0764 \Endpoint
000003B8 inetinfo.exe File 076c \Endpoint
000003B8 inetinfo.exe File 0824 \SMTPSVC
000003B8 inetinfo.exe File 0828 \SMTPSVC
000003B8 inetinfo.exe File 0874 \Endpoint
000003B8 inetinfo.exe File 08ec \Endpoint
000003B8 inetinfo.exe File 08f0 \Endpoint
000003B8 inetinfo.exe File 08f4 \Endpoint
000003B8 inetinfo.exe File 08f8 \Endpoint
000003B8 inetinfo.exe File 08fc \Endpoint
000003B8 inetinfo.exe File 0900 \Endpoint
000003B8 inetinfo.exe File 0918 \Inetpub\mailroot\Pickup
000003B8 inetinfo.exe File 093c \Endpoint
000003B8 inetinfo.exe File 0944 \Endpoint
000003B8 inetinfo.exe File 0948 \Endpoint
000003B8 inetinfo.exe File 094c \Endpoint
000003B8 inetinfo.exe File 0950 \Endpoint
000003B8 inetinfo.exe File 0954 \Endpoint
000003B8 inetinfo.exe File 0958 \Endpoint
000003B8 inetinfo.exe File 095c \Endpoint
000003B8 inetinfo.exe File 0960 \Endpoint
000003B8 inetinfo.exe File 0964 \Endpoint
000003B8 inetinfo.exe File 0968 \Endpoint
000003B8 inetinfo.exe File 0994 \Inetpub\nntpfile\groupvar.lst
000003B8 inetinfo.exe File 0998 \Inetpub\nntpfile\group.lst
000003B8 inetinfo.exe File 099c \Inetpub\nntpfile\article.hsh
000003B8 inetinfo.exe File 09a4 \Inetpub\nntpfile\history.hsh
000003B8 inetinfo.exe File 09ac \Inetpub\nntpfile\xover.hsh
000003B8 inetinfo.exe File 09e0
\Inetpub\nntpfile\root\control\group.vpp
000003B8 inetinfo.exe File 09e4 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe File 09f0 \Inetpub\nntpfile\pickup
000003B8 inetinfo.exe File 09fc
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe File 0a00 \Inetpub\nntpfile\root
000003B8 inetinfo.exe File 0a04 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe File 0a10 \Endpoint
000003B8 inetinfo.exe File 0a18 \Endpoint
000003B8 inetinfo.exe File 0a1c \Endpoint
000003B8 inetinfo.exe File 0a20 \Endpoint
000003B8 inetinfo.exe File 0a24
\Inetpub\nntpfile\root\_slavegroup\group.vpp
000003B8 inetinfo.exe File 0a28
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe File 0a30 \Inetpub\nntpfile\root\group.vpp
000003B8 inetinfo.exe File 0a34 \Inetpub\nntpfile\root
000003B8 inetinfo.exe File 0a3c \Endpoint
000003B8 inetinfo.exe File 0a40 \Endpoint
000003B8 inetinfo.exe File 0a44 \Endpoint
000003B8 inetinfo.exe File 0a48 \Endpoint
000003B8 inetinfo.exe File 0a4c \Endpoint
000003B8 inetinfo.exe File 0a50 \Endpoint
000003B8 inetinfo.exe File 0a54 \Endpoint
000003B8 inetinfo.exe File 0a5c \Endpoint
000003B8 inetinfo.exe File 0a64 \Endpoint
000003B8 inetinfo.exe File 0a68 \Endpoint
000003B8 inetinfo.exe File 0a6c \Endpoint
000003B8 inetinfo.exe File 0a70 \Endpoint
000003B8 inetinfo.exe File 0a74 \Endpoint
000003B8 inetinfo.exe File 0a78 \Endpoint
000003B8 inetinfo.exe File 0a7c \Endpoint
000003B8 inetinfo.exe File 0a80 \Endpoint
000003B8 inetinfo.exe File 0a84 \Endpoint
000003B8 inetinfo.exe File 0a88 \Endpoint
000003B8 inetinfo.exe File 0ae0 \NNTPSVC
000003B8 inetinfo.exe File 0ae4 \NNTPSVC
000003B8 inetinfo.exe File 0b60 \DefaultAppPool
000003B8 inetinfo.exe File 0b88 \iisipm
000003B8 inetinfo.exe File 0bcc \DNSRSLVR
000003B8 inetinfo.exe File 0bdc \IISCgiStdOut952
000003B8 inetinfo.exe File 0be4 \IISCgiStdIn952
000003B8 inetinfo.exe File 0c10 \SSLFilterChannel
000003CC llssrv.exe File 0014 \WINDOWS\system32
000003CC llssrv.exe File 0068 \net\NtControlPipe10
000003CC llssrv.exe File 00ac \svcctl
000003CC llssrv.exe File 017c \llsrpc
000003CC llssrv.exe File 0180 \llsrpc
000003A8 NSPMON.exe File 0014 \WINDOWS\system32
000003A8 NSPMON.exe File 0068 \net\NtControlPipe11
000003A8 NSPMON.exe File 00ac \svcctl
000003A8 NSPMON.exe File 00e8 \Endpoint
000003A8 NSPMON.exe File 00f0 \Endpoint
0000041C NSCM.exe File 0014 \WINDOWS\system32
0000041C NSCM.exe File 0068
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_41c.dat
0000041C NSCM.exe File 017c \net\NtControlPipe12
0000041C NSCM.exe File 0190 \svcctl
0000041C NSCM.exe File 0220 \Endpoint
0000041C NSCM.exe File 0228 \Endpoint
0000046C svchost.exe File 0014 \WINDOWS\system32
0000046C svchost.exe File 0038 \net\NtControlPipe13
0000046C svchost.exe File 0080 \svcctl
0000046C svchost.exe File 00c0 \winreg
0000046C svchost.exe File 00c4 \winreg
000004C0 svchost.exe File 0014 \WINDOWS\system32
000004C0 svchost.exe File 008c \net\NtControlPipe14
000004C0 svchost.exe File 00a0 \svcctl
000004C0 svchost.exe File 00d0 \WINDOWS\system32\wbem\mof
000004C0 svchost.exe File 01a0 \lsarpc
000004C0 svchost.exe File 025c
\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
000004C0 svchost.exe File 0260
\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
000004C0 svchost.exe File 050c \PIPE_EVENTROOT\CIMV2SCM EVENT
PROVIDER
000004C0 svchost.exe File 0538 \PIPE_EVENTROOT\CIMV2SCM EVENT
PROVIDER
000003DC dfssvc.exe File 0014 \WINDOWS\system32
000003DC dfssvc.exe File 0070 \net\NtControlPipe15
000003DC dfssvc.exe File 00b4 \svcctl
000003DC dfssvc.exe File 00fc \netdfs
000003DC dfssvc.exe File 0100 \netdfs
000004F0 NSUM.exe File 0014 \WINDOWS\system32
000004F0 NSUM.exe File 0068
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_4f0.dat
000004F0 NSUM.exe File 0184 \net\NtControlPipe16
000004F0 NSUM.exe File 019c \svcctl
000004F0 NSUM.exe File 0278 \Endpoint
000004F0 NSUM.exe File 0280 \Endpoint
000004F0 NSUM.exe File 0284 \Endpoint
000004F0 NSUM.exe File 028c \Endpoint
000004F0 NSUM.exe File 0290 \Endpoint
00000548 nspm.exe File 0014 \WINDOWS\system32
00000548 nspm.exe File 00c0 \net\NtControlPipe17
00000548 nspm.exe File 00c4 \svcctl
00000548 nspm.exe File 019c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000548 nspm.exe File 01d8
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JETA66.tmp
00000548 nspm.exe File 01f8
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JET1.tmp
00000548 nspm.exe File 0218 \WINDOWS\system32\Windows
Media\Server\ASDB\mdsas.mdb
00000548 nspm.exe File 021c \WINDOWS\system32\Windows
Media\Server\ASDB\mdsas.ldb
000005C8 svchost.exe File 0014 \WINDOWS\system32
000005C8 svchost.exe File 008c \net\NtControlPipe18
000005C8 svchost.exe File 00a0 \svcctl
000005C8 svchost.exe File 014c \SSLFilterChannel
000005C8 svchost.exe File 022c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000005C8 svchost.exe File 0278 \DefaultAppPool
000005C8 svchost.exe File 02bc \iisipm
000000F8 explorer.exe File 0014 \Documents and
Settings\user.XP
000000F8 explorer.exe File 004c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 005c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 0064
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 0068
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 0108
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 018c \Documents and Settings\All
Users.WINDOWS\Desktop
000000F8 explorer.exe File 01a0 \Documents and
Settings\user.XP\Desktop
000000F8 explorer.exe File 01f0 \Documents and Settings\All
Users.WINDOWS\Start Menu
000000F8 explorer.exe File 0204 \Documents and
Settings\user.XP\Start Menu
000000F8 explorer.exe File 0218 \Documents and
Settings\user.XP\Application Data\Microsoft\Internet Explorer\Quick
Launch
000000F8 explorer.exe File 0258
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 02a4 \Documents and
Settings\user.XP\Cookies\index.dat
000000F8 explorer.exe File 02e0
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 02e4
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 0320
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000F8 explorer.exe File 0364 \ntsvcs
000000F8 explorer.exe File 0380 \AudioSrv
000000F8 explorer.exe File 0388
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 03c8 \Documents and
Settings\user.XP\PrintHood
000000F8 explorer.exe File 042c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe File 0488 \Documents and
Settings\user.XP\Local Settings\History\History.IE5\index.dat
000000F8 explorer.exe File 048c \Documents and
Settings\user.XP\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
000000F8 explorer.exe File 04a4 \Documents and
Settings\user.XP\Local
Settings\History\History.IE5\MSHist012001052220010523\index.dat
000000F8 explorer.exe File 0508 \output
00000720 idwlog.exe File 0014 \Documents and
Settings\user.XP
00000720 idwlog.exe File 0078 \Idwlog.log
00000720 idwlog.exe File 007c \WINDOWS\system32
00000720 idwlog.exe File 0084 \WINDOWS\system32
00000720 idwlog.exe File 00c4 \ntsvcs
00000720 idwlog.exe File 00d0 \WINDOWS\system32
00000720 idwlog.exe File 00f8 \DAV RPC SERVICE
0000079C svchost.exe File 0014 \WINDOWS\system32
0000079C svchost.exe File 0054 \net\NtControlPipe20
0000079C svchost.exe File 0078 \svcctl
0000079C svchost.exe File 010c \tapsrv
0000079C svchost.exe File 0110 \tapsrv
0000079C svchost.exe File 01c0 \53cb31a0\UnimodemNotifyTSP
0000079C svchost.exe File 01dc \ntsvcs
0000079C svchost.exe File 03ac \WINDOWS\system32\h323log.txt
00000668 svchost.exe File 0014 \WINDOWS\system32
00000668 svchost.exe File 0030 \net\NtControlPipe21
00000668 svchost.exe File 0078 \svcctl
00000668 svchost.exe File 00c4
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000668 svchost.exe File 00fc \WINDOWS\Sti_Trace.log
00000668 svchost.exe File 01a4 \WINDOWS\wiaservc.log
00000668 svchost.exe File 01cc \ntsvcs
00000668 svchost.exe File 0288 \WINDOWS\Sti_Trace.log
00000870 wmiprvse.exe File 0014 \WINDOWS\system32
0000076C wuauclt.exe File 0014 \WINDOWS\system32
0000076C wuauclt.exe File 0018
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe File 0058
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe File 023c \ROUTER
00000838 cmd.exe File 0014 \Documents and
Settings\user.XP
00000838 cmd.exe File 0064 \output\ohfile.txt
0000071C notepad.exe File 0018
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000071C notepad.exe File 005c
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000071C notepad.exe File 01e8
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000071C notepad.exe File 0250 \output
000007F0 oh.exe File 0014 \Documents and
Settings\user.XP
000007F0 oh.exe File 0064 \output\ohfile.txt
To generate a list of event objects and send the output to the file C:\Output\Ohevent.txt, type the following at the command line:
oh /t event /o c:\output\ohevent.txt
Looking in Ohevent.txt, you then see output similar to the following:
00000004 System Event 002c \Security\TRKWKS_EVENT
00000004 System Event 008c
\Device\DmControl\VxKernel2VoldEvent
00000004 System Event 00d4 \LanmanServerAnnounceEvent
000000C0 smss.exe Event 0038 \UniqueSessionIdEvent
000000D8 csrss.exe Event 00dc
\BaseNamedObjects\WinSta0_DesktopSwitch
000000E0 winlogon.exe Event 0050 \BaseNamedObjects\userenv: User
Profile setup event
000000E0 winlogon.exe Event 0058 \BaseNamedObjects\userenv:
Machine Group Policy has been applied
000000E0 winlogon.exe Event 005c \BaseNamedObjects\userenv:
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 0060 \BaseNamedObjects\userenv:
Machine Group Policy Processing is done
000000E0 winlogon.exe Event 0064 \BaseNamedObjects\userenv:
Machine Policy Foreground Done Event
000000E0 winlogon.exe Event 006c \BaseNamedObjects\userenv: User
Group Policy has been applied
000000E0 winlogon.exe Event 0070 \BaseNamedObjects\userenv: User
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 0074 \BaseNamedObjects\userenv: User
Group Policy Processing is done
000000E0 winlogon.exe Event 0078 \BaseNamedObjects\userenv: User
Policy Foreground Done Event
000000E0 winlogon.exe Event 007c
\BaseNamedObjects\crypt32LogoffEvent
000000E0 winlogon.exe Event 0088 \Security\NetworkProviderLoad
000000E0 winlogon.exe Event 008c \BaseNamedObjects\TS-WPAAE
000000E0 winlogon.exe Event 00a8 \BaseNamedObjects\ReconEvent
000000E0 winlogon.exe Event 01ec \BaseNamedObjects\DINPUTWINMM
000000E0 winlogon.exe Event 0218
\BaseNamedObjects\WinSta0_DesktopSwitch
000000E0 winlogon.exe Event 0234
\BaseNamedObjects\WFP_IDLE_TRIGGER
000000E0 winlogon.exe Event 025c \BaseNamedObjects\Microsoft
Smart Card Resource Manager Started
000000E0 winlogon.exe Event 02dc
\BaseNamedObjects\ThemesStartEvent
000000E0 winlogon.exe Event 02e4 \BaseNamedObjects\msgina:
ReturnToWelcome
000000E0 winlogon.exe Event 05f4
\BaseNamedObjects\hardwaremixercallback
000000E0 winlogon.exe Event 0604
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000E0 winlogon.exe Event 0648 \BaseNamedObjects\mixercallback
000000E0 winlogon.exe Event 06d0 \BaseNamedObjects\winlogon:
machine GPO Event 49931
000000E0 winlogon.exe Event 06dc \BaseNamedObjects\userenv:
Machine Group Policy has been applied
000000E0 winlogon.exe Event 06e4 \BaseNamedObjects\userenv:
machine policy refresh event
000000E0 winlogon.exe Event 06e8 \BaseNamedObjects\userenv:
machine policy force refresh event
000000E0 winlogon.exe Event 06ec \BaseNamedObjects\userenv:
Machine Group Policy has been applied
000000E0 winlogon.exe Event 06f0 \BaseNamedObjects\userenv:
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 06f4 \BaseNamedObjects\userenv:
Machine Group Policy Processing is done
000000E0 winlogon.exe Event 0704
\BaseNamedObjects\jjCSCSharedEvent_UM_KM
000000E0 winlogon.exe Event 070c
\BaseNamedObjects\jjCSCSharedFillEvent_UM_KM
000000E0 winlogon.exe Event 0714
\BaseNamedObjects\WkssvcToAgentStartEvent
000000E0 winlogon.exe Event 0718
\BaseNamedObjects\WkssvcToAgentStopEvent
000000E0 winlogon.exe Event 071c
\BaseNamedObjects\AgentExistsEvent
000000E0 winlogon.exe Event 0724
\BaseNamedObjects\AgentToWkssvcEvent
000000E0 winlogon.exe Event 0760 \BaseNamedObjects\SENS Started
Event
000000E0 winlogon.exe Event 07a4 \BaseNamedObjects\winlogon:
User GPO Event 73045
000000E0 winlogon.exe Event 07b0 \BaseNamedObjects\userenv: User
Group Policy has been applied
000000E0 winlogon.exe Event 07b8 \BaseNamedObjects\userenv: user
policy refresh event
000000E0 winlogon.exe Event 07bc \BaseNamedObjects\userenv: user
policy force refresh event
000000E0 winlogon.exe Event 07c0 \BaseNamedObjects\userenv: User
Group Policy has been applied
000000E0 winlogon.exe Event 07c4 \BaseNamedObjects\userenv: User
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe Event 07c8 \BaseNamedObjects\userenv: User
Group Policy Processing is done
00000110 services.exe Event 0064 \BaseNamedObjects\userenv: User
Profile setup event
00000110 services.exe Event 018c
\BaseNamedObjects\SC_AutoStartComplete
00000110 services.exe Event 01b4
\BaseNamedObjects\SvcctrlStartEvent_A3752DX
00000110 services.exe Event 0218 \BaseNamedObjects\ScNetDrvMsg
00000110 services.exe Event 02f0
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
00000110 services.exe Event 03d8
\BaseNamedObjects\PnP_No_Pending_Install_Events
0000011C lsass.exe Event 00bc \SeLsaInitEvent
0000011C lsass.exe Event 01e8
\BaseNamedObjects\crypt32LogoffEvent
0000011C lsass.exe Event 01f8 \BaseNamedObjects\userenv: User
Profile setup event
0000011C lsass.exe Event 027c
\BaseNamedObjects\LSA_RPC_SERVER_ACTIVE
0000011C lsass.exe Event 03cc \SAM_SERVICE_STARTED
0000011C lsass.exe Event 04d0
\BaseNamedObjects\PS_SERVICE_STARTED
0000011C lsass.exe Event 04dc
\BaseNamedObjects\IPSEC_POLICY_CHANGE_EVENT
0000011C lsass.exe Event 04e8
\BaseNamedObjects\IPSEC_POLICY_CHANGE_NOTIFY
000001A0 svchost.exe Event 00ac \BaseNamedObjects\userenv: User
Profile setup event
000001A0 svchost.exe Event 01d8
\BaseNamedObjects\ScmCreatedEvent
000001BC svchost.exe Event 00bc
\BaseNamedObjects\crypt32LogoffEvent
000001BC svchost.exe Event 00c0
\BaseNamedObjects\TermSrvReadyEvent
000001BC svchost.exe Event 01dc
\BaseNamedObjects\WinMMConsoleAudioEvent
000001BC svchost.exe Event 01f0 \BaseNamedObjects\ReconEvent
000001BC svchost.exe Event 01f4 \BaseNamedObjects\TermSrv:
machine GP event
000001BC svchost.exe Event 0238 \BaseNamedObjects\userenv: User
Profile setup event
000001BC svchost.exe Event 0244 \BaseNamedObjects\userenv:
Machine Group Policy has been applied
000001BC svchost.exe Event 028c
\Sessions\1\BaseNamedObjects\CsrStartEvent
000001BC svchost.exe Event 0290
\Sessions\1\BaseNamedObjects\ReconEvent
000001BC svchost.exe Event 02c8
\Sessions\2\BaseNamedObjects\CsrStartEvent
000001BC svchost.exe Event 02cc
\Sessions\2\BaseNamedObjects\ReconEvent
00000200 svchost.exe Event 015c
\BaseNamedObjects\DHCPNEWIPADDRESS
00000200 svchost.exe Event 0198
\BaseNamedObjects\AgentToWkssvcEvent
00000200 svchost.exe Event 01d0
\BaseNamedObjects\WkssvcToAgentStartEvent
00000200 svchost.exe Event 01d4
\BaseNamedObjects\ShellHWDetection'sEvent
00000200 svchost.exe Event 01d8
\BaseNamedObjects\CGenericServiceManager__Init
00000200 svchost.exe Event 026c
\BaseNamedObjects\ShellHWDetection'sEvent
00000200 svchost.exe Event 02b4 \BaseNamedObjects\userenv: User
Profile setup event
00000200 svchost.exe Event 02e0
\BaseNamedObjects\ShellHWDetectionInitCompleted
00000200 svchost.exe Event 03e0
\BaseNamedObjects\WkssvcToAgentStopEvent
00000200 svchost.exe Event 046c \BaseNamedObjects\wkssvc: MUP
finished initializing event
00000200 svchost.exe Event 0490
\BaseNamedObjects\crypt32LogoffEvent
00000200 svchost.exe Event 04e4 \BaseNamedObjects\DmServerStop
00000200 svchost.exe Event 0540 \BaseNamedObjects\ReSyncKernel
00000200 svchost.exe Event 0548
\Device\DmControl\VxKernel2VoldEvent
00000200 svchost.exe Event 05f0 \LanmanServerAnnounceEvent
00000200 svchost.exe Event 06a0 \Security\TRKWKS_EVENT
00000200 svchost.exe Event 06f4 \BaseNamedObjects\SENS Started
Event
00000200 svchost.exe Event 0724 \BaseNamedObjects\Sens Hidden
Window Cleanup Event
00000230 csrss.exe Event 00c4
\Sessions\1\BaseNamedObjects\ScNetDrvMsg
00000234 winlogon.exe Event 0050 \BaseNamedObjects\userenv: User
Profile setup event
00000234 winlogon.exe Event 0058 \BaseNamedObjects\userenv:
Machine Group Policy has been applied
00000234 winlogon.exe Event 005c \BaseNamedObjects\userenv:
Machine Group Policy ForcedRefresh Needs Foreground Processing
00000234 winlogon.exe Event 0060 \BaseNamedObjects\userenv:
Machine Group Policy Processing is done
00000234 winlogon.exe Event 0064 \BaseNamedObjects\userenv:
Machine Policy Foreground Done Event
00000234 winlogon.exe Event 006c
\Sessions\1\BaseNamedObjects\userenv: User Group Policy has been applied
00000234 winlogon.exe Event 0070
\Sessions\1\BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs
Foreground Processing
00000234 winlogon.exe Event 0074
\Sessions\1\BaseNamedObjects\userenv: User Group Policy Processing is done
00000234 winlogon.exe Event 0078
\Sessions\1\BaseNamedObjects\userenv: User Policy Foreground Done Event
00000234 winlogon.exe Event 007c
\BaseNamedObjects\crypt32LogoffEvent
0000025C csrss.exe Event 00c4
\Sessions\2\BaseNamedObjects\ScNetDrvMsg
00000260 winlogon.exe Event 0050 \BaseNamedObjects\userenv: User
Profile setup event
00000260 winlogon.exe Event 0058 \BaseNamedObjects\userenv:
Machine Group Policy has been applied
00000260 winlogon.exe Event 005c \BaseNamedObjects\userenv:
Machine Group Policy ForcedRefresh Needs Foreground Processing
00000260 winlogon.exe Event 0060 \BaseNamedObjects\userenv:
Machine Group Policy Processing is done
00000260 winlogon.exe Event 0064 \BaseNamedObjects\userenv:
Machine Policy Foreground Done Event
00000260 winlogon.exe Event 006c
\Sessions\2\BaseNamedObjects\userenv: User Group Policy has been applied
00000260 winlogon.exe Event 0070
\Sessions\2\BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs
Foreground Processing
00000260 winlogon.exe Event 0074
\Sessions\2\BaseNamedObjects\userenv: User Group Policy Processing is done
00000260 winlogon.exe Event 0078
\Sessions\2\BaseNamedObjects\userenv: User Policy Foreground Done Event
00000260 winlogon.exe Event 007c
\BaseNamedObjects\crypt32LogoffEvent
0000029C svchost.exe Event 01f4
\BaseNamedObjects\crypt32LogoffEvent
000002D8 spoolsv.exe Event 00a0
\BaseNamedObjects\RouterPreInitEvent
000002D8 spoolsv.exe Event 0120
\BaseNamedObjects\crypt32LogoffEvent
000002D8 spoolsv.exe Event 0350 \BaseNamedObjects\userenv: User
Profile setup event
000002FC msdtc.exe Event 00f8
\BaseNamedObjects\EVENT_MSDTC_STARTING
000002FC msdtc.exe Event 02d8
\BaseNamedObjects\MSDTC_NAMED_EVENT
000003B8 inetinfo.exe Event 0064
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000003B8 inetinfo.exe Event 0284 \BaseNamedObjects\userenv: User
Profile setup event
000003B8 inetinfo.exe Event 0288
\BaseNamedObjects\crypt32LogoffEvent
000003B8 inetinfo.exe Event 072c
\BaseNamedObjects\MicrosoftInternetNewsServerVersion2BootCheckEvent
0000041C NSCM.exe Event 00b0
\BaseNamedObjects\McmServPerf_RegChangeEvent
0000046C svchost.exe Event 00d0
\BaseNamedObjects\Microsoft.RPC_Registry_Server
000004C0 svchost.exe Event 00cc
\BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
000004C0 svchost.exe Event 00d4
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe Event 00d8
\BaseNamedObjects\WINMGMT_COREDLL_UNLOADED
000004C0 svchost.exe Event 00dc
\BaseNamedObjects\WINMGMT_COREDLL_LOADED
000004C0 svchost.exe Event 00e0
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER_TERMINATE
000004C0 svchost.exe Event 00e8
\BaseNamedObjects\WINMGMT_NEED_REGISTRATION
000004C0 svchost.exe Event 00ec
\BaseNamedObjects\WINMGMT_REGISTRATION_DONE
000004C0 svchost.exe Event 00f4
\BaseNamedObjects\WMI_SysEvent_LodCtr
000004C0 svchost.exe Event 00f8
\BaseNamedObjects\WMI_SysEvent_UnLodCtr
000004C0 svchost.exe Event 029c
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 02b4
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe Event 02e4
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 02ec
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 04e0
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe Event 0500
\BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
000004C0 svchost.exe Event 0518
\BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
000004C0 svchost.exe Event 0524
\BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT
PROVIDER
000004C0 svchost.exe Event 0530
\BaseNamedObjects\EVENT_READYROOT/CIMV2STANDARD NON-COM EVENT PROVIDER
000003DC dfssvc.exe Event 0064 \BaseNamedObjects\userenv: User
Profile setup event
000004F0 NSUM.exe Event 00b0
\BaseNamedObjects\AsfServPerf_RegChangeEvent
000005C8 svchost.exe Event 00b8
\BaseNamedObjects\crypt32LogoffEvent
000005C8 svchost.exe Event 00e0 \BaseNamedObjects\userenv: User
Profile setup event
000005C8 svchost.exe Event 0220
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000005C8 svchost.exe Event 02b0
\BaseNamedObjects\WASPerfCount-c40da922-9c0a-4def-8aba-cd0bb5f093e1
000000F8 explorer.exe Event 01c4 \BaseNamedObjects\userenv: User
Profile setup event
000000F8 explorer.exe Event 02dc
\BaseNamedObjects\ShellReadyEvent
000000F8 explorer.exe Event 0308
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000F8 explorer.exe Event 032c \BaseNamedObjects\mixercallback
000000F8 explorer.exe Event 0334
\BaseNamedObjects\hardwaremixercallback
000000F8 explorer.exe Event 0350
\BaseNamedObjects\HPlugEjectEvent
000000F8 explorer.exe Event 0450
\BaseNamedObjects\crypt32LogoffEvent
0000079C svchost.exe Event 00dc
\BaseNamedObjects\SC_AutoStartComplete
0000079C svchost.exe Event 01c4
\BaseNamedObjects\--.-mailslot-53cb31a0-UnimodemNotifyTSP
0000079C svchost.exe Event 03ec \BaseNamedObjects\DINPUTWINMM
00000668 svchost.exe Event 00b8 \BaseNamedObjects\userenv: User
Profile setup event
0000076C wuauclt.exe Event 026c \BaseNamedObjects\userenv: User
Profile setup event
0000071C notepad.exe Event 01e0 \BaseNamedObjects\userenv: User
Profile setup event
00000848 hh.exe Event 008c
\BaseNamedObjects\crypt32LogoffEvent
00000848 hh.exe Event 02a8
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
00000848 hh.exe Event 02dc \BaseNamedObjects\mixercallback
00000848 hh.exe Event 02e8
\BaseNamedObjects\hardwaremixercallback
To generate a list of open windows that contain WinLogon and send the output to the file C:\Output\Ohwinlogon.txt, type the following at the command line:
oh winlogon /o c:\output\ohwinlogon.txt
Looking in Ohwinlogon.txt, you then see output similar to the following:
000000E0 winlogon.exe Desktop 0094 \Winlogon
000000E0 winlogon.exe Mutant 00bc \BaseNamedObjects\winlogon:
Logon UserProfileMapping Mutex
000000E0 winlogon.exe Key 00dc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32chain
000000E0 winlogon.exe Key 00e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cryptnet
000000E0 winlogon.exe Key 00f0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sclgntfy
000000E0 winlogon.exe Key 01d0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe Key 020c
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe Key 02e0
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Credentials
000000E0 winlogon.exe Event 06d0 \BaseNamedObjects\winlogon:
machine GPO Event 49931
000000E0 winlogon.exe File 0758 \winlogonrpc
000000E0 winlogon.exe File 075c \winlogonrpc
000000E0 winlogon.exe Key 0774
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ScCertProp
000000E0 winlogon.exe Event 07a4 \BaseNamedObjects\winlogon:
User GPO Event 73045
000000E0 winlogon.exe Key 0838
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
To generate a list of mutant objects as well as unnamed open windows and send the output to the file C:\Output\Ohmutant.txt, type the following at the command line:
oh /t mutant /a /o c:\output\ohmutant.txt
Looking in Ohmutant.txt, you then see output similar to the following:
000000D8 csrss.exe Mutant 0044 \NlsCacheMutant
000000D8 csrss.exe Mutant 004c \NlsCacheMutant
000000E0 winlogon.exe Mutant 0024 \NlsCacheMutant
000000E0 winlogon.exe Mutant 0054 \BaseNamedObjects\userenv:
machine policy mutex
000000E0 winlogon.exe Mutant 0068 \BaseNamedObjects\userenv: user
policy mutex
000000E0 winlogon.exe Mutant 00a4 \BaseNamedObjects\SingleSesMutex
000000E0 winlogon.exe Mutant 00bc \BaseNamedObjects\winlogon:
Logon UserProfileMapping Mutex
000000E0 winlogon.exe Mutant 00c8
000000E0 winlogon.exe Mutant 00d0
000000E0 winlogon.exe Mutant 01c4
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000000E0 winlogon.exe Mutant 01fc
000000E0 winlogon.exe Mutant 0204
000000E0 winlogon.exe Mutant 05ec \BaseNamedObjects\mxrapi
000000E0 winlogon.exe Mutant 0600
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000E0 winlogon.exe Mutant 0624
000000E0 winlogon.exe Mutant 0658
\BaseNamedObjects\MidiMapper_Configure
000000E0 winlogon.exe Mutant 065c
000000E0 winlogon.exe Mutant 0660
\BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
000000E0 winlogon.exe Mutant 0668
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe Mutant 066c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0674 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0678 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 0680 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0684 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe Mutant 0688 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 068c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 06bc
000000E0 winlogon.exe Mutant 07e4
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe Mutant 0834 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 083c \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 0840 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe Mutant 0844 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe Mutant 0848 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe Mutant 084c \BaseNamedObjects\WPA_LT_MUTEX
00000110 services.exe Mutant 0030 \NlsCacheMutant
00000110 services.exe Mutant 008c
00000110 services.exe Mutant 0094
00000110 services.exe Mutant 009c
00000110 services.exe Mutant 00a4
00000110 services.exe Mutant 00ac
00000110 services.exe Mutant 00b4
00000110 services.exe Mutant 00bc
00000110 services.exe Mutant 00c4
00000110 services.exe Mutant 00cc
00000110 services.exe Mutant 00d4
00000110 services.exe Mutant 00dc
00000110 services.exe Mutant 00e4
00000110 services.exe Mutant 00ec
00000110 services.exe Mutant 00f4
00000110 services.exe Mutant 00fc
00000110 services.exe Mutant 0104
00000110 services.exe Mutant 010c
00000110 services.exe Mutant 0114
00000110 services.exe Mutant 011c
00000110 services.exe Mutant 0124
00000110 services.exe Mutant 012c
00000110 services.exe Mutant 0134
00000110 services.exe Mutant 013c
00000110 services.exe Mutant 0144
00000110 services.exe Mutant 014c
00000110 services.exe Mutant 0154
00000110 services.exe Mutant 015c
00000110 services.exe Mutant 0164
00000110 services.exe Mutant 016c
00000110 services.exe Mutant 0174
00000110 services.exe Mutant 017c
00000110 services.exe Mutant 0184
00000110 services.exe Mutant 01bc
00000110 services.exe Mutant 0400 \BaseNamedObjects\PnP_Init_Mutex
00000110 services.exe Mutant 043c
\BaseNamedObjects\ShimCacheMutex[S-1-5-20]
0000011C lsass.exe Mutant 0030 \NlsCacheMutant
0000011C lsass.exe Mutant 0344
0000011C lsass.exe Mutant 034c
000001A0 svchost.exe Mutant 0024 \NlsCacheMutant
000001A0 svchost.exe Mutant 04c0
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000001BC svchost.exe Mutant 0024 \NlsCacheMutant
000001BC svchost.exe Mutant 00cc
\BaseNamedObjects\746bbf3569adEncrypt
000001BC svchost.exe Mutant 00f4
000001BC svchost.exe Mutant 01a8
000001BC svchost.exe Mutant 024c
000001BC svchost.exe Mutant 0258
000001BC svchost.exe Mutant 025c
00000200 svchost.exe Mutant 0024 \NlsCacheMutant
00000200 svchost.exe Mutant 02c0
00000200 svchost.exe Mutant 02c8
00000200 svchost.exe Mutant 02f0
00000200 svchost.exe Mutant 03a8
00000200 svchost.exe Mutant 0494
00000200 svchost.exe Mutant 049c
00000200 svchost.exe Mutant 054c
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
00000200 svchost.exe Mutant 0564
\BaseNamedObjects\0CADFD67AF62496dB34264F000F5624A
00000200 svchost.exe Mutant 0568
\BaseNamedObjects\4FCC0DEFE22C4f138FB9D5AF25FD9398
00000200 svchost.exe Mutant 0938
00000200 svchost.exe Mutant 0974
00000200 svchost.exe Mutant 0a68
00000200 svchost.exe Mutant 0a70 \BaseNamedObjects\RasPbFile
00000200 svchost.exe Mutant 0c24
00000200 svchost.exe Mutant 0c68 \BaseNamedObjects\RAS_MO_02
00000200 svchost.exe Mutant 0c6c \BaseNamedObjects\RAS_MO_01
00000200 svchost.exe Mutant 0d74
00000200 svchost.exe Mutant 0df4
\BaseNamedObjects\_!MSFTHISTORY!_
00000200 svchost.exe Mutant 0dfc \BaseNamedObjects\c:!documents
and settings!default user.windows!local settings!temporary internet
files!content.ie5!
00000200 svchost.exe Mutant 0e04 \BaseNamedObjects\c:!documents
and settings!default user.windows!cookies!
00000200 svchost.exe Mutant 0e08 \BaseNamedObjects\c:!documents
and settings!default user.windows!local settings!history!history.ie5!
00000200 svchost.exe Mutant 0e1c
\BaseNamedObjects\WininetStartupMutex
00000200 svchost.exe Mutant 0e24
00000200 svchost.exe Mutant 0e28
00000200 svchost.exe Mutant 0e2c
\BaseNamedObjects\WininetProxyRegistryMutex
00000230 csrss.exe Mutant 0050 \Sessions\1\NlsCacheMutant
00000230 csrss.exe Mutant 0058 \Sessions\1\NlsCacheMutant
00000234 winlogon.exe Mutant 0024 \Sessions\1\NlsCacheMutant
00000234 winlogon.exe Mutant 0054 \BaseNamedObjects\userenv:
machine policy mutex
00000234 winlogon.exe Mutant 0068
\Sessions\1\BaseNamedObjects\userenv: user policy mutex
0000025C csrss.exe Mutant 0050 \Sessions\2\NlsCacheMutant
0000025C csrss.exe Mutant 0058 \Sessions\2\NlsCacheMutant
00000260 winlogon.exe Mutant 0024 \Sessions\2\NlsCacheMutant
00000260 winlogon.exe Mutant 0054 \BaseNamedObjects\userenv:
machine policy mutex
00000260 winlogon.exe Mutant 0068
\Sessions\2\BaseNamedObjects\userenv: user policy mutex
00000294 svchost.exe Mutant 0030 \NlsCacheMutant
0000029C svchost.exe Mutant 0030 \NlsCacheMutant
0000029C svchost.exe Mutant 0228
\BaseNamedObjects\_!MSFTHISTORY!_
0000029C svchost.exe Mutant 0230 \BaseNamedObjects\c:!documents
and settings!localservice.nt authority!local settings!temporary internet
files!content.ie5!
0000029C svchost.exe Mutant 0238 \BaseNamedObjects\c:!documents
and settings!localservice.nt authority!cookies!
0000029C svchost.exe Mutant 0244 \BaseNamedObjects\c:!documents
and settings!localservice.nt authority!local settings!history!history.ie5!
0000029C svchost.exe Mutant 0254
\BaseNamedObjects\WininetStartupMutex
0000029C svchost.exe Mutant 0258
0000029C svchost.exe Mutant 025c
0000029C svchost.exe Mutant 0260
\BaseNamedObjects\WininetProxyRegistryMutex
0000029C svchost.exe Mutant 02cc
0000029C svchost.exe Mutant 02d0 \BaseNamedObjects\RasPbFile
000002D8 spoolsv.exe Mutant 0024 \NlsCacheMutant
000002D8 spoolsv.exe Mutant 0168
000002D8 spoolsv.exe Mutant 0170
000002FC msdtc.exe Mutant 0030 \NlsCacheMutant
000003B8 inetinfo.exe Mutant 0024 \NlsCacheMutant
000003B8 inetinfo.exe Mutant 02c0
000003B8 inetinfo.exe Mutant 051c \BaseNamedObjects\DBWinMutex
000003B8 inetinfo.exe Mutant 0580
000003B8 inetinfo.exe Mutant 0588
000003CC llssrv.exe Mutant 0030 \NlsCacheMutant
000003A8 NSPMON.exe Mutant 0030 \NlsCacheMutant
0000041C NSCM.exe Mutant 0030 \NlsCacheMutant
0000041C NSCM.exe Mutant 0054
\BaseNamedObjects\McmServPERF_REGISTRY_MUTEX
0000041C NSCM.exe Mutant 0060
0000041C NSCM.exe Mutant 00b8
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00c0
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00c8
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00d0
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00d8
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00e0
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00e8
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00f0
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 00f8
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0100
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0108
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0110
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0118
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0120
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0128
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0130
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0138
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0140
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0148
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0150
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0158
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0160
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0168
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0170
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_41c
0000041C NSCM.exe Mutant 0174
\BaseNamedObjects\McmServPERF_INFO_MUTEX
0000041C NSCM.exe Mutant 01f4 \BaseNamedObjects\Shared Mutex
for McmServ Data Collection_0
0000046C svchost.exe Mutant 0030 \NlsCacheMutant
000004C0 svchost.exe Mutant 0024 \NlsCacheMutant
000004C0 svchost.exe Mutant 00b4
000004C0 svchost.exe Mutant 00bc
000004C0 svchost.exe Mutant 00e4
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER
000004C0 svchost.exe Mutant 00f0
\BaseNamedObjects\WINMGMT_KEEP_NEW_CLIENTS_AT_BAY
000004C0 svchost.exe Mutant 0198
000004C0 svchost.exe Mutant 0238 \BaseNamedObjects\WINMGMT_ACTIVE
000004C0 svchost.exe Mutant 0248
000004C0 svchost.exe Mutant 024c
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000003DC dfssvc.exe Mutant 0024 \NlsCacheMutant
000004F0 NSUM.exe Mutant 0030 \NlsCacheMutant
000004F0 NSUM.exe Mutant 0054
\BaseNamedObjects\AsfServPERF_REGISTRY_MUTEX
000004F0 NSUM.exe Mutant 0060
000004F0 NSUM.exe Mutant 00b8
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00c0
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00c8
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00d0
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00d8
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00e0
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00e8
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00f0
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 00f8
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0100
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0108
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0110
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0118
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0120
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0128
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0130
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0138
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0140
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0148
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0150
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0158
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0160
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0168
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0170
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe Mutant 0174
\BaseNamedObjects\AsfServPERF_INFO_MUTEX
000004F0 NSUM.exe Mutant 01dc \BaseNamedObjects\Shared Mutex
for AsfServ Data Collection_0
00000548 nspm.exe Mutant 0030 \NlsCacheMutant
000005C8 svchost.exe Mutant 0024 \NlsCacheMutant
000000F8 explorer.exe Mutant 0024 \NlsCacheMutant
000000F8 explorer.exe Mutant 0070
\BaseNamedObjects\ExplorerIsShellMutex
000000F8 explorer.exe Mutant 0100
000000F8 explorer.exe Mutant 0178
\BaseNamedObjects\WininetStartupMutex
000000F8 explorer.exe Mutant 01e0
\BaseNamedObjects\ZonesCounterMutex
000000F8 explorer.exe Mutant 025c
\BaseNamedObjects\_!MSFTHISTORY!_
000000F8 explorer.exe Mutant 0278
000000F8 explorer.exe Mutant 02b0 \BaseNamedObjects\_SHuassist.mtx
000000F8 explorer.exe Mutant 02b4
000000F8 explorer.exe Mutant 02bc \BaseNamedObjects\c:!documents
and settings!user.xp!local
settings!history!history.ie5!mshist012001052220010523!
000000F8 explorer.exe Mutant 02f0
\BaseNamedObjects\ShimCacheMutex[S-1-5-21-484763869-113007714-839522115-1010]
000000F8 explorer.exe Mutant 02fc
000000F8 explorer.exe Mutant 0304
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000F8 explorer.exe Mutant 0328 \BaseNamedObjects\mxrapi
000000F8 explorer.exe Mutant 0344
000000F8 explorer.exe Mutant 0368
000000F8 explorer.exe Mutant 0398
000000F8 explorer.exe Mutant 041c
\BaseNamedObjects\WininetProxyRegistryMutex
000000F8 explorer.exe Mutant 0448 \BaseNamedObjects\c:!documents
and settings!user.xp!cookies!
000000F8 explorer.exe Mutant 0458
\BaseNamedObjects\ZonesCacheCounterMutex
000000F8 explorer.exe Mutant 0470 \BaseNamedObjects\c:!documents
and settings!user.xp!local settings!temporary internet files!content.ie5!
000000F8 explorer.exe Mutant 0480
\BaseNamedObjects\WininetConnectionMutex
000000F8 explorer.exe Mutant 0494
000000F8 explorer.exe Mutant 0498 \BaseNamedObjects\c:!documents
and settings!user.xp!local settings!history!history.ie5!
000000F8 explorer.exe Mutant 04a0
\BaseNamedObjects\_!SHMSFTHISTORY!_
000000F8 explorer.exe Mutant 04cc
000000F8 explorer.exe Mutant 04f4
000000F8 explorer.exe Mutant 0558
0000079C svchost.exe Mutant 0024 \NlsCacheMutant
0000079C svchost.exe Mutant 0170
0000079C svchost.exe Mutant 0178
0000079C svchost.exe Mutant 01c8
0000079C svchost.exe Mutant 01e4
0000079C svchost.exe Mutant 029c
0000079C svchost.exe Mutant 02a4
0000079C svchost.exe Mutant 02a8
0000079C svchost.exe Mutant 0350
0000079C svchost.exe Mutant 0358
0000079C svchost.exe Mutant 035c
0000079C svchost.exe Mutant 0374
0000079C svchost.exe Mutant 037c
0000079C svchost.exe Mutant 03d4
0000079C svchost.exe Mutant 03dc
0000079C svchost.exe Mutant 040c
00000668 svchost.exe Mutant 0024 \NlsCacheMutant
00000668 svchost.exe Mutant 009c
00000668 svchost.exe Mutant 00a4
00000668 svchost.exe Mutant 0100
\BaseNamedObjects\StiTraceMutexSti_Trace.log
00000668 svchost.exe Mutant 01b8
00000668 svchost.exe Mutant 01d0
00000668 svchost.exe Mutant 01f0
00000668 svchost.exe Mutant 01fc
00000668 svchost.exe Mutant 0238
00000668 svchost.exe Mutant 028c
\BaseNamedObjects\StiTraceMutexSti_Trace.log
0000076C wuauclt.exe Mutant 0034 \NlsCacheMutant
0000076C wuauclt.exe Mutant 0064
\BaseNamedObjects\ZonesCounterMutex
0000076C wuauclt.exe Mutant 0068
\BaseNamedObjects\ZonesCacheCounterMutex
0000076C wuauclt.exe Mutant 0078
\BaseNamedObjects\AutoUpdateSingleInstance
0000076C wuauclt.exe Mutant 01e4
0000076C wuauclt.exe Mutant 01ec \BaseNamedObjects\RasPbFile
0000076C wuauclt.exe Mutant 02b8
0000076C wuauclt.exe Mutant 02c0
00000838 cmd.exe Mutant 0030 \NlsCacheMutant
00000848 hh.exe Mutant 0030 \NlsCacheMutant
00000848 hh.exe Mutant 0070
\BaseNamedObjects\ZonesCounterMutex
00000848 hh.exe Mutant 0074
\BaseNamedObjects\ZonesCacheCounterMutex
00000848 hh.exe Mutant 015c
\BaseNamedObjects\_!MSFTHISTORY!_
00000848 hh.exe Mutant 0164 \BaseNamedObjects\c:!documents
and settings!user.xp!local settings!temporary internet files!content.ie5!
00000848 hh.exe Mutant 016c \BaseNamedObjects\c:!documents
and settings!user.xp!cookies!
00000848 hh.exe Mutant 0174 \BaseNamedObjects\c:!documents
and settings!user.xp!local settings!history!history.ie5!
00000848 hh.exe Mutant 0184
\BaseNamedObjects\WininetStartupMutex
00000848 hh.exe Mutant 018c
\BaseNamedObjects\WininetConnectionMutex
00000848 hh.exe Mutant 0190
00000848 hh.exe Mutant 0194
\BaseNamedObjects\WininetProxyRegistryMutex
00000848 hh.exe Mutant 01e0
\BaseNamedObjects\MSUIM.GlobalLangBarEventSink.Mutex
00000848 hh.exe Mutant 01e8
\BaseNamedObjects\MSUIM.GlobalCompartment.Mutex
00000848 hh.exe Mutant 01ec
\BaseNamedObjects\MSUIM.Assembly.Mutex
00000848 hh.exe Mutant 01f0
\BaseNamedObjects\MSUIM.Layouts.Mutex
00000848 hh.exe Mutant 01f4
\BaseNamedObjects\MSUIM.MarshalInterfaceMutex.TMD
00000848 hh.exe Mutant 02b0
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
00000848 hh.exe Mutant 02d8 \BaseNamedObjects\mxrapi
00000848 hh.exe Mutant 02f0
000002AC oh.exe Mutant 07d4 \NlsCacheMutant
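In the listing above, an object name often wraps onto the line after its record, so the file cannot be processed one line at a time. The following Python parser is an added example, not part of OH or of the original page: it rejoins wrapped names and groups named objects by process, which makes two captures easy to compare. The function names `parse_oh` and `named_objects` are illustrative, and the sample is a few lines copied from the output above.

```python
import re
from collections import defaultdict

# One OH record: PID (hex), process image, object type, handle (hex), optional name.
RECORD = re.compile(r"^([0-9A-Fa-f]{8}) (\S+) (\S+) ([0-9A-Fa-f]{4})(?: (.*))?$")

def parse_oh(text):
    """Parse OH output into dicts, rejoining object names wrapped onto later lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            pid, image, otype, handle, name = m.groups()
            records.append({"pid": int(pid, 16), "image": image, "type": otype,
                            "handle": int(handle, 16), "name": name or ""})
        elif records:
            # Continuation line: the name starts or continues here.
            prev = records[-1]
            prev["name"] = f'{prev["name"]} {line}' if prev["name"] else line
    return records

def named_objects(records, otype="Mutant"):
    """Map (pid, image) to the sorted names of that object type; unnamed handles are skipped."""
    out = defaultdict(set)
    for r in records:
        if r["type"] == otype and r["name"]:
            out[(r["pid"], r["image"])].add(r["name"])
    return {key: sorted(names) for key, names in out.items()}

# Sample: lines copied from the Ohall.txt listing above, wraps included.
SAMPLE = r"""
000000F8 explorer.exe Mutant 0328 \BaseNamedObjects\mxrapi
000000F8 explorer.exe Mutant 0344
000000F8 explorer.exe Mutant 0448 \BaseNamedObjects\c:!documents
and settings!user.xp!cookies!
0000076C wuauclt.exe Mutant 0078
\BaseNamedObjects\AutoUpdateSingleInstance
0000076C wuauclt.exe Mutant 01e4
00000838 cmd.exe Mutant 0030 \NlsCacheMutant
"""

if __name__ == "__main__":
    for (pid, image), names in named_objects(parse_oh(SAMPLE)).items():
        print(f"{pid:#06x} {image}: {names}")
```

A continuation line is recognised only because it does not begin with an eight-digit hexadecimal PID, so a wrapped name fragment that happened to look like a record would be misread.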
To generate a list of file objects whose names contain "explore" and send the output to the file C:\Output\Ohexplore.txt, type the following at the command line:
oh /t file explore /o c:\output\ohexplore.txt
Looking in Ohexplore.txt, you then see output similar to the following:
000000E0 winlogon.exe File 0360 \Program Files\Internet Explorer
000000E0 winlogon.exe File 036c \Program Files\Internet
Explorer\Connection Wizard
000000F8 explorer.exe File 0218 \Documents and
Settings\user.XP\Application Data\Microsoft\Internet Explorer\Quick
Launch