Windows Tools

OH Examples

Overview | Notes | Syntax | Examples | Related Tools Open Command Prompt

Example 1: Enable the Kernel Option

To function properly, OH must enable a kernel option that maintains a linked list of all objects sorted by object type. To set the kernel option, type the following at the command line:

oh

Output similar to the following is displayed in the command window:

Enabled maintaining a list of objects for each type.
Will take effect next time you boot.
Until then, OH is unable to query useful information

Restart your computer, and you can then use OH.

Example 2: List Handles for Open Windows

To generate a list of handles for open windows and send the output to the file C:\Output\Ohall.txt, type the following at the command line:

oh /o c:\output\ohall.txt

Looking in Ohall.txt, you then see output similar to the following:

00000004 System		 Key			000c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\WPA
00000004 System		 Key			0010 \REGISTRY
00000004 System		 Key			0014 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session 
Manager\WPA\SigningHash-PRCRFTFJWDC27Q
00000004 System		 Key			0018 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter
00000004 System		 Key			001c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Executive
00000004 System		 Key			0020 \REGISTRY\MACHINE\SYSTEM\Setup
00000004 System		 Key			0024 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions
00000004 System		 Key			0028 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000004 System		 Event		002c \Security\TRKWKS_EVENT
00000004 System		 File		 0034 
\WINDOWS\system32\config\software
00000004 System		 Key			0040 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\3&29761208&0\Device 
Parameters
00000004 System		 File		 0044 \WINDOWS\system32\config\SAM.LOG
00000004 System		 Key			0048 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device 
Parameters
00000004 System		 Key			004c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device 
Parameters
00000004 System		 Key			0050 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System		 Key			0054 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System		 Key			0058 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Video\{67BA24C1-E772-4266-BBE5-D44FE7A9D9A4}\0000\VolatileSettings
00000004 System		 Key			005c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System		 Key			006c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory 
Management\PrefetchParameters
00000004 System		 File		 007c 
\WINDOWS\system32\config\SECURITY
00000004 System		 File		 0084 
\WINDOWS\system32\config\default.LOG
00000004 System		 File		 0088 \WINDOWS\system32\config\SAM
00000004 System		 Event		008c 
\Device\DmControl\VxKernel2VoldEvent
00000004 System		 File		 0090 \WINDOWS\system32\config\default
00000004 System		 Directory	0094 \Device\WinDfs
00000004 System		 Directory	009c \Device\Harddisk0
00000004 System		 File		 00a0 
\WINDOWS\system32\config\system.LOG
00000004 System		 File		 00b8 
\WINDOWS\system32\config\software.LOG
00000004 System		 Port		 00d0 \SeRmCommandPort
00000004 System		 Event		00d4 \LanmanServerAnnounceEvent
00000004 System		 File		 00d8 \pagefile.sys
00000004 System		 File		 00f4 
\WINDOWS\system32\config\SECURITY.LOG
00000004 System		 File		 01a4 \Documents and 
Settings\LocalService.NT AUTHORITY\NTUSER.DAT
00000004 System		 File		 01b0 \Documents and 
Settings\NetworkService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 01b4 \Documents and 
Settings\LocalService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 File		 01bc \Documents and 
Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
00000004 System		 File		 01c0 \Documents and 
Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
00000004 System		 File		 01c8 \Documents and 
Settings\NetworkService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 File		 01cc \Documents and 
Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
00000004 System		 File		 01d0 \Documents and 
Settings\LocalService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 0238 \WINDOWS\system32\config\system
00000004 System		 File		 02fc 
\WINDOWS\system32\MsDtc\Trace\dtctrace.log
00000004 System		 File		 0390 \Documents and 
Settings\NetShowServices\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 Directory	0394 \Device\Http
00000004 System		 File		 03a0 \Documents and 
Settings\NetShowServices\NTUSER.DAT
00000004 System		 File		 03a4 \Documents and 
Settings\NetShowServices\ntuser.dat.LOG
00000004 System		 File		 03b4 \Documents and 
Settings\NetShowServices\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 03b8 \
00000004 System		 File		 0498 \WINDOWS\DfsSvcLogFile
00000004 System		 File		 04a8 \255
00000004 System		 File		 0c3c \Documents and 
Settings\user.XP\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 File		 0c44 \Documents and 
Settings\user.XP\ntuser.dat.LOG
00000004 System		 File		 0c48 \Documents and 
Settings\user.XP\NTUSER.DAT
00000004 System		 File		 0c4c \Documents and 
Settings\user.XP\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 0dcc 
\WINDOWS\system32\LogFiles\W3SVC1\ex010522.log
00000004 System		 File		 0ddc \Topology
00000004 System		 File		 0dfc \47
000000C0 smss.exe	 File		 0010 \WINDOWS
000000C0 smss.exe	 Port		 0014 \SmApiPort
000000C0 smss.exe	 Directory	001c \GLOBAL??
000000C0 smss.exe	 Directory	0020 \Sessions
000000C0 smss.exe	 File		 0024 \WINDOWS\system32
000000C0 smss.exe	 Directory	0028 \KnownDlls
000000C0 smss.exe	 SymbolicLink   002c \KnownDlls\KnownDllPath
000000C0 smss.exe	 Key			0030 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000000C0 smss.exe	 Key			0034 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CrashControl
000000C0 smss.exe	 Event		0038 \UniqueSessionIdEvent
000000D8 csrss.exe	Directory	0010 \KnownDlls
000000D8 csrss.exe	File		 0014 \WINDOWS\system32
000000D8 csrss.exe	Directory	0018 \Sessions\BNOLINKS
000000D8 csrss.exe	SymbolicLink   0020 \Sessions\BNOLINKS\0
000000D8 csrss.exe	Directory	0024 \Sessions\0
000000D8 csrss.exe	Directory	0028 \Sessions\0\DosDevices
000000D8 csrss.exe	Directory	002c \Windows
000000D8 csrss.exe	Directory	003c \BaseNamedObjects
000000D8 csrss.exe	Directory	0040 \BaseNamedObjects\Restricted
000000D8 csrss.exe	Mutant		 0044 \NlsCacheMutant
000000D8 csrss.exe	Mutant		 004c \NlsCacheMutant
000000D8 csrss.exe	Section		0050 \NLS\NlsSectionUnicode
000000D8 csrss.exe	Section		0054 \NLS\NlsSectionLocale
000000D8 csrss.exe	Section		0058 \NLS\NlsSectionCType
000000D8 csrss.exe	Section		005c \NLS\NlsSectionSortkey
000000D8 csrss.exe	Section		0060 \NLS\NlsSectionSortTbls
000000D8 csrss.exe	Directory	0080 \BaseNamedObjects
000000D8 csrss.exe	Key			00a0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
000000D8 csrss.exe	Port		 00a4 \Windows\ApiPort
000000D8 csrss.exe	Port		 00a8 \Windows\SbApiPort
000000D8 csrss.exe	Event		00dc 
\BaseNamedObjects\WinSta0_DesktopSwitch
000000D8 csrss.exe	Desktop		00f0 \Disconnect
000000D8 csrss.exe	WindowStation  00f4 \Windows\WindowStations\WinSta0
000000D8 csrss.exe	Desktop		04e4 \Default
000000D8 csrss.exe	Key			0650 \REGISTRY\MACHINE
000000D8 csrss.exe	Key			0680 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000000D8 csrss.exe	Key			0684 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000000D8 csrss.exe	Key			0688 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000000D8 csrss.exe	Key			0698 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control 
Panel\International
000000D8 csrss.exe	Key			069c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control 
Panel\International
000000D8 csrss.exe	File		 0728 \WINDOWS\system32\ega.cpi
000000D8 csrss.exe	Desktop		0734 \Default
000000D8 csrss.exe	WindowStation  08a8 \Windows\WindowStations\WinSta0
000000E0 winlogon.exe   Directory	0010 \KnownDlls
000000E0 winlogon.exe   Directory	0018 \Windows
000000E0 winlogon.exe   Mutant		 0024 \NlsCacheMutant
000000E0 winlogon.exe   Key			0030 \REGISTRY\MACHINE
000000E0 winlogon.exe   Directory	004c \BaseNamedObjects
000000E0 winlogon.exe   Event		0050 \BaseNamedObjects\userenv:  User 
Profile setup event
000000E0 winlogon.exe   Mutant		 0054 \BaseNamedObjects\userenv: 
machine policy mutex
000000E0 winlogon.exe   Event		0058 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000000E0 winlogon.exe   Event		005c \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		0060 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
000000E0 winlogon.exe   Event		0064 \BaseNamedObjects\userenv: 
Machine Policy Foreground Done Event
000000E0 winlogon.exe   Mutant		 0068 \BaseNamedObjects\userenv: user 
policy mutex
000000E0 winlogon.exe   Event		006c \BaseNamedObjects\userenv: User 
Group Policy has been applied
000000E0 winlogon.exe   Event		0070 \BaseNamedObjects\userenv: User 
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		0074 \BaseNamedObjects\userenv: User 
Group Policy Processing is done
000000E0 winlogon.exe   Event		0078 \BaseNamedObjects\userenv: User 
Policy Foreground Done Event
000000E0 winlogon.exe   Event		007c 
\BaseNamedObjects\crypt32LogoffEvent
000000E0 winlogon.exe   Event		0088 \Security\NetworkProviderLoad
000000E0 winlogon.exe   Event		008c \BaseNamedObjects\TS-WPAAE
000000E0 winlogon.exe   WindowStation  0090 \Windows\WindowStations\WinSta0
000000E0 winlogon.exe   Desktop		0094 \Winlogon
000000E0 winlogon.exe   WindowStation  0098 \Windows\WindowStations\WinSta0
000000E0 winlogon.exe   Desktop		009c \Disconnect
000000E0 winlogon.exe   Desktop		00a0 \Default
000000E0 winlogon.exe   Mutant		 00a4 \BaseNamedObjects\SingleSesMutex
000000E0 winlogon.exe   Event		00a8 \BaseNamedObjects\ReconEvent
000000E0 winlogon.exe   Key			00b0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000E0 winlogon.exe   File		 00b4 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe   Key			00b8 \REGISTRY\USER\.DEFAULT
000000E0 winlogon.exe   Mutant		 00bc \BaseNamedObjects\winlogon: 
Logon UserProfileMapping Mutex
000000E0 winlogon.exe   Key			00dc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\crypt32chain
000000E0 winlogon.exe   Key			00e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\cryptnet
000000E0 winlogon.exe   Key			00f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\sclgntfy
000000E0 winlogon.exe   Key			00fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
000000E0 winlogon.exe   Section		013c \RPC Control\DSECe0
000000E0 winlogon.exe   Port		 0148 \RPC Control\IUserProfile
000000E0 winlogon.exe   Port		 0154 \RPC Control\sclogonrpc
000000E0 winlogon.exe   File		 01a4 \InitShutdown
000000E0 winlogon.exe   File		 01a8 \InitShutdown
000000E0 winlogon.exe   Section		01bc 
\BaseNamedObjects\ShimSharedMemory[S-1-5-18]
000000E0 winlogon.exe   Mutant		 01c4 
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000000E0 winlogon.exe   Key			01d0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe   Key			01e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000E0 winlogon.exe   Desktop		01e8 \Default
000000E0 winlogon.exe   Event		01ec \BaseNamedObjects\DINPUTWINMM
000000E0 winlogon.exe   Key			020c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe   Event		0218 
\BaseNamedObjects\WinSta0_DesktopSwitch
000000E0 winlogon.exe   Event		0234 
\BaseNamedObjects\WFP_IDLE_TRIGGER
000000E0 winlogon.exe   File		 0244 \WINDOWS\system32\dllcache
000000E0 winlogon.exe   Event		025c \BaseNamedObjects\Microsoft 
Smart Card Resource Manager Started
000000E0 winlogon.exe   File		 0260 \WINDOWS\AppPatch
000000E0 winlogon.exe   File		 0264 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_adm
000000E0 winlogon.exe   File		 0270 \svcctl
000000E0 winlogon.exe   File		 0274 \ntsvcs
000000E0 winlogon.exe   File		 0280 \svcctl
000000E0 winlogon.exe   File		 0284 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_adm
000000E0 winlogon.exe   File		 0288 \WINDOWS\system32
000000E0 winlogon.exe   File		 028c \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_aut
000000E0 winlogon.exe   File		 0290 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_aut
000000E0 winlogon.exe   File		 0294 \WINDOWS\system32\inetsrv
000000E0 winlogon.exe   File		 0298 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\bin
000000E0 winlogon.exe   File		 029c \WINDOWS\Fonts
000000E0 winlogon.exe   File		 02a0 \WINDOWS\system32\drivers
000000E0 winlogon.exe   File		 02a4 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\servsupp
000000E0 winlogon.exe   File		 02a8 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\bots\vinavbar
000000E0 winlogon.exe   File		 02ac \Program Files\Microsoft 
FrontPage\version3.0\bin
000000E0 winlogon.exe   File		 02b0 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin
000000E0 winlogon.exe   File		 02b4 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\bin\1033
000000E0 winlogon.exe   File		 02b8 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\isapi
000000E0 winlogon.exe   File		 02bc \WINDOWS
000000E0 winlogon.exe   File		 02c0 \Program Files\Common 
Files\Microsoft Shared\DAO
000000E0 winlogon.exe   File		 02c4 \Program Files\Windows Media 
Player
000000E0 winlogon.exe   File		 02c8 \Program Files\Common 
Files\System\msadc
000000E0 winlogon.exe   File		 02cc \Program Files\Common 
Files\System\ado
000000E0 winlogon.exe   File		 02d0 \Program Files\Common 
Files\System\Ole DB
000000E0 winlogon.exe   File		 02d4 \WINDOWS\inf
000000E0 winlogon.exe   File		 02d8 \WINDOWS\system32\Setup
000000E0 winlogon.exe   Event		02dc 
\BaseNamedObjects\ThemesStartEvent
000000E0 winlogon.exe   Key			02e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Credentials
000000E0 winlogon.exe   Event		02e4 \BaseNamedObjects\msgina: 
ReturnToWelcome
000000E0 winlogon.exe   File		 02f8 
\WINDOWS\system32\clients\tsclient\win16
000000E0 winlogon.exe   File		 02fc 
\WINDOWS\Microsoft.NET\Framework\v1.0.2706
000000E0 winlogon.exe   File		 0300 \WINDOWS\Application 
Compatibility Scripts
000000E0 winlogon.exe   File		 0304 
\WINDOWS\system32\clients\tsclient\win32\acme351
000000E0 winlogon.exe   File		 0308 \WINDOWS\msagent
000000E0 winlogon.exe   File		 030c \WINDOWS\msagent\intl
000000E0 winlogon.exe   File		 0310 \WINDOWS\system32\netmon\parsers
000000E0 winlogon.exe   File		 0314 \WINDOWS\system
000000E0 winlogon.exe   File		 0318 \WINDOWS\system32\netmon
000000E0 winlogon.exe   File		 031c \WINDOWS\Help
000000E0 winlogon.exe   File		 0320 
\WINDOWS\PCHEALTH\HELPCTR\Binaries
000000E0 winlogon.exe   File		 0324 \Program Files\NetMeeting
000000E0 winlogon.exe   File		 0328 \WINDOWS\system32\drivers\disdn
000000E0 winlogon.exe   File		 032c \WINDOWS\ime\chtime\applets
000000E0 winlogon.exe   File		 0330 \WINDOWS\system32\wbem
000000E0 winlogon.exe   File		 0334 \WINDOWS\Cluster
000000E0 winlogon.exe   File		 0338 \WINDOWS\system32\Com
000000E0 winlogon.exe   File		 033c \WINDOWS\ime\imjp8_1
000000E0 winlogon.exe   File		 0340 \Program Files\Common 
Files\Microsoft Shared\Triedit
000000E0 winlogon.exe   File		 0344 \Program Files\Windows NT
000000E0 winlogon.exe   File		 0348 \Program Files\Common 
Files\System
000000E0 winlogon.exe   File		 034c \WINDOWS\system32\1033
000000E0 winlogon.exe   File		 0350 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\admcgi\scripts
000000E0 winlogon.exe   File		 0354 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\admisapi\scripts
000000E0 winlogon.exe   File		 0358 \WINDOWS\ime\imkr6_1\dicts
000000E0 winlogon.exe   File		 035c \WINDOWS\system32\mui\0009
000000E0 winlogon.exe   File		 0360 \Program Files\Internet Explorer
000000E0 winlogon.exe   File		 0364 \WINDOWS\ime\imjp8_1\applets
000000E0 winlogon.exe   File		 0368 \WINDOWS\ime\imkr6_1\applets
000000E0 winlogon.exe   File		 036c \Program Files\Internet 
Explorer\Connection Wizard
000000E0 winlogon.exe   File		 0370 \Program Files\Common 
Files\Microsoft Shared\MSInfo
000000E0 winlogon.exe   File		 0374 \Program Files\Common 
Files\Microsoft Shared\Smart Tag
000000E0 winlogon.exe   File		 0378 \WINDOWS\ime\imkr6_1
000000E0 winlogon.exe   File		 037c \WINDOWS\ime\shared
000000E0 winlogon.exe   File		 0380 \WINDOWS\system32\reminst
000000E0 winlogon.exe   File		 0384 \WINDOWS\system32\ime\pintlgnt
000000E0 winlogon.exe   File		 0388 
\WINDOWS\system32\clients\tsclient\win32
000000E0 winlogon.exe   File		 038c \Program Files\Common 
Files\SpeechEngines\Microsoft\Lexicon\1033
000000E0 winlogon.exe   File		 0390 \WINDOWS\Resources\Themes\Luna
000000E0 winlogon.exe   File		 0394 \WINDOWS\ime
000000E0 winlogon.exe   File		 0398 \Program Files\Outlook Express
000000E0 winlogon.exe   File		 039c \Program Files\MSN\SmartTag
000000E0 winlogon.exe   File		 03a0 \WINDOWS\system32\oobe
000000E0 winlogon.exe   File		 03a4 \WINDOWS\mui
000000E0 winlogon.exe   File		 03a8 \WINDOWS\system32\npp
000000E0 winlogon.exe   File		 03ac \WINDOWS\ime\shared\res
000000E0 winlogon.exe   File		 03b0 \WINDOWS\system32\rocket
000000E0 winlogon.exe   File		 03b4 \WINDOWS\ime\chsime\applets
000000E0 winlogon.exe   File		 03b8 \WINDOWS\system32\rpcproxy
000000E0 winlogon.exe   File		 03bc \Program Files\Common 
Files\SpeechEngines\Microsoft\TTS\1033
000000E0 winlogon.exe   File		 03c0 \Program Files\Common 
Files\Microsoft Shared\Speech
000000E0 winlogon.exe   File		 03c4 
\WINDOWS\system32\certsrv\certcontrol\ia64
000000E0 winlogon.exe   File		 03c8 
\WINDOWS\system32\certsrv\certcontrol\w2k
000000E0 winlogon.exe   File		 03cc 
\WINDOWS\system32\certsrv\certcontrol\x86
000000E0 winlogon.exe   File		 03d0 
\WINDOWS\system32\spool\prtprocs\w32x86
000000E0 winlogon.exe   File		 03d4 
\WINDOWS\Resources\Themes\Luna\Shell
000000E0 winlogon.exe   File		 03d8 \WINDOWS\system32\wbem\snmp
000000E0 winlogon.exe   File		 03dc \Program Files\Common 
Files\SpeechEngines\Microsoft
000000E0 winlogon.exe   File		 03e0 \Program Files\Common 
Files\Microsoft Shared\Speech\1033
000000E0 winlogon.exe   File		 03e4 
\WINDOWS\system32\spool\drivers\color
000000E0 winlogon.exe   File		 03e8 \WINDOWS\system32\ime\tintlgnt
000000E0 winlogon.exe   File		 03ec \WINDOWS\Help\Tours
000000E0 winlogon.exe   File		 03f0 \WINDOWS\system32\wbem\AdStatus
000000E0 winlogon.exe   File		 03f4 
\WINDOWS\PCHEALTH\UploadLB\Binaries
000000E0 winlogon.exe   File		 03f8 \Program Files\Common 
Files\Microsoft Shared\VGX
000000E0 winlogon.exe   File		 0400 
\WINDOWS\Microsoft.NET\Framework\v1.0.2706\1033
000000E0 winlogon.exe   File		 0404 \WINDOWS\system32\wbem\xml
000000E0 winlogon.exe   File		 0410 \Program Files\Windows 
NT\Accessories
000000E0 winlogon.exe   File		 0428 \WINDOWS\WinSxS
000000E0 winlogon.exe   File		 05d0 \SfcApi
000000E0 winlogon.exe   File		 05d4 \SfcApi
000000E0 winlogon.exe   Mutant		 05ec \BaseNamedObjects\mxrapi
000000E0 winlogon.exe   Key			05f0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device 
Parameters\Mixer
000000E0 winlogon.exe   Event		05f4 
\BaseNamedObjects\hardwaremixercallback
000000E0 winlogon.exe   Key			05f8 \REGISTRY\USER
000000E0 winlogon.exe   Section		05fc 
\BaseNamedObjects\WDMAUD_Device_Interface_Path
000000E0 winlogon.exe   Mutant		 0600 
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000E0 winlogon.exe   Event		0604 
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000E0 winlogon.exe   Semaphore	0608 
\BaseNamedObjects\GuardSemmmGlobalPnpInfoGuard
000000E0 winlogon.exe   Section		060c 
\BaseNamedObjects\mmGlobalPnpInfo
000000E0 winlogon.exe   Section		0610 
\BaseNamedObjects\WDMAUD_Path_Size
000000E0 winlogon.exe   Section		0618 
\BaseNamedObjects\WDMAUD_Callbacks
000000E0 winlogon.exe   File		 0640 
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000E0 winlogon.exe   Event		0648 \BaseNamedObjects\mixercallback
000000E0 winlogon.exe   Semaphore	064c 
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
000000E0 winlogon.exe   Key			0650 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000E0 winlogon.exe   Mutant		 0658 
\BaseNamedObjects\MidiMapper_Configure
000000E0 winlogon.exe   Mutant		 0660 
\BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
000000E0 winlogon.exe   Mutant		 0668 
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe   Mutant		 066c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0674 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0678 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 0680 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0684 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe   Mutant		 0688 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 068c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   File		 06b4 \ProfMapApi
000000E0 winlogon.exe   File		 06b8 \ProfMapApi
000000E0 winlogon.exe   Key			06c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000E0 winlogon.exe   Event		06d0 \BaseNamedObjects\winlogon:  
machine GPO Event 49931
000000E0 winlogon.exe   Event		06dc \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000000E0 winlogon.exe   Event		06e4 \BaseNamedObjects\userenv: 
machine policy refresh event
000000E0 winlogon.exe   Event		06e8 \BaseNamedObjects\userenv: 
machine policy force refresh event
000000E0 winlogon.exe   Event		06ec \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000000E0 winlogon.exe   Event		06f0 \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		06f4 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
000000E0 winlogon.exe   Event		0704 
\BaseNamedObjects\jjCSCSharedEvent_UM_KM
000000E0 winlogon.exe   Event		070c 
\BaseNamedObjects\jjCSCSharedFillEvent_UM_KM
000000E0 winlogon.exe   Event		0714 
\BaseNamedObjects\WkssvcToAgentStartEvent
000000E0 winlogon.exe   Event		0718 
\BaseNamedObjects\WkssvcToAgentStopEvent
000000E0 winlogon.exe   Event		071c 
\BaseNamedObjects\AgentExistsEvent
000000E0 winlogon.exe   Event		0724 
\BaseNamedObjects\AgentToWkssvcEvent
000000E0 winlogon.exe   Timer		072c \BaseNamedObjects\userenv: 
refresh timer for 224:784
000000E0 winlogon.exe   File		 0758 \winlogonrpc
000000E0 winlogon.exe   File		 075c \winlogonrpc
000000E0 winlogon.exe   Event		0760 \BaseNamedObjects\SENS Started 
Event
000000E0 winlogon.exe   Key			0774 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\ScCertProp
000000E0 winlogon.exe   Key			0790 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000E0 winlogon.exe   File		 0794 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe   Semaphore	0798 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000000E0 winlogon.exe   Key			079c 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000E0 winlogon.exe   Key			07a0 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
000000E0 winlogon.exe   Event		07a4 \BaseNamedObjects\winlogon:  
User GPO Event 73045
000000E0 winlogon.exe   Desktop		07a8 \Default
000000E0 winlogon.exe   Event		07b0 \BaseNamedObjects\userenv: User 
Group Policy has been applied
000000E0 winlogon.exe   Event		07b8 \BaseNamedObjects\userenv: user 
policy refresh event
000000E0 winlogon.exe   Event		07bc \BaseNamedObjects\userenv: user 
policy force refresh event
000000E0 winlogon.exe   Event		07c0 \BaseNamedObjects\userenv: User 
Group Policy has been applied
000000E0 winlogon.exe   Event		07c4 \BaseNamedObjects\userenv: User 
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		07c8 \BaseNamedObjects\userenv: User 
Group Policy Processing is done
000000E0 winlogon.exe   Mutant		 07e4 
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe   Timer		080c \BaseNamedObjects\userenv: 
refresh timer for 224:1684
000000E0 winlogon.exe   File		 0828 \AudioSrv
000000E0 winlogon.exe   Mutant		 0834 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Key			0838 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe   Mutant		 083c \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 0840 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0844 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe   Mutant		 0848 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 084c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Section		08ec 
\BaseNamedObjects\__R_000000000013_SMem__
000000E0 winlogon.exe   File		 0914 \WINDOWS\system32
000000E0 winlogon.exe   Port		 0920 \RPC Control\OLE10
00000110 services.exe   Directory	0010 \KnownDlls
00000110 services.exe   File		 0014 \WINDOWS\system32
00000110 services.exe   Directory	0024 \Windows
00000110 services.exe   Mutant		 0030 \NlsCacheMutant
00000110 services.exe   Key			0038 \REGISTRY\MACHINE
00000110 services.exe   WindowStation  0044 
\Windows\WindowStations\Service-0x0-3e7$
00000110 services.exe   Desktop		0048 \Default
00000110 services.exe   WindowStation  004c 
\Windows\WindowStations\Service-0x0-3e7$
00000110 services.exe   Directory	0060 \BaseNamedObjects
00000110 services.exe   Event		0064 \BaseNamedObjects\userenv:  User 
Profile setup event
00000110 services.exe   Key			0068 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000110 services.exe   Key			006c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000110 services.exe   Key			0070 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000110 services.exe   Key			0074 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum
00000110 services.exe   Key			007c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
00000110 services.exe   Key			0080 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class
00000110 services.exe   Key			0084 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\PerHwIdStorage
00000110 services.exe   Event		018c 
\BaseNamedObjects\SC_AutoStartComplete
00000110 services.exe   Key			0190 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order
00000110 services.exe   Event		01b4 
\BaseNamedObjects\SvcctrlStartEvent_A3752DX
00000110 services.exe   Key			01d4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder
00000110 services.exe   File		 0204 \ntsvcs
00000110 services.exe   Event		0218 \BaseNamedObjects\ScNetDrvMsg
00000110 services.exe   Section		0220 \RPC Control\DSEC110
00000110 services.exe   Port		 0230 \RPC Control\ntsvcs
00000110 services.exe   File		 0260 \ntsvcs
00000110 services.exe   File		 0264 \ntsvcs
00000110 services.exe   File		 02bc \scerpc
00000110 services.exe   File		 02c0 \scerpc
00000110 services.exe   File		 02c4 \ntsvcs
00000110 services.exe   File		 02dc \lsarpc
00000110 services.exe   Event		02f0 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
00000110 services.exe   File		 0314 \svcctl
00000110 services.exe   Key			031c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
00000110 services.exe   File		 0320 \net\NtControlPipe1
00000110 services.exe   File		 0328 \ntsvcs
00000110 services.exe   File		 0330 \ntsvcs
00000110 services.exe   File		 033c \net\NtControlPipe2
00000110 services.exe   Key			0348 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000110 services.exe   File		 0350 \ntsvcs
00000110 services.exe   File		 0354 \net\NtControlPipe3
00000110 services.exe   File		 0360 \net\NtControlPipe3
00000110 services.exe   Key			036c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
00000110 services.exe   File		 0388 
\WINDOWS\system32\config\AppEvent.Evt
00000110 services.exe   File		 0398 
\WINDOWS\system32\config\SecEvent.Evt
00000110 services.exe   File		 03b0 
\WINDOWS\system32\config\SysEvent.Evt
00000110 services.exe   File		 03c8 \net\NtControlPipe4
00000110 services.exe   Port		 03cc \ErrorLogPort
00000110 services.exe   Event		03d8 
\BaseNamedObjects\PnP_No_Pending_Install_Events
00000110 services.exe   File		 03e0 \ntsvcs
00000110 services.exe   Mutant		 0400 \BaseNamedObjects\PnP_Init_Mutex
00000110 services.exe   Key			042c \REGISTRY\USER
00000110 services.exe   Key			0430 \REGISTRY\USER\S-1-5-20
00000110 services.exe   Mutant		 043c 
\BaseNamedObjects\ShimCacheMutex[S-1-5-20]
00000110 services.exe   Section		0440 
\BaseNamedObjects\ShimSharedMemory[S-1-5-20]
00000110 services.exe   File		 0444 \net\NtControlPipe5
00000110 services.exe   File		 044c \ntsvcs
00000110 services.exe   Key			0454 \REGISTRY\USER\S-1-5-19
00000110 services.exe   File		 0460 \net\NtControlPipe6
00000110 services.exe   File		 0468 \ntsvcs
00000110 services.exe   File		 0470 \ntsvcs
00000110 services.exe   File		 0490 \ntsvcs
00000110 services.exe   File		 0494 \ntsvcs
00000110 services.exe   File		 04a0 \net\NtControlPipe0
00000110 services.exe   File		 04a4 \ntsvcs
00000110 services.exe   File		 04b4 \net\NtControlPipe7
00000110 services.exe   File		 04b8 \ntsvcs
00000110 services.exe   Key			04c0 \REGISTRY\USER\S-1-5-20
00000110 services.exe   File		 04cc \net\NtControlPipe8
00000110 services.exe   File		 04d4 \ntsvcs
00000110 services.exe   File		 04e4 \ntsvcs
00000110 services.exe   File		 0500 \ntsvcs
00000110 services.exe   File		 0508 \net\NtControlPipe9
00000110 services.exe   File		 050c \ntsvcs
00000110 services.exe   Key			051c \REGISTRY\USER\S-1-5-20
00000110 services.exe   File		 0528 \net\NtControlPipe10
00000110 services.exe   Key			0544 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000110 services.exe   File		 0550 \ntsvcs
00000110 services.exe   Key			055c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe   File		 0564 \net\NtControlPipe11
00000110 services.exe   File		 0568 \ntsvcs
00000110 services.exe   Key			0570 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe   File		 0588 \net\NtControlPipe12
00000110 services.exe   File		 05b8 \ntsvcs
00000110 services.exe   Key			05c4 \REGISTRY\USER\S-1-5-19
00000110 services.exe   File		 05d0 \net\NtControlPipe13
00000110 services.exe   File		 05d8 \ntsvcs
00000110 services.exe   File		 05e0 \net\NtControlPipe14
00000110 services.exe   File		 05ec \ntsvcs
00000110 services.exe   File		 05f8 \ntsvcs
00000110 services.exe   File		 0600 \net\NtControlPipe15
00000110 services.exe   File		 060c \ntsvcs
00000110 services.exe   Key			0614 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe   File		 0620 \net\NtControlPipe16
00000110 services.exe   File		 0628 \ntsvcs
00000110 services.exe   File		 0630 \ntsvcs
00000110 services.exe   Key			0640 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe   File		 0648 \net\NtControlPipe18
00000110 services.exe   File		 064c \net\NtControlPipe17
00000110 services.exe   File		 0658 \ntsvcs
00000110 services.exe   File		 0668 \ntsvcs
00000110 services.exe   File		 0678 \ntsvcs
00000110 services.exe   File		 0694 \ntsvcs
00000110 services.exe   File		 06ac \ntsvcs
00000110 services.exe   File		 06bc \ntsvcs
00000110 services.exe   File		 06c0 \net\NtControlPipe21
00000110 services.exe   File		 06dc \ntsvcs
00000110 services.exe   File		 06e0 \net\NtControlPipe20
00000110 services.exe   File		 06ec \ntsvcs
00000110 services.exe   File		 06f4 \ntsvcs
00000110 services.exe   File		 0708 \ntsvcs
00000110 services.exe   File		 070c \ntsvcs
00000110 services.exe   File		 072c \ntsvcs
00000110 services.exe   File		 073c \PIPE_EVENTROOT\CIMV2SCM EVENT 
PROVIDER
0000011C lsass.exe	Directory	0010 \KnownDlls
0000011C lsass.exe	File		 0014 \WINDOWS\system32
0000011C lsass.exe	Directory	0024 \Windows
0000011C lsass.exe	Mutant		 0030 \NlsCacheMutant
0000011C lsass.exe	Key			0038 \REGISTRY\MACHINE
0000011C lsass.exe	WindowStation  004c 
\Windows\WindowStations\Service-0x0-3e7$
0000011C lsass.exe	Desktop		0050 \Default
0000011C lsass.exe	WindowStation  0054 
\Windows\WindowStations\Service-0x0-3e7$
0000011C lsass.exe	Key			0060 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
0000011C lsass.exe	Directory	0074 \BaseNamedObjects
0000011C lsass.exe	File		 0078 \net\NtControlPipe0
0000011C lsass.exe	Key			0084 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll
0000011C lsass.exe	Key			0088 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll
0000011C lsass.exe	Key			008c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll
0000011C lsass.exe	Key			00a8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
0000011C lsass.exe	Port		 00b8 \SeLsaCommandPort
0000011C lsass.exe	Event		00bc \SeLsaInitEvent
0000011C lsass.exe	Key			00dc \REGISTRY\MACHINE\SECURITY
0000011C lsass.exe	Key			00e0 \REGISTRY\MACHINE\SECURITY\RXACT
0000011C lsass.exe	Key			0110 
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe	Section		012c 
\BaseNamedObjects\Debug.Memory.11c
0000011C lsass.exe	Key			0130 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos
0000011C lsass.exe	Key			0164 
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe	Key			016c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\SidCache
0000011C lsass.exe	Key			017c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains
0000011C lsass.exe	Key			018c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000011C lsass.exe	Key			0194 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000011C lsass.exe	Key			01a4 
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe	Key			01b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
0000011C lsass.exe	Key			01b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\MSV1_0
0000011C lsass.exe	File		 01c0 \WINDOWS\Debug\PASSWD.LOG
0000011C lsass.exe	Event		01e8 
\BaseNamedObjects\crypt32LogoffEvent
0000011C lsass.exe	Event		01f8 \BaseNamedObjects\userenv:  User 
Profile setup event
0000011C lsass.exe	Section		01fc \RPC Control\DSEC11c
0000011C lsass.exe	Port		 0260 \LsaAuthenticationPort
0000011C lsass.exe	Event		027c 
\BaseNamedObjects\LSA_RPC_SERVER_ACTIVE
0000011C lsass.exe	File		 0284 \lsass
0000011C lsass.exe	File		 0288 \lsass
0000011C lsass.exe	Key			02a0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
0000011C lsass.exe	Port		 02b4 \RPC Control\protected_storage
0000011C lsass.exe	File		 02e4 \protected_storage
0000011C lsass.exe	File		 02e8 \protected_storage
0000011C lsass.exe	File		 035c \lsarpc
0000011C lsass.exe	File		 0370 \lsass
0000011C lsass.exe	Key			0384 \REGISTRY\MACHINE\SAM\SAM
0000011C lsass.exe	Key			0388 \REGISTRY\MACHINE\SAM\SAM\RXACT
0000011C lsass.exe	Key			038c 
\REGISTRY\MACHINE\SAM\SAM\Domains\Builtin
0000011C lsass.exe	Key			0390 
\REGISTRY\MACHINE\SAM\SAM\Domains\Account
0000011C lsass.exe	File		 0398 \lsass
0000011C lsass.exe	File		 03b0 \lsass
0000011C lsass.exe	Event		03cc \SAM_SERVICE_STARTED
0000011C lsass.exe	Key			03e4 \REGISTRY\USER\S-1-5-20
0000011C lsass.exe	File		 03e8 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000011C lsass.exe	Key			03f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000011C lsass.exe	Key			03f8 \REGISTRY\USER
0000011C lsass.exe	File		 0410 \lsass
0000011C lsass.exe	File		 0460 \lsass
0000011C lsass.exe	File		 0478 \lsass
0000011C lsass.exe	Key			04a0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000011C lsass.exe	Key			04a4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000011C lsass.exe	Key			04a8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000011C lsass.exe	Key			04ac 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
0000011C lsass.exe	Event		04d0 
\BaseNamedObjects\PS_SERVICE_STARTED
0000011C lsass.exe	Event		04dc 
\BaseNamedObjects\IPSEC_POLICY_CHANGE_EVENT
0000011C lsass.exe	Event		04e8 
\BaseNamedObjects\IPSEC_POLICY_CHANGE_NOTIFY
0000011C lsass.exe	File		 04f8 \Endpoint
0000011C lsass.exe	File		 0508 \svcctl
0000011C lsass.exe	File		 0510 \WINDOWS\Debug\oakley.log
0000011C lsass.exe	File		 0514 \lsass
0000011C lsass.exe	File		 0544 \Endpoint
0000011C lsass.exe	File		 0558 \Endpoint
0000011C lsass.exe	File		 055c \255
0000011C lsass.exe	File		 05a0 \ipsec
0000011C lsass.exe	File		 05a4 \ipsec
0000011C lsass.exe	Port		 05ac \RPC Control\ipsec
0000011C lsass.exe	File		 05b8 \lsass
0000011C lsass.exe	File		 0608 \lsass
0000011C lsass.exe	File		 0618 \lsass
000001A0 svchost.exe	Directory	0010 \KnownDlls
000001A0 svchost.exe	File		 0014 \WINDOWS\system32
000001A0 svchost.exe	Directory	001c \Windows
000001A0 svchost.exe	Mutant		 0024 \NlsCacheMutant
000001A0 svchost.exe	Key			002c \REGISTRY\MACHINE
000001A0 svchost.exe	File		 0054 \net\NtControlPipe1
000001A0 svchost.exe	Directory	0070 \BaseNamedObjects
000001A0 svchost.exe	WindowStation  0088 
\Windows\WindowStations\Service-0x0-3e7$
000001A0 svchost.exe	Desktop		008c \Default
000001A0 svchost.exe	WindowStation  0090 
\Windows\WindowStations\Service-0x0-3e7$
000001A0 svchost.exe	Event		00ac \BaseNamedObjects\userenv:  User 
Profile setup event
000001A0 svchost.exe	Key			00b0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			00c8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001A0 svchost.exe	Key			00d0 
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID
000001A0 svchost.exe	Key			00f4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Ole
000001A0 svchost.exe	Section		00fc \RPC Control\DSEC1a0
000001A0 svchost.exe	Port		 0108 \RPC Control\epmapper
000001A0 svchost.exe	Key			0120 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000001A0 svchost.exe	Key			0128 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000001A0 svchost.exe	File		 0154 \Endpoint
000001A0 svchost.exe	File		 015c \Endpoint
000001A0 svchost.exe	File		 0168 
\Winsock2\CatalogChangeListener-1a0-0
000001A0 svchost.exe	File		 0170 \Endpoint
000001A0 svchost.exe	File		 0184 \Endpoint
000001A0 svchost.exe	Key			0190 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000001A0 svchost.exe	Key			01b0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000001A0 svchost.exe	Key			01b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000001A0 svchost.exe	Key			01b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000001A0 svchost.exe	Section		01d0 \BaseNamedObjects\RotHintTable
000001A0 svchost.exe	File		 01d4 \Endpoint
000001A0 svchost.exe	Event		01d8 
\BaseNamedObjects\ScmCreatedEvent
000001A0 svchost.exe	Key			0214 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			021c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0228 \REGISTRY\USER
000001A0 svchost.exe	Key			022c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			0238 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0240 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0248 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001A0 svchost.exe	Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			0258 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0264 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			026c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0274 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001A0 svchost.exe	Section		027c 
\BaseNamedObjects\__R_000000000013_SMem__
000001A0 svchost.exe	File		 02bc \epmapper
000001A0 svchost.exe	File		 02c0 \epmapper
000001A0 svchost.exe	File		 0358 \Endpoint
000001A0 svchost.exe	File		 0438 \svcctl
000001A0 svchost.exe	Mutant		 04c0 
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000001A0 svchost.exe	Section		04c4 
\BaseNamedObjects\ShimSharedMemory[S-1-5-18]
000001BC svchost.exe	Directory	0010 \KnownDlls
000001BC svchost.exe	File		 0014 \WINDOWS\system32
000001BC svchost.exe	Directory	001c \Windows
000001BC svchost.exe	Mutant		 0024 \NlsCacheMutant
000001BC svchost.exe	Key			002c \REGISTRY\MACHINE
000001BC svchost.exe	WindowStation  003c 
\Windows\WindowStations\Service-0x0-3e7$
000001BC svchost.exe	Desktop		0040 \Default
000001BC svchost.exe	WindowStation  0044 
\Windows\WindowStations\Service-0x0-3e7$
000001BC svchost.exe	Directory	0048 \BaseNamedObjects
000001BC svchost.exe	File		 008c \net\NtControlPipe2
000001BC svchost.exe	File		 00a0 \svcctl
000001BC svchost.exe	Event		00bc 
\BaseNamedObjects\crypt32LogoffEvent
000001BC svchost.exe	Event		00c0 
\BaseNamedObjects\TermSrvReadyEvent
000001BC svchost.exe	Mutant		 00cc 
\BaseNamedObjects\746bbf3569adEncrypt
000001BC svchost.exe	Key			00ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing 
Core
000001BC svchost.exe	Key			0108 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
000001BC svchost.exe	Section		011c \RPC Control\DSEC1bc
000001BC svchost.exe	Port		 0124 \RPC Control\LcRpc
000001BC svchost.exe	File		 0154 \TermSrv_Licensing_Core
000001BC svchost.exe	File		 0158 \TermSrv_Licensing_Core
000001BC svchost.exe	Port		 0170 \SmSsWinStationApiPort
000001BC svchost.exe	Key			0180 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000001BC svchost.exe	Key			0188 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000001BC svchost.exe	File		 019c \lsarpc
000001BC svchost.exe	Event		01dc 
\BaseNamedObjects\WinMMConsoleAudioEvent
000001BC svchost.exe	Event		01f0 \BaseNamedObjects\ReconEvent
000001BC svchost.exe	Event		01f4 \BaseNamedObjects\TermSrv:  
machine GP event
000001BC svchost.exe	Port		 0200 \RPC Control\IcaApi
000001BC svchost.exe	File		 0230 \Ctx_WinStation_API_service
000001BC svchost.exe	File		 0234 \Ctx_WinStation_API_service
000001BC svchost.exe	Event		0238 \BaseNamedObjects\userenv:  User 
Profile setup event
000001BC svchost.exe	Event		0244 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000001BC svchost.exe	Key			0260 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
000001BC svchost.exe	Key			0274 
\REGISTRY\MACHINE\SOFTWARE\Policies
000001BC svchost.exe	Event		028c 
\Sessions\1\BaseNamedObjects\CsrStartEvent
000001BC svchost.exe	Event		0290 
\Sessions\1\BaseNamedObjects\ReconEvent
000001BC svchost.exe	Event		02c8 
\Sessions\2\BaseNamedObjects\CsrStartEvent
000001BC svchost.exe	Event		02cc 
\Sessions\2\BaseNamedObjects\ReconEvent
000001BC svchost.exe	Key			02fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\AddIns
000001BC svchost.exe	Key			0364 \REGISTRY\USER
00000200 svchost.exe	Directory	0010 \KnownDlls
00000200 svchost.exe	File		 0014 \WINDOWS\system32
00000200 svchost.exe	Directory	001c \Windows
00000200 svchost.exe	Mutant		 0024 \NlsCacheMutant
00000200 svchost.exe	Key			002c \REGISTRY\MACHINE
00000200 svchost.exe	WindowStation  003c 
\Windows\WindowStations\Service-0x0-3e7$
00000200 svchost.exe	Desktop		0040 \Default
00000200 svchost.exe	WindowStation  0044 \Windows\WindowStations\WinSta0
00000200 svchost.exe	Directory	0048 \BaseNamedObjects
00000200 svchost.exe	File		 008c \net\NtControlPipe4
00000200 svchost.exe	File		 00a0 \svcctl
00000200 svchost.exe	Key			00a8 \REGISTRY\USER\.DEFAULT
00000200 svchost.exe	File		 00ac 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000200 svchost.exe	Key			00b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000200 svchost.exe	Port		 00bc \ThemeApiPort
00000200 svchost.exe	Key			0108 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
00000200 svchost.exe	Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000200 svchost.exe	Key			0110 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
00000200 svchost.exe	Key			0114 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000200 svchost.exe	Key			012c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
00000200 svchost.exe	Key			0134 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
00000200 svchost.exe	Key			0140 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters
00000200 svchost.exe	Key			0144 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000200 svchost.exe	Key			0148 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters\Options
00000200 svchost.exe	Key			014c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
00000200 svchost.exe	Event		015c 
\BaseNamedObjects\DHCPNEWIPADDRESS
00000200 svchost.exe	File		 0164 \DhcpClient
00000200 svchost.exe	Key			0178 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters
00000200 svchost.exe	Key			0194 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{81A3AA37-6FFD-4907-99BB-47F19F605A44}
00000200 svchost.exe	Event		0198 
\BaseNamedObjects\AgentToWkssvcEvent
00000200 svchost.exe	Event		01d0 
\BaseNamedObjects\WkssvcToAgentStartEvent
00000200 svchost.exe	Event		01d4 
\BaseNamedObjects\ShellHWDetection'sEvent
00000200 svchost.exe	Event		01d8 
\BaseNamedObjects\CGenericServiceManager__Init
00000200 svchost.exe	Key			01f8 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Key			0200 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			020c \REGISTRY\USER
00000200 svchost.exe	Key			0210 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Key			021c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0224 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			022c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000200 svchost.exe	Key			0234 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Key			023c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0248 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0258 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000200 svchost.exe	File		 0260 
\WINDOWS\Registration\R000000000013.clb
00000200 svchost.exe	Section		0264 
\BaseNamedObjects\__R_000000000013_SMem__
00000200 svchost.exe	Key			0268 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Event		026c 
\BaseNamedObjects\ShellHWDetection'sEvent
00000200 svchost.exe	Section		0270 \RPC Control\DSEC200
00000200 svchost.exe	Port		 0278 \RPC Control\OLE3
00000200 svchost.exe	File		 028c \svcctl
00000200 svchost.exe	Event		02b4 \BaseNamedObjects\userenv:  User 
Profile setup event
00000200 svchost.exe	File		 02d0 \lsarpc
00000200 svchost.exe	File		 02d8 \ntsvcs
00000200 svchost.exe	File		 02dc \WINDOWS\SchedLgU.Txt
00000200 svchost.exe	Event		02e0 
\BaseNamedObjects\ShellHWDetectionInitCompleted
00000200 svchost.exe	Desktop		02ec \SADesktop
00000200 svchost.exe	WindowStation  0300 \Windows\WindowStations\SAWinSta
00000200 svchost.exe	File		 0354 \Endpoint
00000200 svchost.exe	File		 0364 
\Winsock2\CatalogChangeListener-200-0
00000200 svchost.exe	File		 0394 \Endpoint
00000200 svchost.exe	File		 0398 \atsvc
00000200 svchost.exe	File		 039c \atsvc
00000200 svchost.exe	File		 03c0 \WINDOWS\Tasks
00000200 svchost.exe	Event		03e0 
\BaseNamedObjects\WkssvcToAgentStopEvent
00000200 svchost.exe	File		 0460 \wkssvc
00000200 svchost.exe	File		 0464 \wkssvc
00000200 svchost.exe	Event		046c \BaseNamedObjects\wkssvc:  MUP 
finished initializing event
00000200 svchost.exe	Key			0478 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters
00000200 svchost.exe	Event		0490 
\BaseNamedObjects\crypt32LogoffEvent
00000200 svchost.exe	File		 04dc \AudioSrv
00000200 svchost.exe	File		 04e0 \AudioSrv
00000200 svchost.exe	Event		04e4 \BaseNamedObjects\DmServerStop
00000200 svchost.exe	File		 0518 \keysvc
00000200 svchost.exe	File		 051c \keysvc
00000200 svchost.exe	Port		 0524 \RPC Control\keysvc
00000200 svchost.exe	Event		0540 \BaseNamedObjects\ReSyncKernel
00000200 svchost.exe	Event		0548 
\Device\DmControl\VxKernel2VoldEvent
00000200 svchost.exe	Mutant		 054c 
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
00000200 svchost.exe	Section		0550 
\BaseNamedObjects\ShimSharedMemory[S-1-5-18]
00000200 svchost.exe	Mutant		 0564 
\BaseNamedObjects\0CADFD67AF62496dB34264F000F5624A
00000200 svchost.exe	Mutant		 0568 
\BaseNamedObjects\4FCC0DEFE22C4f138FB9D5AF25FD9398
00000200 svchost.exe	Key			0570 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
00000200 svchost.exe	File		 057c \PCHHangRepExecPipe
00000200 svchost.exe	File		 058c \PCHFaultRepExecPipe
00000200 svchost.exe	Port		 05b8 \XactSrvLpcPort
00000200 svchost.exe	File		 05e4 \srvsvc
00000200 svchost.exe	File		 05e8 \srvsvc
00000200 svchost.exe	Event		05f0 \LanmanServerAnnounceEvent
00000200 svchost.exe	File		 05f4 \AudioSrv
00000200 svchost.exe	Semaphore	0614 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
00000200 svchost.exe	Key			0630 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
00000200 svchost.exe	File		 0674 \SECLOGON
00000200 svchost.exe	File		 0678 \SECLOGON
00000200 svchost.exe	WaitablePort   069c \Security\TRKWKS_PORT
00000200 svchost.exe	Event		06a0 \Security\TRKWKS_EVENT
00000200 svchost.exe	File		 06c8 \trkwks
00000200 svchost.exe	File		 06cc \trkwks
00000200 svchost.exe	Port		 06d4 \RPC Control\trkwks
00000200 svchost.exe	File		 06ec \$Extend\$ObjId
00000200 svchost.exe	Event		06f4 \BaseNamedObjects\SENS Started 
Event
00000200 svchost.exe	Section		06f8 \BaseNamedObjects\SENS 
Information Cache
00000200 svchost.exe	Port		 070c \RPC Control\senssvc
00000200 svchost.exe	Key			0710 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}
00000200 svchost.exe	File		 0714 \System Volume 
Information\tracking.log
00000200 svchost.exe	Event		0724 \BaseNamedObjects\Sens Hidden 
Window Cleanup Event
00000200 svchost.exe	Key			0740 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses
00000200 svchost.exe	File		 0790 \W32TIME
00000200 svchost.exe	File		 0794 \W32TIME
00000200 svchost.exe	File		 07f4 \Endpoint
00000200 svchost.exe	File		 0804 \Endpoint
00000200 svchost.exe	Key			0860 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\EAPOL
00000200 svchost.exe	Key			0868 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions
00000200 svchost.exe	File		 08c0 \wzcsvc
00000200 svchost.exe	File		 08c4 \wzcsvc
00000200 svchost.exe	Port		 08cc \RPC Control\wzcsvc
00000200 svchost.exe	Key			08f0 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings
00000200 svchost.exe	File		 0910 \WMDMPMSPpipe
00000200 svchost.exe	File		 0978 \srvsvc
00000200 svchost.exe	File		 0980 \srvsvc
00000200 svchost.exe	File		 09cc \wkssvc
00000200 svchost.exe	File		 09d0 
\{9B365890-165F-11D0-A195-0020AFD156E4}
00000200 svchost.exe	File		 09ec \wkssvc
00000200 svchost.exe	File		 0a04 \srvsvc
00000200 svchost.exe	File		 0a2c \wkssvc
00000200 svchost.exe	File		 0a44 \browser
00000200 svchost.exe	File		 0a48 \browser
00000200 svchost.exe	Key			0a4c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Browser\Parameters
00000200 svchost.exe	Key			0a60 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
00000200 svchost.exe	Mutant		 0a70 \BaseNamedObjects\RasPbFile
00000200 svchost.exe	Key			0a94 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASTLS
00000200 svchost.exe	Key			0aa4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASCHAP
00000200 svchost.exe	Key			0abc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces
00000200 svchost.exe	File		 0ad4 \winlogonrpc
00000200 svchost.exe	Desktop		0aec \Default
00000200 svchost.exe	WindowStation  0af0 \Windows\WindowStations\WinSta0
00000200 svchost.exe	File		 0af8 
\Winsock2\CatalogChangeListener-200-1
00000200 svchost.exe	File		 0b64 \svcctl
00000200 svchost.exe	WaitablePort   0b88 \NLAPublicPort
00000200 svchost.exe	WaitablePort   0b8c \NLAPrivatePort
00000200 svchost.exe	Key			0b98 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe	Key			0bc0 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows 
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe	Key			0bc4 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows 
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe	Key			0bc8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
00000200 svchost.exe	Key			0be8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000200 svchost.exe	Key			0bf8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000200 svchost.exe	File		 0c08 \EVENTLOG
00000200 svchost.exe	Key			0c1c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASTAPI
00000200 svchost.exe	Key			0c3c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\tapi32
00000200 svchost.exe	Mutant		 0c68 \BaseNamedObjects\RAS_MO_02
00000200 svchost.exe	Mutant		 0c6c \BaseNamedObjects\RAS_MO_01
00000200 svchost.exe	File		 0c98 \ROUTER
00000200 svchost.exe	File		 0c9c \ROUTER
00000200 svchost.exe	Key			0cb8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASMAN
00000200 svchost.exe	Key			0cd0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\PPP
00000200 svchost.exe	Key			0ce0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BAP
00000200 svchost.exe	Key			0cec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RasMan\PPP
00000200 svchost.exe	Key			0cfc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASSPAP
00000200 svchost.exe	Key			0d0c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASPAP
00000200 svchost.exe	Key			0d1c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASEAP
00000200 svchost.exe	Key			0d2c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASCCP
00000200 svchost.exe	Key			0d3c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASBACP
00000200 svchost.exe	File		 0d48 \wkssvc
00000200 svchost.exe	Key			0d68 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASIPHLP
00000200 svchost.exe	Key			0d80 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000200 svchost.exe	Key			0d90 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASIPCP
00000200 svchost.exe	File		 0da8 \wkssvc
00000200 svchost.exe	File		 0db0 \srvsvc
00000200 svchost.exe	Mutant		 0df4 
\BaseNamedObjects\_!MSFTHISTORY!_
00000200 svchost.exe	File		 0df8 \Documents and Settings\Default 
User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat
00000200 svchost.exe	Mutant		 0dfc \BaseNamedObjects\c:!documents 
and settings!default user.windows!local settings!temporary internet 
files!content.ie5!
00000200 svchost.exe	Section		0e00 \BaseNamedObjects\C:_Documents 
and Settings_Default User.WINDOWS_Local Settings_Temporary Internet 
Files_Content.IE5_index.dat_32768
00000200 svchost.exe	Mutant		 0e04 \BaseNamedObjects\c:!documents 
and settings!default user.windows!cookies!
00000200 svchost.exe	Mutant		 0e08 \BaseNamedObjects\c:!documents 
and settings!default user.windows!local settings!history!history.ie5!
00000200 svchost.exe	File		 0e0c \Documents and Settings\Default 
User.WINDOWS\Cookies\index.dat
00000200 svchost.exe	File		 0e10 \Documents and Settings\Default 
User.WINDOWS\Local Settings\History\History.IE5\index.dat
00000200 svchost.exe	Section		0e14 \BaseNamedObjects\C:_Documents 
and Settings_Default User.WINDOWS_Local 
Settings_History_History.IE5_index.dat_16384
00000200 svchost.exe	Mutant		 0e1c 
\BaseNamedObjects\WininetStartupMutex
00000200 svchost.exe	Section		0e20 \BaseNamedObjects\C:_Documents 
and Settings_Default User.WINDOWS_Cookies_index.dat_16384
00000200 svchost.exe	Mutant		 0e2c 
\BaseNamedObjects\WininetProxyRegistryMutex
00000200 svchost.exe	Key			0e30 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
00000200 svchost.exe	Section		0e34 \BaseNamedObjects\SENS 
Information Cache
00000200 svchost.exe	File		 0e50 \ROUTER
00000230 csrss.exe	Directory	0010 \KnownDlls
00000230 csrss.exe	File		 0014 \WINDOWS\system32
00000230 csrss.exe	Directory	0018 \Sessions\BNOLINKS
00000230 csrss.exe	SymbolicLink   0020 \Sessions\BNOLINKS\1
00000230 csrss.exe	Directory	0024 \Sessions\1
00000230 csrss.exe	Directory	0028 \Sessions\1\DosDevices
00000230 csrss.exe	Directory	002c \Sessions\1\Windows
00000230 csrss.exe	Directory	003c \Sessions\1\BaseNamedObjects
00000230 csrss.exe	SymbolicLink   0040 
\Sessions\1\BaseNamedObjects\Global
00000230 csrss.exe	SymbolicLink   0044 
\Sessions\1\BaseNamedObjects\Local
00000230 csrss.exe	SymbolicLink   0048 
\Sessions\1\BaseNamedObjects\Session
00000230 csrss.exe	Directory	004c 
\Sessions\1\BaseNamedObjects\Restricted
00000230 csrss.exe	Mutant		 0050 \Sessions\1\NlsCacheMutant
00000230 csrss.exe	Mutant		 0058 \Sessions\1\NlsCacheMutant
00000230 csrss.exe	Directory	0070 
\Sessions\1\Windows\WindowStations
00000230 csrss.exe	Directory	007c \Sessions\1\BaseNamedObjects
00000230 csrss.exe	Port		 0098 \Sessions\1\Windows\ApiPort
00000230 csrss.exe	Port		 009c \Sessions\1\Windows\SbApiPort
00000230 csrss.exe	Event		00c4 
\Sessions\1\BaseNamedObjects\ScNetDrvMsg
00000230 csrss.exe	Key			00c8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
00000234 winlogon.exe   Directory	0010 \KnownDlls
00000234 winlogon.exe   File		 0014 \WINDOWS\system32
00000234 winlogon.exe   Directory	0018 \Sessions\1\Windows
00000234 winlogon.exe   Mutant		 0024 \Sessions\1\NlsCacheMutant
00000234 winlogon.exe   Key			0030 \REGISTRY\MACHINE
00000234 winlogon.exe   Directory	004c \Sessions\1\BaseNamedObjects
00000234 winlogon.exe   Event		0050 \BaseNamedObjects\userenv:  User 
Profile setup event
00000234 winlogon.exe   Mutant		 0054 \BaseNamedObjects\userenv: 
machine policy mutex
00000234 winlogon.exe   Event		0058 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
00000234 winlogon.exe   Event		005c \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
00000234 winlogon.exe   Event		0060 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
00000234 winlogon.exe   Event		0064 \BaseNamedObjects\userenv: 
Machine Policy Foreground Done Event
00000234 winlogon.exe   Mutant		 0068 
\Sessions\1\BaseNamedObjects\userenv: user policy mutex
00000234 winlogon.exe   Event		006c 
\Sessions\1\BaseNamedObjects\userenv: User Group Policy has been applied
00000234 winlogon.exe   Event		0070 
\Sessions\1\BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs 
Foreground Processing
00000234 winlogon.exe   Event		0074 
\Sessions\1\BaseNamedObjects\userenv: User Group Policy Processing is done
00000234 winlogon.exe   Event		0078 
\Sessions\1\BaseNamedObjects\userenv: User Policy Foreground Done Event
00000234 winlogon.exe   Event		007c 
\BaseNamedObjects\crypt32LogoffEvent
0000025C csrss.exe	Directory	0010 \KnownDlls
0000025C csrss.exe	File		 0014 \WINDOWS\system32
0000025C csrss.exe	Directory	0018 \Sessions\BNOLINKS
0000025C csrss.exe	SymbolicLink   0020 \Sessions\BNOLINKS\2
0000025C csrss.exe	Directory	0024 \Sessions\2
0000025C csrss.exe	Directory	0028 \Sessions\2\DosDevices
0000025C csrss.exe	Directory	002c \Sessions\2\Windows
0000025C csrss.exe	Directory	003c \Sessions\2\BaseNamedObjects
0000025C csrss.exe	SymbolicLink   0040 
\Sessions\2\BaseNamedObjects\Global
0000025C csrss.exe	SymbolicLink   0044 
\Sessions\2\BaseNamedObjects\Local
0000025C csrss.exe	SymbolicLink   0048 
\Sessions\2\BaseNamedObjects\Session
0000025C csrss.exe	Directory	004c 
\Sessions\2\BaseNamedObjects\Restricted
0000025C csrss.exe	Mutant		 0050 \Sessions\2\NlsCacheMutant
0000025C csrss.exe	Mutant		 0058 \Sessions\2\NlsCacheMutant
0000025C csrss.exe	Directory	0070 
\Sessions\2\Windows\WindowStations
0000025C csrss.exe	Directory	007c \Sessions\2\BaseNamedObjects
0000025C csrss.exe	Port		 0098 \Sessions\2\Windows\ApiPort
0000025C csrss.exe	Port		 009c \Sessions\2\Windows\SbApiPort
0000025C csrss.exe	Event		00c4 
\Sessions\2\BaseNamedObjects\ScNetDrvMsg
0000025C csrss.exe	Key			00c8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
00000260 winlogon.exe   Directory	0010 \KnownDlls
00000260 winlogon.exe   File		 0014 \WINDOWS\system32
00000260 winlogon.exe   Directory	0018 \Sessions\2\Windows
00000260 winlogon.exe   Mutant		 0024 \Sessions\2\NlsCacheMutant
00000260 winlogon.exe   Key			0030 \REGISTRY\MACHINE
00000260 winlogon.exe   Directory	004c \Sessions\2\BaseNamedObjects
00000260 winlogon.exe   Event		0050 \BaseNamedObjects\userenv:  User 
Profile setup event
00000260 winlogon.exe   Mutant		 0054 \BaseNamedObjects\userenv: 
machine policy mutex
00000260 winlogon.exe   Event		0058 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
00000260 winlogon.exe   Event		005c \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
00000260 winlogon.exe   Event		0060 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
00000260 winlogon.exe   Event		0064 \BaseNamedObjects\userenv: 
Machine Policy Foreground Done Event
00000260 winlogon.exe   Mutant		 0068 
\Sessions\2\BaseNamedObjects\userenv: user policy mutex
00000260 winlogon.exe   Event		006c 
\Sessions\2\BaseNamedObjects\userenv: User Group Policy has been applied
00000260 winlogon.exe   Event		0070 
\Sessions\2\BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs 
Foreground Processing
00000260 winlogon.exe   Event		0074 
\Sessions\2\BaseNamedObjects\userenv: User Group Policy Processing is done
00000260 winlogon.exe   Event		0078 
\Sessions\2\BaseNamedObjects\userenv: User Policy Foreground Done Event
00000260 winlogon.exe   Event		007c 
\BaseNamedObjects\crypt32LogoffEvent
00000294 svchost.exe	Directory	0010 \KnownDlls
00000294 svchost.exe	File		 0014 \WINDOWS\system32
00000294 svchost.exe	Key			0018 \REGISTRY\MACHINE
00000294 svchost.exe	Directory	0024 \Windows
00000294 svchost.exe	Mutant		 0030 \NlsCacheMutant
00000294 svchost.exe	File		 0038 \net\NtControlPipe5
00000294 svchost.exe	Directory	0078 \BaseNamedObjects
00000294 svchost.exe	File		 0080 \svcctl
00000294 svchost.exe	WindowStation  0090 
\Windows\WindowStations\Service-0x0-3e4$
00000294 svchost.exe	Desktop		0094 \Default
00000294 svchost.exe	WindowStation  0098 
\Windows\WindowStations\Service-0x0-3e4$
00000294 svchost.exe	Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
00000294 svchost.exe	Key			00b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000294 svchost.exe	Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
00000294 svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000294 svchost.exe	Key			00d8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
00000294 svchost.exe	Key			00e0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
00000294 svchost.exe	File		 00fc \WINDOWS\system32\drivers\etc
00000294 svchost.exe	Section		0108 \RPC Control\DSEC294
00000294 svchost.exe	File		 0130 \DNSRSLVR
00000294 svchost.exe	File		 0134 \DNSRSLVR
00000294 svchost.exe	File		 0144 \DNSRSLVR
00000294 svchost.exe	File		 0148 \svcctl
00000294 svchost.exe	File		 0164 \DNSRSLVR
00000294 svchost.exe	File		 0198 \DNSRSLVR
0000029C svchost.exe	Directory	0010 \KnownDlls
0000029C svchost.exe	File		 0014 \WINDOWS\system32
0000029C svchost.exe	Key			0018 \REGISTRY\MACHINE
0000029C svchost.exe	Directory	0024 \Windows
0000029C svchost.exe	Mutant		 0030 \NlsCacheMutant
0000029C svchost.exe	File		 0038 \net\NtControlPipe6
0000029C svchost.exe	Directory	0078 \BaseNamedObjects
0000029C svchost.exe	File		 0080 \svcctl
0000029C svchost.exe	WindowStation  0090 
\Windows\WindowStations\Service-0x0-3e5$
0000029C svchost.exe	Desktop		0094 \Default
0000029C svchost.exe	WindowStation  0098 
\Windows\WindowStations\Service-0x0-3e5$
0000029C svchost.exe	Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000029C svchost.exe	Key			00b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000029C svchost.exe	Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000029C svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
0000029C svchost.exe	Key			00f0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000029C svchost.exe	Key			00f8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000029C svchost.exe	File		 0110 \Alerter
0000029C svchost.exe	File		 0128 
\Winsock2\CatalogChangeListener-29c-0
0000029C svchost.exe	File		 0168 \messngr
0000029C svchost.exe	Section		0170 \RPC Control\DSEC29c
0000029C svchost.exe	File		 0194 \msgsvc
0000029C svchost.exe	File		 0198 \msgsvc
0000029C svchost.exe	File		 01d0 \Endpoint
0000029C svchost.exe	Key			01e8 
\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings
0000029C svchost.exe	Key			01f0 \REGISTRY\USER\S-1-5-19
0000029C svchost.exe	Event		01f4 
\BaseNamedObjects\crypt32LogoffEvent
0000029C svchost.exe	File		 01fc \lsarpc
0000029C svchost.exe	File		 0204 \ntsvcs
0000029C svchost.exe	Key			0214 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000029C svchost.exe	File		 0218 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000029C svchost.exe	Semaphore	0220 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
0000029C svchost.exe	Mutant		 0228 
\BaseNamedObjects\_!MSFTHISTORY!_
0000029C svchost.exe	File		 022c \Documents and 
Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet 
Files\Content.IE5\index.dat
0000029C svchost.exe	Mutant		 0230 \BaseNamedObjects\c:!documents 
and settings!localservice.nt authority!local settings!temporary internet 
files!content.ie5!
0000029C svchost.exe	Section		0234 \BaseNamedObjects\C:_Documents 
and Settings_LocalService.NT AUTHORITY_Local Settings_Temporary Internet 
Files_Content.IE5_index.dat_32768
0000029C svchost.exe	Mutant		 0238 \BaseNamedObjects\c:!documents 
and settings!localservice.nt authority!cookies!
0000029C svchost.exe	File		 023c \Documents and 
Settings\LocalService.NT AUTHORITY\Cookies\index.dat
0000029C svchost.exe	Section		0240 \BaseNamedObjects\C:_Documents 
and Settings_LocalService.NT AUTHORITY_Cookies_index.dat_16384
0000029C svchost.exe	Mutant		 0244 \BaseNamedObjects\c:!documents 
and settings!localservice.nt authority!local settings!history!history.ie5!
0000029C svchost.exe	File		 0248 \Documents and 
Settings\LocalService.NT AUTHORITY\Local 
Settings\History\History.IE5\index.dat
0000029C svchost.exe	Section		024c \BaseNamedObjects\C:_Documents 
and Settings_LocalService.NT AUTHORITY_Local 
Settings_History_History.IE5_index.dat_16384
0000029C svchost.exe	Mutant		 0254 
\BaseNamedObjects\WininetStartupMutex
0000029C svchost.exe	Mutant		 0260 
\BaseNamedObjects\WininetProxyRegistryMutex
0000029C svchost.exe	File		 02ac \DAV RPC SERVICE
0000029C svchost.exe	File		 02b0 \DAV RPC SERVICE
0000029C svchost.exe	File		 02b4 \msgsvc
0000029C svchost.exe	File		 02c0 \DNSRSLVR
0000029C svchost.exe	Mutant		 02d0 \BaseNamedObjects\RasPbFile
0000029C svchost.exe	Key			02f8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
0000029C svchost.exe	Section		0308 \BaseNamedObjects\SENS 
Information Cache
0000029C svchost.exe	Key			0310 \REGISTRY\USER
0000029C svchost.exe	Key			0314 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000029C svchost.exe	Key			0318 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
0000029C svchost.exe	File		 0358 \ROUTER
000002D8 spoolsv.exe	Directory	0010 \KnownDlls
000002D8 spoolsv.exe	File		 0014 \WINDOWS\system32
000002D8 spoolsv.exe	Directory	001c \Windows
000002D8 spoolsv.exe	Mutant		 0024 \NlsCacheMutant
000002D8 spoolsv.exe	Key			0030 \REGISTRY\MACHINE
000002D8 spoolsv.exe	WindowStation  003c \Windows\WindowStations\WinSta0
000002D8 spoolsv.exe	Desktop		0040 \Default
000002D8 spoolsv.exe	WindowStation  0044 \Windows\WindowStations\WinSta0
000002D8 spoolsv.exe	File		 0048 \net\NtControlPipe7
000002D8 spoolsv.exe	Directory	0088 \BaseNamedObjects
000002D8 spoolsv.exe	File		 0090 \svcctl
000002D8 spoolsv.exe	Event		00a0 
\BaseNamedObjects\RouterPreInitEvent
000002D8 spoolsv.exe	Section		00a4 \RPC Control\DSEC2d8
000002D8 spoolsv.exe	File		 00cc \spoolss
000002D8 spoolsv.exe	File		 00d0 \spoolss
000002D8 spoolsv.exe	Port		 00e4 \RPC Control\spoolss
000002D8 spoolsv.exe	Event		0120 
\BaseNamedObjects\crypt32LogoffEvent
000002D8 spoolsv.exe	File		 0150 \DNSRSLVR
000002D8 spoolsv.exe	Key			0190 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print
000002D8 spoolsv.exe	Key			0194 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Print\Printers
000002D8 spoolsv.exe	Key			01c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard 
TCP/IP Port
000002D8 spoolsv.exe	Key			01c8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002D8 spoolsv.exe	Key			01d0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002D8 spoolsv.exe	Key			01ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
000002D8 spoolsv.exe	File		 0200 \lsarpc
000002D8 spoolsv.exe	File		 0208 \ntsvcs
000002D8 spoolsv.exe	Key			0220 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Key			0228 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0234 \REGISTRY\USER
000002D8 spoolsv.exe	Key			0238 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Key			0244 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			024c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0254 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe	Key			025c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Key			0264 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0270 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0278 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0280 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe	Section		0288 
\BaseNamedObjects\__R_000000000013_SMem__
000002D8 spoolsv.exe	Key			028c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Port		 02ac \RPC Control\OLE4
000002D8 spoolsv.exe	Key			02e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000002D8 spoolsv.exe	Key			02e8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000002D8 spoolsv.exe	Key			02ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000002D8 spoolsv.exe	Key			02f0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000002D8 spoolsv.exe	Key			0328 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000002D8 spoolsv.exe	File		 0330 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000002D8 spoolsv.exe	Key			0334 \REGISTRY\USER\.DEFAULT
000002D8 spoolsv.exe	Semaphore	0338 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000002D8 spoolsv.exe	Event		0350 \BaseNamedObjects\userenv:  User 
Profile setup event
000002FC msdtc.exe	Directory	0010 \KnownDlls
000002FC msdtc.exe	File		 0014 \WINDOWS\system32
000002FC msdtc.exe	Directory	0024 \Windows
000002FC msdtc.exe	Mutant		 0030 \NlsCacheMutant
000002FC msdtc.exe	Key			0038 \REGISTRY\MACHINE
000002FC msdtc.exe	WindowStation  0044 
\Windows\WindowStations\Service-0x0-3e4$
000002FC msdtc.exe	Desktop		0048 \Default
000002FC msdtc.exe	WindowStation  004c 
\Windows\WindowStations\Service-0x0-3e4$
000002FC msdtc.exe	Directory	0058 \BaseNamedObjects
000002FC msdtc.exe	Key			00ac 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000002FC msdtc.exe	File		 00c0 \net\NtControlPipe8
000002FC msdtc.exe	File		 00d4 \svcctl
000002FC msdtc.exe	Event		00f8 
\BaseNamedObjects\EVENT_MSDTC_STARTING
000002FC msdtc.exe	Key			0104 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002FC msdtc.exe	Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002FC msdtc.exe	Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Tracing\MSDTC\Changed
000002FC msdtc.exe	Section		0150 \RPC Control\DSEC2fc
000002FC msdtc.exe	Port		 0158 \RPC 
Control\LRPC000002fc.00000001
000002FC msdtc.exe	File		 018c \Endpoint
000002FC msdtc.exe	File		 01a8 
\Winsock2\CatalogChangeListener-2fc-0
000002FC msdtc.exe	File		 01ac \Endpoint
000002FC msdtc.exe	Key			01b0 
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe	Key			01d0 
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe	Key			01d4 
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe	Key			01d8 
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe	Key			01dc 
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe	Key			01e0 
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe	Key			0208 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe	Key			0210 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			021c \REGISTRY\USER
000002FC msdtc.exe	Key			0220 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe	Key			022c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0234 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			023c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe	Key			0244 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe	Key			024c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0258 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0260 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0268 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe	Section		0270 
\BaseNamedObjects\__R_000000000013_SMem__
000002FC msdtc.exe	Key			0274 \REGISTRY\USER\S-1-5-20_CLASSES
000002FC msdtc.exe	File		 0284 
\WINDOWS\system32\MsDtc\MSDTC.LOG
000002FC msdtc.exe	Event		02d8 
\BaseNamedObjects\MSDTC_NAMED_EVENT
000003B8 inetinfo.exe   Directory	0010 \KnownDlls
000003B8 inetinfo.exe   File		 0014 \WINDOWS\system32
000003B8 inetinfo.exe   Directory	001c \Windows
000003B8 inetinfo.exe   Mutant		 0024 \NlsCacheMutant
000003B8 inetinfo.exe   Key			0030 \REGISTRY\MACHINE
000003B8 inetinfo.exe   WindowStation  003c 
\Windows\WindowStations\Service-0x0-3e7$
000003B8 inetinfo.exe   Desktop		0040 \Default
000003B8 inetinfo.exe   WindowStation  0044 
\Windows\WindowStations\__X78B95_89_IW
000003B8 inetinfo.exe   Directory	0048 \BaseNamedObjects
000003B8 inetinfo.exe   Event		0064 
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000003B8 inetinfo.exe   File		 006c \net\NtControlPipe9
000003B8 inetinfo.exe   File		 00b0 \svcctl
000003B8 inetinfo.exe   File		 00c0 \svcctl
000003B8 inetinfo.exe   Key			00cc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000003B8 inetinfo.exe   File		 00d0 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000003B8 inetinfo.exe   Key			00d4 \REGISTRY\USER\.DEFAULT
000003B8 inetinfo.exe   Desktop		00e8 \__A8D9S1_42_ID
000003B8 inetinfo.exe   WindowStation  00ec 
\Windows\WindowStations\__X78B95_89_IW
000003B8 inetinfo.exe   Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   Key			012c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0138 \REGISTRY\USER
000003B8 inetinfo.exe   Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0150 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe   Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   Key			0168 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0174 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0184 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe   Section		018c 
\BaseNamedObjects\__R_000000000013_SMem__
000003B8 inetinfo.exe   File		 01c0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01c8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01d0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01d8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01e0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01e8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01f0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01f8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 0200 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 0208 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   Key			0228 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003B8 inetinfo.exe   Semaphore	026c 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000003B8 inetinfo.exe   Event		0284 \BaseNamedObjects\userenv:  User 
Profile setup event
000003B8 inetinfo.exe   Event		0288 
\BaseNamedObjects\crypt32LogoffEvent
000003B8 inetinfo.exe   Section		02d0 \RPC Control\DSEC3b8
000003B8 inetinfo.exe   Port		 02d8 \RPC Control\OLE5
000003B8 inetinfo.exe   Key			0350 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003B8 inetinfo.exe   Key			0358 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003B8 inetinfo.exe   Mutant		 051c \BaseNamedObjects\DBWinMutex
000003B8 inetinfo.exe   Port		 05bc \RPC Control\INETINFO_LPC
000003B8 inetinfo.exe   File		 05ec \Endpoint
000003B8 inetinfo.exe   File		 05fc 
\Winsock2\CatalogChangeListener-3b8-0
000003B8 inetinfo.exe   File		 0610 \Endpoint
000003B8 inetinfo.exe   File		 0638 \INETINFO
000003B8 inetinfo.exe   File		 063c \INETINFO
000003B8 inetinfo.exe   Key			065c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
000003B8 inetinfo.exe   File		 0668 \EVENTLOG
000003B8 inetinfo.exe   Key			0674 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe   File		 0698 \Endpoint
000003B8 inetinfo.exe   Key			06c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip
000003B8 inetinfo.exe   Key			06dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Parameters
000003B8 inetinfo.exe   File		 071c \Inetpub\ftproot
000003B8 inetinfo.exe   Event		072c 
\BaseNamedObjects\MicrosoftInternetNewsServerVersion2BootCheckEvent
000003B8 inetinfo.exe   File		 073c \Endpoint
000003B8 inetinfo.exe   File		 0740 \Endpoint
000003B8 inetinfo.exe   File		 0744 \Endpoint
000003B8 inetinfo.exe   File		 0748 \Endpoint
000003B8 inetinfo.exe   File		 074c \Endpoint
000003B8 inetinfo.exe   File		 0750 \Endpoint
000003B8 inetinfo.exe   File		 0754 \Endpoint
000003B8 inetinfo.exe   File		 0758 \Endpoint
000003B8 inetinfo.exe   File		 075c \Endpoint
000003B8 inetinfo.exe   File		 0760 \Endpoint
000003B8 inetinfo.exe   File		 0764 \Endpoint
000003B8 inetinfo.exe   File		 076c \Endpoint
000003B8 inetinfo.exe   Port		 07f0 \RPC Control\SMTPSVC_LPC
000003B8 inetinfo.exe   File		 0824 \SMTPSVC
000003B8 inetinfo.exe   File		 0828 \SMTPSVC
000003B8 inetinfo.exe   Port		 0830 \RPC Control\NNTPSVC_LPC
000003B8 inetinfo.exe   Section		0858 \BaseNamedObjects\RotHintTable
000003B8 inetinfo.exe   Key			0860 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   File		 0874 \Endpoint
000003B8 inetinfo.exe   File		 08ec \Endpoint
000003B8 inetinfo.exe   File		 08f0 \Endpoint
000003B8 inetinfo.exe   File		 08f4 \Endpoint
000003B8 inetinfo.exe   File		 08f8 \Endpoint
000003B8 inetinfo.exe   File		 08fc \Endpoint
000003B8 inetinfo.exe   File		 0900 \Endpoint
000003B8 inetinfo.exe   File		 0918 \Inetpub\mailroot\Pickup
000003B8 inetinfo.exe   Section		091c \BaseNamedObjects\NTFSDrv
000003B8 inetinfo.exe   Section		0920 \BaseNamedObjects\NTFSDRV_OBJ0
000003B8 inetinfo.exe   File		 093c \Endpoint
000003B8 inetinfo.exe   File		 0944 \Endpoint
000003B8 inetinfo.exe   File		 0948 \Endpoint
000003B8 inetinfo.exe   File		 094c \Endpoint
000003B8 inetinfo.exe   File		 0950 \Endpoint
000003B8 inetinfo.exe   File		 0954 \Endpoint
000003B8 inetinfo.exe   File		 0958 \Endpoint
000003B8 inetinfo.exe   File		 095c \Endpoint
000003B8 inetinfo.exe   File		 0960 \Endpoint
000003B8 inetinfo.exe   File		 0964 \Endpoint
000003B8 inetinfo.exe   File		 0968 \Endpoint
000003B8 inetinfo.exe   Key			0978 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Parameters
000003B8 inetinfo.exe   File		 0994 \Inetpub\nntpfile\groupvar.lst
000003B8 inetinfo.exe   File		 0998 \Inetpub\nntpfile\group.lst
000003B8 inetinfo.exe   File		 099c \Inetpub\nntpfile\article.hsh
000003B8 inetinfo.exe   File		 09a4 \Inetpub\nntpfile\history.hsh
000003B8 inetinfo.exe   File		 09ac \Inetpub\nntpfile\xover.hsh
000003B8 inetinfo.exe   Key			09dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ContentIndex
000003B8 inetinfo.exe   File		 09e0 
\Inetpub\nntpfile\root\control\group.vpp
000003B8 inetinfo.exe   File		 09e4 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe   File		 09f0 \Inetpub\nntpfile\pickup
000003B8 inetinfo.exe   File		 09fc 
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe   File		 0a00 \Inetpub\nntpfile\root
000003B8 inetinfo.exe   File		 0a04 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe   File		 0a10 \Endpoint
000003B8 inetinfo.exe   File		 0a18 \Endpoint
000003B8 inetinfo.exe   File		 0a1c \Endpoint
000003B8 inetinfo.exe   File		 0a20 \Endpoint
000003B8 inetinfo.exe   File		 0a24 
\Inetpub\nntpfile\root\_slavegroup\group.vpp
000003B8 inetinfo.exe   File		 0a28 
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe   File		 0a30 \Inetpub\nntpfile\root\group.vpp
000003B8 inetinfo.exe   File		 0a34 \Inetpub\nntpfile\root
000003B8 inetinfo.exe   File		 0a3c \Endpoint
000003B8 inetinfo.exe   File		 0a40 \Endpoint
000003B8 inetinfo.exe   File		 0a44 \Endpoint
000003B8 inetinfo.exe   File		 0a48 \Endpoint
000003B8 inetinfo.exe   File		 0a4c \Endpoint
000003B8 inetinfo.exe   File		 0a50 \Endpoint
000003B8 inetinfo.exe   File		 0a54 \Endpoint
000003B8 inetinfo.exe   File		 0a5c \Endpoint
000003B8 inetinfo.exe   File		 0a64 \Endpoint
000003B8 inetinfo.exe   File		 0a68 \Endpoint
000003B8 inetinfo.exe   File		 0a6c \Endpoint
000003B8 inetinfo.exe   File		 0a70 \Endpoint
000003B8 inetinfo.exe   File		 0a74 \Endpoint
000003B8 inetinfo.exe   File		 0a78 \Endpoint
000003B8 inetinfo.exe   File		 0a7c \Endpoint
000003B8 inetinfo.exe   File		 0a80 \Endpoint
000003B8 inetinfo.exe   File		 0a84 \Endpoint
000003B8 inetinfo.exe   File		 0a88 \Endpoint
000003B8 inetinfo.exe   File		 0ae0 \NNTPSVC
000003B8 inetinfo.exe   File		 0ae4 \NNTPSVC
000003B8 inetinfo.exe   File		 0b60 \DefaultAppPool
000003B8 inetinfo.exe   File		 0b88 \iisipm
000003B8 inetinfo.exe   Key			0bb8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe   Key			0bc8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003B8 inetinfo.exe   File		 0bdc \IISCgiStdOut952
000003B8 inetinfo.exe   File		 0be4 \IISCgiStdIn952
000003B8 inetinfo.exe   File		 0c10 \SSLFilterChannel
000003CC llssrv.exe	 Directory	0010 \KnownDlls
000003CC llssrv.exe	 File		 0014 \WINDOWS\system32
000003CC llssrv.exe	 Directory	0024 \Windows
000003CC llssrv.exe	 Mutant		 0030 \NlsCacheMutant
000003CC llssrv.exe	 Key			0038 \REGISTRY\MACHINE
000003CC llssrv.exe	 WindowStation  004c 
\Windows\WindowStations\Service-0x0-3e4$
000003CC llssrv.exe	 Desktop		0050 \Default
000003CC llssrv.exe	 WindowStation  0054 
\Windows\WindowStations\Service-0x0-3e4$
000003CC llssrv.exe	 Directory	005c \BaseNamedObjects
000003CC llssrv.exe	 File		 0068 \net\NtControlPipe10
000003CC llssrv.exe	 File		 00ac \svcctl
000003CC llssrv.exe	 Key			0120 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003CC llssrv.exe	 Key			0128 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003CC llssrv.exe	 Section		0140 \RPC Control\DSEC3cc
000003CC llssrv.exe	 Port		 014c \RPC Control\llslpc
000003CC llssrv.exe	 File		 017c \llsrpc
000003CC llssrv.exe	 File		 0180 \llsrpc
000003A8 NSPMON.exe	 Directory	0010 \KnownDlls
000003A8 NSPMON.exe	 File		 0014 \WINDOWS\system32
000003A8 NSPMON.exe	 Key			0018 \REGISTRY\MACHINE
000003A8 NSPMON.exe	 Directory	0024 \Windows
000003A8 NSPMON.exe	 Mutant		 0030 \NlsCacheMutant
000003A8 NSPMON.exe	 WindowStation  0040 
\Windows\WindowStations\Service-0x0-b39a$
000003A8 NSPMON.exe	 Desktop		0044 \Default
000003A8 NSPMON.exe	 WindowStation  0048 
\Windows\WindowStations\Service-0x0-b39a$
000003A8 NSPMON.exe	 Directory	0050 \BaseNamedObjects
000003A8 NSPMON.exe	 Key			005c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003A8 NSPMON.exe	 Key			0064 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003A8 NSPMON.exe	 File		 0068 \net\NtControlPipe11
000003A8 NSPMON.exe	 File		 00ac \svcctl
000003A8 NSPMON.exe	 File		 00e8 \Endpoint
000003A8 NSPMON.exe	 File		 00f0 \Endpoint
0000041C NSCM.exe	 Directory	0010 \KnownDlls
0000041C NSCM.exe	 File		 0014 \WINDOWS\system32
0000041C NSCM.exe	 Key			0018 \REGISTRY\MACHINE
0000041C NSCM.exe	 Directory	0024 \Windows
0000041C NSCM.exe	 Mutant		 0030 \NlsCacheMutant
0000041C NSCM.exe	 WindowStation  0040 
\Windows\WindowStations\Service-0x0-b80d$
0000041C NSCM.exe	 Desktop		0044 \Default
0000041C NSCM.exe	 WindowStation  0048 
\Windows\WindowStations\Service-0x0-b80d$
0000041C NSCM.exe	 Directory	0050 \BaseNamedObjects
0000041C NSCM.exe	 Mutant		 0054 
\BaseNamedObjects\McmServPERF_REGISTRY_MUTEX
0000041C NSCM.exe	 Key			0058 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe	 Key			005c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe	 File		 0068 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_41c.dat
0000041C NSCM.exe	 Section		006c 
\BaseNamedObjects\Perflib_Perfdata_41c
0000041C NSCM.exe	 Key			00ac 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe	 Event		00b0 
\BaseNamedObjects\McmServPerf_RegChangeEvent
0000041C NSCM.exe	 Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
0000041C NSCM.exe	 Mutant		 00b8 
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
0000041C NSCM.exe	 Mutant		 00c0 
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
0000041C NSCM.exe	 Mutant		 00c8 
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00cc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
0000041C NSCM.exe	 Mutant		 00d0 
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00d4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
0000041C NSCM.exe	 Mutant		 00d8 
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
0000041C NSCM.exe	 Mutant		 00e0 
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
0000041C NSCM.exe	 Mutant		 00e8 
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
0000041C NSCM.exe	 Mutant		 00f0 
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00f4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe	 Mutant		 00f8 
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			00fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
0000041C NSCM.exe	 Mutant		 0100 
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			0104 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
0000041C NSCM.exe	 Mutant		 0108 
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
0000041C NSCM.exe	 Mutant		 0110 
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			0114 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
0000041C NSCM.exe	 Mutant		 0118 
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			011c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
0000041C NSCM.exe	 Mutant		 0120 
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			0124 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
0000041C NSCM.exe	 Mutant		 0128 
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			012c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
0000041C NSCM.exe	 Mutant		 0130 
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			0134 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
0000041C NSCM.exe	 Mutant		 0138 
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			013c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
0000041C NSCM.exe	 Mutant		 0140 
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			0144 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
0000041C NSCM.exe	 Mutant		 0148 
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			014c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
0000041C NSCM.exe	 Mutant		 0150 
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			0154 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
0000041C NSCM.exe	 Mutant		 0158 
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			015c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
0000041C NSCM.exe	 Mutant		 0160 
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			0164 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
0000041C NSCM.exe	 Mutant		 0168 
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Key			016c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
0000041C NSCM.exe	 Mutant		 0170 
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0174 
\BaseNamedObjects\McmServPERF_INFO_MUTEX
0000041C NSCM.exe	 File		 017c \net\NtControlPipe12
0000041C NSCM.exe	 File		 0190 \svcctl
0000041C NSCM.exe	 Key			019c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000041C NSCM.exe	 Key			01a4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000041C NSCM.exe	 Key			01b0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation
0000041C NSCM.exe	 Key			01b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Parameters
0000041C NSCM.exe	 Key			01c4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
0000041C NSCM.exe	 Key			01cc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
0000041C NSCM.exe	 Section		01d4 \BaseNamedObjects\McmServ 
PerfAPI Global Info ShMem
0000041C NSCM.exe	 Mutant		 01f4 \BaseNamedObjects\Shared Mutex 
for McmServ Data Collection_0
0000041C NSCM.exe	 Section		01f8 \BaseNamedObjects\McmServ 
Counter Name ShMem
0000041C NSCM.exe	 Section		01fc \BaseNamedObjects\McmServ 
Counter Help ShMem
0000041C NSCM.exe	 Section		0200 \BaseNamedObjects\McmServ 
PerfAPI Counter Data ShMem_Windows Media Station Service
0000041C NSCM.exe	 Key			0218 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Stations
0000041C NSCM.exe	 File		 0220 \Endpoint
0000041C NSCM.exe	 File		 0228 \Endpoint
0000041C NSCM.exe	 Section		0250 \RPC Control\DSEC41c
0000041C NSCM.exe	 Port		 0254 \RPC Control\OLE9
0000041C NSCM.exe	 Key			0278 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe	 Key			0280 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			028c \REGISTRY\USER
0000041C NSCM.exe	 Key			0290 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe	 Key			029c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02a4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02ac 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe	 Key			02b4 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe	 Key			02bc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02c8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02d0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02d8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe	 Section		02e0 
\BaseNamedObjects\__R_000000000013_SMem__
0000041C NSCM.exe	 Key			02e4 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
0000041C NSCM.exe	 File		 02f0 \lsarpc
0000046C svchost.exe	Directory	0010 \KnownDlls
0000046C svchost.exe	File		 0014 \WINDOWS\system32
0000046C svchost.exe	Key			0018 \REGISTRY\MACHINE
0000046C svchost.exe	Directory	0024 \Windows
0000046C svchost.exe	Mutant		 0030 \NlsCacheMutant
0000046C svchost.exe	File		 0038 \net\NtControlPipe13
0000046C svchost.exe	Directory	0078 \BaseNamedObjects
0000046C svchost.exe	File		 0080 \svcctl
0000046C svchost.exe	Section		0098 \RPC Control\DSEC46c
0000046C svchost.exe	File		 00c0 \winreg
0000046C svchost.exe	File		 00c4 \winreg
0000046C svchost.exe	Event		00d0 
\BaseNamedObjects\Microsoft.RPC_Registry_Server
000004C0 svchost.exe	Directory	0010 \KnownDlls
000004C0 svchost.exe	File		 0014 \WINDOWS\system32
000004C0 svchost.exe	Directory	001c \Windows
000004C0 svchost.exe	Mutant		 0024 \NlsCacheMutant
000004C0 svchost.exe	Key			002c \REGISTRY\MACHINE
000004C0 svchost.exe	WindowStation  003c 
\Windows\WindowStations\Service-0x0-3e7$
000004C0 svchost.exe	Desktop		0040 \Default
000004C0 svchost.exe	WindowStation  0044 
\Windows\WindowStations\Service-0x0-3e7$
000004C0 svchost.exe	Directory	0048 \BaseNamedObjects
000004C0 svchost.exe	File		 008c \net\NtControlPipe14
000004C0 svchost.exe	File		 00a0 \svcctl
000004C0 svchost.exe	Event		00cc 
\BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
000004C0 svchost.exe	File		 00d0 \WINDOWS\system32\wbem\mof
000004C0 svchost.exe	Event		00d4 
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe	Event		00d8 
\BaseNamedObjects\WINMGMT_COREDLL_UNLOADED
000004C0 svchost.exe	Event		00dc 
\BaseNamedObjects\WINMGMT_COREDLL_LOADED
000004C0 svchost.exe	Event		00e0 
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER_TERMINATE
000004C0 svchost.exe	Mutant		 00e4 
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER
000004C0 svchost.exe	Event		00e8 
\BaseNamedObjects\WINMGMT_NEED_REGISTRATION
000004C0 svchost.exe	Event		00ec 
\BaseNamedObjects\WINMGMT_REGISTRATION_DONE
000004C0 svchost.exe	Mutant		 00f0 
\BaseNamedObjects\WINMGMT_KEEP_NEW_CLIENTS_AT_BAY
000004C0 svchost.exe	Event		00f4 
\BaseNamedObjects\WMI_SysEvent_LodCtr
000004C0 svchost.exe	Event		00f8 
\BaseNamedObjects\WMI_SysEvent_UnLodCtr
000004C0 svchost.exe	Section		0100 \RPC Control\DSEC4c0
000004C0 svchost.exe	Port		 0104 \RPC Control\OLEa
000004C0 svchost.exe	Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			012c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0138 \REGISTRY\USER
000004C0 svchost.exe	Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0150 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe	Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			0168 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0174 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0184 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe	Section		018c 
\BaseNamedObjects\__R_000000000013_SMem__
000004C0 svchost.exe	Key			0190 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			0214 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000004C0 svchost.exe	Key			021c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000004C0 svchost.exe	Key			0220 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000004C0 svchost.exe	Mutant		 0238 \BaseNamedObjects\WINMGMT_ACTIVE
000004C0 svchost.exe	File		 025c 
\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
000004C0 svchost.exe	File		 0260 
\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
000004C0 svchost.exe	Key			027c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
000004C0 svchost.exe	Section		0284 \BaseNamedObjects\Wmi Provider 
Sub System Counters
000004C0 svchost.exe	Event		029c 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		02b4 
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe	Job			02b8 
\BaseNamedObjects\WmiProviderSubSystemHostJob
000004C0 svchost.exe	Event		02e4 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		02ec 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		04e0 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		0500 
\BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
000004C0 svchost.exe	File		 050c \PIPE_EVENTROOT\CIMV2SCM EVENT 
PROVIDER
000004C0 svchost.exe	Event		0518 
\BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
000004C0 svchost.exe	Event		0524 
\BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT 
PROVIDER
000004C0 svchost.exe	Event		0530 
\BaseNamedObjects\EVENT_READYROOT/CIMV2STANDARD NON-COM EVENT PROVIDER
000004C0 svchost.exe	File		 0538 \PIPE_EVENTROOT\CIMV2SCM EVENT 
PROVIDER
000003DC dfssvc.exe	 Directory	0010 \KnownDlls
000003DC dfssvc.exe	 File		 0014 \WINDOWS\system32
000003DC dfssvc.exe	 Directory	0018 \Windows
000003DC dfssvc.exe	 Mutant		 0024 \NlsCacheMutant
000003DC dfssvc.exe	 Key			0030 \REGISTRY\MACHINE
000003DC dfssvc.exe	 WindowStation  0044 
\Windows\WindowStations\Service-0x0-3e7$
000003DC dfssvc.exe	 Desktop		0048 \Default
000003DC dfssvc.exe	 WindowStation  004c 
\Windows\WindowStations\Service-0x0-3e7$
000003DC dfssvc.exe	 Directory	0050 \BaseNamedObjects
000003DC dfssvc.exe	 Event		0064 \BaseNamedObjects\userenv:  User 
Profile setup event
000003DC dfssvc.exe	 File		 0070 \net\NtControlPipe15
000003DC dfssvc.exe	 File		 00b4 \svcctl
000003DC dfssvc.exe	 Section		00d0 \RPC Control\DSEC3dc
000003DC dfssvc.exe	 File		 00fc \netdfs
000003DC dfssvc.exe	 File		 0100 \netdfs
000003DC dfssvc.exe	 File		 0110 \wkssvc
000004F0 NSUM.exe	 Directory	0010 \KnownDlls
000004F0 NSUM.exe	 File		 0014 \WINDOWS\system32
000004F0 NSUM.exe	 Key			001c \REGISTRY\MACHINE
000004F0 NSUM.exe	 Directory	0024 \Windows
000004F0 NSUM.exe	 Mutant		 0030 \NlsCacheMutant
000004F0 NSUM.exe	 WindowStation  0040 
\Windows\WindowStations\Service-0x0-c3f3$
000004F0 NSUM.exe	 Desktop		0044 \Default
000004F0 NSUM.exe	 WindowStation  0048 
\Windows\WindowStations\Service-0x0-c3f3$
000004F0 NSUM.exe	 Directory	0050 \BaseNamedObjects
000004F0 NSUM.exe	 Mutant		 0054 
\BaseNamedObjects\AsfServPERF_REGISTRY_MUTEX
000004F0 NSUM.exe	 Key			0058 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe	 Key			005c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe	 File		 0068 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_4f0.dat
000004F0 NSUM.exe	 Section		006c 
\BaseNamedObjects\Perflib_Perfdata_4f0
000004F0 NSUM.exe	 Key			00ac 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe	 Event		00b0 
\BaseNamedObjects\AsfServPerf_RegChangeEvent
000004F0 NSUM.exe	 Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
000004F0 NSUM.exe	 Mutant		 00b8 
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
000004F0 NSUM.exe	 Mutant		 00c0 
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
000004F0 NSUM.exe	 Mutant		 00c8 
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00cc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
000004F0 NSUM.exe	 Mutant		 00d0 
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00d4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
000004F0 NSUM.exe	 Mutant		 00d8 
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
000004F0 NSUM.exe	 Mutant		 00e0 
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
000004F0 NSUM.exe	 Mutant		 00e8 
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
000004F0 NSUM.exe	 Mutant		 00f0 
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00f4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
000004F0 NSUM.exe	 Mutant		 00f8 
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			00fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe	 Mutant		 0100 
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			0104 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
000004F0 NSUM.exe	 Mutant		 0108 
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
000004F0 NSUM.exe	 Mutant		 0110 
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			0114 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
000004F0 NSUM.exe	 Mutant		 0118 
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			011c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
000004F0 NSUM.exe	 Mutant		 0120 
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			0124 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
000004F0 NSUM.exe	 Mutant		 0128 
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			012c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
000004F0 NSUM.exe	 Mutant		 0130 
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			0134 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
000004F0 NSUM.exe	 Mutant		 0138 
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			013c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
000004F0 NSUM.exe	 Mutant		 0140 
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			0144 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
000004F0 NSUM.exe	 Mutant		 0148 
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			014c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
000004F0 NSUM.exe	 Mutant		 0150 
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			0154 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
000004F0 NSUM.exe	 Mutant		 0158 
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			015c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
000004F0 NSUM.exe	 Mutant		 0160 
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			0164 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
000004F0 NSUM.exe	 Mutant		 0168 
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Key			016c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
000004F0 NSUM.exe	 Mutant		 0170 
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0174 
\BaseNamedObjects\AsfServPERF_INFO_MUTEX
000004F0 NSUM.exe	 Key			0180 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000004F0 NSUM.exe	 File		 0184 \net\NtControlPipe16
000004F0 NSUM.exe	 File		 019c \svcctl
000004F0 NSUM.exe	 Key			01c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000004F0 NSUM.exe	 Key			01d0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000004F0 NSUM.exe	 Section		01d8 \BaseNamedObjects\AsfServ 
PerfAPI Global Info ShMem
000004F0 NSUM.exe	 Mutant		 01dc \BaseNamedObjects\Shared Mutex 
for AsfServ Data Collection_0
000004F0 NSUM.exe	 Section		01e0 \BaseNamedObjects\AsfServ 
Counter Name ShMem
000004F0 NSUM.exe	 Section		01e4 \BaseNamedObjects\AsfServ 
Counter Help ShMem
000004F0 NSUM.exe	 Section		01e8 \BaseNamedObjects\AsfServ 
PerfAPI Counter Data ShMem_Windows Media Unicast Service
000004F0 NSUM.exe	 Key			0228 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters\Virtual 
Roots
000004F0 NSUM.exe	 Key			022c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters
000004F0 NSUM.exe	 Key			023c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowUnicastClients
000004F0 NSUM.exe	 Key			0240 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowUnicastClients
000004F0 NSUM.exe	 Key			0248 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
000004F0 NSUM.exe	 Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
000004F0 NSUM.exe	 File		 0278 \Endpoint
000004F0 NSUM.exe	 File		 0280 \Endpoint
000004F0 NSUM.exe	 File		 0284 \Endpoint
000004F0 NSUM.exe	 File		 028c \Endpoint
000004F0 NSUM.exe	 File		 0290 \Endpoint
000004F0 NSUM.exe	 Section		029c \RPC Control\DSEC4f0
000004F0 NSUM.exe	 Port		 02ac \RPC Control\OLEb
000004F0 NSUM.exe	 Key			02b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Event 
Notification\ACL Check
000004F0 NSUM.exe	 Key			02cc 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe	 Key			02d4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			02e0 \REGISTRY\USER
000004F0 NSUM.exe	 Key			02e4 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe	 Key			02f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			02f8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			0300 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe	 Key			0308 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe	 Key			0310 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			031c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			0324 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			032c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe	 Section		0334 
\BaseNamedObjects\__R_000000000013_SMem__
000004F0 NSUM.exe	 Key			0338 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
000004F0 NSUM.exe	 Key			033c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP 
BASIC-Membership
000004F0 NSUM.exe	 Key			0340 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP 
BASIC-NTLM
000004F0 NSUM.exe	 Key			0344 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\NTLM-NTLM
00000548 nspm.exe	 Directory	0010 \KnownDlls
00000548 nspm.exe	 File		 0014 \WINDOWS\system32
00000548 nspm.exe	 Key			0018 \REGISTRY\MACHINE
00000548 nspm.exe	 Directory	0024 \Windows
00000548 nspm.exe	 Mutant		 0030 \NlsCacheMutant
00000548 nspm.exe	 WindowStation  0044 
\Windows\WindowStations\Service-0x0-ce4b$
00000548 nspm.exe	 Desktop		0048 \Default
00000548 nspm.exe	 WindowStation  004c 
\Windows\WindowStations\Service-0x0-ce4b$
00000548 nspm.exe	 Directory	0050 \BaseNamedObjects
00000548 nspm.exe	 Key			005c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
00000548 nspm.exe	 Key			0068 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000\Control 
Panel\International
00000548 nspm.exe	 File		 00c0 \net\NtControlPipe17
00000548 nspm.exe	 File		 00c4 \svcctl
00000548 nspm.exe	 Key			00e8 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe	 Key			00f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			00fc \REGISTRY\USER
00000548 nspm.exe	 Key			0100 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe	 Key			010c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0114 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			011c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe	 Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe	 Key			012c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0138 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0140 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe	 Section		0150 
\BaseNamedObjects\__R_000000000013_SMem__
00000548 nspm.exe	 Key			0154 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
00000548 nspm.exe	 Section		0160 \RPC Control\DSEC548
00000548 nspm.exe	 Port		 0168 \RPC Control\OLEd
00000548 nspm.exe	 Key			0198 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000548 nspm.exe	 File		 019c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000548 nspm.exe	 Key			01a0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000548 nspm.exe	 Key			01a8 
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 
0x548 Thread 0x5d0 DBC 0x37684 Jet
00000548 nspm.exe	 Key			01c0 
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 
0x548 Thread 0x5d0 DBC 0x37684 Jet\Engines\Jet
00000548 nspm.exe	 File		 01d8 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JETA66.tmp
00000548 nspm.exe	 File		 01f8 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JET1.tmp
00000548 nspm.exe	 File		 0218 \WINDOWS\system32\Windows 
Media\Server\ASDB\mdsas.mdb
00000548 nspm.exe	 File		 021c \WINDOWS\system32\Windows 
Media\Server\ASDB\mdsas.ldb
000005C8 svchost.exe	Directory	0010 \KnownDlls
000005C8 svchost.exe	File		 0014 \WINDOWS\system32
000005C8 svchost.exe	Directory	001c \Windows
000005C8 svchost.exe	Mutant		 0024 \NlsCacheMutant
000005C8 svchost.exe	Key			002c \REGISTRY\MACHINE
000005C8 svchost.exe	WindowStation  003c \Windows\WindowStations\WinSta0
000005C8 svchost.exe	Desktop		0040 \Default
000005C8 svchost.exe	WindowStation  0044 \Windows\WindowStations\WinSta0
000005C8 svchost.exe	Directory	0048 \BaseNamedObjects
000005C8 svchost.exe	File		 008c \net\NtControlPipe18
000005C8 svchost.exe	File		 00a0 \svcctl
000005C8 svchost.exe	Event		00b8 
\BaseNamedObjects\crypt32LogoffEvent
000005C8 svchost.exe	Event		00e0 \BaseNamedObjects\userenv:  User 
Profile setup event
000005C8 svchost.exe	Key			00e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000005C8 svchost.exe	File		 014c \SSLFilterChannel
000005C8 svchost.exe	Key			0164 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Key			016c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			0178 \REGISTRY\USER
000005C8 svchost.exe	Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Key			0188 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			0190 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			0198 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe	Key			01a0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Key			01a8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			01b4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			01bc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			01c4 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe	Section		01cc 
\BaseNamedObjects\__R_000000000013_SMem__
000005C8 svchost.exe	Key			01d0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Section		01d4 \RPC Control\DSEC5c8
000005C8 svchost.exe	Port		 01e0 \RPC Control\OLEf
000005C8 svchost.exe	Section		0214 
\BaseNamedObjects\IISCacheCounters-c205a604-4df5-42b6-8fe9-dbfe18f022a0_1_A
000005C8 svchost.exe	Section		0218 
\BaseNamedObjects\IISCounterControlBlock-46382a23-095e-4559-8d63-6fdeaf552c23
000005C8 svchost.exe	Event		0220 
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000005C8 svchost.exe	Key			0228 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000005C8 svchost.exe	File		 022c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000005C8 svchost.exe	Key			0230 \REGISTRY\USER\.DEFAULT
000005C8 svchost.exe	Semaphore	0234 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000005C8 svchost.exe	File		 0278 \DefaultAppPool
000005C8 svchost.exe	Section		02a4 
\BaseNamedObjects\IISCacheCounters-c205a604-4df5-42b6-8fe9-dbfe18f022a0_1_B
000005C8 svchost.exe	Section		02a8 
\BaseNamedObjects\IISSitesCounters-99c62c38-377d-4a73-af40-6ea7ed1f5896_1_A
000005C8 svchost.exe	Section		02ac 
\BaseNamedObjects\IISSitesCounters-99c62c38-377d-4a73-af40-6ea7ed1f5896_1_B
000005C8 svchost.exe	Event		02b0 
\BaseNamedObjects\WASPerfCount-c40da922-9c0a-4def-8aba-cd0bb5f093e1
000005C8 svchost.exe	File		 02bc \iisipm
000000F8 explorer.exe   Directory	0010 \KnownDlls
000000F8 explorer.exe   File		 0014 \Documents and 
Settings\user.XP
000000F8 explorer.exe   Directory	0018 \Windows
000000F8 explorer.exe   Mutant		 0024 \NlsCacheMutant
000000F8 explorer.exe   Key			0030 \REGISTRY\MACHINE
000000F8 explorer.exe   WindowStation  003c \Windows\WindowStations\WinSta0
000000F8 explorer.exe   Desktop		0040 \Default
000000F8 explorer.exe   WindowStation  0044 \Windows\WindowStations\WinSta0
000000F8 explorer.exe   Key			0048 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   File		 004c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   Key			0050 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000F8 explorer.exe   Directory	0054 \BaseNamedObjects
000000F8 explorer.exe   Key			0058 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
000000F8 explorer.exe   File		 005c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   Key			0060 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   File		 0064 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 0068 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   Key			006c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows 
NT\CurrentVersion\Windows
000000F8 explorer.exe   Mutant		 0070 
\BaseNamedObjects\ExplorerIsShellMutex
000000F8 explorer.exe   Semaphore	0074 
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
000000F8 explorer.exe   Semaphore	0080 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
000000F8 explorer.exe   Key			0094 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe   Key			009c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00a8 \REGISTRY\USER
000000F8 explorer.exe   Key			00ac 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe   Key			00b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00c8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe   Key			00d0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe   Key			00d8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00e4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00ec 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00f4 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe   Section		00fc 
\BaseNamedObjects\__R_000000000013_SMem__
000000F8 explorer.exe   Semaphore	0104 
\BaseNamedObjects\shell.{090851A5-EB96-11D2-8BE4-00C04FA31A66}
000000F8 explorer.exe   File		 0108 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   Section		0150 \RPC Control\DSECf8
000000F8 explorer.exe   Port		 0164 \RPC Control\OLE11
000000F8 explorer.exe   Key			0188 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
000000F8 explorer.exe   File		 018c \Documents and Settings\All 
Users.WINDOWS\Desktop
000000F8 explorer.exe   Key			0190 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   Semaphore	0198 
\BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
000000F8 explorer.exe   File		 01a0 \Documents and 
Settings\user.XP\Desktop
000000F8 explorer.exe   Event		01c4 \BaseNamedObjects\userenv:  User 
Profile setup event
000000F8 explorer.exe   Key			01c8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet 
Explorer\Security\P3Global
000000F8 explorer.exe   Key			01cc 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet 
Explorer\Security\P3Sites
000000F8 explorer.exe   Key			01d8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe   Key			01dc 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\Shell
000000F8 explorer.exe   Key			01e4 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam
000000F8 explorer.exe   Key			01e8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000F8 explorer.exe   File		 01f0 \Documents and Settings\All 
Users.WINDOWS\Start Menu
000000F8 explorer.exe   Key			0200 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu
000000F8 explorer.exe   File		 0204 \Documents and 
Settings\user.XP\Start Menu
000000F8 explorer.exe   Semaphore	020c 
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
000000F8 explorer.exe   File		 0218 \Documents and 
Settings\user.XP\Application Data\Microsoft\Internet Explorer\Quick 
Launch
000000F8 explorer.exe   Key			0224 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000F8 explorer.exe   Section		022c 
\BaseNamedObjects\ShimSharedMemory[S-1-5-21-484763869-113007714-839522115-1010]
000000F8 explorer.exe   Key			0230 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   Key			023c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
000000F8 explorer.exe   Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   File		 0258 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   Mutant		 025c 
\BaseNamedObjects\_!MSFTHISTORY!_
000000F8 explorer.exe   File		 0264 \srvsvc
000000F8 explorer.exe   Semaphore	0274 
\BaseNamedObjects\PowerProfileRegistrySemaphore
000000F8 explorer.exe   File		 02a4 \Documents and 
Settings\user.XP\Cookies\index.dat
000000F8 explorer.exe   Key			02a8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu\Programs\Accessories
000000F8 explorer.exe   Mutant		 02b0 \BaseNamedObjects\_SHuassist.mtx
000000F8 explorer.exe   Section		02b8 \BaseNamedObjects\C:_Documents 
and Settings_user.XP_Cookies_index.dat_32768
000000F8 explorer.exe   Mutant		 02bc \BaseNamedObjects\c:!documents 
and settings!user.xp!local 
settings!history!history.ie5!mshist012001052220010523!
000000F8 explorer.exe   File		 02d0 \lsarpc
000000F8 explorer.exe   Event		02dc 
\BaseNamedObjects\ShellReadyEvent
000000F8 explorer.exe   File		 02e0 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 02e4 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   Key			02e8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu\Programs\Accessories\Entertainment
000000F8 explorer.exe   Mutant		 02f0 
\BaseNamedObjects\ShimCacheMutex[S-1-5-21-484763869-113007714-839522115-1010]
000000F8 explorer.exe   Key			02f4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000F8 explorer.exe   Key			0300 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
000000F8 explorer.exe   Mutant		 0304 
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000F8 explorer.exe   Event		0308 
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000F8 explorer.exe   Semaphore	030c 
\BaseNamedObjects\GuardSemmmGlobalPnpInfoGuard
000000F8 explorer.exe   Section		0310 
\BaseNamedObjects\mmGlobalPnpInfo
000000F8 explorer.exe   Section		0314 
\BaseNamedObjects\WDMAUD_Path_Size
000000F8 explorer.exe   Section		0318 
\BaseNamedObjects\WDMAUD_Path_Size
000000F8 explorer.exe   Section		031c 
\BaseNamedObjects\WDMAUD_Path_Size
000000F8 explorer.exe   File		 0320 
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000F8 explorer.exe   Section		0324 
\BaseNamedObjects\WDMAUD_Callbacks
000000F8 explorer.exe   Mutant		 0328 \BaseNamedObjects\mxrapi
000000F8 explorer.exe   Event		032c \BaseNamedObjects\mixercallback
000000F8 explorer.exe   Key			0330 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device 
Parameters\Mixer
000000F8 explorer.exe   Event		0334 
\BaseNamedObjects\hardwaremixercallback
000000F8 explorer.exe   Event		0350 
\BaseNamedObjects\HPlugEjectEvent
000000F8 explorer.exe   File		 0364 \ntsvcs
000000F8 explorer.exe   File		 0380 \AudioSrv
000000F8 explorer.exe   File		 0388 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 038c \wkssvc
000000F8 explorer.exe   File		 03c8 \Documents and 
Settings\user.XP\PrintHood
000000F8 explorer.exe   Key			03e0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000000F8 explorer.exe   Key			03e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000000F8 explorer.exe   Key			03e8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000000F8 explorer.exe   Key			03ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000000F8 explorer.exe   Key			0414 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe   Key			0424 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions
000000F8 explorer.exe   File		 042c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   Key			0434 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe   Key			0438 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe   Key			0444 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe   Mutant		 0448 \BaseNamedObjects\c:!documents 
and settings!user.xp!cookies!
000000F8 explorer.exe   Key			044c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu\Programs
000000F8 explorer.exe   Event		0450 
\BaseNamedObjects\crypt32LogoffEvent
000000F8 explorer.exe   Key			0454 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
000000F8 explorer.exe   Key			046c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings
000000F8 explorer.exe   Mutant		 0470 \BaseNamedObjects\c:!documents 
and settings!user.xp!local settings!temporary internet files!content.ie5!
000000F8 explorer.exe   Section		0478 \BaseNamedObjects\C:_Documents 
and Settings_user.XP_Local Settings_Temporary Internet 
Files_Content.IE5_index.dat_278528
000000F8 explorer.exe   File		 0488 \Documents and 
Settings\user.XP\Local Settings\History\History.IE5\index.dat
000000F8 explorer.exe   File		 048c \Documents and 
Settings\user.XP\Local Settings\Temporary Internet 
Files\Content.IE5\index.dat
000000F8 explorer.exe   Mutant		 0498 \BaseNamedObjects\c:!documents 
and settings!user.xp!local settings!history!history.ie5!
000000F8 explorer.exe   Mutant		 04a0 
\BaseNamedObjects\_!SHMSFTHISTORY!_
000000F8 explorer.exe   File		 04a4 \Documents and 
Settings\user.XP\Local 
Settings\History\History.IE5\MSHist012001052220010523\index.dat
000000F8 explorer.exe   Section		04a8 \BaseNamedObjects\C:_Documents 
and Settings_user.XP_Local Settings_History_History.IE5_index.dat_98304
000000F8 explorer.exe   Section		04ac \BaseNamedObjects\C:_Documents 
and Settings_user.XP_Local 
Settings_History_History.IE5_MSHist012001052220010523_index.dat_32768
00000720 idwlog.exe	 Directory	0010 \KnownDlls
00000720 idwlog.exe	 File		 0014 \Documents and 
Settings\user.XP
00000720 idwlog.exe	 Directory	0024 \Windows
00000720 idwlog.exe	 Mutant		 0030 \NlsCacheMutant
00000720 idwlog.exe	 Key			0038 \REGISTRY\MACHINE
00000720 idwlog.exe	 WindowStation  0044 \Windows\WindowStations\WinSta0
00000720 idwlog.exe	 Desktop		0048 \Default
00000720 idwlog.exe	 WindowStation  004c \Windows\WindowStations\WinSta0
00000720 idwlog.exe	 Key			006c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000720 idwlog.exe	 File		 0078 \Idwlog.log
00000720 idwlog.exe	 File		 007c \WINDOWS\system32
00000720 idwlog.exe	 File		 0084 \WINDOWS\system32
00000720 idwlog.exe	 File		 00c4 \ntsvcs
00000720 idwlog.exe	 File		 00d0 \WINDOWS\system32
00000720 idwlog.exe	 Key			00e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World 
Full Access Shared Parameters
00000720 idwlog.exe	 Directory	00ec \BaseNamedObjects
00000720 idwlog.exe	 File		 00f8 \DAV RPC SERVICE
0000079C svchost.exe	Directory	0010 \KnownDlls
0000079C svchost.exe	File		 0014 \WINDOWS\system32
0000079C svchost.exe	Directory	001c \Windows
0000079C svchost.exe	Mutant		 0024 \NlsCacheMutant
0000079C svchost.exe	Key			002c \REGISTRY\MACHINE
0000079C svchost.exe	File		 0054 \net\NtControlPipe20
0000079C svchost.exe	Directory	0070 \BaseNamedObjects
0000079C svchost.exe	File		 0078 \svcctl
0000079C svchost.exe	WindowStation  0088 
\Windows\WindowStations\Service-0x0-3e7$
0000079C svchost.exe	Desktop		008c \Default
0000079C svchost.exe	WindowStation  0090 
\Windows\WindowStations\Service-0x0-3e7$
0000079C svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\tapisrv
0000079C svchost.exe	Event		00dc 
\BaseNamedObjects\SC_AutoStartComplete
0000079C svchost.exe	Section		00e4 \RPC Control\DSEC79c
0000079C svchost.exe	File		 010c \tapsrv
0000079C svchost.exe	File		 0110 \tapsrv
0000079C svchost.exe	Port		 0124 \RPC Control\tapsrvlpc
0000079C svchost.exe	File		 01c0 \53cb31a0\UnimodemNotifyTSP
0000079C svchost.exe	Event		01c4 
\BaseNamedObjects\--.-mailslot-53cb31a0-UnimodemNotifyTSP
0000079C svchost.exe	File		 01dc \ntsvcs
0000079C svchost.exe	Key			0200 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\KMDDSP
0000079C svchost.exe	Key			02b4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\NDPTSP
0000079C svchost.exe	Key			036c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\conftsp
0000079C svchost.exe	Key			03a0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000079C svchost.exe	Key			03a8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000079C svchost.exe	File		 03ac \WINDOWS\system32\h323log.txt
0000079C svchost.exe	Key			03b4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
0000079C svchost.exe	Key			03e8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
0000079C svchost.exe	Event		03ec \BaseNamedObjects\DINPUTWINMM
0000079C svchost.exe	Key			03fc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\hidphone
00000668 svchost.exe	Directory	0010 \KnownDlls
00000668 svchost.exe	File		 0014 \WINDOWS\system32
00000668 svchost.exe	Directory	001c \Windows
00000668 svchost.exe	Mutant		 0024 \NlsCacheMutant
00000668 svchost.exe	Key			002c \REGISTRY\MACHINE
00000668 svchost.exe	File		 0030 \net\NtControlPipe21
00000668 svchost.exe	Directory	0070 \BaseNamedObjects
00000668 svchost.exe	File		 0078 \svcctl
00000668 svchost.exe	WindowStation  0088 \Windows\WindowStations\WinSta0
00000668 svchost.exe	Desktop		008c \Default
00000668 svchost.exe	WindowStation  0090 \Windows\WindowStations\WinSta0
00000668 svchost.exe	Event		00b8 \BaseNamedObjects\userenv:  User 
Profile setup event
00000668 svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000668 svchost.exe	File		 00c4 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000668 svchost.exe	Key			00c8 \REGISTRY\USER\.DEFAULT
00000668 svchost.exe	File		 00fc \WINDOWS\Sti_Trace.log
00000668 svchost.exe	Mutant		 0100 
\BaseNamedObjects\StiTraceMutexSti_Trace.log
00000668 svchost.exe	Section		010c \RPC Control\DSEC668
00000668 svchost.exe	Port		 0110 \RPC Control\OLE14
00000668 svchost.exe	Key			0134 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe	Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0148 \REGISTRY\USER
00000668 svchost.exe	Key			014c 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe	Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0168 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe	Key			0170 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe	Key			0178 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0184 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			018c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0194 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe	Section		019c 
\BaseNamedObjects\__R_000000000013_SMem__
00000668 svchost.exe	Key			01a0 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe	File		 01a4 \WINDOWS\wiaservc.log
00000668 svchost.exe	File		 01cc \ntsvcs
00000668 svchost.exe	Semaphore	01ec 
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
00000668 svchost.exe	Port		 0264 \RPC Control\STI_LRPC
00000668 svchost.exe	File		 0288 \WINDOWS\Sti_Trace.log
00000668 svchost.exe	Mutant		 028c 
\BaseNamedObjects\StiTraceMutexSti_Trace.log
00000870 wmiprvse.exe   Directory	0010 \KnownDlls
00000870 wmiprvse.exe   File		 0014 \WINDOWS\system32
00000870 wmiprvse.exe   Directory	0024 \Windows
00000870 wmiprvse.exe   Mutant		 0030 \NlsCacheMutant
00000870 wmiprvse.exe   Key			0038 \REGISTRY\MACHINE
00000870 wmiprvse.exe   WindowStation  0044 
\Windows\WindowStations\Service-0x0-3e7$
00000870 wmiprvse.exe   Desktop		0048 \Default
00000870 wmiprvse.exe   WindowStation  004c 
\Windows\WindowStations\Service-0x0-3e7$
00000870 wmiprvse.exe   Directory	0050 \BaseNamedObjects
00000870 wmiprvse.exe   Section		00ac \BaseNamedObjects\Wmi Provider 
Sub System Counters
00000870 wmiprvse.exe   Event		00d0 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
00000870 wmiprvse.exe   Event		00ec 
\BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
00000870 wmiprvse.exe   Section		00f0 \RPC Control\DSEC870
00000870 wmiprvse.exe   Port		 00fc \RPC Control\OLE15
00000870 wmiprvse.exe   Key			011c 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe   Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0130 \REGISTRY\USER
00000870 wmiprvse.exe   Key			0134 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe   Key			0140 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0150 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe   Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe   Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			016c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0174 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe   Section		0184 
\BaseNamedObjects\__R_000000000013_SMem__
00000870 wmiprvse.exe   Key			0188 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Directory	0010 \KnownDlls
0000076C wuauclt.exe	File		 0014 \WINDOWS\system32
0000076C wuauclt.exe	File		 0018 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe	Directory	0028 \Windows
0000076C wuauclt.exe	Mutant		 0034 \NlsCacheMutant
0000076C wuauclt.exe	Key			003c \REGISTRY\MACHINE
0000076C wuauclt.exe	WindowStation  0048 \Windows\WindowStations\WinSta0
0000076C wuauclt.exe	Desktop		004c \Default
0000076C wuauclt.exe	WindowStation  0050 \Windows\WindowStations\WinSta0
0000076C wuauclt.exe	Key			0054 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000076C wuauclt.exe	File		 0058 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe	Directory	005c \BaseNamedObjects
0000076C wuauclt.exe	Mutant		 0064 
\BaseNamedObjects\ZonesCounterMutex
0000076C wuauclt.exe	Mutant		 0068 
\BaseNamedObjects\ZonesCacheCounterMutex
0000076C wuauclt.exe	Key			006c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
0000076C wuauclt.exe	Key			0070 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000076C wuauclt.exe	Mutant		 0078 
\BaseNamedObjects\AutoUpdateSingleInstance
0000076C wuauclt.exe	Key			008c 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Key			0094 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00a0 \REGISTRY\USER
0000076C wuauclt.exe	Key			00a4 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Key			00b0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe	Key			00c8 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Key			00d0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00dc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00e4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00ec 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe	Section		00f4 
\BaseNamedObjects\__R_000000000013_SMem__
0000076C wuauclt.exe	Section		0134 \RPC Control\DSEC76c
0000076C wuauclt.exe	Port		 0148 \RPC Control\OLE16
0000076C wuauclt.exe	File		 0188 \lsarpc
0000076C wuauclt.exe	Semaphore	01b8 
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
0000076C wuauclt.exe	Mutant		 01ec \BaseNamedObjects\RasPbFile
0000076C wuauclt.exe	Key			0214 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
0000076C wuauclt.exe	File		 0220 \svcctl
0000076C wuauclt.exe	Key			022c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000076C wuauclt.exe	Key			0234 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000076C wuauclt.exe	File		 023c \ROUTER
0000076C wuauclt.exe	Key			0254 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
0000076C wuauclt.exe	Event		026c \BaseNamedObjects\userenv:  User 
Profile setup event
0000076C wuauclt.exe	Key			0290 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000076C wuauclt.exe	Key			0294 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000076C wuauclt.exe	Key			0298 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000076C wuauclt.exe	Key			029c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000838 cmd.exe		Directory	0010 \KnownDlls
00000838 cmd.exe		File		 0014 \Documents and 
Settings\user.XP
00000838 cmd.exe		Directory	0024 \Windows
00000838 cmd.exe		Mutant		 0030 \NlsCacheMutant
00000838 cmd.exe		WindowStation  0040 \Windows\WindowStations\WinSta0
00000838 cmd.exe		WindowStation  0044 \Windows\WindowStations\WinSta0
00000838 cmd.exe		Desktop		0048 \Default
00000838 cmd.exe		Key			0050 \REGISTRY\MACHINE
00000838 cmd.exe		Key			0054 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
00000838 cmd.exe		Key			0058 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000838 cmd.exe		Key			005c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000838 cmd.exe		Key			0060 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000838 cmd.exe		File		 006c \output\ohall.txt
00000778 oh.exe		 File		 0014 \Documents and 
Settings\user.XP
00000778 oh.exe		 File		 006c \output\ohall.txt
00000778 oh.exe		 WindowStation  07c4 \Windows\WindowStations\WinSta0
00000778 oh.exe		 Key			07d0 \REGISTRY\MACHINE
00000778 oh.exe		 Mutant		 07d4 \NlsCacheMutant
00000778 oh.exe		 Directory	07e0 \Windows
00000778 oh.exe		 Directory	07f0 \KnownDlls

Example 3: List Handles for Key Objects with Open Windows

To generate a list of key objects and send the output to the file C:\Output\Ohkey.txt, type the following at the command line:

oh /t key /o c:\output\ohkey.txt

Looking in Ohkey.txt, you then see output similar to the following:

00000004 System		 Key			000c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\WPA
00000004 System		 Key			0010 \REGISTRY
00000004 System		 Key			0014 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session 
Manager\WPA\SigningHash-PRCRFTFJWDC27Q
00000004 System		 Key			0018 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter
00000004 System		 Key			001c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Executive
00000004 System		 Key			0020 \REGISTRY\MACHINE\SYSTEM\Setup
00000004 System		 Key			0024 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions
00000004 System		 Key			0028 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000004 System		 Key			0040 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\3&29761208&0\Device 
Parameters
00000004 System		 Key			0048 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device 
Parameters
00000004 System		 Key			004c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\2&ebb567f&0&22\Device 
Parameters
00000004 System		 Key			0050 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System		 Key			0054 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System		 Key			0058 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Video\{67BA24C1-E772-4266-BBE5-D44FE7A9D9A4}\0000\VolatileSettings
00000004 System		 Key			005c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0000
00000004 System		 Key			006c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory 
Management\PrefetchParameters
000000C0 smss.exe	 Key			0030 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000000C0 smss.exe	 Key			0034 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CrashControl
000000D8 csrss.exe	Key			00a0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
000000D8 csrss.exe	Key			0650 \REGISTRY\MACHINE
000000D8 csrss.exe	Key			0680 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000000D8 csrss.exe	Key			0684 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000000D8 csrss.exe	Key			0688 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000000D8 csrss.exe	Key			0698 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control 
Panel\International
000000D8 csrss.exe	Key			069c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Control 
Panel\International
000000E0 winlogon.exe   Key			0030 \REGISTRY\MACHINE
000000E0 winlogon.exe   Key			00b0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000E0 winlogon.exe   Key			00b8 \REGISTRY\USER\.DEFAULT
000000E0 winlogon.exe   Key			00dc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\crypt32chain
000000E0 winlogon.exe   Key			00e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\cryptnet
000000E0 winlogon.exe   Key			00f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\sclgntfy
000000E0 winlogon.exe   Key			00fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
000000E0 winlogon.exe   Key			01d0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe   Key			01e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000E0 winlogon.exe   Key			020c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe   Key			02e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Credentials
000000E0 winlogon.exe   Key			05f0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device 
Parameters\Mixer
000000E0 winlogon.exe   Key			05f8 \REGISTRY\USER
000000E0 winlogon.exe   Key			0650 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000E0 winlogon.exe   Key			06c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000E0 winlogon.exe   Key			0774 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\ScCertProp
000000E0 winlogon.exe   Key			0790 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000E0 winlogon.exe   Key			079c 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000E0 winlogon.exe   Key			07a0 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
000000E0 winlogon.exe   Key			0838 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
00000110 services.exe   Key			0038 \REGISTRY\MACHINE
00000110 services.exe   Key			0068 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000110 services.exe   Key			006c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000110 services.exe   Key			0070 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000110 services.exe   Key			0074 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum
00000110 services.exe   Key			007c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
00000110 services.exe   Key			0080 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class
00000110 services.exe   Key			0084 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\PerHwIdStorage
00000110 services.exe   Key			0190 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order
00000110 services.exe   Key			01d4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder
00000110 services.exe   Key			031c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
00000110 services.exe   Key			0348 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog
00000110 services.exe   Key			036c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
00000110 services.exe   Key			042c \REGISTRY\USER
00000110 services.exe   Key			0430 \REGISTRY\USER\S-1-5-20
00000110 services.exe   Key			0454 \REGISTRY\USER\S-1-5-19
00000110 services.exe   Key			04c0 \REGISTRY\USER\S-1-5-20
00000110 services.exe   Key			051c \REGISTRY\USER\S-1-5-20
00000110 services.exe   Key			0544 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000110 services.exe   Key			055c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe   Key			0570 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe   Key			05c4 \REGISTRY\USER\S-1-5-19
00000110 services.exe   Key			0614 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000110 services.exe   Key			0640 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
0000011C lsass.exe	Key			0038 \REGISTRY\MACHINE
0000011C lsass.exe	Key			0060 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
0000011C lsass.exe	Key			0084 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll
0000011C lsass.exe	Key			0088 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll
0000011C lsass.exe	Key			008c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll
0000011C lsass.exe	Key			00a8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
0000011C lsass.exe	Key			00dc \REGISTRY\MACHINE\SECURITY
0000011C lsass.exe	Key			00e0 \REGISTRY\MACHINE\SECURITY\RXACT
0000011C lsass.exe	Key			0110 
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe	Key			0130 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos
0000011C lsass.exe	Key			0164 
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe	Key			016c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\SidCache
0000011C lsass.exe	Key			017c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains
0000011C lsass.exe	Key			018c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000011C lsass.exe	Key			0194 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000011C lsass.exe	Key			01a4 
\REGISTRY\MACHINE\SECURITY\Policy
0000011C lsass.exe	Key			01b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
0000011C lsass.exe	Key			01b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\MSV1_0
0000011C lsass.exe	Key			02a0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
0000011C lsass.exe	Key			0384 \REGISTRY\MACHINE\SAM\SAM
0000011C lsass.exe	Key			0388 \REGISTRY\MACHINE\SAM\SAM\RXACT
0000011C lsass.exe	Key			038c 
\REGISTRY\MACHINE\SAM\SAM\Domains\Builtin
0000011C lsass.exe	Key			0390 
\REGISTRY\MACHINE\SAM\SAM\Domains\Account
0000011C lsass.exe	Key			03e4 \REGISTRY\USER\S-1-5-20
0000011C lsass.exe	Key			03f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000011C lsass.exe	Key			03f8 \REGISTRY\USER
0000011C lsass.exe	Key			04a0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000011C lsass.exe	Key			04a4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000011C lsass.exe	Key			04a8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000011C lsass.exe	Key			04ac 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000001A0 svchost.exe	Key			002c \REGISTRY\MACHINE
000001A0 svchost.exe	Key			00b0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			00c8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001A0 svchost.exe	Key			00d0 
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID
000001A0 svchost.exe	Key			00f4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Ole
000001A0 svchost.exe	Key			0120 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000001A0 svchost.exe	Key			0128 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000001A0 svchost.exe	Key			0190 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000001A0 svchost.exe	Key			01b0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000001A0 svchost.exe	Key			01b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000001A0 svchost.exe	Key			01b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000001A0 svchost.exe	Key			0214 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			021c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0228 \REGISTRY\USER
000001A0 svchost.exe	Key			022c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			0238 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0240 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0248 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001A0 svchost.exe	Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Classes
000001A0 svchost.exe	Key			0258 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0264 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			026c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000001A0 svchost.exe	Key			0274 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000001BC svchost.exe	Key			002c \REGISTRY\MACHINE
000001BC svchost.exe	Key			00ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing 
Core
000001BC svchost.exe	Key			0108 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
000001BC svchost.exe	Key			0180 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000001BC svchost.exe	Key			0188 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000001BC svchost.exe	Key			0260 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
000001BC svchost.exe	Key			0274 
\REGISTRY\MACHINE\SOFTWARE\Policies
000001BC svchost.exe	Key			02fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\AddIns
000001BC svchost.exe	Key			0364 \REGISTRY\USER
00000200 svchost.exe	Key			002c \REGISTRY\MACHINE
00000200 svchost.exe	Key			00a8 \REGISTRY\USER\.DEFAULT
00000200 svchost.exe	Key			00b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000200 svchost.exe	Key			0108 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
00000200 svchost.exe	Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000200 svchost.exe	Key			0110 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
00000200 svchost.exe	Key			0114 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000200 svchost.exe	Key			012c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
00000200 svchost.exe	Key			0134 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
00000200 svchost.exe	Key			0140 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters
00000200 svchost.exe	Key			0144 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000200 svchost.exe	Key			0148 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters\Options
00000200 svchost.exe	Key			014c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
00000200 svchost.exe	Key			0178 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters
00000200 svchost.exe	Key			0194 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{81A3AA37-6FFD-4907-99BB-47F19F605A44}
00000200 svchost.exe	Key			01f8 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Key			0200 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			020c \REGISTRY\USER
00000200 svchost.exe	Key			0210 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Key			021c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0224 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			022c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000200 svchost.exe	Key			0234 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Key			023c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0248 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000200 svchost.exe	Key			0258 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000200 svchost.exe	Key			0268 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000200 svchost.exe	Key			0478 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters
00000200 svchost.exe	Key			0570 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
00000200 svchost.exe	Key			0630 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
00000200 svchost.exe	Key			0710 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}
00000200 svchost.exe	Key			0740 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses
00000200 svchost.exe	Key			0860 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\EAPOL
00000200 svchost.exe	Key			0868 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions
00000200 svchost.exe	Key			08f0 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings
00000200 svchost.exe	Key			0a4c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Browser\Parameters
00000200 svchost.exe	Key			0a60 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
00000200 svchost.exe	Key			0a94 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASTLS
00000200 svchost.exe	Key			0aa4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASCHAP
00000200 svchost.exe	Key			0abc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces
00000200 svchost.exe	Key			0b98 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe	Key			0bc0 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows 
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe	Key			0bc4 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows 
NT\CurrentVersion\Network\Location Awareness
00000200 svchost.exe	Key			0bc8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
00000200 svchost.exe	Key			0be8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000200 svchost.exe	Key			0bf8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000200 svchost.exe	Key			0c1c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASTAPI
00000200 svchost.exe	Key			0c3c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\tapi32
00000200 svchost.exe	Key			0cb8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASMAN
00000200 svchost.exe	Key			0cd0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\PPP
00000200 svchost.exe	Key			0ce0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BAP
00000200 svchost.exe	Key			0cec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RasMan\PPP
00000200 svchost.exe	Key			0cfc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASSPAP
00000200 svchost.exe	Key			0d0c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASPAP
00000200 svchost.exe	Key			0d1c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASEAP
00000200 svchost.exe	Key			0d2c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASCCP
00000200 svchost.exe	Key			0d3c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASBACP
00000200 svchost.exe	Key			0d68 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASIPHLP
00000200 svchost.exe	Key			0d80 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000200 svchost.exe	Key			0d90 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASIPCP
00000200 svchost.exe	Key			0e30 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
00000230 csrss.exe	Key			00c8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
00000234 winlogon.exe   Key			0030 \REGISTRY\MACHINE
0000025C csrss.exe	Key			00c8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\PriorityControl
00000260 winlogon.exe   Key			0030 \REGISTRY\MACHINE
00000294 svchost.exe	Key			0018 \REGISTRY\MACHINE
00000294 svchost.exe	Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
00000294 svchost.exe	Key			00b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
00000294 svchost.exe	Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
00000294 svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000294 svchost.exe	Key			00d8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
00000294 svchost.exe	Key			00e0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000029C svchost.exe	Key			0018 \REGISTRY\MACHINE
0000029C svchost.exe	Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000029C svchost.exe	Key			00b8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000029C svchost.exe	Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000029C svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
0000029C svchost.exe	Key			00f0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000029C svchost.exe	Key			00f8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000029C svchost.exe	Key			01e8 
\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings
0000029C svchost.exe	Key			01f0 \REGISTRY\USER\S-1-5-19
0000029C svchost.exe	Key			0214 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000029C svchost.exe	Key			02f8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
0000029C svchost.exe	Key			0310 \REGISTRY\USER
0000029C svchost.exe	Key			0314 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000029C svchost.exe	Key			0318 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
000002D8 spoolsv.exe	Key			0030 \REGISTRY\MACHINE
000002D8 spoolsv.exe	Key			0190 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print
000002D8 spoolsv.exe	Key			0194 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Print\Printers
000002D8 spoolsv.exe	Key			01c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard 
TCP/IP Port
000002D8 spoolsv.exe	Key			01c8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002D8 spoolsv.exe	Key			01d0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002D8 spoolsv.exe	Key			01ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
000002D8 spoolsv.exe	Key			0220 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Key			0228 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0234 \REGISTRY\USER
000002D8 spoolsv.exe	Key			0238 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Key			0244 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			024c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0254 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe	Key			025c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Key			0264 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0270 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0278 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002D8 spoolsv.exe	Key			0280 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002D8 spoolsv.exe	Key			028c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002D8 spoolsv.exe	Key			02e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000002D8 spoolsv.exe	Key			02e8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000002D8 spoolsv.exe	Key			02ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000002D8 spoolsv.exe	Key			02f0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000002D8 spoolsv.exe	Key			0328 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000002D8 spoolsv.exe	Key			0334 \REGISTRY\USER\.DEFAULT
000002FC msdtc.exe	Key			0038 \REGISTRY\MACHINE
000002FC msdtc.exe	Key			00ac 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000002FC msdtc.exe	Key			0104 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000002FC msdtc.exe	Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000002FC msdtc.exe	Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Tracing\MSDTC\Changed
000002FC msdtc.exe	Key			01b0 
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe	Key			01d0 
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe	Key			01d4 
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe	Key			01d8 
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe	Key			01dc 
\REGISTRY\MACHINE\SOFTWARE\Classes\CID\41b1f46c-db5e-48b5-b9a7-90c0b862411d
000002FC msdtc.exe	Key			01e0 
\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\ced2de40-bff6-11ce-9de8-00aa00a3f464
000002FC msdtc.exe	Key			0208 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe	Key			0210 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			021c \REGISTRY\USER
000002FC msdtc.exe	Key			0220 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe	Key			022c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0234 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			023c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe	Key			0244 
\REGISTRY\MACHINE\SOFTWARE\Classes
000002FC msdtc.exe	Key			024c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0258 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0260 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000002FC msdtc.exe	Key			0268 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000002FC msdtc.exe	Key			0274 \REGISTRY\USER\S-1-5-20_CLASSES
000003B8 inetinfo.exe   Key			0030 \REGISTRY\MACHINE
000003B8 inetinfo.exe   Key			00cc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000003B8 inetinfo.exe   Key			00d4 \REGISTRY\USER\.DEFAULT
000003B8 inetinfo.exe   Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   Key			012c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0138 \REGISTRY\USER
000003B8 inetinfo.exe   Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0150 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe   Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   Key			0168 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0174 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000003B8 inetinfo.exe   Key			0184 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000003B8 inetinfo.exe   Key			0228 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003B8 inetinfo.exe   Key			0350 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003B8 inetinfo.exe   Key			0358 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003B8 inetinfo.exe   Key			065c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
000003B8 inetinfo.exe   Key			0674 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe   Key			06c0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip
000003B8 inetinfo.exe   Key			06dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Parameters
000003B8 inetinfo.exe   Key			0860 
\REGISTRY\MACHINE\SOFTWARE\Classes
000003B8 inetinfo.exe   Key			0978 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Parameters
000003B8 inetinfo.exe   Key			09dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ContentIndex
000003B8 inetinfo.exe   Key			0bb8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Parameters
000003B8 inetinfo.exe   Key			0bc8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000003CC llssrv.exe	 Key			0038 \REGISTRY\MACHINE
000003CC llssrv.exe	 Key			0120 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003CC llssrv.exe	 Key			0128 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000003A8 NSPMON.exe	 Key			0018 \REGISTRY\MACHINE
000003A8 NSPMON.exe	 Key			005c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000003A8 NSPMON.exe	 Key			0064 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000041C NSCM.exe	 Key			0018 \REGISTRY\MACHINE
0000041C NSCM.exe	 Key			0058 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe	 Key			005c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
0000041C NSCM.exe	 Key			00ac 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe	 Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
0000041C NSCM.exe	 Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
0000041C NSCM.exe	 Key			00c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
0000041C NSCM.exe	 Key			00cc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
0000041C NSCM.exe	 Key			00d4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
0000041C NSCM.exe	 Key			00dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
0000041C NSCM.exe	 Key			00e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
0000041C NSCM.exe	 Key			00ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
0000041C NSCM.exe	 Key			00f4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
0000041C NSCM.exe	 Key			00fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
0000041C NSCM.exe	 Key			0104 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
0000041C NSCM.exe	 Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
0000041C NSCM.exe	 Key			0114 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
0000041C NSCM.exe	 Key			011c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
0000041C NSCM.exe	 Key			0124 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
0000041C NSCM.exe	 Key			012c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
0000041C NSCM.exe	 Key			0134 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
0000041C NSCM.exe	 Key			013c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
0000041C NSCM.exe	 Key			0144 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
0000041C NSCM.exe	 Key			014c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
0000041C NSCM.exe	 Key			0154 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
0000041C NSCM.exe	 Key			015c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
0000041C NSCM.exe	 Key			0164 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
0000041C NSCM.exe	 Key			016c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
0000041C NSCM.exe	 Key			019c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000041C NSCM.exe	 Key			01a4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000041C NSCM.exe	 Key			01b0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation
0000041C NSCM.exe	 Key			01b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Parameters
0000041C NSCM.exe	 Key			01c4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
0000041C NSCM.exe	 Key			01cc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
0000041C NSCM.exe	 Key			0218 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Stations
0000041C NSCM.exe	 Key			0278 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe	 Key			0280 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			028c \REGISTRY\USER
0000041C NSCM.exe	 Key			0290 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe	 Key			029c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02a4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02ac 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe	 Key			02b4 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000041C NSCM.exe	 Key			02bc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02c8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02d0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000041C NSCM.exe	 Key			02d8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000041C NSCM.exe	 Key			02e4 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
0000046C svchost.exe	Key			0018 \REGISTRY\MACHINE
000004C0 svchost.exe	Key			002c \REGISTRY\MACHINE
000004C0 svchost.exe	Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			012c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0138 \REGISTRY\USER
000004C0 svchost.exe	Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0150 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe	Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			0168 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0174 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004C0 svchost.exe	Key			0184 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004C0 svchost.exe	Key			0190 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004C0 svchost.exe	Key			0214 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000004C0 svchost.exe	Key			021c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000004C0 svchost.exe	Key			0220 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000004C0 svchost.exe	Key			027c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
000003DC dfssvc.exe	 Key			0030 \REGISTRY\MACHINE
000004F0 NSUM.exe	 Key			001c \REGISTRY\MACHINE
000004F0 NSUM.exe	 Key			0058 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe	 Key			005c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000004F0 NSUM.exe	 Key			00ac 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe	 Key			00b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
000004F0 NSUM.exe	 Key			00bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
000004F0 NSUM.exe	 Key			00c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
000004F0 NSUM.exe	 Key			00cc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
000004F0 NSUM.exe	 Key			00d4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
000004F0 NSUM.exe	 Key			00dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
000004F0 NSUM.exe	 Key			00e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
000004F0 NSUM.exe	 Key			00ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
000004F0 NSUM.exe	 Key			00f4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
000004F0 NSUM.exe	 Key			00fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000004F0 NSUM.exe	 Key			0104 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
000004F0 NSUM.exe	 Key			010c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
000004F0 NSUM.exe	 Key			0114 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
000004F0 NSUM.exe	 Key			011c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
000004F0 NSUM.exe	 Key			0124 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
000004F0 NSUM.exe	 Key			012c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
000004F0 NSUM.exe	 Key			0134 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
000004F0 NSUM.exe	 Key			013c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
000004F0 NSUM.exe	 Key			0144 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
000004F0 NSUM.exe	 Key			014c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
000004F0 NSUM.exe	 Key			0154 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
000004F0 NSUM.exe	 Key			015c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
000004F0 NSUM.exe	 Key			0164 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
000004F0 NSUM.exe	 Key			016c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
000004F0 NSUM.exe	 Key			0180 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000004F0 NSUM.exe	 Key			01c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
000004F0 NSUM.exe	 Key			01d0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
000004F0 NSUM.exe	 Key			0228 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters\Virtual 
Roots
000004F0 NSUM.exe	 Key			022c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Parameters
000004F0 NSUM.exe	 Key			023c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowUnicastClients
000004F0 NSUM.exe	 Key			0240 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowUnicastClients
000004F0 NSUM.exe	 Key			0248 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\AllowDistribution
000004F0 NSUM.exe	 Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\AccessLists\DisallowDistribution
000004F0 NSUM.exe	 Key			02b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Event 
Notification\ACL Check
000004F0 NSUM.exe	 Key			02cc 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe	 Key			02d4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			02e0 \REGISTRY\USER
000004F0 NSUM.exe	 Key			02e4 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe	 Key			02f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			02f8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			0300 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe	 Key			0308 
\REGISTRY\MACHINE\SOFTWARE\Classes
000004F0 NSUM.exe	 Key			0310 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			031c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			0324 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000004F0 NSUM.exe	 Key			032c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000004F0 NSUM.exe	 Key			0338 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
000004F0 NSUM.exe	 Key			033c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP 
BASIC-Membership
000004F0 NSUM.exe	 Key			0340 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\HTTP 
BASIC-NTLM
000004F0 NSUM.exe	 Key			0344 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetShow\Servers\Default\Authentication\NTLM-NTLM
00000548 nspm.exe	 Key			0018 \REGISTRY\MACHINE
00000548 nspm.exe	 Key			005c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
00000548 nspm.exe	 Key			0068 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000\Control 
Panel\International
00000548 nspm.exe	 Key			00e8 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe	 Key			00f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			00fc \REGISTRY\USER
00000548 nspm.exe	 Key			0100 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe	 Key			010c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0114 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			011c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe	 Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000548 nspm.exe	 Key			012c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0138 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0140 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000548 nspm.exe	 Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000548 nspm.exe	 Key			0154 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000_CLASSES
00000548 nspm.exe	 Key			0198 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1000
00000548 nspm.exe	 Key			01a0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000548 nspm.exe	 Key			01a8 
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 
0x548 Thread 0x5d0 DBC 0x37684 Jet
00000548 nspm.exe	 Key			01c0 
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 
0x548 Thread 0x5d0 DBC 0x37684 Jet\Engines\Jet
000005C8 svchost.exe	Key			002c \REGISTRY\MACHINE
000005C8 svchost.exe	Key			00e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters
000005C8 svchost.exe	Key			0164 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Key			016c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			0178 \REGISTRY\USER
000005C8 svchost.exe	Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Key			0188 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			0190 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			0198 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe	Key			01a0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Key			01a8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			01b4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			01bc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000005C8 svchost.exe	Key			01c4 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000005C8 svchost.exe	Key			01d0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000005C8 svchost.exe	Key			0228 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000005C8 svchost.exe	Key			0230 \REGISTRY\USER\.DEFAULT
000000F8 explorer.exe   Key			0030 \REGISTRY\MACHINE
000000F8 explorer.exe   Key			0048 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   Key			0050 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
000000F8 explorer.exe   Key			0058 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
000000F8 explorer.exe   Key			0060 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   Key			006c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World 
Full Access Shared Parameters
000000F8 explorer.exe   Key			0094 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe   Key			009c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00a8 \REGISTRY\USER
000000F8 explorer.exe   Key			00ac 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe   Key			00b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00c8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe   Key			00d0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000000F8 explorer.exe   Key			00d8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00e4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00ec 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000000F8 explorer.exe   Key			00f4 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe   Key			0188 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
000000F8 explorer.exe   Key			0190 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   Key			01c8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet 
Explorer\Security\P3Global
000000F8 explorer.exe   Key			01cc 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet 
Explorer\Security\P3Sites
000000F8 explorer.exe   Key			01d8 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000000F8 explorer.exe   Key			01dc 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\Shell
000000F8 explorer.exe   Key			01e4 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam
000000F8 explorer.exe   Key			01e8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam\MUICache
000000F8 explorer.exe   Key			0200 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu
000000F8 explorer.exe   Key			0210 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet 
Explorer\Security\P3Global
000000F8 explorer.exe   Key			0224 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
000000F8 explorer.exe   Key			0230 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   Key			023c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
000000F8 explorer.exe   Key			0250 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
000000F8 explorer.exe   Key			02a8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu\Programs\Accessories
000000F8 explorer.exe   Key			02e8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu\Programs\Accessories\Entertainment
000000F8 explorer.exe   Key			02f4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
000000F8 explorer.exe   Key			0300 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
000000F8 explorer.exe   Key			0330 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#ISAPNP#CTL0070_DEV0000#FFFFFFFF#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device 
Parameters\Mixer
000000F8 explorer.exe   Key			036c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
000000F8 explorer.exe   Key			038c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap
000000F8 explorer.exe   Key			03e0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
000000F8 explorer.exe   Key			03e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
000000F8 explorer.exe   Key			03e8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
000000F8 explorer.exe   Key			03ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
000000F8 explorer.exe   Key			0404 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet 
Explorer\Security\P3Sites
000000F8 explorer.exe   Key			0414 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe   Key			0424 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions
000000F8 explorer.exe   Key			0434 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe   Key			0438 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
000000F8 explorer.exe   Key			0444 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\2
000000F8 explorer.exe   Key			044c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start 
Menu\Programs
000000F8 explorer.exe   Key			0454 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
000000F8 explorer.exe   Key			0460 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Internet 
Explorer\TypedURLs
000000F8 explorer.exe   Key			046c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings
000000F8 explorer.exe   Key			0474 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Shell
000000F8 explorer.exe   Key			04c4 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000720 idwlog.exe	 Key			0038 \REGISTRY\MACHINE
00000720 idwlog.exe	 Key			006c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
00000720 idwlog.exe	 Key			00e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World 
Full Access Shared Parameters
0000079C svchost.exe	Key			002c \REGISTRY\MACHINE
0000079C svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\tapisrv
0000079C svchost.exe	Key			0200 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\KMDDSP
0000079C svchost.exe	Key			02b4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\NDPTSP
0000079C svchost.exe	Key			036c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\conftsp
0000079C svchost.exe	Key			03a0 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000079C svchost.exe	Key			03a8 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000079C svchost.exe	Key			03b4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
0000079C svchost.exe	Key			03e8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
0000079C svchost.exe	Key			03fc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\hidphone
00000668 svchost.exe	Key			002c \REGISTRY\MACHINE
00000668 svchost.exe	Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
00000668 svchost.exe	Key			00c8 \REGISTRY\USER\.DEFAULT
00000668 svchost.exe	Key			0134 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe	Key			013c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0148 \REGISTRY\USER
00000668 svchost.exe	Key			014c 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe	Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0168 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe	Key			0170 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000668 svchost.exe	Key			0178 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0184 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			018c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000668 svchost.exe	Key			0194 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000668 svchost.exe	Key			01a0 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe   Key			0038 \REGISTRY\MACHINE
00000870 wmiprvse.exe   Key			011c 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe   Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0130 \REGISTRY\USER
00000870 wmiprvse.exe   Key			0134 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe   Key			0140 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0148 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0150 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe   Key			0158 
\REGISTRY\MACHINE\SOFTWARE\Classes
00000870 wmiprvse.exe   Key			0160 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			016c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			0174 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
00000870 wmiprvse.exe   Key			017c 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
00000870 wmiprvse.exe   Key			0188 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Key			003c \REGISTRY\MACHINE
0000076C wuauclt.exe	Key			0054 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000076C wuauclt.exe	Key			006c 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
0000076C wuauclt.exe	Key			0070 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000076C wuauclt.exe	Key			008c 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Key			0094 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00a0 \REGISTRY\USER
0000076C wuauclt.exe	Key			00a4 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Key			00b0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00b8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00c0 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe	Key			00c8 
\REGISTRY\MACHINE\SOFTWARE\Classes
0000076C wuauclt.exe	Key			00d0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00dc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00e4 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
0000076C wuauclt.exe	Key			00ec 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
0000076C wuauclt.exe	Key			0214 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
0000076C wuauclt.exe	Key			022c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0000076C wuauclt.exe	Key			0234 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0000076C wuauclt.exe	Key			0254 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
0000076C wuauclt.exe	Key			0290 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0000076C wuauclt.exe	Key			0294 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0000076C wuauclt.exe	Key			0298 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0000076C wuauclt.exe	Key			029c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters
00000838 cmd.exe		Key			0050 \REGISTRY\MACHINE
00000838 cmd.exe		Key			0054 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
00000838 cmd.exe		Key			0058 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000838 cmd.exe		Key			005c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000838 cmd.exe		Key			0060 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
0000071C notepad.exe	Key			004c \REGISTRY\MACHINE
0000071C notepad.exe	Key			0054 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
0000071C notepad.exe	Key			0058 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010
0000071C notepad.exe	Key			0064 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010_CLASSES
0000071C notepad.exe	Key			0094 \REGISTRY\USER
0000071C notepad.exe	Key			00d0 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer
0000071C notepad.exe	Key			00d4 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
0000071C notepad.exe	Key			01f8 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\Shell
0000071C notepad.exe	Key			01fc 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam
0000071C notepad.exe	Key			0200 
\REGISTRY\USER\S-1-5-21-484763869-113007714-839522115-1010\Software\Microsoft\Windows\ShellNoRoam\MUICache
000006F0 wmiadap.exe	Key			0038 \REGISTRY\MACHINE
000006F0 wmiadap.exe	Key			005c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
000006F0 wmiadap.exe	Key			0060 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
000006F0 wmiadap.exe	Key			0064 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
000006F0 wmiadap.exe	Key			00e0 
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe	Key			00e8 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe	Key			00f4 \REGISTRY\USER
000006F0 wmiadap.exe	Key			00f8 
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe	Key			0104 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe	Key			010c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe	Key			0114 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000006F0 wmiadap.exe	Key			011c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe	Key			0124 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe	Key			0130 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe	Key			0138 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
000006F0 wmiadap.exe	Key			0140 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
000006F0 wmiadap.exe	Key			014c 
\REGISTRY\MACHINE\SOFTWARE\Classes
000006F0 wmiadap.exe	Key			018c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000006F0 wmiadap.exe	Key			019c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
000006F0 wmiadap.exe	Key			01ac 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
000006F0 wmiadap.exe	Key			01b4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ASP\Performance
000006F0 wmiadap.exe	Key			01bc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentFilter\Performance
000006F0 wmiadap.exe	Key			01c4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ContentIndex\Performance
000006F0 wmiadap.exe	Key			01cc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\InetInfo\Performance
000006F0 wmiadap.exe	Key			01d4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
000006F0 wmiadap.exe	Key			01dc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC\Performance
000006F0 wmiadap.exe	Key			01e4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSFtpsvc\Performance
000006F0 wmiadap.exe	Key			01ec 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NntpSvc\Performance
000006F0 wmiadap.exe	Key			01f4 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsstation\Performance
000006F0 wmiadap.exe	Key			01fc 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsunicast\Performance
000006F0 wmiadap.exe	Key			0204 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
000006F0 wmiadap.exe	Key			020c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfDisk\Performance
000006F0 wmiadap.exe	Key			0214 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfNet\Performance
000006F0 wmiadap.exe	Key			021c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfOS\Performance
000006F0 wmiadap.exe	Key			0224 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
000006F0 wmiadap.exe	Key			022c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
000006F0 wmiadap.exe	Key			0234 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance
000006F0 wmiadap.exe	Key			023c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
000006F0 wmiadap.exe	Key			0244 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\Performance
000006F0 wmiadap.exe	Key			024c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Performance
000006F0 wmiadap.exe	Key			0254 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Performance
000006F0 wmiadap.exe	Key			025c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Performance
000006F0 wmiadap.exe	Key			0264 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Performance
000006F0 wmiadap.exe	Key			026c 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
00000758 oh.exe		 Key			07d0 \REGISTRY\MACHINE

Example 4: List Handles for File Objects with Open Windows

To generate a list of file objects and send the output to the file C:\Output\Ohfile.txt, type the following at the command line:

oh /t file /o c:\output\ohfile.txt

Looking in Ohfile.txt, you then see output similar to the following:

00000004 System		 File		 0034 
\WINDOWS\system32\config\software
00000004 System		 File		 0044 \WINDOWS\system32\config\SAM.LOG
00000004 System		 File		 007c 
\WINDOWS\system32\config\SECURITY
00000004 System		 File		 0084 
\WINDOWS\system32\config\default.LOG
00000004 System		 File		 0088 \WINDOWS\system32\config\SAM
00000004 System		 File		 0090 \WINDOWS\system32\config\default
00000004 System		 File		 00a0 
\WINDOWS\system32\config\system.LOG
00000004 System		 File		 00b8 
\WINDOWS\system32\config\software.LOG
00000004 System		 File		 00d8 \pagefile.sys
00000004 System		 File		 00f4 
\WINDOWS\system32\config\SECURITY.LOG
00000004 System		 File		 01a4 \Documents and 
Settings\LocalService.NT AUTHORITY\NTUSER.DAT
00000004 System		 File		 01b0 \Documents and 
Settings\NetworkService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 01b4 \Documents and 
Settings\LocalService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 File		 01bc \Documents and 
Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
00000004 System		 File		 01c0 \Documents and 
Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
00000004 System		 File		 01c8 \Documents and 
Settings\NetworkService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 File		 01cc \Documents and 
Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
00000004 System		 File		 01d0 \Documents and 
Settings\LocalService.NT AUTHORITY\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 0238 \WINDOWS\system32\config\system
00000004 System		 File		 02fc 
\WINDOWS\system32\MsDtc\Trace\dtctrace.log
00000004 System		 File		 0390 \Documents and 
Settings\NetShowServices\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 File		 03a0 \Documents and 
Settings\NetShowServices\NTUSER.DAT
00000004 System		 File		 03a4 \Documents and 
Settings\NetShowServices\ntuser.dat.LOG
00000004 System		 File		 03b4 \Documents and 
Settings\NetShowServices\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 03b8 \
00000004 System		 File		 0498 \WINDOWS\DfsSvcLogFile
00000004 System		 File		 04a8 \255
00000004 System		 File		 0c3c \Documents and 
Settings\user.XP\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
00000004 System		 File		 0c44 \Documents and 
Settings\user.XP\ntuser.dat.LOG
00000004 System		 File		 0c48 \Documents and 
Settings\user.XP\NTUSER.DAT
00000004 System		 File		 0c4c \Documents and 
Settings\user.XP\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat.LOG
00000004 System		 File		 0dcc 
\WINDOWS\system32\LogFiles\W3SVC1\ex010522.log
00000004 System		 File		 0ddc \Topology
00000004 System		 File		 0dfc \47
000000C0 smss.exe	 File		 0010 \WINDOWS
000000C0 smss.exe	 File		 0024 \WINDOWS\system32
000000D8 csrss.exe	File		 0014 \WINDOWS\system32
000000D8 csrss.exe	File		 0728 \WINDOWS\system32\ega.cpi
000000E0 winlogon.exe   File		 00b4 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe   File		 01a4 \InitShutdown
000000E0 winlogon.exe   File		 01a8 \InitShutdown
000000E0 winlogon.exe   File		 0244 \WINDOWS\system32\dllcache
000000E0 winlogon.exe   File		 0260 \WINDOWS\AppPatch
000000E0 winlogon.exe   File		 0264 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_adm
000000E0 winlogon.exe   File		 0270 \svcctl
000000E0 winlogon.exe   File		 0274 \ntsvcs
000000E0 winlogon.exe   File		 0280 \svcctl
000000E0 winlogon.exe   File		 0284 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_adm
000000E0 winlogon.exe   File		 0288 \WINDOWS\system32
000000E0 winlogon.exe   File		 028c \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_aut
000000E0 winlogon.exe   File		 0290 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin\_vti_aut
000000E0 winlogon.exe   File		 0294 \WINDOWS\system32\inetsrv
000000E0 winlogon.exe   File		 0298 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\bin
000000E0 winlogon.exe   File		 029c \WINDOWS\Fonts
000000E0 winlogon.exe   File		 02a0 \WINDOWS\system32\drivers
000000E0 winlogon.exe   File		 02a4 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\servsupp
000000E0 winlogon.exe   File		 02a8 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\bots\vinavbar
000000E0 winlogon.exe   File		 02ac \Program Files\Microsoft 
FrontPage\version3.0\bin
000000E0 winlogon.exe   File		 02b0 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\_vti_bin
000000E0 winlogon.exe   File		 02b4 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\bin\1033
000000E0 winlogon.exe   File		 02b8 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\isapi
000000E0 winlogon.exe   File		 02bc \WINDOWS
000000E0 winlogon.exe   File		 02c0 \Program Files\Common 
Files\Microsoft Shared\DAO
000000E0 winlogon.exe   File		 02c4 \Program Files\Windows Media 
Player
000000E0 winlogon.exe   File		 02c8 \Program Files\Common 
Files\System\msadc
000000E0 winlogon.exe   File		 02cc \Program Files\Common 
Files\System\ado
000000E0 winlogon.exe   File		 02d0 \Program Files\Common 
Files\System\Ole DB
000000E0 winlogon.exe   File		 02d4 \WINDOWS\inf
000000E0 winlogon.exe   File		 02d8 \WINDOWS\system32\Setup
000000E0 winlogon.exe   File		 02f8 
\WINDOWS\system32\clients\tsclient\win16
000000E0 winlogon.exe   File		 02fc 
\WINDOWS\Microsoft.NET\Framework\v1.0.2706
000000E0 winlogon.exe   File		 0300 \WINDOWS\Application 
Compatibility Scripts
000000E0 winlogon.exe   File		 0304 
\WINDOWS\system32\clients\tsclient\win32\acme351
000000E0 winlogon.exe   File		 0308 \WINDOWS\msagent
000000E0 winlogon.exe   File		 030c \WINDOWS\msagent\intl
000000E0 winlogon.exe   File		 0310 \WINDOWS\system32\netmon\parsers
000000E0 winlogon.exe   File		 0314 \WINDOWS\system
000000E0 winlogon.exe   File		 0318 \WINDOWS\system32\netmon
000000E0 winlogon.exe   File		 031c \WINDOWS\Help
000000E0 winlogon.exe   File		 0320 
\WINDOWS\PCHEALTH\HELPCTR\Binaries
000000E0 winlogon.exe   File		 0324 \Program Files\NetMeeting
000000E0 winlogon.exe   File		 0328 \WINDOWS\system32\drivers\disdn
000000E0 winlogon.exe   File		 032c \WINDOWS\ime\chtime\applets
000000E0 winlogon.exe   File		 0330 \WINDOWS\system32\wbem
000000E0 winlogon.exe   File		 0334 \WINDOWS\Cluster
000000E0 winlogon.exe   File		 0338 \WINDOWS\system32\Com
000000E0 winlogon.exe   File		 033c \WINDOWS\ime\imjp8_1
000000E0 winlogon.exe   File		 0340 \Program Files\Common 
Files\Microsoft Shared\Triedit
000000E0 winlogon.exe   File		 0344 \Program Files\Windows NT
000000E0 winlogon.exe   File		 0348 \Program Files\Common 
Files\System
000000E0 winlogon.exe   File		 034c \WINDOWS\system32\1033
000000E0 winlogon.exe   File		 0350 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\admcgi\scripts
000000E0 winlogon.exe   File		 0354 \Program Files\Common 
Files\Microsoft Shared\Web Server Extensions\40\admisapi\scripts
000000E0 winlogon.exe   File		 0358 \WINDOWS\ime\imkr6_1\dicts
000000E0 winlogon.exe   File		 035c \WINDOWS\system32\mui\0009
000000E0 winlogon.exe   File		 0360 \Program Files\Internet Explorer
000000E0 winlogon.exe   File		 0364 \WINDOWS\ime\imjp8_1\applets
000000E0 winlogon.exe   File		 0368 \WINDOWS\ime\imkr6_1\applets
000000E0 winlogon.exe   File		 036c \Program Files\Internet 
Explorer\Connection Wizard
000000E0 winlogon.exe   File		 0370 \Program Files\Common 
Files\Microsoft Shared\MSInfo
000000E0 winlogon.exe   File		 0374 \Program Files\Common 
Files\Microsoft Shared\Smart Tag
000000E0 winlogon.exe   File		 0378 \WINDOWS\ime\imkr6_1
000000E0 winlogon.exe   File		 037c \WINDOWS\ime\shared
000000E0 winlogon.exe   File		 0380 \WINDOWS\system32\reminst
000000E0 winlogon.exe   File		 0384 \WINDOWS\system32\ime\pintlgnt
000000E0 winlogon.exe   File		 0388 
\WINDOWS\system32\clients\tsclient\win32
000000E0 winlogon.exe   File		 038c \Program Files\Common 
Files\SpeechEngines\Microsoft\Lexicon\1033
000000E0 winlogon.exe   File		 0390 \WINDOWS\Resources\Themes\Luna
000000E0 winlogon.exe   File		 0394 \WINDOWS\ime
000000E0 winlogon.exe   File		 0398 \Program Files\Outlook Express
000000E0 winlogon.exe   File		 039c \Program Files\MSN\SmartTag
000000E0 winlogon.exe   File		 03a0 \WINDOWS\system32\oobe
000000E0 winlogon.exe   File		 03a4 \WINDOWS\mui
000000E0 winlogon.exe   File		 03a8 \WINDOWS\system32\npp
000000E0 winlogon.exe   File		 03ac \WINDOWS\ime\shared\res
000000E0 winlogon.exe   File		 03b0 \WINDOWS\system32\rocket
000000E0 winlogon.exe   File		 03b4 \WINDOWS\ime\chsime\applets
000000E0 winlogon.exe   File		 03b8 \WINDOWS\system32\rpcproxy
000000E0 winlogon.exe   File		 03bc \Program Files\Common 
Files\SpeechEngines\Microsoft\TTS\1033
000000E0 winlogon.exe   File		 03c0 \Program Files\Common 
Files\Microsoft Shared\Speech
000000E0 winlogon.exe   File		 03c4 
\WINDOWS\system32\certsrv\certcontrol\ia64
000000E0 winlogon.exe   File		 03c8 
\WINDOWS\system32\certsrv\certcontrol\w2k
000000E0 winlogon.exe   File		 03cc 
\WINDOWS\system32\certsrv\certcontrol\x86
000000E0 winlogon.exe   File		 03d0 
\WINDOWS\system32\spool\prtprocs\w32x86
000000E0 winlogon.exe   File		 03d4 
\WINDOWS\Resources\Themes\Luna\Shell
000000E0 winlogon.exe   File		 03d8 \WINDOWS\system32\wbem\snmp
000000E0 winlogon.exe   File		 03dc \Program Files\Common 
Files\SpeechEngines\Microsoft
000000E0 winlogon.exe   File		 03e0 \Program Files\Common 
Files\Microsoft Shared\Speech\1033
000000E0 winlogon.exe   File		 03e4 
\WINDOWS\system32\spool\drivers\color
000000E0 winlogon.exe   File		 03e8 \WINDOWS\system32\ime\tintlgnt
000000E0 winlogon.exe   File		 03ec \WINDOWS\Help\Tours
000000E0 winlogon.exe   File		 03f0 \WINDOWS\system32\wbem\AdStatus
000000E0 winlogon.exe   File		 03f4 
\WINDOWS\PCHEALTH\UploadLB\Binaries
000000E0 winlogon.exe   File		 03f8 \Program Files\Common 
Files\Microsoft Shared\VGX
000000E0 winlogon.exe   File		 0400 
\WINDOWS\Microsoft.NET\Framework\v1.0.2706\1033
000000E0 winlogon.exe   File		 0404 \WINDOWS\system32\wbem\xml
000000E0 winlogon.exe   File		 0410 \Program Files\Windows 
NT\Accessories
000000E0 winlogon.exe   File		 0428 \WINDOWS\WinSxS
000000E0 winlogon.exe   File		 05d0 \SfcApi
000000E0 winlogon.exe   File		 05d4 \SfcApi
000000E0 winlogon.exe   File		 0640 
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000E0 winlogon.exe   File		 06b4 \ProfMapApi
000000E0 winlogon.exe   File		 06b8 \ProfMapApi
000000E0 winlogon.exe   File		 0758 \winlogonrpc
000000E0 winlogon.exe   File		 075c \winlogonrpc
000000E0 winlogon.exe   File		 0794 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000E0 winlogon.exe   File		 0828 \AudioSrv
000000E0 winlogon.exe   File		 0914 \WINDOWS\system32
00000110 services.exe   File		 0014 \WINDOWS\system32
00000110 services.exe   File		 0204 \ntsvcs
00000110 services.exe   File		 0260 \ntsvcs
00000110 services.exe   File		 0264 \ntsvcs
00000110 services.exe   File		 02bc \scerpc
00000110 services.exe   File		 02c0 \scerpc
00000110 services.exe   File		 02c4 \ntsvcs
00000110 services.exe   File		 02dc \lsarpc
00000110 services.exe   File		 0314 \svcctl
00000110 services.exe   File		 0320 \net\NtControlPipe1
00000110 services.exe   File		 0328 \ntsvcs
00000110 services.exe   File		 0330 \ntsvcs
00000110 services.exe   File		 033c \net\NtControlPipe2
00000110 services.exe   File		 0350 \ntsvcs
00000110 services.exe   File		 0354 \net\NtControlPipe3
00000110 services.exe   File		 0360 \net\NtControlPipe3
00000110 services.exe   File		 0388 
\WINDOWS\system32\config\AppEvent.Evt
00000110 services.exe   File		 0398 
\WINDOWS\system32\config\SecEvent.Evt
00000110 services.exe   File		 03b0 
\WINDOWS\system32\config\SysEvent.Evt
00000110 services.exe   File		 03c8 \net\NtControlPipe4
00000110 services.exe   File		 03e0 \ntsvcs
00000110 services.exe   File		 0444 \net\NtControlPipe5
00000110 services.exe   File		 044c \ntsvcs
00000110 services.exe   File		 0460 \net\NtControlPipe6
00000110 services.exe   File		 0468 \ntsvcs
00000110 services.exe   File		 0470 \ntsvcs
00000110 services.exe   File		 0494 \ntsvcs
00000110 services.exe   File		 04a0 \net\NtControlPipe0
00000110 services.exe   File		 04a4 \ntsvcs
00000110 services.exe   File		 04b4 \net\NtControlPipe7
00000110 services.exe   File		 04b8 \ntsvcs
00000110 services.exe   File		 04cc \net\NtControlPipe8
00000110 services.exe   File		 04d4 \ntsvcs
00000110 services.exe   File		 04e4 \ntsvcs
00000110 services.exe   File		 04f8 \ntsvcs
00000110 services.exe   File		 0500 \ntsvcs
00000110 services.exe   File		 0508 \net\NtControlPipe9
00000110 services.exe   File		 050c \ntsvcs
00000110 services.exe   File		 0528 \net\NtControlPipe10
00000110 services.exe   File		 0550 \ntsvcs
00000110 services.exe   File		 0564 \net\NtControlPipe11
00000110 services.exe   File		 0568 \ntsvcs
00000110 services.exe   File		 0588 \net\NtControlPipe12
00000110 services.exe   File		 05b8 \ntsvcs
00000110 services.exe   File		 05d0 \net\NtControlPipe13
00000110 services.exe   File		 05d8 \ntsvcs
00000110 services.exe   File		 05e0 \net\NtControlPipe14
00000110 services.exe   File		 05ec \ntsvcs
00000110 services.exe   File		 05f8 \ntsvcs
00000110 services.exe   File		 0600 \net\NtControlPipe15
00000110 services.exe   File		 060c \ntsvcs
00000110 services.exe   File		 0620 \net\NtControlPipe16
00000110 services.exe   File		 0628 \ntsvcs
00000110 services.exe   File		 0630 \ntsvcs
00000110 services.exe   File		 0648 \net\NtControlPipe18
00000110 services.exe   File		 064c \net\NtControlPipe17
00000110 services.exe   File		 0658 \ntsvcs
00000110 services.exe   File		 0668 \ntsvcs
00000110 services.exe   File		 0678 \ntsvcs
00000110 services.exe   File		 0694 \ntsvcs
00000110 services.exe   File		 06ac \ntsvcs
00000110 services.exe   File		 06bc \ntsvcs
00000110 services.exe   File		 06c0 \net\NtControlPipe21
00000110 services.exe   File		 06dc \ntsvcs
00000110 services.exe   File		 06e0 \net\NtControlPipe20
00000110 services.exe   File		 06ec \ntsvcs
00000110 services.exe   File		 06f4 \ntsvcs
00000110 services.exe   File		 0708 \ntsvcs
00000110 services.exe   File		 070c \ntsvcs
00000110 services.exe   File		 072c \ntsvcs
00000110 services.exe   File		 073c \PIPE_EVENTROOT\CIMV2SCM EVENT 
PROVIDER
0000011C lsass.exe	File		 0014 \WINDOWS\system32
0000011C lsass.exe	File		 0078 \net\NtControlPipe0
0000011C lsass.exe	File		 01c0 \WINDOWS\Debug\PASSWD.LOG
0000011C lsass.exe	File		 0288 \lsass
0000011C lsass.exe	File		 02e4 \protected_storage
0000011C lsass.exe	File		 02e8 \protected_storage
0000011C lsass.exe	File		 03e8 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000011C lsass.exe	File		 0460 \lsass
0000011C lsass.exe	File		 04f8 \Endpoint
0000011C lsass.exe	File		 0508 \svcctl
0000011C lsass.exe	File		 0510 \WINDOWS\Debug\oakley.log
0000011C lsass.exe	File		 0544 \Endpoint
0000011C lsass.exe	File		 0558 \Endpoint
0000011C lsass.exe	File		 055c \255
0000011C lsass.exe	File		 05a0 \ipsec
0000011C lsass.exe	File		 05a4 \ipsec
0000011C lsass.exe	File		 05b8 \lsass
0000011C lsass.exe	File		 0608 \lsass
0000011C lsass.exe	File		 0618 \lsass
000001A0 svchost.exe	File		 0014 \WINDOWS\system32
000001A0 svchost.exe	File		 0054 \net\NtControlPipe1
000001A0 svchost.exe	File		 0154 \Endpoint
000001A0 svchost.exe	File		 015c \Endpoint
000001A0 svchost.exe	File		 0168 
\Winsock2\CatalogChangeListener-1a0-0
000001A0 svchost.exe	File		 0170 \Endpoint
000001A0 svchost.exe	File		 0184 \Endpoint
000001A0 svchost.exe	File		 01d4 \Endpoint
000001A0 svchost.exe	File		 02bc \epmapper
000001A0 svchost.exe	File		 02c0 \epmapper
000001A0 svchost.exe	File		 0358 \Endpoint
000001A0 svchost.exe	File		 0438 \svcctl
000001BC svchost.exe	File		 0014 \WINDOWS\system32
000001BC svchost.exe	File		 008c \net\NtControlPipe2
000001BC svchost.exe	File		 00a0 \svcctl
000001BC svchost.exe	File		 0154 \TermSrv_Licensing_Core
000001BC svchost.exe	File		 0158 \TermSrv_Licensing_Core
000001BC svchost.exe	File		 0230 \Ctx_WinStation_API_service
000001BC svchost.exe	File		 0234 \Ctx_WinStation_API_service
00000200 svchost.exe	File		 0014 \WINDOWS\system32
00000200 svchost.exe	File		 008c \net\NtControlPipe4
00000200 svchost.exe	File		 00a0 \svcctl
00000200 svchost.exe	File		 00ac 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000200 svchost.exe	File		 0164 \DhcpClient
00000200 svchost.exe	File		 0260 
\WINDOWS\Registration\R000000000013.clb
00000200 svchost.exe	File		 028c \svcctl
00000200 svchost.exe	File		 02d8 \ntsvcs
00000200 svchost.exe	File		 02dc \WINDOWS\SchedLgU.Txt
00000200 svchost.exe	File		 0354 \Endpoint
00000200 svchost.exe	File		 0364 
\Winsock2\CatalogChangeListener-200-0
00000200 svchost.exe	File		 0394 \Endpoint
00000200 svchost.exe	File		 0398 \atsvc
00000200 svchost.exe	File		 039c \atsvc
00000200 svchost.exe	File		 03c0 \WINDOWS\Tasks
00000200 svchost.exe	File		 0460 \wkssvc
00000200 svchost.exe	File		 04dc \AudioSrv
00000200 svchost.exe	File		 04e0 \AudioSrv
00000200 svchost.exe	File		 0518 \keysvc
00000200 svchost.exe	File		 051c \keysvc
00000200 svchost.exe	File		 057c \PCHHangRepExecPipe
00000200 svchost.exe	File		 058c \PCHFaultRepExecPipe
00000200 svchost.exe	File		 05e4 \srvsvc
00000200 svchost.exe	File		 05f4 \AudioSrv
00000200 svchost.exe	File		 0674 \SECLOGON
00000200 svchost.exe	File		 0678 \SECLOGON
00000200 svchost.exe	File		 06c8 \trkwks
00000200 svchost.exe	File		 06cc \trkwks
00000200 svchost.exe	File		 06ec \$Extend\$ObjId
00000200 svchost.exe	File		 0714 \System Volume 
Information\tracking.log
00000200 svchost.exe	File		 0790 \W32TIME
00000200 svchost.exe	File		 0794 \W32TIME
00000200 svchost.exe	File		 07f4 \Endpoint
00000200 svchost.exe	File		 0804 \Endpoint
00000200 svchost.exe	File		 08c0 \wzcsvc
00000200 svchost.exe	File		 08c4 \wzcsvc
00000200 svchost.exe	File		 0910 \WMDMPMSPpipe
00000200 svchost.exe	File		 09d0 
\{9B365890-165F-11D0-A195-0020AFD156E4}
00000200 svchost.exe	File		 09ec \wkssvc
00000200 svchost.exe	File		 0a04 \srvsvc
00000200 svchost.exe	File		 0a44 \browser
00000200 svchost.exe	File		 0a48 \browser
00000200 svchost.exe	File		 0af8 
\Winsock2\CatalogChangeListener-200-1
00000200 svchost.exe	File		 0b64 \svcctl
00000200 svchost.exe	File		 0c08 \EVENTLOG
00000200 svchost.exe	File		 0c98 \ROUTER
00000200 svchost.exe	File		 0c9c \ROUTER
00000200 svchost.exe	File		 0da8 \wkssvc
00000200 svchost.exe	File		 0db0 \srvsvc
00000200 svchost.exe	File		 0df8 \Documents and Settings\Default 
User.WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat
00000200 svchost.exe	File		 0e0c \Documents and Settings\Default 
User.WINDOWS\Cookies\index.dat
00000200 svchost.exe	File		 0e10 \Documents and Settings\Default 
User.WINDOWS\Local Settings\History\History.IE5\index.dat
00000200 svchost.exe	File		 0e50 \ROUTER
00000230 csrss.exe	File		 0014 \WINDOWS\system32
00000234 winlogon.exe   File		 0014 \WINDOWS\system32
0000025C csrss.exe	File		 0014 \WINDOWS\system32
00000260 winlogon.exe   File		 0014 \WINDOWS\system32
00000294 svchost.exe	File		 0014 \WINDOWS\system32
00000294 svchost.exe	File		 0038 \net\NtControlPipe5
00000294 svchost.exe	File		 0080 \svcctl
00000294 svchost.exe	File		 00fc \WINDOWS\system32\drivers\etc
00000294 svchost.exe	File		 0134 \DNSRSLVR
00000294 svchost.exe	File		 0144 \DNSRSLVR
00000294 svchost.exe	File		 0148 \svcctl
00000294 svchost.exe	File		 0164 \DNSRSLVR
00000294 svchost.exe	File		 0198 \DNSRSLVR
0000029C svchost.exe	File		 0014 \WINDOWS\system32
0000029C svchost.exe	File		 0038 \net\NtControlPipe6
0000029C svchost.exe	File		 0080 \svcctl
0000029C svchost.exe	File		 0110 \Alerter
0000029C svchost.exe	File		 0128 
\Winsock2\CatalogChangeListener-29c-0
0000029C svchost.exe	File		 0168 \messngr
0000029C svchost.exe	File		 0194 \msgsvc
0000029C svchost.exe	File		 0198 \msgsvc
0000029C svchost.exe	File		 01d0 \Endpoint
0000029C svchost.exe	File		 01f8 \DAV RPC SERVICE
0000029C svchost.exe	File		 0204 \ntsvcs
0000029C svchost.exe	File		 0218 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000029C svchost.exe	File		 022c \Documents and 
Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet 
Files\Content.IE5\index.dat
0000029C svchost.exe	File		 023c \Documents and 
Settings\LocalService.NT AUTHORITY\Cookies\index.dat
0000029C svchost.exe	File		 0248 \Documents and 
Settings\LocalService.NT AUTHORITY\Local 
Settings\History\History.IE5\index.dat
0000029C svchost.exe	File		 02ac \DAV RPC SERVICE
0000029C svchost.exe	File		 02b0 \DAV RPC SERVICE
0000029C svchost.exe	File		 02b4 \msgsvc
0000029C svchost.exe	File		 02c0 \DNSRSLVR
0000029C svchost.exe	File		 0358 \ROUTER
000002D8 spoolsv.exe	File		 0014 \WINDOWS\system32
000002D8 spoolsv.exe	File		 0048 \net\NtControlPipe7
000002D8 spoolsv.exe	File		 0090 \svcctl
000002D8 spoolsv.exe	File		 00cc \spoolss
000002D8 spoolsv.exe	File		 00d0 \spoolss
000002D8 spoolsv.exe	File		 0208 \ntsvcs
000002D8 spoolsv.exe	File		 0330 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000002FC msdtc.exe	File		 0014 \WINDOWS\system32
000002FC msdtc.exe	File		 00c0 \net\NtControlPipe8
000002FC msdtc.exe	File		 00d4 \svcctl
000002FC msdtc.exe	File		 018c \Endpoint
000002FC msdtc.exe	File		 01a8 
\Winsock2\CatalogChangeListener-2fc-0
000002FC msdtc.exe	File		 01ac \Endpoint
000002FC msdtc.exe	File		 0284 
\WINDOWS\system32\MsDtc\MSDTC.LOG
000003B8 inetinfo.exe   File		 0014 \WINDOWS\system32
000003B8 inetinfo.exe   File		 006c \net\NtControlPipe9
000003B8 inetinfo.exe   File		 00b0 \svcctl
000003B8 inetinfo.exe   File		 00c0 \svcctl
000003B8 inetinfo.exe   File		 00d0 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000003B8 inetinfo.exe   File		 01c0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01c8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01d0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01d8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01e0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01e8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01f0 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 01f8 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 0200 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 0208 
\WINDOWS\system32\inetsrv\MBSchema.bin.00000000h
000003B8 inetinfo.exe   File		 05ec \Endpoint
000003B8 inetinfo.exe   File		 05fc 
\Winsock2\CatalogChangeListener-3b8-0
000003B8 inetinfo.exe   File		 0610 \Endpoint
000003B8 inetinfo.exe   File		 0638 \INETINFO
000003B8 inetinfo.exe   File		 063c \INETINFO
000003B8 inetinfo.exe   File		 0668 \EVENTLOG
000003B8 inetinfo.exe   File		 0698 \Endpoint
000003B8 inetinfo.exe   File		 071c \Inetpub\ftproot
000003B8 inetinfo.exe   File		 073c \Endpoint
000003B8 inetinfo.exe   File		 0740 \Endpoint
000003B8 inetinfo.exe   File		 0744 \Endpoint
000003B8 inetinfo.exe   File		 0748 \Endpoint
000003B8 inetinfo.exe   File		 074c \Endpoint
000003B8 inetinfo.exe   File		 0750 \Endpoint
000003B8 inetinfo.exe   File		 0754 \Endpoint
000003B8 inetinfo.exe   File		 0758 \Endpoint
000003B8 inetinfo.exe   File		 075c \Endpoint
000003B8 inetinfo.exe   File		 0760 \Endpoint
000003B8 inetinfo.exe   File		 0764 \Endpoint
000003B8 inetinfo.exe   File		 076c \Endpoint
000003B8 inetinfo.exe   File		 0824 \SMTPSVC
000003B8 inetinfo.exe   File		 0828 \SMTPSVC
000003B8 inetinfo.exe   File		 0874 \Endpoint
000003B8 inetinfo.exe   File		 08ec \Endpoint
000003B8 inetinfo.exe   File		 08f0 \Endpoint
000003B8 inetinfo.exe   File		 08f4 \Endpoint
000003B8 inetinfo.exe   File		 08f8 \Endpoint
000003B8 inetinfo.exe   File		 08fc \Endpoint
000003B8 inetinfo.exe   File		 0900 \Endpoint
000003B8 inetinfo.exe   File		 0918 \Inetpub\mailroot\Pickup
000003B8 inetinfo.exe   File		 093c \Endpoint
000003B8 inetinfo.exe   File		 0944 \Endpoint
000003B8 inetinfo.exe   File		 0948 \Endpoint
000003B8 inetinfo.exe   File		 094c \Endpoint
000003B8 inetinfo.exe   File		 0950 \Endpoint
000003B8 inetinfo.exe   File		 0954 \Endpoint
000003B8 inetinfo.exe   File		 0958 \Endpoint
000003B8 inetinfo.exe   File		 095c \Endpoint
000003B8 inetinfo.exe   File		 0960 \Endpoint
000003B8 inetinfo.exe   File		 0964 \Endpoint
000003B8 inetinfo.exe   File		 0968 \Endpoint
000003B8 inetinfo.exe   File		 0994 \Inetpub\nntpfile\groupvar.lst
000003B8 inetinfo.exe   File		 0998 \Inetpub\nntpfile\group.lst
000003B8 inetinfo.exe   File		 099c \Inetpub\nntpfile\article.hsh
000003B8 inetinfo.exe   File		 09a4 \Inetpub\nntpfile\history.hsh
000003B8 inetinfo.exe   File		 09ac \Inetpub\nntpfile\xover.hsh
000003B8 inetinfo.exe   File		 09e0 
\Inetpub\nntpfile\root\control\group.vpp
000003B8 inetinfo.exe   File		 09e4 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe   File		 09f0 \Inetpub\nntpfile\pickup
000003B8 inetinfo.exe   File		 09fc 
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe   File		 0a00 \Inetpub\nntpfile\root
000003B8 inetinfo.exe   File		 0a04 \Inetpub\nntpfile\root\control
000003B8 inetinfo.exe   File		 0a10 \Endpoint
000003B8 inetinfo.exe   File		 0a18 \Endpoint
000003B8 inetinfo.exe   File		 0a1c \Endpoint
000003B8 inetinfo.exe   File		 0a20 \Endpoint
000003B8 inetinfo.exe   File		 0a24 
\Inetpub\nntpfile\root\_slavegroup\group.vpp
000003B8 inetinfo.exe   File		 0a28 
\Inetpub\nntpfile\root\_slavegroup
000003B8 inetinfo.exe   File		 0a30 \Inetpub\nntpfile\root\group.vpp
000003B8 inetinfo.exe   File		 0a34 \Inetpub\nntpfile\root
000003B8 inetinfo.exe   File		 0a3c \Endpoint
000003B8 inetinfo.exe   File		 0a40 \Endpoint
000003B8 inetinfo.exe   File		 0a44 \Endpoint
000003B8 inetinfo.exe   File		 0a48 \Endpoint
000003B8 inetinfo.exe   File		 0a4c \Endpoint
000003B8 inetinfo.exe   File		 0a50 \Endpoint
000003B8 inetinfo.exe   File		 0a54 \Endpoint
000003B8 inetinfo.exe   File		 0a5c \Endpoint
000003B8 inetinfo.exe   File		 0a64 \Endpoint
000003B8 inetinfo.exe   File		 0a68 \Endpoint
000003B8 inetinfo.exe   File		 0a6c \Endpoint
000003B8 inetinfo.exe   File		 0a70 \Endpoint
000003B8 inetinfo.exe   File		 0a74 \Endpoint
000003B8 inetinfo.exe   File		 0a78 \Endpoint
000003B8 inetinfo.exe   File		 0a7c \Endpoint
000003B8 inetinfo.exe   File		 0a80 \Endpoint
000003B8 inetinfo.exe   File		 0a84 \Endpoint
000003B8 inetinfo.exe   File		 0a88 \Endpoint
000003B8 inetinfo.exe   File		 0ae0 \NNTPSVC
000003B8 inetinfo.exe   File		 0ae4 \NNTPSVC
000003B8 inetinfo.exe   File		 0b60 \DefaultAppPool
000003B8 inetinfo.exe   File		 0b88 \iisipm
000003B8 inetinfo.exe   File		 0bcc \DNSRSLVR
000003B8 inetinfo.exe   File		 0bdc \IISCgiStdOut952
000003B8 inetinfo.exe   File		 0be4 \IISCgiStdIn952
000003B8 inetinfo.exe   File		 0c10 \SSLFilterChannel
000003CC llssrv.exe	 File		 0014 \WINDOWS\system32
000003CC llssrv.exe	 File		 0068 \net\NtControlPipe10
000003CC llssrv.exe	 File		 00ac \svcctl
000003CC llssrv.exe	 File		 017c \llsrpc
000003CC llssrv.exe	 File		 0180 \llsrpc
000003A8 NSPMON.exe	 File		 0014 \WINDOWS\system32
000003A8 NSPMON.exe	 File		 0068 \net\NtControlPipe11
000003A8 NSPMON.exe	 File		 00ac \svcctl
000003A8 NSPMON.exe	 File		 00e8 \Endpoint
000003A8 NSPMON.exe	 File		 00f0 \Endpoint
0000041C NSCM.exe	 File		 0014 \WINDOWS\system32
0000041C NSCM.exe	 File		 0068 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_41c.dat
0000041C NSCM.exe	 File		 017c \net\NtControlPipe12
0000041C NSCM.exe	 File		 0190 \svcctl
0000041C NSCM.exe	 File		 0220 \Endpoint
0000041C NSCM.exe	 File		 0228 \Endpoint
0000046C svchost.exe	File		 0014 \WINDOWS\system32
0000046C svchost.exe	File		 0038 \net\NtControlPipe13
0000046C svchost.exe	File		 0080 \svcctl
0000046C svchost.exe	File		 00c0 \winreg
0000046C svchost.exe	File		 00c4 \winreg
000004C0 svchost.exe	File		 0014 \WINDOWS\system32
000004C0 svchost.exe	File		 008c \net\NtControlPipe14
000004C0 svchost.exe	File		 00a0 \svcctl
000004C0 svchost.exe	File		 00d0 \WINDOWS\system32\wbem\mof
000004C0 svchost.exe	File		 01a0 \lsarpc
000004C0 svchost.exe	File		 025c 
\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
000004C0 svchost.exe	File		 0260 
\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
000004C0 svchost.exe	File		 050c \PIPE_EVENTROOT\CIMV2SCM EVENT 
PROVIDER
000004C0 svchost.exe	File		 0538 \PIPE_EVENTROOT\CIMV2SCM EVENT 
PROVIDER
000003DC dfssvc.exe	 File		 0014 \WINDOWS\system32
000003DC dfssvc.exe	 File		 0070 \net\NtControlPipe15
000003DC dfssvc.exe	 File		 00b4 \svcctl
000003DC dfssvc.exe	 File		 00fc \netdfs
000003DC dfssvc.exe	 File		 0100 \netdfs
000004F0 NSUM.exe	 File		 0014 \WINDOWS\system32
000004F0 NSUM.exe	 File		 0068 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\Perflib_Perfdata_4f0.dat
000004F0 NSUM.exe	 File		 0184 \net\NtControlPipe16
000004F0 NSUM.exe	 File		 019c \svcctl
000004F0 NSUM.exe	 File		 0278 \Endpoint
000004F0 NSUM.exe	 File		 0280 \Endpoint
000004F0 NSUM.exe	 File		 0284 \Endpoint
000004F0 NSUM.exe	 File		 028c \Endpoint
000004F0 NSUM.exe	 File		 0290 \Endpoint
00000548 nspm.exe	 File		 0014 \WINDOWS\system32
00000548 nspm.exe	 File		 00c0 \net\NtControlPipe17
00000548 nspm.exe	 File		 00c4 \svcctl
00000548 nspm.exe	 File		 019c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000548 nspm.exe	 File		 01d8 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JETA66.tmp
00000548 nspm.exe	 File		 01f8 
\DOCUME~1\NETSHO~1\LOCALS~1\Temp\JET1.tmp
00000548 nspm.exe	 File		 0218 \WINDOWS\system32\Windows 
Media\Server\ASDB\mdsas.mdb
00000548 nspm.exe	 File		 021c \WINDOWS\system32\Windows 
Media\Server\ASDB\mdsas.ldb
000005C8 svchost.exe	File		 0014 \WINDOWS\system32
000005C8 svchost.exe	File		 008c \net\NtControlPipe18
000005C8 svchost.exe	File		 00a0 \svcctl
000005C8 svchost.exe	File		 014c \SSLFilterChannel
000005C8 svchost.exe	File		 022c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000005C8 svchost.exe	File		 0278 \DefaultAppPool
000005C8 svchost.exe	File		 02bc \iisipm
000000F8 explorer.exe   File		 0014 \Documents and 
Settings\user.XP
000000F8 explorer.exe   File		 004c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 005c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 0064 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 0068 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 0108 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 018c \Documents and Settings\All 
Users.WINDOWS\Desktop
000000F8 explorer.exe   File		 01a0 \Documents and 
Settings\user.XP\Desktop
000000F8 explorer.exe   File		 01f0 \Documents and Settings\All 
Users.WINDOWS\Start Menu
000000F8 explorer.exe   File		 0204 \Documents and 
Settings\user.XP\Start Menu
000000F8 explorer.exe   File		 0218 \Documents and 
Settings\user.XP\Application Data\Microsoft\Internet Explorer\Quick 
Launch
000000F8 explorer.exe   File		 0258 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 02a4 \Documents and 
Settings\user.XP\Cookies\index.dat
000000F8 explorer.exe   File		 02e0 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 02e4 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 0320 
\{9B365890-165F-11D0-A195-0020AFD156E4}
000000F8 explorer.exe   File		 0364 \ntsvcs
000000F8 explorer.exe   File		 0380 \AudioSrv
000000F8 explorer.exe   File		 0388 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 03c8 \Documents and 
Settings\user.XP\PrintHood
000000F8 explorer.exe   File		 042c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
000000F8 explorer.exe   File		 0488 \Documents and 
Settings\user.XP\Local Settings\History\History.IE5\index.dat
000000F8 explorer.exe   File		 048c \Documents and 
Settings\user.XP\Local Settings\Temporary Internet 
Files\Content.IE5\index.dat
000000F8 explorer.exe   File		 04a4 \Documents and 
Settings\user.XP\Local 
Settings\History\History.IE5\MSHist012001052220010523\index.dat
000000F8 explorer.exe   File		 0508 \output
00000720 idwlog.exe	 File		 0014 \Documents and 
Settings\user.XP
00000720 idwlog.exe	 File		 0078 \Idwlog.log
00000720 idwlog.exe	 File		 007c \WINDOWS\system32
00000720 idwlog.exe	 File		 0084 \WINDOWS\system32
00000720 idwlog.exe	 File		 00c4 \ntsvcs
00000720 idwlog.exe	 File		 00d0 \WINDOWS\system32
00000720 idwlog.exe	 File		 00f8 \DAV RPC SERVICE
0000079C svchost.exe	File		 0014 \WINDOWS\system32
0000079C svchost.exe	File		 0054 \net\NtControlPipe20
0000079C svchost.exe	File		 0078 \svcctl
0000079C svchost.exe	File		 010c \tapsrv
0000079C svchost.exe	File		 0110 \tapsrv
0000079C svchost.exe	File		 01c0 \53cb31a0\UnimodemNotifyTSP
0000079C svchost.exe	File		 01dc \ntsvcs
0000079C svchost.exe	File		 03ac \WINDOWS\system32\h323log.txt
00000668 svchost.exe	File		 0014 \WINDOWS\system32
00000668 svchost.exe	File		 0030 \net\NtControlPipe21
00000668 svchost.exe	File		 0078 \svcctl
00000668 svchost.exe	File		 00c4 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
00000668 svchost.exe	File		 00fc \WINDOWS\Sti_Trace.log
00000668 svchost.exe	File		 01a4 \WINDOWS\wiaservc.log
00000668 svchost.exe	File		 01cc \ntsvcs
00000668 svchost.exe	File		 0288 \WINDOWS\Sti_Trace.log
00000870 wmiprvse.exe   File		 0014 \WINDOWS\system32
0000076C wuauclt.exe	File		 0014 \WINDOWS\system32
0000076C wuauclt.exe	File		 0018 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe	File		 0058 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000076C wuauclt.exe	File		 023c \ROUTER
00000838 cmd.exe		File		 0014 \Documents and 
Settings\user.XP
00000838 cmd.exe		File		 0064 \output\ohfile.txt
0000071C notepad.exe	File		 0018 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000071C notepad.exe	File		 005c 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000071C notepad.exe	File		 01e8 
\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
0000071C notepad.exe	File		 0250 \output
000007F0 oh.exe		 File		 0014 \Documents and 
Settings\user.XP
000007F0 oh.exe		 File		 0064 \output\ohfile.txt

Example 5: List Handles for Event Objects with Open Windows

To generate a list of event objects and send the output to the file C:\Output\Ohevent.txt, type the following at the command line:

oh /t event /o c:\output\ohevent.txt

Looking in Ohevent.txt, you then see output similar to the following:

00000004 System		 Event		002c \Security\TRKWKS_EVENT
00000004 System		 Event		008c 
\Device\DmControl\VxKernel2VoldEvent
00000004 System		 Event		00d4 \LanmanServerAnnounceEvent
000000C0 smss.exe	 Event		0038 \UniqueSessionIdEvent
000000D8 csrss.exe	Event		00dc 
\BaseNamedObjects\WinSta0_DesktopSwitch
000000E0 winlogon.exe   Event		0050 \BaseNamedObjects\userenv:  User 
Profile setup event
000000E0 winlogon.exe   Event		0058 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000000E0 winlogon.exe   Event		005c \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		0060 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
000000E0 winlogon.exe   Event		0064 \BaseNamedObjects\userenv: 
Machine Policy Foreground Done Event
000000E0 winlogon.exe   Event		006c \BaseNamedObjects\userenv: User 
Group Policy has been applied
000000E0 winlogon.exe   Event		0070 \BaseNamedObjects\userenv: User 
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		0074 \BaseNamedObjects\userenv: User 
Group Policy Processing is done
000000E0 winlogon.exe   Event		0078 \BaseNamedObjects\userenv: User 
Policy Foreground Done Event
000000E0 winlogon.exe   Event		007c 
\BaseNamedObjects\crypt32LogoffEvent
000000E0 winlogon.exe   Event		0088 \Security\NetworkProviderLoad
000000E0 winlogon.exe   Event		008c \BaseNamedObjects\TS-WPAAE
000000E0 winlogon.exe   Event		00a8 \BaseNamedObjects\ReconEvent
000000E0 winlogon.exe   Event		01ec \BaseNamedObjects\DINPUTWINMM
000000E0 winlogon.exe   Event		0218 
\BaseNamedObjects\WinSta0_DesktopSwitch
000000E0 winlogon.exe   Event		0234 
\BaseNamedObjects\WFP_IDLE_TRIGGER
000000E0 winlogon.exe   Event		025c \BaseNamedObjects\Microsoft 
Smart Card Resource Manager Started
000000E0 winlogon.exe   Event		02dc 
\BaseNamedObjects\ThemesStartEvent
000000E0 winlogon.exe   Event		02e4 \BaseNamedObjects\msgina: 
ReturnToWelcome
000000E0 winlogon.exe   Event		05f4 
\BaseNamedObjects\hardwaremixercallback
000000E0 winlogon.exe   Event		0604 
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000E0 winlogon.exe   Event		0648 \BaseNamedObjects\mixercallback
000000E0 winlogon.exe   Event		06d0 \BaseNamedObjects\winlogon:  
machine GPO Event 49931
000000E0 winlogon.exe   Event		06dc \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000000E0 winlogon.exe   Event		06e4 \BaseNamedObjects\userenv: 
machine policy refresh event
000000E0 winlogon.exe   Event		06e8 \BaseNamedObjects\userenv: 
machine policy force refresh event
000000E0 winlogon.exe   Event		06ec \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000000E0 winlogon.exe   Event		06f0 \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		06f4 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
000000E0 winlogon.exe   Event		0704 
\BaseNamedObjects\jjCSCSharedEvent_UM_KM
000000E0 winlogon.exe   Event		070c 
\BaseNamedObjects\jjCSCSharedFillEvent_UM_KM
000000E0 winlogon.exe   Event		0714 
\BaseNamedObjects\WkssvcToAgentStartEvent
000000E0 winlogon.exe   Event		0718 
\BaseNamedObjects\WkssvcToAgentStopEvent
000000E0 winlogon.exe   Event		071c 
\BaseNamedObjects\AgentExistsEvent
000000E0 winlogon.exe   Event		0724 
\BaseNamedObjects\AgentToWkssvcEvent
000000E0 winlogon.exe   Event		0760 \BaseNamedObjects\SENS Started 
Event
000000E0 winlogon.exe   Event		07a4 \BaseNamedObjects\winlogon:  
User GPO Event 73045
000000E0 winlogon.exe   Event		07b0 \BaseNamedObjects\userenv: User 
Group Policy has been applied
000000E0 winlogon.exe   Event		07b8 \BaseNamedObjects\userenv: user 
policy refresh event
000000E0 winlogon.exe   Event		07bc \BaseNamedObjects\userenv: user 
policy force refresh event
000000E0 winlogon.exe   Event		07c0 \BaseNamedObjects\userenv: User 
Group Policy has been applied
000000E0 winlogon.exe   Event		07c4 \BaseNamedObjects\userenv: User 
Group Policy ForcedRefresh Needs Foreground Processing
000000E0 winlogon.exe   Event		07c8 \BaseNamedObjects\userenv: User 
Group Policy Processing is done
00000110 services.exe   Event		0064 \BaseNamedObjects\userenv:  User 
Profile setup event
00000110 services.exe   Event		018c 
\BaseNamedObjects\SC_AutoStartComplete
00000110 services.exe   Event		01b4 
\BaseNamedObjects\SvcctrlStartEvent_A3752DX
00000110 services.exe   Event		0218 \BaseNamedObjects\ScNetDrvMsg
00000110 services.exe   Event		02f0 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
00000110 services.exe   Event		03d8 
\BaseNamedObjects\PnP_No_Pending_Install_Events
0000011C lsass.exe	Event		00bc \SeLsaInitEvent
0000011C lsass.exe	Event		01e8 
\BaseNamedObjects\crypt32LogoffEvent
0000011C lsass.exe	Event		01f8 \BaseNamedObjects\userenv:  User 
Profile setup event
0000011C lsass.exe	Event		027c 
\BaseNamedObjects\LSA_RPC_SERVER_ACTIVE
0000011C lsass.exe	Event		03cc \SAM_SERVICE_STARTED
0000011C lsass.exe	Event		04d0 
\BaseNamedObjects\PS_SERVICE_STARTED
0000011C lsass.exe	Event		04dc 
\BaseNamedObjects\IPSEC_POLICY_CHANGE_EVENT
0000011C lsass.exe	Event		04e8 
\BaseNamedObjects\IPSEC_POLICY_CHANGE_NOTIFY
000001A0 svchost.exe	Event		00ac \BaseNamedObjects\userenv:  User 
Profile setup event
000001A0 svchost.exe	Event		01d8 
\BaseNamedObjects\ScmCreatedEvent
000001BC svchost.exe	Event		00bc 
\BaseNamedObjects\crypt32LogoffEvent
000001BC svchost.exe	Event		00c0 
\BaseNamedObjects\TermSrvReadyEvent
000001BC svchost.exe	Event		01dc 
\BaseNamedObjects\WinMMConsoleAudioEvent
000001BC svchost.exe	Event		01f0 \BaseNamedObjects\ReconEvent
000001BC svchost.exe	Event		01f4 \BaseNamedObjects\TermSrv:  
machine GP event
000001BC svchost.exe	Event		0238 \BaseNamedObjects\userenv:  User 
Profile setup event
000001BC svchost.exe	Event		0244 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
000001BC svchost.exe	Event		028c 
\Sessions\1\BaseNamedObjects\CsrStartEvent
000001BC svchost.exe	Event		0290 
\Sessions\1\BaseNamedObjects\ReconEvent
000001BC svchost.exe	Event		02c8 
\Sessions\2\BaseNamedObjects\CsrStartEvent
000001BC svchost.exe	Event		02cc 
\Sessions\2\BaseNamedObjects\ReconEvent
00000200 svchost.exe	Event		015c 
\BaseNamedObjects\DHCPNEWIPADDRESS
00000200 svchost.exe	Event		0198 
\BaseNamedObjects\AgentToWkssvcEvent
00000200 svchost.exe	Event		01d0 
\BaseNamedObjects\WkssvcToAgentStartEvent
00000200 svchost.exe	Event		01d4 
\BaseNamedObjects\ShellHWDetection'sEvent
00000200 svchost.exe	Event		01d8 
\BaseNamedObjects\CGenericServiceManager__Init
00000200 svchost.exe	Event		026c 
\BaseNamedObjects\ShellHWDetection'sEvent
00000200 svchost.exe	Event		02b4 \BaseNamedObjects\userenv:  User 
Profile setup event
00000200 svchost.exe	Event		02e0 
\BaseNamedObjects\ShellHWDetectionInitCompleted
00000200 svchost.exe	Event		03e0 
\BaseNamedObjects\WkssvcToAgentStopEvent
00000200 svchost.exe	Event		046c \BaseNamedObjects\wkssvc:  MUP 
finished initializing event
00000200 svchost.exe	Event		0490 
\BaseNamedObjects\crypt32LogoffEvent
00000200 svchost.exe	Event		04e4 \BaseNamedObjects\DmServerStop
00000200 svchost.exe	Event		0540 \BaseNamedObjects\ReSyncKernel
00000200 svchost.exe	Event		0548 
\Device\DmControl\VxKernel2VoldEvent
00000200 svchost.exe	Event		05f0 \LanmanServerAnnounceEvent
00000200 svchost.exe	Event		06a0 \Security\TRKWKS_EVENT
00000200 svchost.exe	Event		06f4 \BaseNamedObjects\SENS Started 
Event
00000200 svchost.exe	Event		0724 \BaseNamedObjects\Sens Hidden 
Window Cleanup Event
00000230 csrss.exe	Event		00c4 
\Sessions\1\BaseNamedObjects\ScNetDrvMsg
00000234 winlogon.exe   Event		0050 \BaseNamedObjects\userenv:  User 
Profile setup event
00000234 winlogon.exe   Event		0058 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
00000234 winlogon.exe   Event		005c \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
00000234 winlogon.exe   Event		0060 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
00000234 winlogon.exe   Event		0064 \BaseNamedObjects\userenv: 
Machine Policy Foreground Done Event
00000234 winlogon.exe   Event		006c 
\Sessions\1\BaseNamedObjects\userenv: User Group Policy has been applied
00000234 winlogon.exe   Event		0070 
\Sessions\1\BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs 
Foreground Processing
00000234 winlogon.exe   Event		0074 
\Sessions\1\BaseNamedObjects\userenv: User Group Policy Processing is done
00000234 winlogon.exe   Event		0078 
\Sessions\1\BaseNamedObjects\userenv: User Policy Foreground Done Event
00000234 winlogon.exe   Event		007c 
\BaseNamedObjects\crypt32LogoffEvent
0000025C csrss.exe	Event		00c4 
\Sessions\2\BaseNamedObjects\ScNetDrvMsg
00000260 winlogon.exe   Event		0050 \BaseNamedObjects\userenv:  User 
Profile setup event
00000260 winlogon.exe   Event		0058 \BaseNamedObjects\userenv: 
Machine Group Policy has been applied
00000260 winlogon.exe   Event		005c \BaseNamedObjects\userenv: 
Machine Group Policy ForcedRefresh Needs Foreground Processing
00000260 winlogon.exe   Event		0060 \BaseNamedObjects\userenv: 
Machine Group Policy Processing is done
00000260 winlogon.exe   Event		0064 \BaseNamedObjects\userenv: 
Machine Policy Foreground Done Event
00000260 winlogon.exe   Event		006c 
\Sessions\2\BaseNamedObjects\userenv: User Group Policy has been applied
00000260 winlogon.exe   Event		0070 
\Sessions\2\BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs 
Foreground Processing
00000260 winlogon.exe   Event		0074 
\Sessions\2\BaseNamedObjects\userenv: User Group Policy Processing is done
00000260 winlogon.exe   Event		0078 
\Sessions\2\BaseNamedObjects\userenv: User Policy Foreground Done Event
00000260 winlogon.exe   Event		007c 
\BaseNamedObjects\crypt32LogoffEvent
0000029C svchost.exe	Event		01f4 
\BaseNamedObjects\crypt32LogoffEvent
000002D8 spoolsv.exe	Event		00a0 
\BaseNamedObjects\RouterPreInitEvent
000002D8 spoolsv.exe	Event		0120 
\BaseNamedObjects\crypt32LogoffEvent
000002D8 spoolsv.exe	Event		0350 \BaseNamedObjects\userenv:  User 
Profile setup event
000002FC msdtc.exe	Event		00f8 
\BaseNamedObjects\EVENT_MSDTC_STARTING
000002FC msdtc.exe	Event		02d8 
\BaseNamedObjects\MSDTC_NAMED_EVENT
000003B8 inetinfo.exe   Event		0064 
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000003B8 inetinfo.exe   Event		0284 \BaseNamedObjects\userenv:  User 
Profile setup event
000003B8 inetinfo.exe   Event		0288 
\BaseNamedObjects\crypt32LogoffEvent
000003B8 inetinfo.exe   Event		072c 
\BaseNamedObjects\MicrosoftInternetNewsServerVersion2BootCheckEvent
0000041C NSCM.exe	 Event		00b0 
\BaseNamedObjects\McmServPerf_RegChangeEvent
0000046C svchost.exe	Event		00d0 
\BaseNamedObjects\Microsoft.RPC_Registry_Server
000004C0 svchost.exe	Event		00cc 
\BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
000004C0 svchost.exe	Event		00d4 
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe	Event		00d8 
\BaseNamedObjects\WINMGMT_COREDLL_UNLOADED
000004C0 svchost.exe	Event		00dc 
\BaseNamedObjects\WINMGMT_COREDLL_LOADED
000004C0 svchost.exe	Event		00e0 
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER_TERMINATE
000004C0 svchost.exe	Event		00e8 
\BaseNamedObjects\WINMGMT_NEED_REGISTRATION
000004C0 svchost.exe	Event		00ec 
\BaseNamedObjects\WINMGMT_REGISTRATION_DONE
000004C0 svchost.exe	Event		00f4 
\BaseNamedObjects\WMI_SysEvent_LodCtr
000004C0 svchost.exe	Event		00f8 
\BaseNamedObjects\WMI_SysEvent_UnLodCtr
000004C0 svchost.exe	Event		029c 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		02b4 
\BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
000004C0 svchost.exe	Event		02e4 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		02ec 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		04e0 
\BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
000004C0 svchost.exe	Event		0500 
\BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
000004C0 svchost.exe	Event		0518 
\BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
000004C0 svchost.exe	Event		0524 
\BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT 
PROVIDER
000004C0 svchost.exe	Event		0530 
\BaseNamedObjects\EVENT_READYROOT/CIMV2STANDARD NON-COM EVENT PROVIDER
000003DC dfssvc.exe	 Event		0064 \BaseNamedObjects\userenv:  User 
Profile setup event
000004F0 NSUM.exe	 Event		00b0 
\BaseNamedObjects\AsfServPerf_RegChangeEvent
000005C8 svchost.exe	Event		00b8 
\BaseNamedObjects\crypt32LogoffEvent
000005C8 svchost.exe	Event		00e0 \BaseNamedObjects\userenv:  User 
Profile setup event
000005C8 svchost.exe	Event		0220 
\BaseNamedObjects\W3SVCStartW3WP-aae415e7-4598-4294-a382-0a435d5b32c5
000005C8 svchost.exe	Event		02b0 
\BaseNamedObjects\WASPerfCount-c40da922-9c0a-4def-8aba-cd0bb5f093e1
000000F8 explorer.exe   Event		01c4 \BaseNamedObjects\userenv:  User 
Profile setup event
000000F8 explorer.exe   Event		02dc 
\BaseNamedObjects\ShellReadyEvent
000000F8 explorer.exe   Event		0308 
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
000000F8 explorer.exe   Event		032c \BaseNamedObjects\mixercallback
000000F8 explorer.exe   Event		0334 
\BaseNamedObjects\hardwaremixercallback
000000F8 explorer.exe   Event		0350 
\BaseNamedObjects\HPlugEjectEvent
000000F8 explorer.exe   Event		0450 
\BaseNamedObjects\crypt32LogoffEvent
0000079C svchost.exe	Event		00dc 
\BaseNamedObjects\SC_AutoStartComplete
0000079C svchost.exe	Event		01c4 
\BaseNamedObjects\--.-mailslot-53cb31a0-UnimodemNotifyTSP
0000079C svchost.exe	Event		03ec \BaseNamedObjects\DINPUTWINMM
00000668 svchost.exe	Event		00b8 \BaseNamedObjects\userenv:  User 
Profile setup event
0000076C wuauclt.exe	Event		026c \BaseNamedObjects\userenv:  User 
Profile setup event
0000071C notepad.exe	Event		01e0 \BaseNamedObjects\userenv:  User 
Profile setup event
00000848 hh.exe		 Event		008c 
\BaseNamedObjects\crypt32LogoffEvent
00000848 hh.exe		 Event		02a8 
\BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
00000848 hh.exe		 Event		02dc \BaseNamedObjects\mixercallback
00000848 hh.exe		 Event		02e8 
\BaseNamedObjects\hardwaremixercallback

Example 6: List Handles for WinLogon Open Windows

To generate a list of open windows that contain WinLogon and send the output to the file C:\Output\Ohwinlogon.txt, type the following at the command line:

oh winlogon /o c:\output\ohwinlogon.txt

Looking in Ohwinlogon.txt, you then see output similar to the following:

000000E0 winlogon.exe   Desktop		0094 \Winlogon
000000E0 winlogon.exe   Mutant		 00bc \BaseNamedObjects\winlogon: 
Logon UserProfileMapping Mutex
000000E0 winlogon.exe   Key			00dc 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\crypt32chain
000000E0 winlogon.exe   Key			00e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\cryptnet
000000E0 winlogon.exe   Key			00f0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\sclgntfy
000000E0 winlogon.exe   Key			01d0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe   Key			020c 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
000000E0 winlogon.exe   Key			02e0 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Credentials
000000E0 winlogon.exe   Event		06d0 \BaseNamedObjects\winlogon:  
machine GPO Event 49931
000000E0 winlogon.exe   File		 0758 \winlogonrpc
000000E0 winlogon.exe   File		 075c \winlogonrpc
000000E0 winlogon.exe   Key			0774 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\ScCertProp
000000E0 winlogon.exe   Event		07a4 \BaseNamedObjects\winlogon:  
User GPO Event 73045
000000E0 winlogon.exe   Key			0838 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Example 7: List Handles for Mutant Objects with Open Windows

To generate a list of mutant objects as well as unnamed open windows and send the output to the file C:\Output\Ohmutant.txt, type the following at the command line:

oh /t mutant /a /o c:\output\ohmutant.txt

Looking in Ohmutant.txt, you then see output similar to the following:

000000D8 csrss.exe	Mutant		 0044 \NlsCacheMutant
000000D8 csrss.exe	Mutant		 004c \NlsCacheMutant
000000E0 winlogon.exe   Mutant		 0024 \NlsCacheMutant
000000E0 winlogon.exe   Mutant		 0054 \BaseNamedObjects\userenv: 
machine policy mutex
000000E0 winlogon.exe   Mutant		 0068 \BaseNamedObjects\userenv: user 
policy mutex
000000E0 winlogon.exe   Mutant		 00a4 \BaseNamedObjects\SingleSesMutex
000000E0 winlogon.exe   Mutant		 00bc \BaseNamedObjects\winlogon: 
Logon UserProfileMapping Mutex
000000E0 winlogon.exe   Mutant		 00c8
000000E0 winlogon.exe   Mutant		 00d0
000000E0 winlogon.exe   Mutant		 01c4 
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000000E0 winlogon.exe   Mutant		 01fc
000000E0 winlogon.exe   Mutant		 0204
000000E0 winlogon.exe   Mutant		 05ec \BaseNamedObjects\mxrapi
000000E0 winlogon.exe   Mutant		 0600 
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000E0 winlogon.exe   Mutant		 0624
000000E0 winlogon.exe   Mutant		 0658 
\BaseNamedObjects\MidiMapper_Configure
000000E0 winlogon.exe   Mutant		 065c
000000E0 winlogon.exe   Mutant		 0660 
\BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
000000E0 winlogon.exe   Mutant		 0668 
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe   Mutant		 066c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0674 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0678 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 0680 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0684 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe   Mutant		 0688 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 068c \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 06bc
000000E0 winlogon.exe   Mutant		 07e4 
\BaseNamedObjects\WPA_LICSTORE_MUTEX
000000E0 winlogon.exe   Mutant		 0834 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 083c \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 0840 \BaseNamedObjects\WPA_LT_MUTEX
000000E0 winlogon.exe   Mutant		 0844 \BaseNamedObjects\WPA_PR_MUTEX
000000E0 winlogon.exe   Mutant		 0848 \BaseNamedObjects\WPA_RT_MUTEX
000000E0 winlogon.exe   Mutant		 084c \BaseNamedObjects\WPA_LT_MUTEX
00000110 services.exe   Mutant		 0030 \NlsCacheMutant
00000110 services.exe   Mutant		 008c
00000110 services.exe   Mutant		 0094
00000110 services.exe   Mutant		 009c
00000110 services.exe   Mutant		 00a4
00000110 services.exe   Mutant		 00ac
00000110 services.exe   Mutant		 00b4
00000110 services.exe   Mutant		 00bc
00000110 services.exe   Mutant		 00c4
00000110 services.exe   Mutant		 00cc
00000110 services.exe   Mutant		 00d4
00000110 services.exe   Mutant		 00dc
00000110 services.exe   Mutant		 00e4
00000110 services.exe   Mutant		 00ec
00000110 services.exe   Mutant		 00f4
00000110 services.exe   Mutant		 00fc
00000110 services.exe   Mutant		 0104
00000110 services.exe   Mutant		 010c
00000110 services.exe   Mutant		 0114
00000110 services.exe   Mutant		 011c
00000110 services.exe   Mutant		 0124
00000110 services.exe   Mutant		 012c
00000110 services.exe   Mutant		 0134
00000110 services.exe   Mutant		 013c
00000110 services.exe   Mutant		 0144
00000110 services.exe   Mutant		 014c
00000110 services.exe   Mutant		 0154
00000110 services.exe   Mutant		 015c
00000110 services.exe   Mutant		 0164
00000110 services.exe   Mutant		 016c
00000110 services.exe   Mutant		 0174
00000110 services.exe   Mutant		 017c
00000110 services.exe   Mutant		 0184
00000110 services.exe   Mutant		 01bc
00000110 services.exe   Mutant		 0400 \BaseNamedObjects\PnP_Init_Mutex
00000110 services.exe   Mutant		 043c 
\BaseNamedObjects\ShimCacheMutex[S-1-5-20]
0000011C lsass.exe	Mutant		 0030 \NlsCacheMutant
0000011C lsass.exe	Mutant		 0344
0000011C lsass.exe	Mutant		 034c
000001A0 svchost.exe	Mutant		 0024 \NlsCacheMutant
000001A0 svchost.exe	Mutant		 04c0 
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000001BC svchost.exe	Mutant		 0024 \NlsCacheMutant
000001BC svchost.exe	Mutant		 00cc 
\BaseNamedObjects\746bbf3569adEncrypt
000001BC svchost.exe	Mutant		 00f4
000001BC svchost.exe	Mutant		 01a8
000001BC svchost.exe	Mutant		 024c
000001BC svchost.exe	Mutant		 0258
000001BC svchost.exe	Mutant		 025c
00000200 svchost.exe	Mutant		 0024 \NlsCacheMutant
00000200 svchost.exe	Mutant		 02c0
00000200 svchost.exe	Mutant		 02c8
00000200 svchost.exe	Mutant		 02f0
00000200 svchost.exe	Mutant		 03a8
00000200 svchost.exe	Mutant		 0494
00000200 svchost.exe	Mutant		 049c
00000200 svchost.exe	Mutant		 054c 
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
00000200 svchost.exe	Mutant		 0564 
\BaseNamedObjects\0CADFD67AF62496dB34264F000F5624A
00000200 svchost.exe	Mutant		 0568 
\BaseNamedObjects\4FCC0DEFE22C4f138FB9D5AF25FD9398
00000200 svchost.exe	Mutant		 0938
00000200 svchost.exe	Mutant		 0974
00000200 svchost.exe	Mutant		 0a68
00000200 svchost.exe	Mutant		 0a70 \BaseNamedObjects\RasPbFile
00000200 svchost.exe	Mutant		 0c24
00000200 svchost.exe	Mutant		 0c68 \BaseNamedObjects\RAS_MO_02
00000200 svchost.exe	Mutant		 0c6c \BaseNamedObjects\RAS_MO_01
00000200 svchost.exe	Mutant		 0d74
00000200 svchost.exe	Mutant		 0df4 
\BaseNamedObjects\_!MSFTHISTORY!_
00000200 svchost.exe	Mutant		 0dfc \BaseNamedObjects\c:!documents 
and settings!default user.windows!local settings!temporary internet 
files!content.ie5!
00000200 svchost.exe	Mutant		 0e04 \BaseNamedObjects\c:!documents 
and settings!default user.windows!cookies!
00000200 svchost.exe	Mutant		 0e08 \BaseNamedObjects\c:!documents 
and settings!default user.windows!local settings!history!history.ie5!
00000200 svchost.exe	Mutant		 0e1c 
\BaseNamedObjects\WininetStartupMutex
00000200 svchost.exe	Mutant		 0e24
00000200 svchost.exe	Mutant		 0e28
00000200 svchost.exe	Mutant		 0e2c 
\BaseNamedObjects\WininetProxyRegistryMutex
00000230 csrss.exe	Mutant		 0050 \Sessions\1\NlsCacheMutant
00000230 csrss.exe	Mutant		 0058 \Sessions\1\NlsCacheMutant
00000234 winlogon.exe   Mutant		 0024 \Sessions\1\NlsCacheMutant
00000234 winlogon.exe   Mutant		 0054 \BaseNamedObjects\userenv: 
machine policy mutex
00000234 winlogon.exe   Mutant		 0068 
\Sessions\1\BaseNamedObjects\userenv: user policy mutex
0000025C csrss.exe	Mutant		 0050 \Sessions\2\NlsCacheMutant
0000025C csrss.exe	Mutant		 0058 \Sessions\2\NlsCacheMutant
00000260 winlogon.exe   Mutant		 0024 \Sessions\2\NlsCacheMutant
00000260 winlogon.exe   Mutant		 0054 \BaseNamedObjects\userenv: 
machine policy mutex
00000260 winlogon.exe   Mutant		 0068 
\Sessions\2\BaseNamedObjects\userenv: user policy mutex
00000294 svchost.exe	Mutant		 0030 \NlsCacheMutant
0000029C svchost.exe	Mutant		 0030 \NlsCacheMutant
0000029C svchost.exe	Mutant		 0228 
\BaseNamedObjects\_!MSFTHISTORY!_
0000029C svchost.exe	Mutant		 0230 \BaseNamedObjects\c:!documents 
and settings!localservice.nt authority!local settings!temporary internet 
files!content.ie5!
0000029C svchost.exe	Mutant		 0238 \BaseNamedObjects\c:!documents 
and settings!localservice.nt authority!cookies!
0000029C svchost.exe	Mutant		 0244 \BaseNamedObjects\c:!documents 
and settings!localservice.nt authority!local settings!history!history.ie5!
0000029C svchost.exe	Mutant		 0254 
\BaseNamedObjects\WininetStartupMutex
0000029C svchost.exe	Mutant		 0258
0000029C svchost.exe	Mutant		 025c
0000029C svchost.exe	Mutant		 0260 
\BaseNamedObjects\WininetProxyRegistryMutex
0000029C svchost.exe	Mutant		 02cc
0000029C svchost.exe	Mutant		 02d0 \BaseNamedObjects\RasPbFile
000002D8 spoolsv.exe	Mutant		 0024 \NlsCacheMutant
000002D8 spoolsv.exe	Mutant		 0168
000002D8 spoolsv.exe	Mutant		 0170
000002FC msdtc.exe	Mutant		 0030 \NlsCacheMutant
000003B8 inetinfo.exe   Mutant		 0024 \NlsCacheMutant
000003B8 inetinfo.exe   Mutant		 02c0
000003B8 inetinfo.exe   Mutant		 051c \BaseNamedObjects\DBWinMutex
000003B8 inetinfo.exe   Mutant		 0580
000003B8 inetinfo.exe   Mutant		 0588
000003CC llssrv.exe	 Mutant		 0030 \NlsCacheMutant
000003A8 NSPMON.exe	 Mutant		 0030 \NlsCacheMutant
0000041C NSCM.exe	 Mutant		 0030 \NlsCacheMutant
0000041C NSCM.exe	 Mutant		 0054 
\BaseNamedObjects\McmServPERF_REGISTRY_MUTEX
0000041C NSCM.exe	 Mutant		 0060
0000041C NSCM.exe	 Mutant		 00b8 
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00c0 
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00c8 
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00d0 
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00d8 
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00e0 
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00e8 
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00f0 
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 00f8 
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0100 
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0108 
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0110 
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0118 
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0120 
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0128 
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0130 
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0138 
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0140 
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0148 
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0150 
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0158 
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0160 
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0168 
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0170 
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_41c
0000041C NSCM.exe	 Mutant		 0174 
\BaseNamedObjects\McmServPERF_INFO_MUTEX
0000041C NSCM.exe	 Mutant		 01f4 \BaseNamedObjects\Shared Mutex 
for McmServ Data Collection_0
0000046C svchost.exe	Mutant		 0030 \NlsCacheMutant
000004C0 svchost.exe	Mutant		 0024 \NlsCacheMutant
000004C0 svchost.exe	Mutant		 00b4
000004C0 svchost.exe	Mutant		 00bc
000004C0 svchost.exe	Mutant		 00e4 
\BaseNamedObjects\WINMGMT_MARSHALLING_SERVER
000004C0 svchost.exe	Mutant		 00f0 
\BaseNamedObjects\WINMGMT_KEEP_NEW_CLIENTS_AT_BAY
000004C0 svchost.exe	Mutant		 0198
000004C0 svchost.exe	Mutant		 0238 \BaseNamedObjects\WINMGMT_ACTIVE
000004C0 svchost.exe	Mutant		 0248
000004C0 svchost.exe	Mutant		 024c 
\BaseNamedObjects\ShimCacheMutex[S-1-5-18]
000003DC dfssvc.exe	 Mutant		 0024 \NlsCacheMutant
000004F0 NSUM.exe	 Mutant		 0030 \NlsCacheMutant
000004F0 NSUM.exe	 Mutant		 0054 
\BaseNamedObjects\AsfServPERF_REGISTRY_MUTEX
000004F0 NSUM.exe	 Mutant		 0060
000004F0 NSUM.exe	 Mutant		 00b8 
\BaseNamedObjects\ASP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00c0 
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00c8 
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00d0 
\BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00d8 
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00e0 
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00e8 
\BaseNamedObjects\MSFtpsvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00f0 
\BaseNamedObjects\NntpSvc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 00f8 
\BaseNamedObjects\nsstation_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0100 
\BaseNamedObjects\nsunicast_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0108 
\BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0110 
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0118 
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0120 
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0128 
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0130 
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0138 
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0140 
\BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0148 
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0150 
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0158 
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0160 
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0168 
\BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0170 
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_4f0
000004F0 NSUM.exe	 Mutant		 0174 
\BaseNamedObjects\AsfServPERF_INFO_MUTEX
000004F0 NSUM.exe	 Mutant		 01dc \BaseNamedObjects\Shared Mutex 
for AsfServ Data Collection_0
00000548 nspm.exe	 Mutant		 0030 \NlsCacheMutant
000005C8 svchost.exe	Mutant		 0024 \NlsCacheMutant
000000F8 explorer.exe   Mutant		 0024 \NlsCacheMutant
000000F8 explorer.exe   Mutant		 0070 
\BaseNamedObjects\ExplorerIsShellMutex
000000F8 explorer.exe   Mutant		 0100
000000F8 explorer.exe   Mutant		 0178 
\BaseNamedObjects\WininetStartupMutex
000000F8 explorer.exe   Mutant		 01e0 
\BaseNamedObjects\ZonesCounterMutex
000000F8 explorer.exe   Mutant		 025c 
\BaseNamedObjects\_!MSFTHISTORY!_
000000F8 explorer.exe   Mutant		 0278
000000F8 explorer.exe   Mutant		 02b0 \BaseNamedObjects\_SHuassist.mtx
000000F8 explorer.exe   Mutant		 02b4
000000F8 explorer.exe   Mutant		 02bc \BaseNamedObjects\c:!documents 
and settings!user.xp!local 
settings!history!history.ie5!mshist012001052220010523!
000000F8 explorer.exe   Mutant		 02f0 
\BaseNamedObjects\ShimCacheMutex[S-1-5-21-484763869-113007714-839522115-1010]
000000F8 explorer.exe   Mutant		 02fc
000000F8 explorer.exe   Mutant		 0304 
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
000000F8 explorer.exe   Mutant		 0328 \BaseNamedObjects\mxrapi
000000F8 explorer.exe   Mutant		 0344
000000F8 explorer.exe   Mutant		 0368
000000F8 explorer.exe   Mutant		 0398
000000F8 explorer.exe   Mutant		 041c 
\BaseNamedObjects\WininetProxyRegistryMutex
000000F8 explorer.exe   Mutant		 0448 \BaseNamedObjects\c:!documents 
and settings!user.xp!cookies!
000000F8 explorer.exe   Mutant		 0458 
\BaseNamedObjects\ZonesCacheCounterMutex
000000F8 explorer.exe   Mutant		 0470 \BaseNamedObjects\c:!documents 
and settings!user.xp!local settings!temporary internet files!content.ie5!
000000F8 explorer.exe   Mutant		 0480 
\BaseNamedObjects\WininetConnectionMutex
000000F8 explorer.exe   Mutant		 0494
000000F8 explorer.exe   Mutant		 0498 \BaseNamedObjects\c:!documents 
and settings!user.xp!local settings!history!history.ie5!
000000F8 explorer.exe   Mutant		 04a0 
\BaseNamedObjects\_!SHMSFTHISTORY!_
000000F8 explorer.exe   Mutant		 04cc
000000F8 explorer.exe   Mutant		 04f4
000000F8 explorer.exe   Mutant		 0558
0000079C svchost.exe	Mutant		 0024 \NlsCacheMutant
0000079C svchost.exe	Mutant		 0170
0000079C svchost.exe	Mutant		 0178
0000079C svchost.exe	Mutant		 01c8
0000079C svchost.exe	Mutant		 01e4
0000079C svchost.exe	Mutant		 029c
0000079C svchost.exe	Mutant		 02a4
0000079C svchost.exe	Mutant		 02a8
0000079C svchost.exe	Mutant		 0350
0000079C svchost.exe	Mutant		 0358
0000079C svchost.exe	Mutant		 035c
0000079C svchost.exe	Mutant		 0374
0000079C svchost.exe	Mutant		 037c
0000079C svchost.exe	Mutant		 03d4
0000079C svchost.exe	Mutant		 03dc
0000079C svchost.exe	Mutant		 040c
00000668 svchost.exe	Mutant		 0024 \NlsCacheMutant
00000668 svchost.exe	Mutant		 009c
00000668 svchost.exe	Mutant		 00a4
00000668 svchost.exe	Mutant		 0100 
\BaseNamedObjects\StiTraceMutexSti_Trace.log
00000668 svchost.exe	Mutant		 01b8
00000668 svchost.exe	Mutant		 01d0
00000668 svchost.exe	Mutant		 01f0
00000668 svchost.exe	Mutant		 01fc
00000668 svchost.exe	Mutant		 0238
00000668 svchost.exe	Mutant		 028c 
\BaseNamedObjects\StiTraceMutexSti_Trace.log
0000076C wuauclt.exe	Mutant		 0034 \NlsCacheMutant
0000076C wuauclt.exe	Mutant		 0064 
\BaseNamedObjects\ZonesCounterMutex
0000076C wuauclt.exe	Mutant		 0068 
\BaseNamedObjects\ZonesCacheCounterMutex
0000076C wuauclt.exe	Mutant		 0078 
\BaseNamedObjects\AutoUpdateSingleInstance
0000076C wuauclt.exe	Mutant		 01e4
0000076C wuauclt.exe	Mutant		 01ec \BaseNamedObjects\RasPbFile
0000076C wuauclt.exe	Mutant		 02b8
0000076C wuauclt.exe	Mutant		 02c0
00000838 cmd.exe		Mutant		 0030 \NlsCacheMutant
00000848 hh.exe		 Mutant		 0030 \NlsCacheMutant
00000848 hh.exe		 Mutant		 0070 
\BaseNamedObjects\ZonesCounterMutex
00000848 hh.exe		 Mutant		 0074 
\BaseNamedObjects\ZonesCacheCounterMutex
00000848 hh.exe		 Mutant		 015c 
\BaseNamedObjects\_!MSFTHISTORY!_
00000848 hh.exe		 Mutant		 0164 \BaseNamedObjects\c:!documents 
and settings!user.xp!local settings!temporary internet files!content.ie5!
00000848 hh.exe		 Mutant		 016c \BaseNamedObjects\c:!documents 
and settings!user.xp!cookies!
00000848 hh.exe		 Mutant		 0174 \BaseNamedObjects\c:!documents 
and settings!user.xp!local settings!history!history.ie5!
00000848 hh.exe		 Mutant		 0184 
\BaseNamedObjects\WininetStartupMutex
00000848 hh.exe		 Mutant		 018c 
\BaseNamedObjects\WininetConnectionMutex
00000848 hh.exe		 Mutant		 0190
00000848 hh.exe		 Mutant		 0194 
\BaseNamedObjects\WininetProxyRegistryMutex
00000848 hh.exe		 Mutant		 01e0 
\BaseNamedObjects\MSUIM.GlobalLangBarEventSink.Mutex
00000848 hh.exe		 Mutant		 01e8 
\BaseNamedObjects\MSUIM.GlobalCompartment.Mutex
00000848 hh.exe		 Mutant		 01ec 
\BaseNamedObjects\MSUIM.Assembly.Mutex
00000848 hh.exe		 Mutant		 01f0 
\BaseNamedObjects\MSUIM.Layouts.Mutex
00000848 hh.exe		 Mutant		 01f4 
\BaseNamedObjects\MSUIM.MarshalInterfaceMutex.TMD
00000848 hh.exe		 Mutant		 02b0 
\BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
00000848 hh.exe		 Mutant		 02d8 \BaseNamedObjects\mxrapi
00000848 hh.exe		 Mutant		 02f0
000002AC oh.exe		 Mutant		 07d4 \NlsCacheMutant

Example 8: List Handles for File Objects Containing "Explore" with Open Windows

To generate a list of key objects and send the output to the file C:\Output\Ohexplore.txt, type the following at the command line:

oh /t file explore /o c:\output\ohexplore.txt

Looking in Ohexplore.txt, you then see output similar to the following:

000000E0 winlogon.exe   File		 0360 \Program Files\Internet Explorer
000000E0 winlogon.exe   File		 036c \Program Files\Internet 
Explorer\Connection Wizard
000000F8 explorer.exe   File		 0218 \Documents and 
Settings\user.XP\Application Data\Microsoft\Internet Explorer\Quick 
Launch