Utility Version: PSLoggedon v1.35
Utility Source: https://download.sysinternals.com/files/PSTools.zip
Utility Hash: PSLoggedon Hash MD5 - e3ea271e748ccdad6a6d3e692d6f337e
PSLoggedon Hash Sha1 - f02e06bc439a28aad6dd957df8d0022f22798a09
Utility Command line: PSLoggedon.exe /accepteula > D:\Logon.dat
Artifact Identification Process:
- Install All Current Windows Updates on the VM
- Install MS Windows Defender Updates
- Reboot VM Twice
- Create Snapshot
- Reboot VM
- Login To VM
- Start Windows Explorer
- Copy program to Root of D:
- Start Elevated Command Prompt
- Select D: drive by typing in: D:
- Start Regshot-x64-ANSI
- Leave Max Data to Show 256
- Set Output Directory to D:\
- Uncheck – Don't show files with same old/new size
- Uncheck – Do not process registry, only dirs
- Uncheck – Replace HKEY_USERS\sid in output file
- Do First Shot and Save
- Run Utility program from Command Prompt
- PSLoggedon.exe /accepteula > D:\Logon.dat
- Run Second Shot And Save
- Compare And Output
- Notate Differences from Baseline.
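The "Compare And Output" / "Notate Differences" steps above are done by eye in the report; the following added example (not part of the original report, and not Regshot or Sysinternals code) automates that triage. It parses a constructed sample in the shape of Regshot's compare output built from paths in this report, normalises the SID so indicators port across hosts, and buckets each change as tool-specific (the Sysinternals EULA key), snapshot-process noise (the patterns named in the Non-Unique sections), or unexplained. The regex patterns and section layout are assumptions modelled on the report.

```python
import re

# Constructed sample in the shape of Regshot's compare output, using paths from the
# PSLoggedon run above (the SID is the report's; Regshot's header and footer omitted).
SAMPLE_DIFF = r"""Keys added: 3
----------------------------------
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals\PsLoggedon
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.hiv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\BITS Writer
Values added: 2
----------------------------------
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals\PsLoggedon\EulaAccepted: 0x00000001
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\0: 00 00
Files added: 2
----------------------------------
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Users\4n6Test\AppData\Roaming\Microsoft\Windows\Recent\Data Volume (D).lnk
"""

# Paths the report's "Non-Unique" sections attribute to the snapshot process itself
# (Explorer MRUs, Regshot's file dialogs, Windows Update, IE cache), not to the utility.
NOISE = re.compile(r"\\Explorer\\(RecentDocs|ComDlg32|CIDSave|UserAssist|SessionInfo)\\"
                   r"|\\WindowsUpdate\\|\\Internet Settings\\5\.0\\Cache\\|\\Shell\\Bags\\"
                   r"|\\Shell Extensions\\Cached\\|\\WebCache\\|\\Windows\\Recent\\"
                   r"|\\Windows\\Temp\\|\\winevt\\Logs\\|\\History\.IE5\\", re.IGNORECASE)
# The artifact only the Sysinternals tool writes: its per-user EULA acceptance key.
TOOL = re.compile(r"\\Software\\Sysinternals\\", re.IGNORECASE)
SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")      # normalise so indicators port across hosts
SECTION = re.compile(r"^([A-Za-z ]+): \d+$")       # e.g. "Values added: 2"


def parse_regshot(text):
    """Group Regshot compare lines by section, keeping the path and dropping value data."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current, sections[m.group(1)] = m.group(1), []
        elif current and line and not line.startswith("-"):
            sections[current].append(line.split(": ", 1)[0])
    return sections


def triage(text):
    """Bucket each change as tool-specific, snapshot noise, or unexplained (needs a rerun)."""
    buckets = {"tool": [], "noise": [], "unexplained": []}
    for section, paths in parse_regshot(text).items():
        for p in paths:
            kind = "tool" if TOOL.search(p) else "noise" if NOISE.search(p) else "unexplained"
            buckets[kind].append((section, SID.sub("<SID>", p)))
    return buckets
```

Anything left in the "unexplained" bucket (here the VSS BITS Writer key and tmp.edb) is "unique" to the run but not yet attributable to the tool, so it warrants a second clean snapshot cycle before being recorded as an indicator.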
Unique Changes Results:
Unique Registry Key Additions (Not in snapshot baseline)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\BITS Writer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\BITS Writer
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals\PsLoggedon
Unique Registry Values Added (Not in snapshot baseline)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Security\000c07e1-0000-000a-1500-390014005e03
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security\000c07e1-0000-000a-1500-390014005e03
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals\PsLoggedon\EulaAccepted
Unique Registry Value Modifications (Not in snapshot baseline)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\cval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ServiceSessionId
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting
Unique File Folder Additions (Not in snapshot baseline)
None
Unique File Folder Deletions (Not in snapshot baseline)
None
Unique File Additions (Not in snapshot baseline)
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Unique File Deletions (Not in snapshot baseline)
None
Unique File Attribute Modifications (Not in snapshot baseline)
C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
Non-Unique Changes Results:
Non-Unique Registry Key Additions (Generated by the snapshot process)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\RebootWatch
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.hiv
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\WHCIconStartup
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings\ProperTreeModuleInner
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\hiv
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017121020171211
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Non-Unique Registry Value Additions (Generated by the snapshot process)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS\UpdateCount
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.hiv\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInner
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\hiv\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017121020171211\CachePrefix
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017121020171211\CachePath
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017121020171211\CacheOptions
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017121020171211\CacheRepair
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017121020171211\CacheLimit
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection
Non-Unique Registry Value Modifications (Generated by the snapshot process)
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q
Non-Unique Folder Addition (Generated by the snapshot process)
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017121020171211
Non-Unique Folder Deletion (Generated by the snapshot process)
None
Non-Unique File Addition (Generated by the snapshot process)
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017121020171211\container.dat
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp
C:\Users\4n6Test\AppData\Roaming\Microsoft\Windows\Recent\Baseline1.hiv.lnk
C:\Users\4n6Test\AppData\Roaming\Microsoft\Windows\Recent\Data Volume (D).lnk
C:\Windows\Temp\TMP980BC3B9448F786F
Non-Unique File Deletion (Generated by the snapshot process)
None
Non-Unique File Attribute Modification (Generated by the snapshot process)
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\WebCache\V01.log
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
C:\Users\4n6Test\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx