Susp_Dropper (Kaspersky), Gen:Variant.Strictor.109609 (B) (Emsisoft), Gen:Variant.Strictor.109609 (AdAware), Packed.Win32.Themida.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 67147327df38232430857c29157b95f8
SHA1: 29fcbeed1aa3fe253d6581c1e354c10bc01cf10c
SHA256: 3a8d1aa2721ddbe87bfdc7bf5ca6a08515747523a3921119d2952a95e1e3d210
SSDeep: 49152:YsZBG69/5aMzynMOUUp3J/dy7YJGzA4T47csNJ:Ys35 nMK5/M7GqAz7csNJ
Size: 1765376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: EU Millennium Business LP
Created at: 2016-08-15 06:55:19
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
ipseccmd.dll:1556
ipseccmd.dll:1944
ipseccmd.dll:1860
ipseccmd.dll:372
ipseccmd.dll:1740
ipseccmd.dll:492
ipseccmd.dll:516
regini.exe:824
regini.exe:1364
regini.exe:1856
The Trojan injects its code into the following process(es):
%original file name%.exe:508
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (7433 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xctz18[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\26430000220167882842196[1].htm (174233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg1[1].jpg (9706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\LM[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lqa-prtq.xctz18[1].txt (222 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
C:\polstore.dll (103 bytes)
%System%\drivers\etc\hosts (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\z_stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\winipsec.dll (32 bytes)
C:\regset.ini (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_bg[1].jpg (3504 bytes)
C:\ipseccmd.dll (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%System%\setie.bat (24 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\26430000220167882842196[1].htm (0 bytes)
Registry activity
The process ipseccmd.dll:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"ipsecName" = "D120.25.210.101 filter list"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"ipsecDataType" = "256"
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ipsecID" = "{c44e1235-21b4-43f6-854e-48e5350e99d8}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"ipsecID" = "{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ipsecName" = "D120.25.210.101"
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"Name" = "ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecID" = "{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"Name" = "ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecName" = "HFUT_SECU"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"Name" = "ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}"
"ipsecID" = "{831fef59-0ae0-4e6a-8119-c55a9f15b528}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"Name" = "ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 D9 A2 21 0A 8C 1F AF AE C4 C4 60 AD 28 AA 4B"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"ClassName" = "ipsecFilter"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"ipsecName" = "D120.25.210.101 filter action"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"ipsecID" = "{b649e300-ccfd-4fc2-96c9-fc80bf218ade}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"Name" = "ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{831fef59-0ae0-4e6a-8119-c55a9f15b528}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{ee7fde0d-7609-4ae0-81ec-5bff2f60ba2a}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"description"
The process ipseccmd.dll:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}]
"ipsecID" = "{0e7ec503-136e-4d44-8683-7359ba72c077}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"ipsecID" = "{d62c2757-87e6-463c-b1ca-1e839688292d}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}]
"Name" = "ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "D125.88.183.199 filter list"
"ClassName" = "ipsecFilter"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"Name" = "ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}"
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"Name" = "ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecID" = "{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecName" = "HFUT_SECU"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}"
"ipsecID" = "{1278a888-b314-47b6-8f8d-d970b058a04b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"ClassName" = "ipsecISAKMPPolicy"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"ipsecName" = "D125.88.183.199"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"ipsecID" = "{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 27 AA 65 A0 39 CA EA 01 E4 7C 74 7E FE 39 99"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}"
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"Name" = "ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}"
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecName" = "D125.88.183.199 filter action"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"Name" = "ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"whenChanged" = "1473903963"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{0e7ec503-136e-4d44-8683-7359ba72c077}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1278a888-b314-47b6-8f8d-d970b058a04b}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c8e31781-dafb-46c8-a28f-f2cd1f82a69b}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"description"
The process ipseccmd.dll:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}"
"ipsecID" = "{f63fe881-7711-4a0e-9fa0-99d5b762f276}"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"Name" = "ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}"
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"ipsecID" = "{bf50ce96-79c6-4c57-9076-c43fa138a0be}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"ipsecID" = "{7019eadb-1ff1-4db6-bf34-050b8d7c9041}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"ipsecName" = "D121.41.16.196 filter action"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}"
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"Name" = "ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecID" = "{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecName" = "HFUT_SECU"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"Name" = "ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}]
"ClassName" = "ipsecFilter"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 82 83 81 F3 C6 F7 D0 EA 70 F4 8C 0C D3 72 BF"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"ipsecDataType" = "256"
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}]
"ipsecName" = "D121.41.16.196 filter list"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"Name" = "ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}]
"Name" = "ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ipsecID" = "{15c2b119-3306-442a-b92f-e1a904bc5c02}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"ipsecName" = "D121.41.16.196"
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f63fe881-7711-4a0e-9fa0-99d5b762f276}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b649e300-ccfd-4fc2-96c9-fc80bf218ade}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bf50ce96-79c6-4c57-9076-c43fa138a0be}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"description"
The process ipseccmd.dll:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"ipsecName" = "D125.88.183.192 filter list"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"ipsecID" = "{939636c2-8b57-4bcc-a620-3385cb7b53dd}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ipsecName" = "D125.88.183.192 filter action"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"Name" = "ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}"
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ipsecID" = "{6c156db8-258d-4f62-a403-6e959dfda9e9}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ipsecID" = "{1c77472e-a705-4186-ac28-3af4805e1631}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"ClassName" = "ipsecFilter"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"Name" = "ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"Name" = "ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecID" = "{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"ipsecID" = "{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecName" = "HFUT_SECU"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecName" = "D125.88.183.192"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"Name" = "ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 D1 CB 5E E2 91 96 A5 78 BA 22 07 E9 05 F6 DA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"Name" = "ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"ipsecDataType" = "256"
"whenChanged" = "1473903964"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c156db8-258d-4f62-a403-6e959dfda9e9}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{939636c2-8b57-4bcc-a620-3385cb7b53dd}]
"description"
The process ipseccmd.dll:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bb8f8604-4bba-479f-983f-ff8bbbbcfc83}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
"ipsecID" = "{e4090b67-4c16-4528-a62e-f82af691f263}"
"Name" = "ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"ipsecID" = "{1ff14b2c-19f8-4f15-8380-70764228af90}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"Name" = "ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{55d024c2-5633-443e-8d2d-5805212acc51}]
"whenChanged" = "1473903964"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"Name" = "ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"ipsecName" = "D98.126.99.13 filter action"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{55d024c2-5633-443e-8d2d-5805212acc51}]
"ipsecID" = "{55d024c2-5633-443e-8d2d-5805212acc51}"
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"Name" = "ipsecISAKMPPolicy{55d024c2-5633-443e-8d2d-5805212acc51}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"Name" = "ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecID" = "{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"ipsecName" = "D98.126.99.13"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecName" = "HFUT_SECU"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{55d024c2-5633-443e-8d2d-5805212acc51}]
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{55d024c2-5633-443e-8d2d-5805212acc51}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"ipsecName" = "D98.126.99.13 filter list"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 F4 AE CC C7 54 81 D2 2C 78 67 4C 0E F1 0C AA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"ClassName" = "ipsecFilter"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"whenChanged" = "1473903964"
"ipsecID" = "{1d535eab-e067-4ed9-be12-2d64fc88eed2}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"whenChanged" = "1473903964"
"ClassName" = "ipsecNFA"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{1c77472e-a705-4186-ac28-3af4805e1631}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{55d024c2-5633-443e-8d2d-5805212acc51}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{1d535eab-e067-4ed9-be12-2d64fc88eed2}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{1ff14b2c-19f8-4f15-8380-70764228af90}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e4090b67-4c16-4528-a62e-f82af691f263}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"description"
The process ipseccmd.dll:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"Name" = "ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"Name" = "ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecName" = "D120.55.91.99 filter action"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{7019eadb-1ff1-4db6-bf34-050b8d7c9041}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{c44e1235-21b4-43f6-854e-48e5350e99d8}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d62c2757-87e6-463c-b1ca-1e839688292d}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"ipsecID" = "{4d71f6f6-0326-492f-b09f-05686f025a89}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}"
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}]
"ipsecDataType" = "256"
"ipsecID" = "{87391c24-b030-4ea4-9e35-59cf4c7cabc7}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"Name" = "ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecID" = "{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}]
"Name" = "ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"ipsecID" = "{f18a76ac-667d-4abd-8117-89dc2e6a9a83}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecName" = "HFUT_SECU"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}]
"ipsecName" = "D120.55.91.99 filter list"
"ClassName" = "ipsecFilter"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"ClassName" = "ipsecNFA"
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"Name" = "ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"ipsecID" = "{4a343da9-20fa-4b4e-b74c-710d8da81c16}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"ipsecName" = "D120.55.91.99"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"whenChanged" = "1473903964"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 CB D7 D5 60 E1 F9 09 9D 71 FC D0 91 FC F7 C5"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"whenChanged" = "1473903964"
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{15c2b119-3306-442a-b92f-e1a904bc5c02}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f18a76ac-667d-4abd-8117-89dc2e6a9a83}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{87391c24-b030-4ea4-9e35-59cf4c7cabc7}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{4d71f6f6-0326-492f-b09f-05686f025a89}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4a343da9-20fa-4b4e-b74c-710d8da81c16}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"description"
The process ipseccmd.dll:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"Name" = "ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"ClassName" = "ipsecFilter"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"Name" = "ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"ipsecNegotiationPolicyType" = "{62f49e13-6c37-11d1-864c-14a300000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"Name" = "ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"whenChanged" = "1473903963"
"ipsecName" = "D23.234.50.137 filter action"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ipsecID" = "{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"Name" = "ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
"ipsecID" = "{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecName" = "HFUT_SECU"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"Name" = "ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ipsecName" = "D23.234.50.137"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}"
"ipsecName" = "D23.234.50.137 filter list"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"ipsecNegotiationPolicyAction" = "{8a171dd3-77e3-11d1-8659-a04f00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"Name" = "ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"ipsecID" = "{ccaf6bbb-8d93-4b66-8fc9-27e412025276}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 2F 2A 01 6D 5E E5 7A BE 7D E5 1E B5 61 69 4F"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"ipsecID" = "{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"ipsecID" = "{214aef42-87cb-4f45-9f4a-016e8c9f2c99}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ipsecID" = "{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"whenChanged" = "1473903963"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"ipsecID" = "{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"Name" = "ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"whenChanged" = "1473903963"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6dc603e4-3ee3-40e0-b3b0-17b7f8f8f646}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{214aef42-87cb-4f45-9f4a-016e8c9f2c99}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ccaf6bbb-8d93-4b66-8fc9-27e412025276}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f0f7ba91-aea7-4b12-b6e2-28fe477da5ae}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{a5f98cfd-d44d-48c6-bb8f-48d1cd6c7df6}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{99cf5cf7-fa01-4671-a42e-b29e0c846a8b}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{154f81bd-d134-49ea-aba8-99479c570c1f}]
"description"
The process %original file name%.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 E9 86 47 6B F5 2B 74 70 B5 10 3D FD D9 3C 09"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL" = "http://13147758521.888pojie.com:8080/rules.pac"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regini.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 2A 59 81 CA A0 4F CA E2 F1 42 57 F0 7C 89 C3"
The process regini.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 B3 8A 88 A5 2F EA 6C 87 76 9A 3A 5D 87 79 48"
The process regini.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 8E B6 2B 27 C9 B3 18 41 2F 00 72 19 D3 41 66"
Dropped PE files
MD5 | File path |
---|---|
11e5a276a93c4604c175ca3ebce6d77a | c:\ipseccmd.dll |
4e50a8a52dc5aac3c9d3e70d792e9e0c | c:\polstore.dll |
24b0db7e532076d5fc17c56cc50140b4 | c:\winipsec.dll |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 98 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | www.915youxi.com |
127.0.0.1 | 915youxi.com |
127.0.0.1 | www.52anzu.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ipseccmd.dll:1556
ipseccmd.dll:1944
ipseccmd.dll:1860
ipseccmd.dll:372
ipseccmd.dll:1740
ipseccmd.dll:492
ipseccmd.dll:516
regini.exe:824
regini.exe:1364
regini.exe:1856 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (7433 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xctz18[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\26430000220167882842196[1].htm (174233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg1[1].jpg (9706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\LM[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lqa-prtq.xctz18[1].txt (222 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
C:\polstore.dll (103 bytes)
%System%\drivers\etc\hosts (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\z_stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\winipsec.dll (32 bytes)
C:\regset.ini (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_bg[1].jpg (3504 bytes)
C:\ipseccmd.dll (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%System%\setie.bat (24 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1523712 | 679936 | 5.54384 | 0114af7c634c22adc877f9e016de7581 |
.sedata | 1527808 | 1056768 | 1056768 | 5.16516 | e21fc61b74f1363dad24bc259b6dca20 |
.idata | 2584576 | 4096 | 4096 | 1.18759 | e2ca725d6dc451c9f1ede4381c835788 |
.rsrc | 2588672 | 8192 | 8192 | 1.99004 | 98a29b97f26c33505991d8de156cc4a9 |
.sedata | 2596864 | 4096 | 4096 | 5.53429 | 785f2c6bab868445e6e1cfb3695fd187 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.941pojie.com/ | 162.212.182.231 |
hxxp://13147758521.474613024.com/rules.txt | 114.55.181.40 |
hxxp://all.cnzz.com.danuoyi.tbcache.com/z_stat.php?id=1260357342&show=pic | |
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1260357342&show=pic&t=z | |
hxxp://z.gds.cnzz.com/stat.htm?id=1260357342&r=&lg=en-us&ntime=none&cnzz_eid=1777730263-1473901011-&showp=1276x846&t=11111&h=1&rnd=409035717 | |
hxxp://log.gds.mmstat.com/9.gif?abc=1&rnd=1225226847 | |
hxxp://icon.cnzz.com.danuoyi.tbcache.com/img/pic.gif | 125.76.247.199 |
hxxp://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/# | 115.238.126.133 |
hxxp://www.521pojie.com/ | 162.212.182.231 |
hxxp://icon.cnzz.com/img/pic.gif | 125.76.247.199 |
hxxp://13147758521.474613024.com:8080/rules.txt | 114.55.181.40 |
hxxp://s95.cnzz.com/z_stat.php?id=1260357342&show=pic | 1.99.192.16 |
hxxp://z4.cnzz.com/stat.htm?id=1260357342&r=&lg=en-us&ntime=none&cnzz_eid=1777730263-1473901011-&showp=1276x846&t=11111&h=1&rnd=409035717 | 1.122.192.15 |
hxxp://c.cnzz.com/core.php?web_id=1260357342&show=pic&t=z | 116.253.191.237 |
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1225226847 | 140.205.35.57 |
pcookie.cnzz.com | 106.11.68.5 |
lqa-prtq.xctz18.com | 115.231.220.19 |
www.lszwg.com | 162.212.182.231 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /stat.htm?id=1260357342&r=&lg=en-us&ntime=none&cnzz_eid=1777730263-1473901011-&showp=1276x846&t=11111&h=1&rnd=409035717 HTTP/1.1
Accept: */*
Referer: hXXp://lqa-prtq.xctz18.com:6578/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: z4.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 15 Sep 2016 01:46:07 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:36 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET / HTTP/1.1
Accept: */*
Referer: hXXp://VVV.941pojie.com
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
Host: VVV.941pojie.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 37052
Content-Type: text/html
Content-Location: hXXp://VVV.941pojie.com/index.html
Last-Modified: Thu, 15 Sep 2016 01:18:34 GMT
Accept-Ranges: bytes
ETag: "bebb6314efed21:bd80"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 15 Sep 2016 01:45:04 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>941......-........-VVV.941pojie.com</title>..<meta name="keywords" content="..................................,............941........941..........">..<meta name="description" content="941......,......................................,........,....................">..<link href="css/style.css" rel="stylesheet" type="text/css" />..<link href="css/style.css" rel="stylesheet" type="text/css" />..<style type="text/css">..<!--...down td { font-family: Arial, Helvetica, sans-serif; height: 24px; line-height: 24px; padding-left: 5px; }...down img { width: 87px; height: 24px; border: 0 }...STYLE1 { color: #FF0000 }...STYLE2 { color: #00FFFF }...STYLE3 { color: #FF0000; font-weight: bold; }...STYLE4 { color: #0000FF }...STYLE5 { color: #FF3300 }...STYLE6 { color: #315500 }...STYLE7 { color: #FFFFFF }...gf2 { font-family: "...."; font-size: 18px; font-weight: bold; color: #BD0000; float: right; line-height: 33px; }...gf3 { font-family: "...."; font-size: 18px; font-weight: bold; color: #BD0000; float: left; line-height: 33px; }...tp { background: url(img/zs.gif) repeat-y; overflow: hidden }...lf { float: left; }...rg { float: right; }..
<<< skipped >>>
GET /img/pic.gif HTTP/1.1
Accept: */*
Referer: hXXp://lqa-prtq.xctz18.com:6578/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/gif
Content-Length: 719
Connection: keep-alive
Date: Wed, 14 Sep 2016 02:37:17 GMT
Last-Modified: Thu, 12 Feb 2015 08:15:09 GMT
Expires: Thu, 15 Sep 2016 02:37:17 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Via: cache54.l2cn44[56,200-0,M], cache8.l2cn44[57,0], kunlun5.cn44[0,200-0,H], kunlun5.cn44[0,0]
Age: 83331
X-Cache: HIT TCP_MEM_HIT dirn:10:480096790
X-Swift-SaveTime: Wed, 14 Sep 2016 02:37:17 GMT
X-Swift-CacheTime: 86400
Timing-Allow-Origin: *
EagleId: 7522074514739039687251553e
GIF89a2.........f..3...33....................................................................................!..NETSCAPE2.0.....!..Powered by AFEI.!.......,....2...... !.di.hjBl..p,....x......`P.(...GR.D6...CH....,..@8.... -..EQc.8...........`...."....................~"..H........H......"...$....#.........."..........."Z.......*...%!.!.......,....2...... !.di.hjBl..p,....x..|....p r..H.C.\&.H.tJu...#b......7..W.h.......7..l..v..-....."....................~"..I........I......"...$....#.........."..........."\.......*...%!.!.......,....2...... !.di.hjBl..p,....x..|....p r..H.C.\&.H.tJu...#b......7..W.h.......7..l..v..-....."....................~"..I........I......"...$....#.........."..........."\.......*...%!.;HTTP/1.1 200 OK..Server: Tengine..Content-Type: image/gif..Content-Length: 719..Connection: keep-alive..Date: Wed, 14 Sep 2016 02:37:17 GMT..Last-Modified: Thu, 12 Feb 2015 08:15:09 GMT..Expires: Thu, 15 Sep 2016 02:37:17 GMT..Cache-Control: max-age=86400..Accept-Ranges: bytes..Via: cache54.l2cn44[56,200-0,M], cache8.l2cn44[57,0], kunlun5.cn44[0,200-0,H], kunlun5.cn44[0,0]..Age: 83331..X-Cache: HIT TCP_MEM_HIT dirn:10:480096790..X-Swift-SaveTime: Wed, 14 Sep 2016 02:37:17 GMT..X-Swift-CacheTime: 86400..Timing-Allow-Origin: *..EagleId: 7522074514739039687251553e..GIF89a2.........f..3...33....................................................................................!..NETSCAPE2.0.....!..Powered by AFEI.!.......,....2...... !.di.hjBl..p,....x......`P.(...GR.D6...CH....,..@8.... -..EQc.8...........`...."
<<< skipped >>>
GET /z_stat.php?id=1260357342&show=pic HTTP/1.1
Accept: */*
Referer: hXXp://lqa-prtq.xctz18.com:6578/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s95.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 9944
Connection: keep-alive
Date: Thu, 15 Sep 2016 00:56:51 GMT
Last-Modified: Thu, 15 Sep 2016 00:56:51 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache14.l2et15[0,200-0,H], cache5.l2et15[1,0], kunlun4.cn293[0,200-0,H], kunlun1.cn293[0,0]
Age: 2955
X-Cache: HIT TCP_MEM_HIT dirn:9:335307047
X-Swift-SaveTime: Thu, 15 Sep 2016 00:58:03 GMT
X-Swift-CacheTime: 5328
Timing-Allow-Origin: *
EagleId: 7ce89d4114739039668916439e
(function(){function k(){this.c="1260357342";this.R="z";this.N="pic";this.K="";this.M="";this.r="1473901011";this.P="z4.cnzz.com";this.L="";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=1260357342");c.push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),this.ga(),.this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.pa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},na:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},pa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if("[obj
<<< skipped >>>
GET /core.php?web_id=1260357342&show=pic&t=z HTTP/1.1
Accept: */*
Referer: hXXp://lqa-prtq.xctz18.com:6578/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 765
Connection: keep-alive
Date: Thu, 15 Sep 2016 01:34:26 GMT
Last-Modified: Thu, 15 Sep 2016 01:34:26 GMT
Expires: Thu, 15 Sep 2016 01:49:26 GMT
Via: cache14.l2et15[0,200-0,H], cache20.l2et15[1,0], kunlun5.cn133[0,200-0,H], kunlun5.cn133[0,0]
Age: 701
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Thu, 15 Sep 2016 01:34:40 GMT
X-Swift-CacheTime: 886
Timing-Allow-Origin: *
EagleId: ab6f9ac514739039676984136e
!function(){var p,q,r,a=encodeURIComponent,b="1260357342",c="pic",d="",e="online_v3.php",f="z4.cnzz.com",g="1",h="pic",i="z",j="站长统计",k=window["_CNZZDbridge_" b]["bobject"],l="http:",m="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k["callRequest"]([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k["createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k["createIcon"]([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type: application/javascript..Content-Length: 765..Connection: keep-alive..Date: Thu, 15 Sep 2016 01:34:26 GMT..Last-Modified: Thu, 15 Sep 2016 01:34:26 GMT..Expires: Thu, 15 Sep 2016 01:49:26 GMT..Via: cache14.l2et15[0,200-0,H], cache20.l2et15[1,0], kunlun5.cn133[0,200-0,H], kunlun5.cn133[0,0]..Age: 701..X-Cache: HIT TCP_MEM_HIT dirn:-2:-2..X-Swift-SaveTime: Thu, 15 Sep 2016 01:34:40 GMT..X-Swift-CacheTime: 886..Timing-Allow-Origin: *..EagleId: ab6f9ac514739039676984136e..!function(){var p,q,r,a=encodeURIComponent,b="1260357342",c="pic",d="",e="online_v3.php",f="z4.cnzz.com",g="1",h="pic",i="z",j="站长统计",k=window["_CNZZDbridge_" b]["bobject"],l="http:",m="0",n=l
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Referer: hXXp://VVV.521pojie.com
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
Host: VVV.521pojie.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 37052
Content-Type: text/html
Content-Location: hXXp://VVV.521pojie.com/index.html
Last-Modified: Thu, 15 Sep 2016 01:18:34 GMT
Accept-Ranges: bytes
ETag: "bebb6314efed21:bd80"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 15 Sep 2016 01:45:11 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>941......-........-VVV.941pojie.com</title>..<meta name="keywords" content="..................................,............941........941..........">..<meta name="description" content="941......,......................................,........,....................">..<link href="css/style.css" rel="stylesheet" type="text/css" />..<link href="css/style.css" rel="stylesheet" type="text/css" />..<style type="text/css">..<!--...down td { font-family: Arial, Helvetica, sans-serif; height: 24px; line-height: 24px; padding-left: 5px; }...down img { width: 87px; height: 24px; border: 0 }...STYLE1 { color: #FF0000 }...STYLE2 { color: #00FFFF }...STYLE3 { color: #FF0000; font-weight: bold; }...STYLE4 { color: #0000FF }...STYLE5 { color: #FF3300 }...STYLE6 { color: #315500 }...STYLE7 { color: #FFFFFF }...gf2 { font-family: "...."; font-size: 18px; font-weight: bold; color: #BD0000; float: right; line-height: 33px; }...gf3 { font-family: "...."; font-size: 18px; font-weight: bold; color: #BD0000; float: left; line-height: 33px; }...tp { background: url(img/zs.gif) repeat-y; overflow: hidden }...lf { float: left; }...rg { float: right; }..
<<< skipped >>>
GET /9.gif?abc=1&rnd=1225226847 HTTP/1.1
Accept: */*
Referer: hXXp://lqa-prtq.xctz18.com:6578/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 15 Sep 2016 01:46:08 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=YOtgEM24ahICAcLyYNqXVBg1; expires=Sun, 13-Sep-26 01:46:08 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=c5c08923; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=328eafa579e5f7f143e3e55d_1473903968; expires=Sun, 13-Sep-26 01:46:08 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=YOtgEM24ahICAcLyYNqXVBg1
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;HTTP/1.1 302 Found..Date: Thu, 15 Sep 2016 01:46:08 GMT..Content-Type: image/gif..Content-Length: 43..Connection: keep-alive..P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"..Set-Cookie: cna=YOtgEM24ahICAcLyYNqXVBg1; expires=Sun, 13-Sep-26 01:46:08 GMT; path=/; domain=.mmstat.com..Set-Cookie: sca=c5c08923; path=/; domain=.cnzz.mmstat.com..Set-Cookie: atpsida=328eafa579e5f7f143e3e55d_1473903968; expires=Sun, 13-Sep-26 01:46:08 GMT; path=/; domain=.cnzz.mmstat.com..Location: hXXp://pcookie.cnzz.com/app.gif?&cna=YOtgEM24ahICAcLyYNqXVBg1..Expires: Thu, 01 Jan 1970 00:00:01 GMT..Cache-Control: no-cache..Pragma: no-cache..GIF89a.............!.......,...........L..;..
GET /blog/static/26430000220167882842196/# HTTP/1.1
Accept: */*
Referer: hXXp://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/#
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: qqbaiduxiake.blog.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Sep 2016 01:45:52 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=03B82CC00D8910D849678ECF48162B11.blog167-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hVfZ/VBiBX/7DOf0Ag==; expires=Fri, 15-Sep-17 01:45:52 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
51e.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return 'c9e1a79c06743938a6680729fd8bce50';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _im..5a8..g1.onload = null;.. };.. _img1.src = _loginUserIcon.src;.. window.setTimeout(function(){.. if(!_loaded1){..
<<< skipped >>>
GET /blog/static/26430000220167882842196/# HTTP/1.1
Accept: */*
Referer: hXXp://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/#
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: qqbaiduxiake.blog.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Sep 2016 01:45:53 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=8E07DAD2F4DD24E25FD07CAB12CBF796.blogxs2-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hVfZ/VFiBX/7DOggAg==; expires=Fri, 15-Sep-17 01:45:53 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
51e.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return 'c9e1a79c06743938a6680729fd8bce50';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _im..5a8..g1.onload = null;.. };.. _img1.src = _loginUserIcon.src;.. window.setTimeout(function(){.. if(!_loaded1){..
<<< skipped >>>
GET /blog/static/26430000220167882842196/# HTTP/1.1
Accept: */*
Referer: hXXp://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/#
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: qqbaiduxiake.blog.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Sep 2016 01:45:55 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=E870439A288D180AE8BAA29C806F4842.blog0-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hVfZ/VNiBX/7DOhkAg==; expires=Fri, 15-Sep-17 01:45:55 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
520.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return 'c9e1a79c06743938a6680729fd8bce50';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _img1..5a8...onload = null;.. };.. _img1.src = _loginUserIcon.src;.. window.setTimeout(function(){.. if(!_loaded1){..
<<< skipped >>>
GET /blog/static/26430000220167882842196/# HTTP/1.1
Accept: */*
Referer: hXXp://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/#
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: qqbaiduxiake.blog.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Sep 2016 01:45:58 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=2697D786DF66FD11690A2BD03726811E.blogxs3-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hVfZ/VZiBX/7DOidAg==; expires=Fri, 15-Sep-17 01:45:58 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
51e.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return 'c9e1a79c06743938a6680729fd8bce50';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _im..5a8..g1.onload = null;.. };.. _img1.src = _loginUserIcon.src;.. window.setTimeout(function(){.. if(!_loaded1){..
<<< skipped >>>
GET /rules.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 13147758521.474613024.com:8080
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 15 Sep 2016 01:45:53 GMT
Content-Type: text/plain
Content-Length: 98
Connection: keep-alive
Last-Modified: Tue, 28 Jun 2016 17:48:08 GMT
Accept-Ranges: bytes
ETag: "fd1f6a3b65d1d11:0"
X-Powered-By: ASP.NET
127.0.0.1 VVV.915youxi.com..127.0.0.1 915youxi.com..127.0.0.1 VVV.52anzu.com..127.0.0.1 52anzu.comHTTP/1.1 200 OK..Date: Thu, 15 Sep 2016 01:45:53 GMT..Content-Type: text/plain..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue, 28 Jun 2016 17:48:08 GMT..Accept-Ranges: bytes..ETag: "fd1f6a3b65d1d11:0"..X-Powered-By: ASP.NET..127.0.0.1 VVV.915youxi.com..127.0.0.1 915youxi.com..127.0.0.1 VVV.52anzu.com..127.0.0.1 52anzu.com..
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_508:
.text
.text
`.sedata
`.sedata
h.idata
h.idata
H.rsrc
H.rsrc
@.sedata
@.sedata
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
advapi32.dll
advapi32.dll
Advapi32.dll
Advapi32.dll
shlwapi.dll
shlwapi.dll
wininet.dll
wininet.dll
rasapi32.dll
rasapi32.dll
ole32.dll
ole32.dll
ShellExecuteA
ShellExecuteA
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
\winipsec.dll
\winipsec.dll
\ipseccmd.dll
\ipseccmd.dll
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
msvcirt.dll
msvcirt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
WS2_32.dll
WS2_32.dll
RPCRT4.dll
RPCRT4.dll
CRYPT32.dll
CRYPT32.dll
WLDAP32.dll
WLDAP32.dll
USERENV.dll
USERENV.dll
WINIPSEC.DLL
WINIPSEC.DLL
POLSTORE.DLL
POLSTORE.DLL
INPASS
INPASS
Fatal error occured processing cmd line at line %d
Fatal error occured processing cmd line at line %d
Unexpected flag: %s. Check usage.
Unexpected flag: %s. Check usage.
You must specify rule name: %s. Check usage.
You must specify rule name: %s. Check usage.
You must specify policy name: %s. Check usage.
You must specify policy name: %s. Check usage.
You must specify storage info: %s. Check usage.
You must specify storage info: %s. Check usage.
Unknown flag: %s
Unknown flag: %s
Polstore operation returned 0x%x!
Polstore operation returned 0x%x!
CERT
CERT
export
export
import
import
%s could not be opened for read! GetLastError = 0x%x
%s could not be opened for read! GetLastError = 0x%x
ipseccmd
ipseccmd
AscAddUint(X,X, X) ERROR - bad parameters
AscAddUint(X,X, X) ERROR - bad parameters
AscMultUint(X,X, X) ERROR - bad parameters
AscMultUint(X,X, X) ERROR - bad parameters
4294967296
4294967296
Encapsulation Type : %s
Encapsulation Type : %s
To %s
To %s
From %s
From %s
Transport Bytes Received %s
Transport Bytes Received %s
Transport Bytes Sent %s
Transport Bytes Sent %s
Bytes Received In Tunnels %s
Bytes Received In Tunnels %s
Bytes Sent In Tunnels %s
Bytes Sent In Tunnels %s
Offloaded Bytes Received %s
Offloaded Bytes Received %s
Offloaded Bytes Sent %s
Offloaded Bytes Sent %s
Authenticated Bytes Received %s
Authenticated Bytes Received %s
Authenticated Bytes Sent %s
Authenticated Bytes Sent %s
Confidential Bytes Received %s
Confidential Bytes Received %s
Confidential Bytes Sent %s
Confidential Bytes Sent %s
ConnListSize %d
ConnListSize %d
IsadbListSize %d
IsadbListSize %d
KeyUpdateFail %d
KeyUpdateFail %d
KeyAddFail %d
KeyAddFail %d
GetSpiFail %d
GetSpiFail %d
TotalKeyUpdate %d
TotalKeyUpdate %d
TotalKeyAdd %d
TotalKeyAdd %d
TotalGetSpi %d
TotalGetSpi %d
Total Acquire %d
Total Acquire %d
Invalid Cookies Rcvd %d
Invalid Cookies Rcvd %d
Negotiation Failures %d
Negotiation Failures %d
Receive Heap size %d
Receive Heap size %d
Acquire Heap size %d
Acquire Heap size %d
Send fail %d
Send fail %d
Receive fail %d
Receive fail %d
Acquire fail %d
Acquire fail %d
Active Receive %d
Active Receive %d
Active Acquire %d
Active Acquire %d
Authentication Failures %d
Authentication Failures %d
Soft SAs %d
Soft SAs %d
Quick Modes %d
Quick Modes %d
Main Modes %d
Main Modes %d
.ipsec
.ipsec
Couldn't get GUID for mirror filter - UuidCreate failed with status: %ul
Couldn't get GUID for mirror filter - UuidCreate failed with status: %ul
Couldn't get GUID for MM filter - UuidCreate failed with status: %ul
Couldn't get GUID for MM filter - UuidCreate failed with status: %ul
ipseccmd.pdb
ipseccmd.pdb
t.IIt
t.IIt
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
CertStrToNameW
CertStrToNameW
CertNameToStrW
CertNameToStrW
IPSecImportPolicies
IPSecImportPolicies
IPSecExportPolicies
IPSecExportPolicies
\polstore.dll
\polstore.dll
@.reloc
@.reloc
NETAPI32.dll
NETAPI32.dll
PSSh,
PSSh,
PSShT
PSShT
RegDeleteKeyW
RegDeleteKeyW
RegSaveKeyW
RegSaveKeyW
RegRestoreKeyW
RegRestoreKeyW
RegOpenKeyW
RegOpenKeyW
RegCreateKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegEnumKeyExW
GetProcessHeap
GetProcessHeap
polstore.pdb
polstore.pdb
winipsec.pdb
winipsec.pdb
AddTransportFilter
AddTransportFilter
CloseTransportFilterHandle
CloseTransportFilterHandle
DeleteTransportFilter
DeleteTransportFilter
EnumTransportFilters
EnumTransportFilters
GetTransportFilter
GetTransportFilter
MatchTransportFilter
MatchTransportFilter
OpenTransportFilterHandle
OpenTransportFilterHandle
SetTransportFilter
SetTransportFilter
https
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
http=
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXps://
hXXp://
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
VVV.ip138.com
VVV.ip138.com
VVV.qq.com
VVV.qq.com
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Ms.exe
Ms.exe
wWw.941Pojie.coM
wWw.941Pojie.coM
.oNIT
.oNIT
=%xgH|*
=%xgH|*
:%%f&
:%%f&
%ßRY
%ßRY
VVV.meitu.com
VVV.meitu.com
te.Jt
te.Jt
3.mcp
3.mcp
%SnVv
%SnVv
pi,%Upom
pi,%Upom
.ZThS
.ZThS
%X`iG
%X`iG
.Jj5% s7
.Jj5% s7
.JukW
.JukW
q.TjQ
q.TjQ
qN.PjQN
qN.PjQN
%d&&'
%d&&'
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
1.2.18
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
user32.dll
user32.dll
"103*2-
"103*2-
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
127.0.0.1 VVV.915youxi.com
127.0.0.1 VVV.915youxi.com
127.0.0.1 915youxi.com
127.0.0.1 915youxi.com
127.0.0.1 VVV.52anzu.com
127.0.0.1 VVV.52anzu.com
127.0.0.1 52anzu.com
127.0.0.1 52anzu.com
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
~V%F-A7
~V%F-A7
ntdll.dll
ntdll.dll
kernel32.dll
kernel32.dll
hid.dll
hid.dll
iphlpapi.dll
iphlpapi.dll
mscoree.dll
mscoree.dll
mscorwks.dll
mscorwks.dll
mscorsvr.dll
mscorsvr.dll
KernelBase.dll
KernelBase.dll
mscoreei.dll
mscoreei.dll
clr.dll
clr.dll
diasymreader.dll
diasymreader.dll
SEGetNumExecUsed
SEGetNumExecUsed
SEGetNumExecLeft
SEGetNumExecLeft
SESetNumExecUsed
SESetNumExecUsed
SEGetExecTimeUsed
SEGetExecTimeUsed
SEGetExecTimeLeft
SEGetExecTimeLeft
SESetExecTime
SESetExecTime
SEGetTotalExecTimeUsed
SEGetTotalExecTimeUsed
SEGetTotalExecTimeLeft
SEGetTotalExecTimeLeft
SESetTotalExecTime
SESetTotalExecTime
SECheckExecTime
SECheckExecTime
SECheckTotalExecTime
SECheckTotalExecTime
&&&&6666????
&&&&6666????
""""****
""""****
2222::::
2222::::
$$$$\\\\
$$$$\\\\
00006666
00006666
####====
####====
MSVCRT.dll
MSVCRT.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
PSAPI.DLL
PSAPI.DLL
USER32.dll
USER32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyA
SHELL32.dll
SHELL32.dll
.rm|O
.rm|O
.rm|Of
.rm|Of
.fTf[
.fTf[
`Cs%u$oD
`Cs%u$oD
l*CMD
l*CMD
.KH]=
.KH]=
uS%xvI
uS%xvI
b\.LqD
b\.LqD
eQ.lT
eQ.lT
%.Xcif
%.Xcif
Cs%u$
Cs%u$
%D,kq
%D,kq
ZB7{.GjpO
ZB7{.GjpO
W.KH]vs
W.KH]vs
GMSsh}U
GMSsh}U
D[8.Hrw
D[8.Hrw
M%d-]
M%d-]
j$m"Z0%F
j$m"Z0%F
M#.Nx
M#.Nx
~V%F-A
~V%F-A
.fq%:
.fq%:
.PzYm
.PzYm
mM%X#
mM%X#
]_(.RM
]_(.RM
s.HrE
s.HrE
3 .Km
3 .Km
ykeY
ykeY
.yl}9
.yl}9
!e.WN
!e.WN
%CI>L
%CI>L
OLEAUT32.dll
OLEAUT32.dll
GDI32.dll
GDI32.dll
WINMM.dll
WINMM.dll
WINSPOOL.DRV
WINSPOOL.DRV
RASAPI32.dll
RASAPI32.dll
WININET.dll
WININET.dll
AVIFIL32.dll
AVIFIL32.dll
MSVFW32.dll
MSVFW32.dll
COMCTL32.dll
COMCTL32.dll
G|.nb
G|.nb
comdlg32.dll
comdlg32.dll
oledlg.dll
oledlg.dll
GetCPInfo
GetCPInfo
qAVIFIL32.dll
qAVIFIL32.dll
WinExec
WinExec
.GetProcessVersion
.GetProcessVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
CreateDialogIndirectParamA
CreateDialogIndirectParamA
GetKeyState
GetKeyState
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GetViewportOrgEx
,RegCreateKeyA
,RegCreateKeyA
8IPHLPAPI.DLL
8IPHLPAPI.DLL
rm|MSVCRT.dll
rm|MSVCRT.dll
Safengine Shielden v2.3.8.0
Safengine Shielden v2.3.8.0
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
|ORASAPI32.dll
|ORASAPI32.dll
%s%sFlags : %lu
%s%sFlags : %lu
%s%sPFS : %s
%s%sPFS : %s
%s%sAlgo #%d :
%s%sAlgo #%d :
%sOffer #%d
%sOffer #%d
%sFlags : %lu %s %s %s
%sFlags : %lu %s %s %s
%sPolicy Id : %s
%sPolicy Id : %s
%sName : %s
%sName : %s
%s%sQuickmode limit : %lu, Lifetime %luKbytes/%luseconds
%s%sQuickmode limit : %lu, Lifetime %luKbytes/%luseconds
%s%s%s
%s%s%s
IP Addr %S
IP Addr %S
interface id %s
interface id %s
mask %S
mask %S
subnet %S
subnet %S
Interface Type : %s
Interface Type : %s
Mirrored : %s
Mirrored : %s
Direction : %s, Weight : %lu
Direction : %s, Weight : %lu
Outbound Passthru
Outbound Passthru
Inbound Passthru
Inbound Passthru
Protocol : %lu Src Port : %u Des Port : %u
Protocol : %lu Src Port : %u Des Port : %u
Policy Id : %s
Policy Id : %s
Filter Id : %s
Filter Id : %s
Name : %s
Name : %s
AM #%d :
AM #%d :
%sAuth Methods Id: %s
%sAuth Methods Id: %s
%sSoft SA expiration time : %lu
%sSoft SA expiration time : %lu
%sFlags : %lu %s %s
%sFlags : %lu %s %s
Auth Methods Id: %s
Auth Methods Id: %s
Filter %d
Filter %d
MM Filter %d
MM Filter %d
%s filter action
%s filter action
%s filter list
%s filter list
Example: ipseccmd export PERS persistent.ipsec
Example: ipseccmd export PERS persistent.ipsec
specify the .ipsec file extension, this extension will be appended.
specify the .ipsec file extension, this extension will be appended.
Name of file to import/export from/to. If an export file name does not
Name of file to import/export from/to. If an export file name does not
Ipseccmd imports or exports a .ipsec file.
Ipseccmd imports or exports a .ipsec file.
Import/Export MODE
Import/Export MODE
Example: ipseccmd set logike
Example: ipseccmd set logike
Ipseccmd sets configuration parameters for IPSec.
Ipseccmd sets configuration parameters for IPSec.
Example: ipseccmd show filters policies
Example: ipseccmd show filters policies
stats - shows Internet Key Exchange(IKE) and IPSec statistics
stats - shows Internet Key Exchange(IKE) and IPSec statistics
Ipseccmd displays requested data from the IPSec Security Policies Database
Ipseccmd displays requested data from the IPSec Security Policies Database
INPASS will set any inbound filters in the FilterList as Pass filters while
INPASS will set any inbound filters in the FilterList as Pass filters while
will make all of the filters in the FilterList Pass filters.
will make all of the filters in the FilterList Pass filters.
PASS will ignore any methods in NegotiationMethodList and
PASS will ignore any methods in NegotiationMethodList and
values you can pass in the NegotiationMethodList that have special meaning:
values you can pass in the NegotiationMethodList that have special meaning:
made to signify filters as Pass (or permit) and Block. In Static mode, these
made to signify filters as Pass (or permit) and Block. In Static mode, these
originally created with ipseccmd. Policies can be set as either Assigned or
originally created with ipseccmd. Policies can be set as either Assigned or
Example: 10Q/3600S will rekey after 10 quick modes or every hour.
Example: 10Q/3600S will rekey after 10 quick modes or every hour.
The number of Quick Modes and/or seconds after which IKE should rekey a
The number of Quick Modes and/or seconds after which IKE should rekey a
-1k MMRekeyTime
-1k MMRekeyTime
The strings provided as the preshared key or CA info are case sensitive
The strings provided as the preshared key or CA info are case sensitive
PRESHARE:""
PRESHARE:""
CERT:"", e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
CERT:"", e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
DEFAULT: Omission of tunnel address assumes transport mode.
DEFAULT: Omission of tunnel address assumes transport mode.
ipseccmd twice-- once for the outbound filters and outgoing tunnel
ipseccmd twice-- once for the outbound filters and outgoing tunnel
NOTE: If you need to set up a tunnel policy, you will need to execute
NOTE: If you need to set up a tunnel policy, you will need to execute
Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
after which IKE should rekey a Quick Mode security association.
after which IKE should rekey a Quick Mode security association.
Rekey: Optional setting to specify the number of KBytes and/or seconds
Rekey: Optional setting to specify the number of KBytes and/or seconds
NOTE: ESP[NONE,NONE] is not a supported configuration.
NOTE: ESP[NONE,NONE] is not a supported configuration.
AH[HashAlg] ESP[ConfAlg,AuthAlg]RekeyPFS
AH[HashAlg] ESP[ConfAlg,AuthAlg]RekeyPFS
AH[HashAlg]RekeyPFS
AH[HashAlg]RekeyPFS
ESP[ConfAlg,AuthAlg]RekeyPFS
ESP[ConfAlg,AuthAlg]RekeyPFS
Example: (0 128.2.1.1) will create 2 filters that will be exempted
Example: (0 128.2.1.1) will create 2 filters that will be exempted
the filter will be a Pass (or Permit) filter. If you surround the
the filter will be a Pass (or Permit) filter. If you surround the
PASS and BLOCK filters: By surrounding a filter specification with (),
PASS and BLOCK filters: By surrounding a filter specification with (),
all TCP traffic from the first subnet and the second subnet on port 80.
all TCP traffic from the first subnet and the second subnet on port 80.
172.31.0.0/255.255.0.0:80 157.0.0.0/255.0.0.0:80:TCP will filter
172.31.0.0/255.255.0.0:80 157.0.0.0/255.0.0.0:80:TCP will filter
M1 M2::6 will filter TCP traffic between addresses M1 and M2 on any port
M1 M2::6 will filter TCP traffic between addresses M1 and M2 on any port
You can use also use these protocol symbols: ICMP TCP UDP RAW
You can use also use these protocol symbols: ICMP TCP UDP RAW
If you indicate a protocol, a port value or '::' must precede it.
If you indicate a protocol, a port value or '::' must precede it.
Port and Protocol are optional. If omitted, the values are set to ANY
Port and Protocol are optional. If omitted, the values are set to ANY
128.*.* is the same as above
128.*.* is the same as above
128.*.*.* is same as 128.0.0.0/255.0.0.0
128.*.*.* is same as 128.0.0.0/255.0.0.0
144.92.*.* is the same as 144.92.0.0/255.255.0.0
144.92.*.* is the same as 144.92.0.0/255.255.0.0
Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
Optionally, you can specify the keyword DEFAULT to set the
Optionally, you can specify the keyword DEFAULT to set the
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.
Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.
Import and export mode will import or export a .ipsec policy file to/from the
Import and export mode will import or export a .ipsec policy file to/from the
To delete all dynamic policies, execute "ipseccmd -u"
To delete all dynamic policies, execute "ipseccmd -u"
import, and export. The default mode is dynamic.
import, and export. The default mode is dynamic.
Ipseccmd has multiple mutually exclusive modes: dynamic, static, show, set
Ipseccmd has multiple mutually exclusive modes: dynamic, static, show, set
For extended usage, run: ipseccmd -?
For extended usage, run: ipseccmd -?
Executes a file containing regular static or dynamic ipseccmd commands.
Executes a file containing regular static or dynamic ipseccmd commands.
ipseccmd -file FileName
ipseccmd -file FileName
Imports or exports a static policy file.
Imports or exports a static policy file.
ipseccmd \\machinename [import OR export] Location FileName
ipseccmd \\machinename [import OR export] Location FileName
ipseccmd \\machinename set [logike OR dontlogike]
ipseccmd \\machinename set [logike OR dontlogike]
ipseccmd \\machinename show gpo filters policies auth stats sas all
ipseccmd \\machinename show gpo filters policies auth stats sas all
{-w Location -p PolicyName:PollInterval -r RuleName [-x OR -y] -o}
{-w Location -p PolicyName:PollInterval -r RuleName [-x OR -y] -o}
-a AuthMethodList -1s SecurityMethodList -1k MMRekeyTime
-a AuthMethodList -1s SecurityMethodList -1k MMRekeyTime
ipseccmd \\machinename -f FilterList -n NegotiationMethodList -t TunnelAddr
ipseccmd \\machinename -f FilterList -n NegotiationMethodList -t TunnelAddr
Failed to add policy, error 0x%x
Failed to add policy, error 0x%x
PA RPC not ready. Sleeping for %d seconds...
PA RPC not ready. Sleeping for %d seconds...
Couldn't check status of Policy Agent service, error 0x%x, Exiting.
Couldn't check status of Policy Agent service, error 0x%x, Exiting.
Couldn't start Policy Agent service, error 0x%x, Exiting.
Couldn't start Policy Agent service, error 0x%x, Exiting.
Error converting policy: 0x%x
Error converting policy: 0x%x
Error 0x%x occurred:
Error 0x%x occurred:
text2pol.dll
text2pol.dll
Error: the argument is too long (>%d symbols)
Error: the argument is too long (>%d symbols)
EnumQMSAs failed with error %d
EnumQMSAs failed with error %d
Source UDP Encap port : %u Dest UDP Encap port: %u
Source UDP Encap port : %u Dest UDP Encap port: %u
Direction : %s
Direction : %s
Protocol : %lu Src Port : %u Des Port : %u
Protocol : %lu Src Port : %u Des Port : %u
%s Filter
%s Filter
IPSecEnumMMSAs failed with error %d
IPSecEnumMMSAs failed with error %d
Transport
Transport
Quick Mode SA #%d:
Quick Mode SA #%d:
Source UDP Encap port : %u Dest UDP Encap port: %u
Source UDP Encap port : %u Dest UDP Encap port: %u
Auth Used : %s
Auth Used : %s
Main Mode SA #%d:
Main Mode SA #%d:
ReKeys %lu
ReKeys %lu
Key Deletes %lu
Key Deletes %lu
Key Adds %lu
Key Adds %lu
Pending Key %lu
Pending Key %lu
QueryIPSecStatistics failed with error %d
QueryIPSecStatistics failed with error %d
EnumMMAuthMethods failed with error %d
EnumMMAuthMethods failed with error %d
EnumQMPolicies failed with error %d
EnumQMPolicies failed with error %d
IPSecQueryIKEStatistics failed with error %d
IPSecQueryIKEStatistics failed with error %d
Main Mode Authentication Methods #%d:
Main Mode Authentication Methods #%d:
Quick Mode Policy #%d:
Quick Mode Policy #%d:
EnumMMPolicies failed with error %d
EnumMMPolicies failed with error %d
Main Mode Policy #%d:
Main Mode Policy #%d:
EnumTunnelFilters failed with error %d
EnumTunnelFilters failed with error %d
Specific Tunnel Filter #%d:
Specific Tunnel Filter #%d:
Generic Tunnel Filter #%d:
Generic Tunnel Filter #%d:
EnumTransportFilters failed with error %d
EnumTransportFilters failed with error %d
Specific Transport Filter #%d:
Specific Transport Filter #%d:
Specific Transport Filters
Specific Transport Filters
Generic Transport Filter #%d:
Generic Transport Filter #%d:
Generic Transport Filters
Generic Transport Filters
EnumMMFilters failed with error %d
EnumMMFilters failed with error %d
Specific MM Filter #%d:
Specific MM Filter #%d:
Generic MM Filter #%d:
Generic MM Filter #%d:
Policy Path: %s
Policy Path: %s
Directory Policy Name: %s
Directory Policy Name: %s
Policy Path: HKLM\%s
Policy Path: HKLM\%s
Description: %s
Description: %s
Local Policy Name: %s
Local Policy Name: %s
A failure occured getting policy information: error %d
A failure occured getting policy information: error %d
An error occurred importing data.
An error occurred importing data.
An error occurred exporting data.
An error occurred exporting data.
{e437bc1c-aa7d-11d2-a382-00c04f991e27}
{e437bc1c-aa7d-11d2-a382-00c04f991e27}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
MainMode Key Exchange
MainMode Key Exchange
MainMode Key Authorizated
MainMode Key Authorizated
Preshared Key
Preshared Key
RSA (Cert) Signature
RSA (Cert) Signature
RSA (Cert) Encryption
RSA (Cert) Encryption
ipseccmd
ipseccmd
SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Cache
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Cache
The operation was successful.
The operation was successful.
pass-thru filter indicated but not closed properly
pass-thru filter indicated but not closed properly
A string was used to designate protocol and it was not supported.
A string was used to designate protocol and it was not supported.
The unit for phase 2 rekey time is invalid.
The unit for phase 2 rekey time is invalid.
Designated hash algorithm for AH is either invalid or not supported.
Designated hash algorithm for AH is either invalid or not supported.
An undefined parse error occured due to unsupported/invalid syntax.
An undefined parse error occured due to unsupported/invalid syntax.
ESP with NULL encryption and NULL authentication is not currently supported.
ESP with NULL encryption and NULL authentication is not currently supported.
Preshared key indicated, but not supplied.
Preshared key indicated, but not supplied.
The authentication method specified is invalid or unsupported.
The authentication method specified is invalid or unsupported.
Invalid or unsupported DH group specified.
Invalid or unsupported DH group specified.
The unit for phase 1 rekey time is invalid.
The unit for phase 1 rekey time is invalid.
The TYPE of storage is not supported.
The TYPE of storage is not supported.
Storage mode indicated but no storage info passed- internal error.
Storage mode indicated but no storage info passed- internal error.
The minimum rekey for Phase 2 is 20480 KB and 300 seconds.
The minimum rekey for Phase 2 is 20480 KB and 300 seconds.
Windows IPSec Command Utility
Windows IPSec Command Utility
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ipseccmd.exe
ipseccmd.exe
Windows
Windows
Operating System
Operating System
5.1.2600.2180
5.1.2600.2180
SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Save
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Save
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Persistent
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Persistent
OperationMode
OperationMode
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache
polstore.dll
polstore.dll
TypesSupported
TypesSupported
%SystemRoot%\System32\oakley.dll
%SystemRoot%\System32\oakley.dll
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSec
SOFTWARE\Policies\Microsoft\Windows\IPSec
dddddd
dddddd
!"#$%&'()* ,-./0123456789:;
!"#$%&'()* ,-./0123456789:;
5.1.2600.5512 (xpsp.080413-0852)
5.1.2600.5512 (xpsp.080413-0852)
Microsoft(R) Windows(R) Operating System
Microsoft(R) Windows(R) Operating System
5.1.2600.5512
5.1.2600.5512
/024 (;%
/024 (;%
Windows IPSec SPD Client DLL
Windows IPSec SPD Client DLL
winipsec.dll
winipsec.dll
(*.*)
(*.*)
1.0.0.0
1.0.0.0
(hXXp://VVV.eyuyan.com)
(hXXp://VVV.eyuyan.com)
%original file name%.exe_508_rwx_00401000_00175000:
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
advapi32.dll
advapi32.dll
Advapi32.dll
Advapi32.dll
shlwapi.dll
shlwapi.dll
wininet.dll
wininet.dll
rasapi32.dll
rasapi32.dll
ole32.dll
ole32.dll
ShellExecuteA
ShellExecuteA
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
\winipsec.dll
\winipsec.dll
\ipseccmd.dll
\ipseccmd.dll
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
msvcirt.dll
msvcirt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
WS2_32.dll
WS2_32.dll
RPCRT4.dll
RPCRT4.dll
CRYPT32.dll
CRYPT32.dll
WLDAP32.dll
WLDAP32.dll
USERENV.dll
USERENV.dll
WINIPSEC.DLL
WINIPSEC.DLL
POLSTORE.DLL
POLSTORE.DLL
INPASS
INPASS
Fatal error occured processing cmd line at line %d
Fatal error occured processing cmd line at line %d
Unexpected flag: %s. Check usage.
Unexpected flag: %s. Check usage.
You must specify rule name: %s. Check usage.
You must specify rule name: %s. Check usage.
You must specify policy name: %s. Check usage.
You must specify policy name: %s. Check usage.
You must specify storage info: %s. Check usage.
You must specify storage info: %s. Check usage.
Unknown flag: %s
Unknown flag: %s
Polstore operation returned 0x%x!
Polstore operation returned 0x%x!
CERT
CERT
export
export
import
import
%s could not be opened for read! GetLastError = 0x%x
%s could not be opened for read! GetLastError = 0x%x
ipseccmd
ipseccmd
AscAddUint(X,X, X) ERROR - bad parameters
AscAddUint(X,X, X) ERROR - bad parameters
AscMultUint(X,X, X) ERROR - bad parameters
AscMultUint(X,X, X) ERROR - bad parameters
4294967296
4294967296
Encapsulation Type : %s
Encapsulation Type : %s
To %s
To %s
From %s
From %s
Transport Bytes Received %s
Transport Bytes Received %s
Transport Bytes Sent %s
Transport Bytes Sent %s
Bytes Received In Tunnels %s
Bytes Received In Tunnels %s
Bytes Sent In Tunnels %s
Bytes Sent In Tunnels %s
Offloaded Bytes Received %s
Offloaded Bytes Received %s
Offloaded Bytes Sent %s
Offloaded Bytes Sent %s
Authenticated Bytes Received %s
Authenticated Bytes Received %s
Authenticated Bytes Sent %s
Authenticated Bytes Sent %s
Confidential Bytes Received %s
Confidential Bytes Received %s
Confidential Bytes Sent %s
Confidential Bytes Sent %s
ConnListSize %d
ConnListSize %d
IsadbListSize %d
IsadbListSize %d
KeyUpdateFail %d
KeyUpdateFail %d
KeyAddFail %d
KeyAddFail %d
GetSpiFail %d
GetSpiFail %d
TotalKeyUpdate %d
TotalKeyUpdate %d
TotalKeyAdd %d
TotalKeyAdd %d
TotalGetSpi %d
TotalGetSpi %d
Total Acquire %d
Total Acquire %d
Invalid Cookies Rcvd %d
Invalid Cookies Rcvd %d
Negotiation Failures %d
Negotiation Failures %d
Receive Heap size %d
Receive Heap size %d
Acquire Heap size %d
Acquire Heap size %d
Send fail %d
Send fail %d
Receive fail %d
Receive fail %d
Acquire fail %d
Acquire fail %d
Active Receive %d
Active Receive %d
Active Acquire %d
Active Acquire %d
Authentication Failures %d
Authentication Failures %d
Soft SAs %d
Soft SAs %d
Quick Modes %d
Quick Modes %d
Main Modes %d
Main Modes %d
.ipsec
.ipsec
Couldn't get GUID for mirror filter - UuidCreate failed with status: %ul
Couldn't get GUID for mirror filter - UuidCreate failed with status: %ul
Couldn't get GUID for MM filter - UuidCreate failed with status: %ul
Couldn't get GUID for MM filter - UuidCreate failed with status: %ul
ipseccmd.pdb
ipseccmd.pdb
t.IIt
t.IIt
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
CertStrToNameW
CertStrToNameW
CertNameToStrW
CertNameToStrW
IPSecImportPolicies
IPSecImportPolicies
IPSecExportPolicies
IPSecExportPolicies
\polstore.dll
\polstore.dll
@.reloc
@.reloc
NETAPI32.dll
NETAPI32.dll
PSSh,
PSSh,
PSShT
PSShT
RegDeleteKeyW
RegDeleteKeyW
RegSaveKeyW
RegSaveKeyW
RegRestoreKeyW
RegRestoreKeyW
RegOpenKeyW
RegOpenKeyW
RegCreateKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegEnumKeyExW
GetProcessHeap
GetProcessHeap
polstore.pdb
polstore.pdb
winipsec.pdb
winipsec.pdb
AddTransportFilter
AddTransportFilter
CloseTransportFilterHandle
CloseTransportFilterHandle
DeleteTransportFilter
DeleteTransportFilter
EnumTransportFilters
EnumTransportFilters
GetTransportFilter
GetTransportFilter
MatchTransportFilter
MatchTransportFilter
OpenTransportFilterHandle
OpenTransportFilterHandle
SetTransportFilter
SetTransportFilter
https
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
http=
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXps://
hXXp://
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
VVV.ip138.com
VVV.ip138.com
VVV.qq.com
VVV.qq.com
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Ms.exe
Ms.exe
wWw.941Pojie.coM
wWw.941Pojie.coM
.oNIT
.oNIT
=%xgH|*
=%xgH|*
:%%f&
:%%f&
%ßRY
%ßRY
VVV.meitu.com
VVV.meitu.com
te.Jt
te.Jt
3.mcp
3.mcp
%SnVv
%SnVv
pi,%Upom
pi,%Upom
.ZThS
.ZThS
%X`iG
%X`iG
.Jj5% s7
.Jj5% s7
.JukW
.JukW
q.TjQ
q.TjQ
qN.PjQN
qN.PjQN
%d&&'
%d&&'
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
1.2.18
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
user32.dll
user32.dll
"103*2-
"103*2-
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
127.0.0.1 VVV.915youxi.com
127.0.0.1 VVV.915youxi.com
127.0.0.1 915youxi.com
127.0.0.1 915youxi.com
127.0.0.1 VVV.52anzu.com
127.0.0.1 VVV.52anzu.com
127.0.0.1 52anzu.com
127.0.0.1 52anzu.com
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
%s%sFlags : %lu
%s%sFlags : %lu
%s%sPFS : %s
%s%sPFS : %s
%s%sAlgo #%d :
%s%sAlgo #%d :
%sOffer #%d
%sOffer #%d
%sFlags : %lu %s %s %s
%sFlags : %lu %s %s %s
%sPolicy Id : %s
%sPolicy Id : %s
%sName : %s
%sName : %s
%s%sQuickmode limit : %lu, Lifetime %luKbytes/%luseconds
%s%sQuickmode limit : %lu, Lifetime %luKbytes/%luseconds
%s%s%s
%s%s%s
IP Addr %S
IP Addr %S
interface id %s
interface id %s
mask %S
mask %S
subnet %S
subnet %S
Interface Type : %s
Interface Type : %s
Mirrored : %s
Mirrored : %s
Direction : %s, Weight : %lu
Direction : %s, Weight : %lu
Outbound Passthru
Outbound Passthru
Inbound Passthru
Inbound Passthru
Protocol : %lu Src Port : %u Des Port : %u
Protocol : %lu Src Port : %u Des Port : %u
Policy Id : %s
Policy Id : %s
Filter Id : %s
Filter Id : %s
Name : %s
Name : %s
AM #%d :
AM #%d :
%sAuth Methods Id: %s
%sAuth Methods Id: %s
%sSoft SA expiration time : %lu
%sSoft SA expiration time : %lu
%sFlags : %lu %s %s
%sFlags : %lu %s %s
Auth Methods Id: %s
Auth Methods Id: %s
Filter %d
Filter %d
MM Filter %d
MM Filter %d
%s filter action
%s filter action
%s filter list
%s filter list
Example: ipseccmd export PERS persistent.ipsec
Example: ipseccmd export PERS persistent.ipsec
specify the .ipsec file extension, this extension will be appended.
specify the .ipsec file extension, this extension will be appended.
Name of file to import/export from/to. If an export file name does not
Name of file to import/export from/to. If an export file name does not
Ipseccmd imports or exports a .ipsec file.
Ipseccmd imports or exports a .ipsec file.
Import/Export MODE
Import/Export MODE
Example: ipseccmd set logike
Example: ipseccmd set logike
Ipseccmd sets configuration parameters for IPSec.
Ipseccmd sets configuration parameters for IPSec.
Example: ipseccmd show filters policies
Example: ipseccmd show filters policies
stats - shows Internet Key Exchange(IKE) and IPSec statistics
stats - shows Internet Key Exchange(IKE) and IPSec statistics
Ipseccmd displays requested data from the IPSec Security Policies Database
Ipseccmd displays requested data from the IPSec Security Policies Database
INPASS will set any inbound filters in the FilterList as Pass filters while
INPASS will set any inbound filters in the FilterList as Pass filters while
will make all of the filters in the FilterList Pass filters.
will make all of the filters in the FilterList Pass filters.
PASS will ignore any methods in NegotiationMethodList and
PASS will ignore any methods in NegotiationMethodList and
values you can pass in the NegotiationMethodList that have special meaning:
values you can pass in the NegotiationMethodList that have special meaning:
made to signify filters as Pass (or permit) and Block. In Static mode, these
made to signify filters as Pass (or permit) and Block. In Static mode, these
originally created with ipseccmd. Policies can be set as either Assigned or
originally created with ipseccmd. Policies can be set as either Assigned or
Example: 10Q/3600S will rekey after 10 quick modes or every hour.
Example: 10Q/3600S will rekey after 10 quick modes or every hour.
The number of Quick Modes and/or seconds after which IKE should rekey a
The number of Quick Modes and/or seconds after which IKE should rekey a
-1k MMRekeyTime
-1k MMRekeyTime
The strings provided as the preshared key or CA info are case sensitive
The strings provided as the preshared key or CA info are case sensitive
PRESHARE:""
PRESHARE:""
CERT:"", e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
CERT:"", e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
DEFAULT: Omission of tunnel address assumes transport mode.
DEFAULT: Omission of tunnel address assumes transport mode.
ipseccmd twice-- once for the outbound filters and outgoing tunnel
ipseccmd twice-- once for the outbound filters and outgoing tunnel
NOTE: If you need to set up a tunnel policy, you will need to execute
NOTE: If you need to set up a tunnel policy, you will need to execute
Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
after which IKE should rekey a Quick Mode security association.
after which IKE should rekey a Quick Mode security association.
Rekey: Optional setting to specify the number of KBytes and/or seconds
Rekey: Optional setting to specify the number of KBytes and/or seconds
NOTE: ESP[NONE,NONE] is not a supported configuration.
NOTE: ESP[NONE,NONE] is not a supported configuration.
AH[HashAlg] ESP[ConfAlg,AuthAlg]RekeyPFS
AH[HashAlg] ESP[ConfAlg,AuthAlg]RekeyPFS
AH[HashAlg]RekeyPFS
AH[HashAlg]RekeyPFS
ESP[ConfAlg,AuthAlg]RekeyPFS
ESP[ConfAlg,AuthAlg]RekeyPFS
Example: (0 128.2.1.1) will create 2 filters that will be exempted
Example: (0 128.2.1.1) will create 2 filters that will be exempted
the filter will be a Pass (or Permit) filter. If you surround the
the filter will be a Pass (or Permit) filter. If you surround the
PASS and BLOCK filters: By surrounding a filter specification with (),
PASS and BLOCK filters: By surrounding a filter specification with (),
all TCP traffic from the first subnet and the second subnet on port 80.
all TCP traffic from the first subnet and the second subnet on port 80.
172.31.0.0/255.255.0.0:80 157.0.0.0/255.0.0.0:80:TCP will filter
172.31.0.0/255.255.0.0:80 157.0.0.0/255.0.0.0:80:TCP will filter
M1 M2::6 will filter TCP traffic between addresses M1 and M2 on any port
M1 M2::6 will filter TCP traffic between addresses M1 and M2 on any port
You can use also use these protocol symbols: ICMP TCP UDP RAW
You can use also use these protocol symbols: ICMP TCP UDP RAW
If you indicate a protocol, a port value or '::' must precede it.
If you indicate a protocol, a port value or '::' must precede it.
Port and Protocol are optional. If omitted, the values are set to ANY
Port and Protocol are optional. If omitted, the values are set to ANY
128.*.* is the same as above
128.*.* is the same as above
128.*.*.* is same as 128.0.0.0/255.0.0.0
128.*.*.* is same as 128.0.0.0/255.0.0.0
144.92.*.* is the same as 144.92.0.0/255.255.0.0
144.92.*.* is the same as 144.92.0.0/255.255.0.0
Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
Optionally, you can specify the keyword DEFAULT to set the
Optionally, you can specify the keyword DEFAULT to set the
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.
Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.
Import and export mode will import or export a .ipsec policy file to/from the
Import and export mode will import or export a .ipsec policy file to/from the
To delete all dynamic policies, execute "ipseccmd -u"
To delete all dynamic policies, execute "ipseccmd -u"
import, and export. The default mode is dynamic.
import, and export. The default mode is dynamic.
Ipseccmd has multiple mutually exclusive modes: dynamic, static, show, set
Ipseccmd has multiple mutually exclusive modes: dynamic, static, show, set
For extended usage, run: ipseccmd -?
For extended usage, run: ipseccmd -?
Executes a file containing regular static or dynamic ipseccmd commands.
Executes a file containing regular static or dynamic ipseccmd commands.
ipseccmd -file FileName
ipseccmd -file FileName
Imports or exports a static policy file.
Imports or exports a static policy file.
ipseccmd \\machinename [import OR export] Location FileName
ipseccmd \\machinename [import OR export] Location FileName
ipseccmd \\machinename set [logike OR dontlogike]
ipseccmd \\machinename set [logike OR dontlogike]
ipseccmd \\machinename show gpo filters policies auth stats sas all
ipseccmd \\machinename show gpo filters policies auth stats sas all
{-w Location -p PolicyName:PollInterval -r RuleName [-x OR -y] -o}
{-w Location -p PolicyName:PollInterval -r RuleName [-x OR -y] -o}
-a AuthMethodList -1s SecurityMethodList -1k MMRekeyTime
-a AuthMethodList -1s SecurityMethodList -1k MMRekeyTime
ipseccmd \\machinename -f FilterList -n NegotiationMethodList -t TunnelAddr
ipseccmd \\machinename -f FilterList -n NegotiationMethodList -t TunnelAddr
Failed to add policy, error 0x%x
Failed to add policy, error 0x%x
PA RPC not ready. Sleeping for %d seconds...
PA RPC not ready. Sleeping for %d seconds...
Couldn't check status of Policy Agent service, error 0x%x, Exiting.
Couldn't check status of Policy Agent service, error 0x%x, Exiting.
Couldn't start Policy Agent service, error 0x%x, Exiting.
Couldn't start Policy Agent service, error 0x%x, Exiting.
Error converting policy: 0x%x
Error converting policy: 0x%x
Error 0x%x occurred:
Error 0x%x occurred:
text2pol.dll
text2pol.dll
Error: the argument is too long (>%d symbols)
Error: the argument is too long (>%d symbols)
EnumQMSAs failed with error %d
EnumQMSAs failed with error %d
Source UDP Encap port : %u Dest UDP Encap port: %u
Source UDP Encap port : %u Dest UDP Encap port: %u
Direction : %s
Direction : %s
Protocol : %lu Src Port : %u Des Port : %u
Protocol : %lu Src Port : %u Des Port : %u
%s Filter
%s Filter
IPSecEnumMMSAs failed with error %d
IPSecEnumMMSAs failed with error %d
Transport
Transport
Quick Mode SA #%d:
Quick Mode SA #%d:
Source UDP Encap port : %u Dest UDP Encap port: %u
Source UDP Encap port : %u Dest UDP Encap port: %u
Auth Used : %s
Auth Used : %s
Main Mode SA #%d:
Main Mode SA #%d:
ReKeys %lu
ReKeys %lu
Key Deletes %lu
Key Deletes %lu
Key Adds %lu
Key Adds %lu
Pending Key %lu
Pending Key %lu
QueryIPSecStatistics failed with error %d
QueryIPSecStatistics failed with error %d
EnumMMAuthMethods failed with error %d
EnumMMAuthMethods failed with error %d
EnumQMPolicies failed with error %d
EnumQMPolicies failed with error %d
IPSecQueryIKEStatistics failed with error %d
IPSecQueryIKEStatistics failed with error %d
Main Mode Authentication Methods #%d:
Main Mode Authentication Methods #%d:
Quick Mode Policy #%d:
Quick Mode Policy #%d:
EnumMMPolicies failed with error %d
EnumMMPolicies failed with error %d
Main Mode Policy #%d:
Main Mode Policy #%d:
EnumTunnelFilters failed with error %d
EnumTunnelFilters failed with error %d
Specific Tunnel Filter #%d:
Specific Tunnel Filter #%d:
Generic Tunnel Filter #%d:
Generic Tunnel Filter #%d:
EnumTransportFilters failed with error %d
EnumTransportFilters failed with error %d
Specific Transport Filter #%d:
Specific Transport Filter #%d:
Specific Transport Filters
Specific Transport Filters
Generic Transport Filter #%d:
Generic Transport Filter #%d:
Generic Transport Filters
Generic Transport Filters
EnumMMFilters failed with error %d
EnumMMFilters failed with error %d
Specific MM Filter #%d:
Specific MM Filter #%d:
Generic MM Filter #%d:
Generic MM Filter #%d:
Policy Path: %s
Policy Path: %s
Directory Policy Name: %s
Directory Policy Name: %s
Policy Path: HKLM\%s
Policy Path: HKLM\%s
Description: %s
Description: %s
Local Policy Name: %s
Local Policy Name: %s
A failure occured getting policy information: error %d
A failure occured getting policy information: error %d
An error occurred importing data.
An error occurred importing data.
An error occurred exporting data.
An error occurred exporting data.
{e437bc1c-aa7d-11d2-a382-00c04f991e27}
{e437bc1c-aa7d-11d2-a382-00c04f991e27}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
MainMode Key Exchange
MainMode Key Exchange
MainMode Key Authorizated
MainMode Key Authorizated
Preshared Key
Preshared Key
RSA (Cert) Signature
RSA (Cert) Signature
RSA (Cert) Encryption
RSA (Cert) Encryption
ipseccmd
ipseccmd
SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Cache
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Cache
The operation was successful.
The operation was successful.
pass-thru filter indicated but not closed properly
pass-thru filter indicated but not closed properly
A string was used to designate protocol and it was not supported.
A string was used to designate protocol and it was not supported.
The unit for phase 2 rekey time is invalid.
The unit for phase 2 rekey time is invalid.
Designated hash algorithm for AH is either invalid or not supported.
Designated hash algorithm for AH is either invalid or not supported.
An undefined parse error occured due to unsupported/invalid syntax.
An undefined parse error occured due to unsupported/invalid syntax.
ESP with NULL encryption and NULL authentication is not currently supported.
ESP with NULL encryption and NULL authentication is not currently supported.
Preshared key indicated, but not supplied.
Preshared key indicated, but not supplied.
The authentication method specified is invalid or unsupported.
The authentication method specified is invalid or unsupported.
Invalid or unsupported DH group specified.
Invalid or unsupported DH group specified.
The unit for phase 1 rekey time is invalid.
The unit for phase 1 rekey time is invalid.
The TYPE of storage is not supported.
The TYPE of storage is not supported.
Storage mode indicated but no storage info passed- internal error.
Storage mode indicated but no storage info passed- internal error.
The minimum rekey for Phase 2 is 20480 KB and 300 seconds.
The minimum rekey for Phase 2 is 20480 KB and 300 seconds.
Windows IPSec Command Utility
Windows IPSec Command Utility
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ipseccmd.exe
ipseccmd.exe
Windows
Windows
Operating System
Operating System
5.1.2600.2180
5.1.2600.2180
SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Save
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Save
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Persistent
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Persistent
OperationMode
OperationMode
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache
polstore.dll
polstore.dll
TypesSupported
TypesSupported
%SystemRoot%\System32\oakley.dll
%SystemRoot%\System32\oakley.dll
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSec
SOFTWARE\Policies\Microsoft\Windows\IPSec
dddddd
dddddd
!"#$%&'()* ,-./0123456789:;
!"#$%&'()* ,-./0123456789:;
5.1.2600.5512 (xpsp.080413-0852)
5.1.2600.5512 (xpsp.080413-0852)
Microsoft(R) Windows(R) Operating System
Microsoft(R) Windows(R) Operating System
5.1.2600.5512
5.1.2600.5512
/024 (;%
/024 (;%
Windows IPSec SPD Client DLL
Windows IPSec SPD Client DLL
winipsec.dll
winipsec.dll
(*.*)
(*.*)
%original file name%.exe_508_rwx_0058C000_00001000:
MSVCRT.dll
MSVCRT.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
PSAPI.DLL
PSAPI.DLL
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
%original file name%.exe_508_rwx_00596000_00003000:
MSVCRT.dll
MSVCRT.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
PSAPI.DLL
PSAPI.DLL
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
%original file name%.exe_508_rwx_0062A000_00047000:
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
ADVAPI32.dll
ADVAPI32.dll
OLEAUT32.dll
OLEAUT32.dll
ole32.dll
ole32.dll
GDI32.dll
GDI32.dll
SHELL32.dll
SHELL32.dll
WS2_32.dll
WS2_32.dll
WINMM.dll
WINMM.dll
WINSPOOL.DRV
WINSPOOL.DRV
RASAPI32.dll
RASAPI32.dll
WININET.dll
WININET.dll
AVIFIL32.dll
AVIFIL32.dll
MSVFW32.dll
MSVFW32.dll
COMCTL32.dll
COMCTL32.dll
G|.nb
G|.nb
comdlg32.dll
comdlg32.dll
oledlg.dll
oledlg.dll
%original file name%.exe_508_rwx_00673000_00002000:
GetKeyState
GetKeyState
GDI32.dll
GDI32.dll
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GetViewportOrgEx
WINMM.dll
WINMM.dll
WINSPOOL.DRV
WINSPOOL.DRV
ole32.dll
ole32.dll
comdlg32.dll
comdlg32.dll
ADVAPI32.dll
ADVAPI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
,RegCreateKeyA
,RegCreateKeyA
RegOpenKeyExA
RegOpenKeyExA
oledlg.dll
oledlg.dll
SHELL32.dll
SHELL32.dll
ShellExecuteA
ShellExecuteA
WS2_32.dll
WS2_32.dll
COMCTL32.dll
COMCTL32.dll
WININET.dll
WININET.dll
OLEAUT32.dll
OLEAUT32.dll
PSAPI.DLL
PSAPI.DLL
%original file name%.exe_508_rwx_00B60000_0001D000:
iphlpapi.dll
iphlpapi.dll
AllocateAndGetTcpExTable2FromStack
AllocateAndGetTcpExTable2FromStack
AllocateAndGetTcpExTableFromStack
AllocateAndGetTcpExTableFromStack
AllocateAndGetTcpTableFromStack
AllocateAndGetTcpTableFromStack
AllocateAndGetUdpExTable2FromStack
AllocateAndGetUdpExTable2FromStack
AllocateAndGetUdpExTableFromStack
AllocateAndGetUdpExTableFromStack
AllocateAndGetUdpTableFromStack
AllocateAndGetUdpTableFromStack
GetExtendedTcpTable
GetExtendedTcpTable
GetExtendedUdpTable
GetExtendedUdpTable
GetOwnerModuleFromTcp6Entry
GetOwnerModuleFromTcp6Entry
GetOwnerModuleFromTcpEntry
GetOwnerModuleFromTcpEntry
GetOwnerModuleFromUdp6Entry
GetOwnerModuleFromUdp6Entry
GetOwnerModuleFromUdpEntry
GetOwnerModuleFromUdpEntry
GetTcpExTable2FromStack
GetTcpExTable2FromStack
GetTcpStatistics
GetTcpStatistics
GetTcpStatisticsEx
GetTcpStatisticsEx
GetTcpStatsFromStack
GetTcpStatsFromStack
GetTcpStatsFromStackEx
GetTcpStatsFromStackEx
GetTcpTable
GetTcpTable
GetTcpTableFromStack
GetTcpTableFromStack
GetUdpExTable2FromStack
GetUdpExTable2FromStack
GetUdpStatistics
GetUdpStatistics
GetUdpStatisticsEx
GetUdpStatisticsEx
GetUdpStatsFromStack
GetUdpStatsFromStack
GetUdpStatsFromStackEx
GetUdpStatsFromStackEx
GetUdpTable
GetUdpTable
GetUdpTableFromStack
GetUdpTableFromStack
InternalGetTcpTable
InternalGetTcpTable
InternalGetUdpTable
InternalGetUdpTable
InternalSetTcpEntry
InternalSetTcpEntry
SetTcpEntry
SetTcpEntry
SetTcpEntryToStack
SetTcpEntryToStack
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
\Device\NetBT_Tcpip_
\Device\NetBT_Tcpip_
%d.%d.%d.%d
%d.%d.%d.%d
\\.\Ip
\\.\Ip
TCP/IP not bound to any adapters
TCP/IP not bound to any adapters
Cannot access adapter bindings registry key
Cannot access adapter bindings registry key
TCP/IP is not running on this system
TCP/IP is not running on this system
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
PSSSSh8
PSSSSh8
wsock32.dll
wsock32.dll
\\.\Ip6
\\.\Ip6
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\
advapi32.dll
advapi32.dll
PSSSSh
PSSSSh
uùH
uùH
{lX-X-X-XX-XXXXXX}
{lX-X-X-XX-XXXXXX}
DHCPCSVC.DLL
DHCPCSVC.DLL
MPRAPI.dll
MPRAPI.dll
netman.dll
netman.dll
ole32.dll
ole32.dll
PSAPI.DLL
PSAPI.DLL
RASAPI32.dll
RASAPI32.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
msvcrt.dll
msvcrt.dll
ntdll.dll
ntdll.dll
USER32.dll
USER32.dll
WS2_32.dll
WS2_32.dll
RegOpenKeyExA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
GetProcessHeap
GetProcessHeap
iphlpapi.pdb
iphlpapi.pdb
MS TCP Loopback interface
MS TCP Loopback interface
1!2C2V2
1!2C2V2
\Device\Tcp6
\Device\Tcp6
\Device\Tcp
\Device\Tcp
rundll32.exe
rundll32.exe
wininet.dll
wininet.dll
ipnathlp.dll
ipnathlp.dll
ntoskrnl.exe
ntoskrnl.exe
RPCRT4.dll
RPCRT4.dll
ws2_32.dll
ws2_32.dll
\DEVICE\TCPIP_
\DEVICE\TCPIP_
svchost.exe
svchost.exe
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
\ras\router.pbk
\ras\router.pbk
router.pbk
router.pbk
System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces
System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces
5.1.2600.5512 (xpsp.080413-0852)
5.1.2600.5512 (xpsp.080413-0852)
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Destination port unreachable.
Destination port unreachable.
Parallel Port
Parallel Port
ATM Logical Port
ATM Logical Port
ISO 802.5r DTR$Ext Position Locaction Report System Appletalk Remote Access Protocol#Proprietary Connectionless Protocol
ISO 802.5r DTR$Ext Position Locaction Report System Appletalk Remote Access Protocol#Proprietary Connectionless Protocol
IBM multi-proto channel support
IBM multi-proto channel support
Transport HDLP
Transport HDLP
%original file name%.exe_508_rwx_00C50000_000B0000:
ntdll.dll
ntdll.dll
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptions
NtAcceptConnectPort
NtAcceptConnectPort
NtCompactKeys
NtCompactKeys
NtCompleteConnectPort
NtCompleteConnectPort
NtCompressKey
NtCompressKey
NtConnectPort
NtConnectPort
NtCreateKey
NtCreateKey
NtCreateKeyedEvent
NtCreateKeyedEvent
NtCreateNamedPipeFile
NtCreateNamedPipeFile
NtCreatePort
NtCreatePort
NtCreateWaitablePort
NtCreateWaitablePort
NtDelayExecution
NtDelayExecution
NtDeleteKey
NtDeleteKey
NtDeleteValueKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateKey
NtEnumerateValueKey
NtEnumerateValueKey
NtFlushKey
NtFlushKey
NtImpersonateClientOfPort
NtImpersonateClientOfPort
NtListenPort
NtListenPort
NtLoadKey
NtLoadKey
NtLoadKey2
NtLoadKey2
NtLockProductActivationKeys
NtLockProductActivationKeys
NtLockRegistryKey
NtLockRegistryKey
NtNotifyChangeKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtNotifyChangeMultipleKeys
NtOpenKey
NtOpenKey
NtOpenKeyedEvent
NtOpenKeyedEvent
NtQueryInformationPort
NtQueryInformationPort
NtQueryKey
NtQueryKey
NtQueryMultipleValueKey
NtQueryMultipleValueKey
NtQueryOpenSubKeys
NtQueryOpenSubKeys
NtQueryPortInformationProcess
NtQueryPortInformationProcess
NtQueryValueKey
NtQueryValueKey
NtRegisterThreadTerminatePort
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtReleaseKeyedEvent
NtRenameKey
NtRenameKey
NtReplaceKey
NtReplaceKey
NtReplyPort
NtReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePort
NtReplyWaitReceivePortEx
NtReplyWaitReceivePortEx
NtReplyWaitReplyPort
NtReplyWaitReplyPort
NtRequestPort
NtRequestPort
NtRequestWaitReplyPort
NtRequestWaitReplyPort
NtRestoreKey
NtRestoreKey
NtSaveKey
NtSaveKey
NtSaveKeyEx
NtSaveKeyEx
NtSaveMergedKeys
NtSaveMergedKeys
NtSecureConnectPort
NtSecureConnectPort
NtSetDefaultHardErrorPort
NtSetDefaultHardErrorPort
NtSetInformationKey
NtSetInformationKey
NtSetThreadExecutionState
NtSetThreadExecutionState
NtSetValueKey
NtSetValueKey
NtUnloadKey
NtUnloadKey
NtUnloadKeyEx
NtUnloadKeyEx
NtWaitForKeyedEvent
NtWaitForKeyedEvent
NtYieldExecution
NtYieldExecution
RtlCheckRegistryKey
RtlCheckRegistryKey
RtlComputeImportTableHash
RtlComputeImportTableHash
RtlCreateRegistryKey
RtlCreateRegistryKey
RtlEnumProcessHeaps
RtlEnumProcessHeaps
RtlFormatCurrentUserKeyPath
RtlFormatCurrentUserKeyPath
RtlGetProcessHeaps
RtlGetProcessHeaps
RtlQueryProcessHeapInformation
RtlQueryProcessHeapInformation
RtlValidateProcessHeaps
RtlValidateProcessHeaps
RtlpNtCreateKey
RtlpNtCreateKey
RtlpNtEnumerateSubKey
RtlpNtEnumerateSubKey
RtlpNtMakeTemporaryKey
RtlpNtMakeTemporaryKey
RtlpNtOpenKey
RtlpNtOpenKey
RtlpNtQueryValueKey
RtlpNtQueryValueKey
RtlpNtSetValueKey
RtlpNtSetValueKey
ZwAcceptConnectPort
ZwAcceptConnectPort
ZwCompactKeys
ZwCompactKeys
ZwCompleteConnectPort
ZwCompleteConnectPort
ZwCompressKey
ZwCompressKey
ZwConnectPort
ZwConnectPort
ZwCreateKey
ZwCreateKey
ZwCreateKeyedEvent
ZwCreateKeyedEvent
ZwCreateNamedPipeFile
ZwCreateNamedPipeFile
ZwCreatePort
ZwCreatePort
ZwCreateWaitablePort
ZwCreateWaitablePort
ZwDelayExecution
ZwDelayExecution
ZwDeleteKey
ZwDeleteKey
ZwDeleteValueKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwEnumerateValueKey
ZwFlushKey
ZwFlushKey
ZwImpersonateClientOfPort
ZwImpersonateClientOfPort
ZwListenPort
ZwListenPort
ZwLoadKey
ZwLoadKey
ZwLoadKey2
ZwLoadKey2
ZwLockProductActivationKeys
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwLockRegistryKey
ZwNotifyChangeKey
ZwNotifyChangeKey
ZwNotifyChangeMultipleKeys
ZwNotifyChangeMultipleKeys
ZwOpenKey
ZwOpenKey
ZwOpenKeyedEvent
ZwOpenKeyedEvent
ZwQueryInformationPort
ZwQueryInformationPort
ZwQueryKey
ZwQueryKey
ZwQueryMultipleValueKey
ZwQueryMultipleValueKey
ZwQueryOpenSubKeys
ZwQueryOpenSubKeys
ZwQueryPortInformationProcess
ZwQueryPortInformationProcess
ZwQueryValueKey
ZwQueryValueKey
ZwRegisterThreadTerminatePort
ZwRegisterThreadTerminatePort
ZwReleaseKeyedEvent
ZwReleaseKeyedEvent
ZwRenameKey
ZwRenameKey
ZwReplaceKey
ZwReplaceKey
ZwReplyPort
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePortEx
ZwReplyWaitReceivePortEx
ZwReplyWaitReplyPort
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwRequestWaitReplyPort
ZwRestoreKey
ZwRestoreKey
ZwSaveKey
ZwSaveKey
ZwSaveKeyEx
ZwSaveKeyEx
ZwSaveMergedKeys
ZwSaveMergedKeys
ZwSecureConnectPort
ZwSecureConnectPort
ZwSetDefaultHardErrorPort
ZwSetDefaultHardErrorPort
ZwSetInformationKey
ZwSetInformationKey
ZwSetThreadExecutionState
ZwSetThreadExecutionState
ZwSetValueKey
ZwSetValueKey
ZwUnloadKey
ZwUnloadKey
ZwUnloadKeyEx
ZwUnloadKeyEx
ZwWaitForKeyedEvent
ZwWaitForKeyedEvent
ZwYieldExecution
ZwYieldExecution
?SsHd
?SsHd
>SsHd
>SsHd
secserv.dll
secserv.dll
.aspack
.aspack
.pcle
.pcle
.sforce
.sforce
|BaseProcessInitPostImport
|BaseProcessInitPostImport
.txt2
.txt2
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ
LDR: %s - failing because LdrpLoadDll(%wZ) returned status %x
LDR: %s - failing because LdrpLoadDll(%wZ) returned status %x
LDR: %s - Exception lx thrown running initialization routines for %wZ
LDR: %s - Exception lx thrown running initialization routines for %wZ
LDR: exception lx thrown within function %s
LDR: exception lx thrown within function %s
|_CorExeMain
|_CorExeMain
Invalid flags (x) specified to RtlCreateHeap
Invalid flags (x) specified to RtlCreateHeap
LDR: LdrpWalkImportDescriptor() failed to probe %wZ for its manifest, ntstatus 0xlx
LDR: LdrpWalkImportDescriptor() failed to probe %wZ for its manifest, ntstatus 0xlx
LDR: %s - failed to allocate dynamic array of %u DLL initializers to run
LDR: %s - failed to allocate dynamic array of %u DLL initializers to run
[%x,%x] LDR: Real INIT LIST for process %wZ pid %u 0x%x
[%x,%x] LDR: Real INIT LIST for process %wZ pid %u 0x%x
[%x,%x] %wZ init routine %p
[%x,%x] %wZ init routine %p
[%x,%x] LDR: %wZ loaded
[%x,%x] LDR: %wZ loaded
[%x,%x] LDR: calling init routine %p for DLL_PROCESS_ATTACH
[%x,%x] LDR: calling init routine %p for DLL_PROCESS_ATTACH
[%x,%x] LDR: DLL_PROCESS_ATTACH for dll "%wZ" (InitRoutine: %p) failed
[%x,%x] LDR: DLL_PROCESS_ATTACH for dll "%wZ" (InitRoutine: %p) failed
LDR: %s - caught exception lx snapping thunks (#1)
LDR: %s - caught exception lx snapping thunks (#1)
LDR: %s - caught exception lx snapping thunks (#2)
LDR: %s - caught exception lx snapping thunks (#2)
LDR: TlsVector %x Index %d = %x copied from %x to %x
LDR: TlsVector %x Index %d = %x copied from %x to %x
LDR: %s - caught exception lx calling TLS callbacks
LDR: %s - caught exception lx calling TLS callbacks
Failed to initialize a new segment (%x)
Failed to initialize a new segment (%x)
Abandoning uncommitted range (%x for %x)
Abandoning uncommitted range (%x for %x)
Failing creating uncommitted range (%x for %x)
Failing creating uncommitted range (%x for %x)
NAME - %s
NAME - %s
LDR: %s - Exception %x thrown by LdrpRunInitializeRoutines
LDR: %s - Exception %x thrown by LdrpRunInitializeRoutines
LDR: %s - caught exception lx while checking image checksums
LDR: %s - caught exception lx while checking image checksums
LDR: %s - Caught exception lx
LDR: %s - Caught exception lx
(%d) [%ws] %ws (%lx) deinit %lx
(%d) [%ws] %ws (%lx) deinit %lx
LDR: %s - exception lx caught while sending DLL_PROCESS_DETACH
LDR: %s - exception lx caught while sending DLL_PROCESS_DETACH
LDR: %s - Dll name missing extension; with extension added the length is too long
LDR: %s - Dll name missing extension; with extension added the length is too long
DllName->Length: %u
DllName->Length: %u
LDR: %s - Exception %x thrown by LdrpWalkImportDescriptor
LDR: %s - Exception %x thrown by LdrpWalkImportDescriptor
LDR: Unloading %wZ due to error %x walking import descriptors
LDR: Unloading %wZ due to error %x walking import descriptors
LDR: Unloading %wZ because either its init routine or one of its static imports failed; status = 0xlx
LDR: Unloading %wZ because either its init routine or one of its static imports failed; status = 0xlx
LDR: failed to load mscoree.dll, status=%x
LDR: failed to load mscoree.dll, status=%x
LDR: PID: 0x%x finished - '%wZ'
LDR: PID: 0x%x finished - '%wZ'
LDR: %s - failing because we were unable to map the image base address (%p) to the PIMAGE_NT_HEADERS
LDR: %s - failing because we were unable to map the image base address (%p) to the PIMAGE_NT_HEADERS
LDR: PID: 0x%x started - '%wZ'
LDR: PID: 0x%x started - '%wZ'
LDR: Stack trace database size is %u Mb
LDR: Stack trace database size is %u Mb
LDR: %s - unable to create process heap
LDR: %s - unable to create process heap
LDR: %s failing process initialization due to inability to create loader private heap.
LDR: %s failing process initialization due to inability to create loader private heap.
LDR: %s - failed call to NtQuerySymbolicLinkObject with status %x
LDR: %s - failed call to NtQuerySymbolicLinkObject with status %x
LDR: %s - unable to allocate current working directory buffer
LDR: %s - unable to allocate current working directory buffer
LDR: %s - failed to allocate PEB_LDR_DATA
LDR: %s - failed to allocate PEB_LDR_DATA
LDR: %s - failing process initialization due to inability allocate "%wZ"'s LDR_DATA_TABLE_ENTRY
LDR: %s - failing process initialization due to inability allocate "%wZ"'s LDR_DATA_TABLE_ENTRY
LDR: %s - failing process initialization due to inability to allocate NTDLL's LDR_DATA_TABLE_ENTRY
LDR: %s - failing process initialization due to inability to allocate NTDLL's LDR_DATA_TABLE_ENTRY
LDR: %s - unable to set current directory to "%wZ"; status = %x
LDR: %s - unable to set current directory to "%wZ"; status = %x
LDR: %s - unable to set current directory to NtSystemRoot; status = %x
LDR: %s - unable to set current directory to NtSystemRoot; status = %x
LDR: %s - unable to allocate heap for the image's .local path
LDR: %s - unable to allocate heap for the image's .local path
LDR: Unable to load kernel32.dll. Status=%x
LDR: Unable to load kernel32.dll. Status=%x
LDR: Failed to find post-import process init function in kernel32; ntstatus 0xlx
LDR: Failed to find post-import process init function in kernel32; ntstatus 0xlx
LDR: %s - call to LdrpWalkImportDescriptor failed with status %x
LDR: %s - call to LdrpWalkImportDescriptor failed with status %x
LDR: %s - call to LdrpSetProtection(%p, FALSE, TRUE) failed with status %x
LDR: %s - call to LdrpSetProtection(%p, FALSE, TRUE) failed with status %x
LDR: %s - call to LdrRelocateImage failed with status %x
LDR: %s - call to LdrRelocateImage failed with status %x
LDR: %s - call to LdrpSetProtection(%p, TRUE, TRUE) failed with status %x
LDR: %s - call to LdrpSetProtection(%p, TRUE, TRUE) failed with status %x
LDR: %s - failed to initialize TLS slots; status %x
LDR: %s - failed to initialize TLS slots; status %x
LDR: %s - Failed running kernel32 post-import function; status 0xlx
LDR: %s - Failed running kernel32 post-import function; status 0xlx
LDR: %s - Failed running initialization routines; status %x
LDR: %s - Failed running initialization routines; status %x
LDR: %s - failed call to NtOpenSymbolicLinkObject with status %x
LDR: %s - failed call to NtOpenSymbolicLinkObject with status %x
LDR: ***NONFATAL*** %s - call to NtDelayExecution waiting on loader lock failed; ntstatus = %x
LDR: ***NONFATAL*** %s - call to NtDelayExecution waiting on loader lock failed; ntstatus = %x
LDR: %s - Call to NtQueryVirtualMemory failed with ntstaus %x
LDR: %s - Call to NtQueryVirtualMemory failed with ntstaus %x
LDR: %s - call to LdrpInitializeProcess() failed with ntstatus %x
LDR: %s - call to LdrpInitializeProcess() failed with ntstatus %x
because path search required %u bytes
because path search required %u bytes
LDR: %s - NtOpenFile failed; status = %x
LDR: %s - NtOpenFile failed; status = %x
LDR: %s %wZ (%lx)
LDR: %s %wZ (%lx)
LDR: %s call to RtlComputePrivatizedDllName_U() failed with status %lx
LDR: %s call to RtlComputePrivatizedDllName_U() failed with status %lx
LDR: %s calling LdrpCopyUnicodeString() failed; exiting with status %lx
LDR: %s calling LdrpCopyUnicodeString() failed; exiting with status %lx
LDR: %s failed calling LdrpResolveDllNameForAppPrivateRediretion with status %lx
LDR: %s failed calling LdrpResolveDllNameForAppPrivateRediretion with status %lx
LDR: %s failed call to LdrpCopyUnicodeString() in redirected case; status = %lx
LDR: %s failed call to LdrpCopyUnicodeString() in redirected case; status = %lx
LDR: %s - call to RtlDosSearchPath_U failed
LDR: %s - call to RtlDosSearchPath_U failed
LDR: LdrResolveDllName - Failing resolution because found path too long (%u bytes; max is %u bytes)
LDR: LdrResolveDllName - Failing resolution because found path too long (%u bytes; max is %u bytes)
LDR: %s - failed to allocate string for full dll name; length requested: %u
LDR: %s - failed to allocate string for full dll name; length requested: %u
LDR: %s - Required path length required for %ws changed from %lu to %lu; try launching the app again.
LDR: %s - Required path length required for %ws changed from %lu to %lu; try launching the app again.
LDR: %s - failing because RtlFindCharInUnicodeString failed with status %x
LDR: %s - failing because RtlFindCharInUnicodeString failed with status %x
LDR: %s - call back to app compat redirection function @ %p (cb data: %p) failed with status %x
LDR: %s - call back to app compat redirection function @ %p (cb data: %p) failed with status %x
LDR: %s - call to LdrpCheckForKnownDll("%ws", ...) failed with status %x
LDR: %s - call to LdrpCheckForKnownDll("%ws", ...) failed with status %x
LDR: %s - call to LdrpResolveDllName on dll "%ws" failed with status %x
LDR: %s - call to LdrpResolveDllName on dll "%ws" failed with status %x
LDR: Loading (%s, %s) %wZ
LDR: Loading (%s, %s) %wZ
LDR: %s - call to RtlDosPathNameToNtPathName_U on path "%wZ" failed; returning status %x
LDR: %s - call to RtlDosPathNameToNtPathName_U on path "%wZ" failed; returning status %x
LDR: %s - LdrpCreateDllSection (%wZ) failed with status %x
LDR: %s - LdrpCreateDllSection (%wZ) failed with status %x
LDR: %s - failed to map view of section; status = %x
LDR: %s - failed to map view of section; status = %x
LDR: %s - unable to map ViewBase (%p) to image headers; failing with status %x
LDR: %s - unable to map ViewBase (%p) to image headers; failing with status %x
LDR: %s - failed to allocate new data table entry for %p
LDR: %s - failed to allocate new data table entry for %p
[%x,%x] LDR: Failed to map view of section; ntstatus = %x
[%x,%x] LDR: Failed to map view of section; ntstatus = %x
[%x,%x] LDR: %s - NtMapViewOfSection on no reloc needed dll failed with status %x
[%x,%x] LDR: %s - NtMapViewOfSection on no reloc needed dll failed with status %x
LdrpLoadImportModule
LdrpLoadImportModule
LDR: %s - RtlDosApplyFileIsolationRedirection_Ustr failed with status %x
LDR: %s - RtlDosApplyFileIsolationRedirection_Ustr failed with status %x
LDR: %s - LdrpMapDll(%p, %ls, NULL, TRUE, %d, %p) failed with status %x
LDR: %s - LdrpMapDll(%p, %ls, NULL, TRUE, %d, %p) failed with status %x
LDR: %s - LdrpWalkImportDescriptor [dll %ls] failed with status %x
LDR: %s - LdrpWalkImportDescriptor [dll %ls] failed with status %x
LDR: %wZ bound to %s
LDR: %wZ bound to %s
LDR: %wZ failed to load import module %s; status = %x
LDR: %wZ failed to load import module %s; status = %x
LDR: %wZ has correct binding to %s
LDR: %wZ has correct binding to %s
LDR: %wZ has stale binding to %s
LDR: %wZ has stale binding to %s
LDR: %wZ bound to %s via forwarder(s) from %wZ
LDR: %wZ bound to %s via forwarder(s) from %wZ
LDR: LdrpWalkImportTable - failing with STATUS_OBJECT_NAME_INVALID due to no import descriptor name
LDR: LdrpWalkImportTable - failing with STATUS_OBJECT_NAME_INVALID due to no import descriptor name
LDR: Stale Bind %s from %wZ
LDR: Stale Bind %s from %wZ
LDR: LdrpWalkImportTable - LdrpSnapIAT failed with status %x
LDR: LdrpWalkImportTable - LdrpSnapIAT failed with status %x
LDR: %s used by %wZ
LDR: %s used by %wZ
LDR: LdrpWalkImportTable - LdrpLoadImportModule failed on import %s with status %x
LDR: LdrpWalkImportTable - LdrpLoadImportModule failed on import %s with status %x
LDR: Snapping imports for %wZ from %s
LDR: Snapping imports for %wZ from %s
LDR: LdrpWalkImportTable - LdrpSnapIAT #2 failed with status %x
LDR: LdrpWalkImportTable - LdrpSnapIAT #2 failed with status %x
Execute '.cxr %p' to dump context
Execute '.cxr %p' to dump context
RTL: Acquire Shared Sem Timeout %d(%I64u secs)
RTL: Acquire Shared Sem Timeout %d(%I64u secs)
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)
RTL: Convert Exclusive Sem Timeout %d (%I64u secs)
RTL: Convert Exclusive Sem Timeout %d (%I64u secs)
RTL: Enter Critical Section Timeout (%I64u secs) %d
RTL: Enter Critical Section Timeout (%I64u secs) %d
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu
SXS: %s() passed the empty activation context data
SXS: %s() passed the empty activation context data
SXS: %s() called with invalid flags 0xlx
SXS: %s() called with invalid flags 0xlx
SXS: %s() called with invalid cookie type 0xI64x
SXS: %s() called with invalid cookie type 0xI64x
SXS: %s() called with invalid cookie tid 0xI64x - should be lx
SXS: %s() called with invalid cookie tid 0xI64x - should be lx
SXS: %s() Active frame is not the frame being deactivated %p != %p
SXS: %s() Active frame is not the frame being deactivated %p != %p
SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes)
SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes)
SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0xlx.
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0xlx.
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0xlx.
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0xlx.
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.
SXS: String hash table entry at %p has invalid key offset (= %ld)
SXS: String hash table entry at %p has invalid key offset (= %ld)
8SsHdu
8SsHdu
SXS: %s() received invalid non-zero sub-instance index %lu
SXS: %s() received invalid non-zero sub-instance index %lu
SXS: %s() found activation context data at %p with assembly roster that has no root
SXS: %s() found activation context data at %p with assembly roster that has no root
SXS: %s() - Caller passed invalid flags (0xlx)
SXS: %s() - Caller passed invalid flags (0xlx)
SXS: %s() - Caller passed meaningless flags/class combination (0xlx/0xlx)
SXS: %s() - Caller passed meaningless flags/class combination (0xlx/0xlx)
SXS: %s() - caller asked for unknown information class %lu
SXS: %s() - caller asked for unknown information class %lu
SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer
SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer
SXS: %s() - caller supplied no buffer to populate and no place to return required byte count
SXS: %s() - caller supplied no buffer to populate and no place to return required byte count
SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL
SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL
SXS: %s() - Caller passed invalid address, not in any .dll (%p)
SXS: %s() - Caller passed invalid address, not in any .dll (%p)
SXS: %s() - Caller asked to use activation context from hmodule but passed NULL
SXS: %s() - Caller asked to use activation context from hmodule but passed NULL
SXS: %s() - Caller passed invalid hmodule (%p)
SXS: %s() - Caller passed invalid hmodule (%p)
SXS: %s() - caller asked to use active activation context but passed %p
SXS: %s() - caller asked to use active activation context but passed %p
SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu
SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu
SXS: Unable to expand %%SystemRoot%%\WinSxS\ Status = 0x08lx
SXS: Unable to expand %%SystemRoot%%\WinSxS\ Status = 0x08lx
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0xlx
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0xlx
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0xlx
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0xlx
SXS: Unable to open registry key %wZ Status = 0xlx
SXS: Unable to open registry key %wZ Status = 0xlx
SXS: %s() bad parameters:
SXS: %s() bad parameters:
SXS: %s() bad parameters
SXS: %s() bad parameters
SXS: StorageLocation->Length: 0x%x
SXS: StorageLocation->Length: 0x%x
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.
SXS: Attempt to translate DOS path name "%S" to NT format failed
SXS: Attempt to translate DOS path name "%S" to NT format failed
SXS: Unable to open assembly directory under storage root "%S"; Status = 0xlx
SXS: Unable to open assembly directory under storage root "%S"; Status = 0xlx
SXS: %s() passed the empty activation context
SXS: %s() passed the empty activation context
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx
d:\xpsp\base\ntdll\sxsisol.cpp
d:\xpsp\base\ntdll\sxsisol.cpp
rUS.Length PrivatePreallocatedString->MaximumLength
rUS.Length PrivatePreallocatedString->MaximumLength
[%x.%x] SXS: %s - Relative redirection plus env var expansion.
[%x.%x] SXS: %s - Relative redirection plus env var expansion.
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)
%s: %s() failed 0x%lx
%s: %s() failed 0x%lx
%s: OldBase : %p
%s: OldBase : %p
%s: NewBase : %p
%s: NewBase : %p
%s: Diff : 0x%I64x
%s: Diff : 0x%I64x
%s: NextOffset : %p
%s: NextOffset : %p
%s: *NextOffset : 0x%x
%s: *NextOffset : 0x%x
%s: SizeOfBlock : 0x%lx
%s: SizeOfBlock : 0x%lx
Heap missing last entry in committed range near %x
Heap missing last entry in committed range near %x
RTL: Expand variables for %wZ failed - Status == %lx Size %x > %x
RTL: Expand variables for %wZ failed - Status == %lx Size %x > %x
RtlpCallQueryRegistryRoutine: skipping expansion. Status=%x RequiredLength=%x
RtlpCallQueryRegistryRoutine: skipping expansion. Status=%x RequiredLength=%x
RtlpCallQueryRegistryRoutine: skipping environment expansion. ValueLength=%x
RtlpCallQueryRegistryRoutine: skipping environment expansion. ValueLength=%x
RtlQueryRegistryValues: Miscomputed buffer size at line %d
RtlQueryRegistryValues: Miscomputed buffer size at line %d
Invalid heap signature for heap at %x
Invalid heap signature for heap at %x
, passed to %s
, passed to %s
Unable to release memory at %p for %p bytes - Status == %x
Unable to release memory at %p for %p bytes - Status == %x
ProcessHeapsListIndex
ProcessHeapsListIndex
i9\\.\WMIDataDevice
i9\\.\WMIDataDevice
Set 0x%X protection for %p section for %d bytes, old protection 0x%X
Set 0x%X protection for %p section for %d bytes, old protection 0x%X
CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X
CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X
LDR: %s - exception lx caught while copying %u bytes from %p to %p
LDR: %s - exception lx caught while copying %u bytes from %p to %p
Last checkpoint: %s line %d
Last checkpoint: %s line %d
NTDLL: Calling thread (%X) not owner of CritSect: %p Owner ThreadId: %X
NTDLL: Calling thread (%X) not owner of CritSect: %p Owner ThreadId: %X
AVRF: chain: thunk: %s == %s ?
AVRF: chain: thunk: %s == %s ?
AVRF: Found duplicate for (%ws: %s) in %ws
AVRF: Found duplicate for (%ws: %s) in %ws
AVRF: Checking %ws for duplicate (%ws: %s)
AVRF: Checking %ws for duplicate (%ws: %s)
AVRF: Chaining (%ws: %s) to %ws
AVRF: Chaining (%ws: %s) to %ws
AVRF: Unable to unprotect IAT to modify thunks (status X).
AVRF: Unable to unprotect IAT to modify thunks (status X).
AVRF:SilviuC: New thunk for %s is null.
AVRF:SilviuC: New thunk for %s is null.
AVRF: Snapped (%ws: %s) with (%ws: %p).
AVRF: Snapped (%ws: %s) with (%ws: %p).
AVRF: found verified export %s @ %p
AVRF: found verified export %s @ %p
AVRF: failed to enable handle checking (status %X)
AVRF: failed to enable handle checking (status %X)
VERIFIER INTERNAL ERROR %p: pid 0x%X: %s
VERIFIER INTERNAL ERROR %p: pid 0x%X: %s
%p : %s
%p : %s
VERIFIER INTERNAL WARNING %p: pid 0x%X: %s
VERIFIER INTERNAL WARNING %p: pid 0x%X: %s
VERIFIER STOP %p: pid 0x%X: %s
VERIFIER STOP %p: pid 0x%X: %s
Page heap: found %s @ address %p
Page heap: found %s @ address %p
Page heap: detected CRT heap @ %p
Page heap: detected CRT heap @ %p
AVRF: %ws: failed to load provider `%ws' (status X) from %ws
AVRF: %ws: failed to load provider `%ws' (status X) from %ws
AVRF: provider %ws passed an invalid descriptor @ %p
AVRF: provider %ws passed an invalid descriptor @ %p
AVRF: pid 0x%X: found dll descriptor for `%ws' with verified exports
AVRF: pid 0x%X: found dll descriptor for `%ws' with verified exports
Snapped (%ws) operator new ...
Snapped (%ws) operator new ...
Snapped (%ws) operator delete ...
Snapped (%ws) operator delete ...
Snapped (%ws) operator new[] ...
Snapped (%ws) operator new[] ...
Snapped (%ws) operator delete[] ...
Snapped (%ws) operator delete[] ...
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.
SsHd;
SsHd;
SXS: %s() passed string section at %p only %lu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!
SXS: %s() passed string section at %p only %lu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!
SXS: %s() found assembly information section with wrong magic value
SXS: %s() found assembly information section with wrong magic value
SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!
SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!
SXS: %s() passed string section at %p with too small of a header
SXS: %s() passed string section at %p with too small of a header
SXS: %s() found assembly information section with element list overlapping section header
SXS: %s() found assembly information section with element list overlapping section header
SXS: %s() found assembly information section with search structure overlapping section header
SXS: %s() found assembly information section with search structure overlapping section header
SXS: %s() found assembly information section with user data overlapping section header
SXS: %s() found assembly information section with user data overlapping section header
SXS: %s() found assembly information section with user data too small
SXS: %s() found assembly information section with user data too small
SXS: %s() found assembly information section with user data extending beyond section data
SXS: %s() found assembly information section with user data extending beyond section data
SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context
SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context
SXS: %s() received invalid file index (%d) in Assembly (%d)
SXS: %s() received invalid file index (%d) in Assembly (%d)
|SXS: Unable to open storage root subkey %wZ; Status = 0xlx
|SXS: Unable to open storage root subkey %wZ; Status = 0xlx
SXS: Unabel to query location from storage root subkey %wZ; Status = 0xlx
SXS: Unabel to query location from storage root subkey %wZ; Status = 0xlx
*** Assertion failed: %s%s
*** Assertion failed: %s%s
*** %s%s%sSource File: %s, line %ld
*** %s%s%sSource File: %s, line %ld
VirtualQuery Failed 0xx %x
VirtualQuery Failed 0xx %x
VirtualProtect Failed 0xx %x
VirtualProtect Failed 0xx %x
::%hs%u.%u.%u.%u
::%hs%u.%u.%u.%u
::ffff:0:%u.%u.%u.%u
::ffff:0:%u.%u.%u.%u
:%u.%u.%u.%u
:%u.%u.%u.%u
%u.%u.%u.%u
%u.%u.%u.%u
>%u}F
>%u}F
Trace database: failing attempt to save biiiiig trace (size %u)
Trace database: failing attempt to save biiiiig trace (size %u)
*** Unhandled exception 0xlx, hit in %ws:%s
*** Unhandled exception 0xlx, hit in %ws:%s
*** A stack buffer overrun occurred in %ws:%s
*** A stack buffer overrun occurred in %ws:%s
The stack trace should show the guilty function (the function directly above __report_gsfailure).
The stack trace should show the guilty function (the function directly above __report_gsfailure).
*** Resource timeout (%p) in %ws:%s
*** Resource timeout (%p) in %ws:%s
The resource is owned exclusively by thread %x
The resource is owned exclusively by thread %x
The resource is owned shared by %d threads
The resource is owned shared by %d threads
*** Critical Section Timeout (%p) in %ws:%s
*** Critical Section Timeout (%p) in %ws:%s
The critical section is owned by thread %x.
The critical section is owned by thread %x.
*** Inpage error in %ws:%s
*** Inpage error in %ws:%s
This failed because of error %x.
This failed because of error %x.
This means that the I/O device reported an I/O error. Check your hardware.
This means that the I/O device reported an I/O error. Check your hardware.
*** An Access Violation occurred in %ws:%s
*** An Access Violation occurred in %ws:%s
The instruction at %p tried to %s
The instruction at %p tried to %s
*** enter .exr %p for the exception record
*** enter .exr %p for the exception record
*** enter .cxr %p for the context
*** enter .cxr %p for the context
*** Restarting wait on critsec or resource at %p (in %ws:%s)
*** Restarting wait on critsec or resource at %p (in %ws:%s)
.hotp1
.hotp1
I64X: VA64 6I64X -> 6I64X %s
I64X: VA64 6I64X -> 6I64X %s
I64X: PC32 X -> X (target X) %s
I64X: PC32 X -> X (target X) %s
I64X: VA32 X -> X %s
I64X: VA32 X -> X %s
None%s
None%s
Validation failed for global range %u of %u
Validation failed for global range %u of %u
I64X: jmp X (PC X) {
I64X: jmp X (PC X) {
Inserting %u hooks into target image
Inserting %u hooks into target image
Header too large (%u>%u) for copy/normalize/validate
Header too large (%u>%u) for copy/normalize/validate
PAGE_EXECUTE
PAGE_EXECUTE
0xX
0xX
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READ
PAGE_EXECUTE_READ
Page heap: Failed changing VM at X size 0x%X
Page heap: Failed changing VM at X size 0x%X
from %s to %s (Status X)
from %s to %s (Status X)
Exception record (.exr on 1st word, .cxr on 2nd word)
Exception record (.exr on 1st word, .cxr on 2nd word)
Page heap: pid 0x%X: vm limit: vspace: disabling full page heap
Page heap: pid 0x%X: vm limit: vspace: disabling full page heap
Page heap: pid 0x%X: vm limit: pfile: disabling full page heap
Page heap: pid 0x%X: vm limit: pfile: disabling full page heap
Page heap: pid 0x%X: vm limit: reenabling full page heap
Page heap: pid 0x%X: vm limit: reenabling full page heap
Page heap: enabling fault injection for process 0x%X
Page heap: enabling fault injection for process 0x%X
Page heap: assert: (SystemInfo.PageSize == PAGE_SIZE)
Page heap: assert: (SystemInfo.PageSize == PAGE_SIZE)
Page heap: assert: (SystemInfo.AllocationGranularity == VM_UNIT_SIZE)
Page heap: assert: (SystemInfo.AllocationGranularity == VM_UNIT_SIZE)
HEAP %p (Seg %p) At %p Error: %s
HEAP %p (Seg %p) At %p Error: %s
Heap %x - headers modified (%x is %x instead of %x)
Heap %x - headers modified (%x is %x instead of %x)
This is located in the %s field of the heap header.
This is located in the %s field of the heap header.
Heap block at %p is not last block in segment (%x)
Heap block at %p is not last block in segment (%x)
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)
Heap entry %p is beyond uncommited range [%x .. %x)
Heap entry %p is beyond uncommited range [%x .. %x)
Heap entry %p has incorrect PreviousSize field (x instead of x)
Heap entry %p has incorrect PreviousSize field (x instead of x)
Heap block at %p has incorrect segment index (%x)
Heap block at %p has incorrect segment index (%x)
Heap block at %p does not match address of next uncommitted address (%x)
Heap block at %p does not match address of next uncommitted address (%x)
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)
Invalid Address specified to %s( %p, %p )
Invalid Address specified to %s( %p, %p )
dedicated (x) free list empty but marked as non-empty
dedicated (x) free list empty but marked as non-empty
dedicated (x) free list non-empty but marked as empty
dedicated (x) free list non-empty but marked as empty
dedicated (x) free list element %p is marked busy
dedicated (x) free list element %p is marked busy
Dedicated (x) free list element %p is wrong size (x)
Dedicated (x) free list element %p is wrong size (x)
Non-Dedicated free list element %p with too small size (x)
Non-Dedicated free list element %p with too small size (x)
Pseudo Tag x size incorrect (%x != %x) %x
Pseudo Tag x size incorrect (%x != %x) %x
Tag x (%ws) size incorrect (%x != %x) %x
Tag x (%ws) size incorrect (%x != %x) %x
May not destroy the process heap at %x
May not destroy the process heap at %x
Just allocated block at %p for 0x%x bytes
Just allocated block at %p for 0x%x bytes
Just allocated block at %p for 0x%x bytes with tag %ws
Just allocated block at %p for 0x%x bytes with tag %ws
Invalid allocation size - %p (exceeded %x)
Invalid allocation size - %p (exceeded %x)
About to reallocate block at %p to 0x%x bytes
About to reallocate block at %p to 0x%x bytes
About to rellocate block at %p to 0x%x bytes with tag %ws
About to rellocate block at %p to 0x%x bytes with tag %ws
Just reallocated block at %p to 0x%x bytes
Just reallocated block at %p to 0x%x bytes
Just reallocated block at %p to 0x%x bytes with tag %ws
Just reallocated block at %p to 0x%x bytes with tag %ws
ntdll.pdb
ntdll.pdb
: :$:(:,:
: :$:(:,:
2-3}6
2-3}6
:&: :6:?:
:&: :6:?:
3 3(3.343]3
3 3(3.343]3
5_5P5
5_5P5
2#3 3;3^3|3
2#3 3;3^3|3
1(1/161@1
1(1/161@1
5 5$505?6
5 5$505?6
&0\00181
&0\00181
\\.\CON
\\.\CON
{lx-x-x-xx-xxxxxx}
{lx-x-x-xx-xxxxxx}
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
kernel32.dll
kernel32.dll
user32.dll
user32.dll
.Local\
.Local\
%SystemRoot%\WinSxS\
%SystemRoot%\WinSxS\
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
.Local
.Local
ApiPort
ApiPort
!CSRPORT
!CSRPORT
CSRPORT!
CSRPORT!
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\User\.Default
\Registry\User\.Default
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
\bootstat.dat
\bootstat.dat
\system32\mscoree.dll
\system32\mscoree.dll
mscoree.dll
mscoree.dll
DebugProcessHeapOnly
DebugProcessHeapOnly
\WindowsSS
\WindowsSS
%%%u!%s!
%%%u!%s!
\\?\UNC\
\\?\UNC\
\\?\UNC
\\?\UNC
ADVAPI32.DLL
ADVAPI32.DLL
"/\[]:| =;,?*
"/\[]:| =;,?*
Objects>%4u
Objects>%4u
Objects=%4u
Objects=%4u
verifier.dll
verifier.dll
msvcrt.dll
msvcrt.dll
ole32.dll
ole32.dll
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
\system32\kernel32.dll
\system32\kernel32.dll
%s_%d
%s_%d
lX-X-X-XX-XXXXXX
lX-X-X-XX-XXXXXX
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
%ws\%u
%ws\%u
\Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port %d\Scsi Bus %d\Target ID %d\Logical Unit Id %d
\Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port %d\Scsi Bus %d\Target ID %d\Logical Unit Id %d
\Device\Harddisk%d\Partition0
\Device\Harddisk%d\Partition0
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
The operation that was requested is pending completion.
The operation that was requested is pending completion.
An open/create operation completed while an oplock break is underway.
An open/create operation completed while an oplock break is underway.
{Connect Failure on Primary Transport}
{Connect Failure on Primary Transport}
An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.
An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.
The computer WAS able to connect on a secondary transport.
The computer WAS able to connect on a secondary transport.
Cached page was locked during operation.
Cached page was locked during operation.
An operation is blocked waiting for an oplock.
An operation is blocked waiting for an oplock.
{Local Session Key}
{Local Session Key}
A user session key was requested for a local RPC connection. The session key returned is a constant value and not unique to this connection.
A user session key was requested for a local RPC connection. The session key returned is a constant value and not unique to this connection.
A serial I/O operation was completed by another write to a serial port.
A serial I/O operation was completed by another write to a serial port.
A serial I/O operation completed because the time-out period expired.
A serial I/O operation completed because the time-out period expired.
{Password Too Complex}
{Password Too Complex}
The Windows password is too complex to be converted to a LAN Manager password.
The Windows password is too complex to be converted to a LAN Manager password.
The LAN Manager password returned is a NULL string.
The LAN Manager password returned is a NULL string.
The network transport returned partial data to its client. The remaining data will be sent later.
The network transport returned partial data to its client. The remaining data will be sent later.
The network transport returned data to its client that was marked as expedited by the remote system.
The network transport returned data to its client that was marked as expedited by the remote system.
The network transport returned partial data to its client and this data was marked as expedited by the remote system. The remaining data will be sent later.
The network transport returned partial data to its client and this data was marked as expedited by the remote system. The remaining data will be sent later.
The specified registry key is referenced by a predefined handle.
The specified registry key is referenced by a predefined handle.
A yield execution was performed and no thread was available to run.
A yield execution was performed and no thread was available to run.
The operating system will currently accept only 16-bit (R2) pc-cards on this controller.
The operating system will currently accept only 16-bit (R2) pc-cards on this controller.
The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact
The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact
the CPU manufacturer to see if this mix of processors is supported.
the CPU manufacturer to see if this mix of processors is supported.
A single step or trace operation has just been completed.
A single step or trace operation has just been completed.
Handles to objects have been automatically closed as a result of the requested operation.
Handles to objects have been automatically closed as a result of the requested operation.
During the translation of a global identifier (GUID) to a Windows security ID (SID), no administratively-defined GUID prefix was found.
During the translation of a global identifier (GUID) to a Windows security ID (SID), no administratively-defined GUID prefix was found.
The media has changed and a verify operation is in progress so no reads or writes may be performed to the device, except those used in the verify operation.
The media has changed and a verify operation is in progress so no reads or writes may be performed to the device, except those used in the verify operation.
No more entries are available from an enumeration operation.
No more entries are available from an enumeration operation.
A long jump has been executed.
A long jump has been executed.
The Plug and Play query operation was not successful.
The Plug and Play query operation was not successful.
A frame consolidation has been executed.
A frame consolidation has been executed.
The device has indicated that it's door is open. Further operations require it closed and secured.
The device has indicated that it's door is open. Further operations require it closed and secured.
{Operation Failed}
{Operation Failed}
The requested operation was unsuccessful.
The requested operation was unsuccessful.
The requested operation is not implemented.
The requested operation is not implemented.
The instruction at "0xlx" referenced memory at "0xlx". The memory could not be "%s".
The instruction at "0xlx" referenced memory at "0xlx". The memory could not be "%s".
An invalid parameter was passed to a service or function.
An invalid parameter was passed to a service or function.
The specified request is not a valid operation for the target device.
The specified request is not a valid operation for the target device.
The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
Not enough virtual memory or paging file quota is available to complete the specified operation.
Not enough virtual memory or paging file quota is available to complete the specified operation.
An attempt was made to execute an illegal instruction.
An attempt was made to execute an illegal instruction.
An attempt was made to execute an invalid lock sequence.
An attempt was made to execute an invalid lock sequence.
There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request.
There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request.
Windows cannot continue from this exception.
Windows cannot continue from this exception.
An invalid or unaligned stack was encountered during an unwind operation.
An invalid or unaligned stack was encountered during an unwind operation.
An invalid unwind target was encountered during an unwind operation.
An invalid unwind target was encountered during an unwind operation.
Device parity error on I/O operation.
Device parity error on I/O operation.
Invalid Object Attributes specified to NtCreatePort or invalid Port Attributes specified to NtConnectPort
Invalid Object Attributes specified to NtCreatePort or invalid Port Attributes specified to NtConnectPort
Length of message passed to NtRequestPort or NtRequestWaitReplyPort was longer than the maximum message allowed by the port.
Length of message passed to NtRequestPort or NtRequestWaitReplyPort was longer than the maximum message allowed by the port.
Attempt to send a message to a disconnected communication port.
Attempt to send a message to a disconnected communication port.
The NtConnectPort request is refused.
The NtConnectPort request is refused.
The type of port handle is invalid for the operation requested.
The type of port handle is invalid for the operation requested.
Insufficient quota exists to complete the operation
Insufficient quota exists to complete the operation
An attempt to set a processes DebugPort or ExceptionPort was made, but a port already exists in the process.
An attempt to set a processes DebugPort or ExceptionPort was made, but a port already exists in the process.
An operation involving EAs failed because the file system does not support EAs.
An operation involving EAs failed because the file system does not support EAs.
An EA operation failed because EA set is too large.
An EA operation failed because EA set is too large.
An EA operation failed because the name or EA index is invalid.
An EA operation failed because the name or EA index is invalid.
A non close operation has been requested of a file object with a delete pending.
A non close operation has been requested of a file object with a delete pending.
An attempt was made to set the control attribute on a file. This attribute is not supported in the target file system.
An attempt was made to set the control attribute on a file. This attribute is not supported in the target file system.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
Indicates the requested operation would disable or delete the last remaining administration account.
Indicates the requested operation would disable or delete the last remaining administration account.
When trying to update a password, this return status indicates that the value provided as the current password is not correct.
When trying to update a password, this return status indicates that the value provided as the current password is not correct.
When trying to update a password, this return status indicates that the value provided for the new password contains values that are not allowed in passwords.
When trying to update a password, this return status indicates that the value provided for the new password contains values that are not allowed in passwords.
When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.
When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.
The user account's password has expired.
The user account's password has expired.
The application or DLL %hs is not a valid Windows image. Please check this against your installation diskette.
The application or DLL %hs is not a valid Windows image. Please check this against your installation diskette.
An operation failed because the disk was full.
An operation failed because the disk was full.
Floating-point denormal operand.
Floating-point denormal operand.
Floating-point invalid operation.
Floating-point invalid operation.
An attempt was made to install more paging files than the system supports.
An attempt was made to install more paging files than the system supports.
An attempt was made to execute an instruction at an unaligned address and the host system does not support unaligned instruction references.
An attempt was made to execute an instruction at an unaligned address and the host system does not support unaligned instruction references.
The maximum named pipe instance count has been reached.
The maximum named pipe instance count has been reached.
An instance of a named pipe cannot be found in the listening state.
An instance of a named pipe cannot be found in the listening state.
The named pipe is not in the connected or closing state.
The named pipe is not in the connected or closing state.
The specified pipe is set to complete operations and there are current I/O operations queued so it cannot be changed to queue operations.
The specified pipe is set to complete operations and there are current I/O operations queued so it cannot be changed to queue operations.
The specified handle is not open to the server end of the named pipe.
The specified handle is not open to the server end of the named pipe.
The specified named pipe is in the disconnected state.
The specified named pipe is in the disconnected state.
The specified named pipe is in the closing state.
The specified named pipe is in the closing state.
The specified named pipe is in the connected state.
The specified named pipe is in the connected state.
The specified named pipe is in the listening state.
The specified named pipe is in the listening state.
The specified named pipe is not in message mode.
The specified named pipe is not in message mode.
The specified I/O operation on %hs was not completed before the time-out period expired.
The specified I/O operation on %hs was not completed before the time-out period expired.
The passed ACL did not contain the minimum required information.
The passed ACL did not contain the minimum required information.
The request is not supported.
The request is not supported.
Indicates an attempt was made to operate on the security of an object that does not have security associated with it.
Indicates an attempt was made to operate on the security of an object that does not have security associated with it.
Used to indicate that an operation cannot continue without blocking for I/O.
Used to indicate that an operation cannot continue without blocking for I/O.
Used to indicate that a read operation was done on an empty pipe.
Used to indicate that a read operation was done on an empty pipe.
Indicates the Sam Server was in the wrong state to perform the desired operation.
Indicates the Sam Server was in the wrong state to perform the desired operation.
Indicates the Domain was in the wrong state to perform the desired operation.
Indicates the Domain was in the wrong state to perform the desired operation.
This operation is only allowed for the Primary Domain Controller of the domain.
This operation is only allowed for the Primary Domain Controller of the domain.
This error indicates that the requested operation cannot be completed due to a catastrophic media failure or on-disk data structure corruption.
This error indicates that the requested operation cannot be completed due to a catastrophic media failure or on-disk data structure corruption.
An invalid parameter was passed to a service or function as the first argument.
An invalid parameter was passed to a service or function as the first argument.
An invalid parameter was passed to a service or function as the second argument.
An invalid parameter was passed to a service or function as the second argument.
An invalid parameter was passed to a service or function as the third argument.
An invalid parameter was passed to a service or function as the third argument.
An invalid parameter was passed to a service or function as the fourth argument.
An invalid parameter was passed to a service or function as the fourth argument.
An invalid parameter was passed to a service or function as the fifth argument.
An invalid parameter was passed to a service or function as the fifth argument.
An invalid parameter was passed to a service or function as the sixth argument.
An invalid parameter was passed to a service or function as the sixth argument.
An invalid parameter was passed to a service or function as the seventh argument.
An invalid parameter was passed to a service or function as the seventh argument.
An invalid parameter was passed to a service or function as the eighth argument.
An invalid parameter was passed to a service or function as the eighth argument.
An invalid parameter was passed to a service or function as the ninth argument.
An invalid parameter was passed to a service or function as the ninth argument.
An invalid parameter was passed to a service or function as the tenth argument.
An invalid parameter was passed to a service or function as the tenth argument.
An invalid parameter was passed to a service or function as the eleventh argument.
An invalid parameter was passed to a service or function as the eleventh argument.
An invalid parameter was passed to a service or function as the twelfth argument.
An invalid parameter was passed to a service or function as the twelfth argument.
A malformed function table was encountered during an unwind operation.
A malformed function table was encountered during an unwind operation.
The logon session is not in a state that is consistent with the requested operation.
The logon session is not in a state that is consistent with the requested operation.
Indicates that an attempt has been made to impersonate via a named pipe that has not yet been read from.
Indicates that an attempt has been made to impersonate via a named pipe that has not yet been read from.
Indicates that the transaction state of a registry sub-tree is incompatible with the requested operation.
Indicates that the transaction state of a registry sub-tree is incompatible with the requested operation.
This error should only be returned by the Windows redirector on a remote drive.
This error should only be returned by the Windows redirector on a remote drive.
Indicates an operation has been attempted on a built-in (special) SAM account which is incompatible with built-in accounts.
Indicates an operation has been attempted on a built-in (special) SAM account which is incompatible with built-in accounts.
The operation requested may not be performed on the specified group because it is a built-in special group.
The operation requested may not be performed on the specified group because it is a built-in special group.
The operation requested may not be performed on the specified user because it is a built-in special user.
The operation requested may not be performed on the specified user because it is a built-in special user.
An I/O request other than close and several other special case operations was attempted using a file object that had already been closed.
An I/O request other than close and several other special case operations was attempted using a file object that had already been closed.
An attempt was made to operate on a thread within a specific process, but the thread specified is not in the process specified.
An attempt was made to operate on a thread within a specific process, but the thread specified is not in the process specified.
Your system is low on virtual memory. To ensure that Windows runs properly, increase the size of your virtual memory paging file. For more information, see Help.
Your system is low on virtual memory. To ensure that Windows runs properly, increase the size of your virtual memory paging file. For more information, see Help.
The specified image file did not have the correct format, it appears to be a 16-bit Windows image.
The specified image file did not have the correct format, it appears to be a 16-bit Windows image.
The SAM database on a Windows Server is significantly out of synchronization with the copy on the Domain Controller. A complete synchronization is required.
The SAM database on a Windows Server is significantly out of synchronization with the copy on the Domain Controller. A complete synchronization is required.
The NtCreateFile API failed. This error should never be returned to an application, it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.
The NtCreateFile API failed. This error should never be returned to an application, it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.
The network transport on your computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on your computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on a remote computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on a remote computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on your computer has closed a network connection because it had to wait too long for a response from the remote computer.
The network transport on your computer has closed a network connection because it had to wait too long for a response from the remote computer.
The connection handle given to the transport was invalid.
The connection handle given to the transport was invalid.
The address handle given to the transport was invalid.
The address handle given to the transport was invalid.
The exception %s (0xlx) occurred in the application at location 0xlx.
The exception %s (0xlx) occurred in the application at location 0xlx.
An invalid level was passed into the specified system call.
An invalid level was passed into the specified system call.
{Incorrect Password to LAN Manager Server}
{Incorrect Password to LAN Manager Server}
You specified an incorrect password to a LAN Manager 2.x or MS-NET server.
You specified an incorrect password to a LAN Manager 2.x or MS-NET server.
The pipe operation has failed because the other end of the pipe has been closed.
The pipe operation has failed because the other end of the pipe has been closed.
An I/O operation initiated by the Registry failed unrecoverably.
An I/O operation initiated by the Registry failed unrecoverably.
An event pair synchronization operation was performed using the thread specific client/server event pair object, but no event pair object was associated with the thread.
An event pair synchronization operation was performed using the thread specific client/server event pair object, but no event pair object was associated with the thread.
The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The length of a secret exceeds the maximum length allowed. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The length of a secret exceeds the maximum length allowed. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The requested operation cannot be performed in fullscreen mode.
The requested operation cannot be performed in fullscreen mode.
An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password.
An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password.
A Windows Server has an incorrect configuration.
A Windows Server has an incorrect configuration.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a disk operation failed even after retries.
While accessing the hard disk, a disk operation failed even after retries.
Two concurrent opens of devices that share an IRQ and only work via interrupts is not supported for the particular bus type that the devices use.
Two concurrent opens of devices that share an IRQ and only work via interrupts is not supported for the particular bus type that the devices use.
Illegal operation attempted on a registry key which has been marked for deletion.
Illegal operation attempted on a registry key which has been marked for deletion.
An attempt was made to change a user password in the security account manager without providing the necessary LM cross-encrypted password.
An attempt was made to change a user password in the security account manager without providing the necessary LM cross-encrypted password.
An attempt was made to create a symbolic link in a registry key that already has subkeys or values.
An attempt was made to create a symbolic link in a registry key that already has subkeys or values.
An attempt was made to create a Stable subkey under a Volatile parent key.
An attempt was made to create a Stable subkey under a Volatile parent key.
The I/O device reported an I/O error.
The I/O device reported an I/O error.
Log file space is insufficient to support this operation.
Log file space is insufficient to support this operation.
A write operation was attempted to a volume after it was dismounted.
A write operation was attempted to a volume after it was dismounted.
The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
There is no user session key for the specified logon session.
There is no user session key for the specified logon session.
The size of the buffer is invalid for the specified operation.
The size of the buffer is invalid for the specified operation.
The transport rejected the network address specified as invalid.
The transport rejected the network address specified as invalid.
The transport rejected the network address specified due to an invalid use of a wildcard.
The transport rejected the network address specified due to an invalid use of a wildcard.
The transport address could not be opened because all the available addresses are in use.
The transport address could not be opened because all the available addresses are in use.
The transport address could not be opened because it already exists.
The transport address could not be opened because it already exists.
The transport address is now closed.
The transport address is now closed.
The transport connection is now disconnected.
The transport connection is now disconnected.
The transport connection has been reset.
The transport connection has been reset.
The transport cannot dynamically acquire any more nodes.
The transport cannot dynamically acquire any more nodes.
The transport aborted a pending transaction.
The transport aborted a pending transaction.
The transport timed out a request waiting for a response.
The transport timed out a request waiting for a response.
The transport did not receive a release for a pending response.
The transport did not receive a release for a pending response.
The transport did not find a transaction matching the specific
The transport did not find a transaction matching the specific
The transport had previously responded to a transaction request.
The transport had previously responded to a transaction request.
The transport does not recognized the transaction request identifier specified.
The transport does not recognized the transaction request identifier specified.
The transport does not recognize the transaction request type specified.
The transport does not recognize the transaction request type specified.
The transport can only process the specified request on the server side of a session.
The transport can only process the specified request on the server side of a session.
The transport can only process the specified request on the client side of a session.
The transport can only process the specified request on the client side of a session.
The %hs system process terminated unexpectedly with a status of 0xx (0xx 0xx).
The %hs system process terminated unexpectedly with a status of 0xx (0xx 0xx).
Windows was unable to save all the data for the file %hs. The data has been lost.
Windows was unable to save all the data for the file %hs. The data has been lost.
The parameter(s) passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.
The parameter(s) passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.
The user's password must be changed before logging on the first time.
The user's password must be changed before logging on the first time.
Internal OFS status codes indicating how an allocation operation is handled. Either it is retried after the containing onode is moved or the extent stream is converted to a large stream.
Internal OFS status codes indicating how an allocation operation is handled. Either it is retried after the containing onode is moved or the extent stream is converted to a large stream.
The attempt to find the object found an object matching by ID on the volume but it is out of the scope of the handle used for the operation.
The attempt to find the object found an object matching by ID on the volume but it is out of the scope of the handle used for the operation.
The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
The transport connection attempt was refused by the remote system.
The transport connection attempt was refused by the remote system.
The transport connection was gracefully closed.
The transport connection was gracefully closed.
The transport endpoint already has an address associated with it.
The transport endpoint already has an address associated with it.
An address has not yet been associated with the transport endpoint.
An address has not yet been associated with the transport endpoint.
An operation was attempted on a nonexistent transport connection.
An operation was attempted on a nonexistent transport connection.
An invalid operation was attempted on an active transport connection.
An invalid operation was attempted on an active transport connection.
The remote network is not reachable by the transport.
The remote network is not reachable by the transport.
The remote system is not reachable by the transport.
The remote system is not reachable by the transport.
The remote system does not support the transport protocol.
The remote system does not support the transport protocol.
No service is operating at the destination port of the transport on the remote system.
No service is operating at the destination port of the transport on the remote system.
The transport connection was aborted by the local system.
The transport connection was aborted by the local system.
The requested operation cannot be performed on a file with a user mapped section open.
The requested operation cannot be performed on a file with a user mapped section open.
Attempting to login during an unauthorized time of day for this account.
Attempting to login during an unauthorized time of day for this account.
The account is not authorized to login from this station.
The account is not authorized to login from this station.
The entrypoint should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO may cause the application to operate incorrectly.
The entrypoint should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO may cause the application to operate incorrectly.
The callback entrypoint should be declared as WINAPI or STDCALL. Selecting OK will cause the service to continue operation. However, the service process may operate incorrectly.
The callback entrypoint should be declared as WINAPI or STDCALL. Selecting OK will cause the service to continue operation. However, the service process may operate incorrectly.
The contacted server does not support the indicated part of the DFS namespace.
The contacted server does not support the indicated part of the DFS namespace.
A callback return system service cannot be executed when no callback is active.
A callback return system service cannot be executed when no callback is active.
The password provided is too short to meet the policy of your user account.
The password provided is too short to meet the policy of your user account.
Please choose a longer password.
Please choose a longer password.
The policy of your user account does not allow you to change passwords too frequently.
The policy of your user account does not allow you to change passwords too frequently.
This is done to prevent users from changing back to a familiar, but potentially discovered, password.
This is done to prevent users from changing back to a familiar, but potentially discovered, password.
If you feel your password has been compromised then please contact your administrator immediately to have a new one assigned.
If you feel your password has been compromised then please contact your administrator immediately to have a new one assigned.
You have attempted to change your password to one that you have used in the past.
You have attempted to change your password to one that you have used in the past.
The policy of your user account does not allow this. Please select a password that you have not previously used.
The policy of your user account does not allow this. Please select a password that you have not previously used.
The specified compression format is unsupported.
The specified compression format is unsupported.
An attempt was made to create more links on a file than the file system supports.
An attempt was made to create more links on a file than the file system supports.
{Windows Evaluation Notification}
{Windows Evaluation Notification}
The evaluation period for this installation of Windows has expired. This system will shutdown in 1 hour. To restore access to this installation of Windows, please upgrade this installation using a licensed distribution of this product.
The evaluation period for this installation of Windows has expired. This system will shutdown in 1 hour. To restore access to this installation of Windows, please upgrade this installation using a licensed distribution of this product.
The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.
The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.
Error Status was 0x%x
Error Status was 0x%x
An operation was attempted to a volume after it was dismounted.
An operation was attempted to a volume after it was dismounted.
There was no match for the specified key in the index.
There was no match for the specified key in the index.
The Windows I/O reparse tag passed for the NTFS reparse point is invalid.
The Windows I/O reparse tag passed for the NTFS reparse point is invalid.
The Windows I/O reparse tag does not match the one present in the NTFS reparse point.
The Windows I/O reparse tag does not match the one present in the NTFS reparse point.
The user data passed for the NTFS reparse point is invalid.
The user data passed for the NTFS reparse point is invalid.
There are no EFS keys defined for the user.
There are no EFS keys defined for the user.
The specified file is not in the defined EFS export format.
The specified file is not in the defined EFS export format.
The guid passed was not recognized as valid by a WMI data provider.
The guid passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The data item id passed was not recognized as valid by a WMI data provider.
The data item id passed was not recognized as valid by a WMI data provider.
The remote storage service is not operational at this time.
The remote storage service is not operational at this time.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The directory service can perform the requested operation only on a leaf object.
The directory service can perform the requested operation only on a leaf object.
The directory service cannot perform the requested operation on the Relatively Defined Name (RDN) attribute of an object.
The directory service cannot perform the requested operation on the Relatively Defined Name (RDN) attribute of an object.
An error occurred while performing a cross domain move operation.
An error occurred while performing a cross domain move operation.
The requested operation requires a directory service, and none was available.
The requested operation requires a directory service, and none was available.
The requested interface is not supported.
The requested interface is not supported.
The driver %hs does not support standby mode. Updating this driver may allow the system to go to standby mode.
The driver %hs does not support standby mode. Updating this driver may allow the system to go to standby mode.
Mutual Authentication failed. The server's password is out of date at the domain controller.
Mutual Authentication failed. The server's password is out of date at the domain controller.
Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file.
Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file.
The medium changer's transport element contains media, which is causing the operation to fail.
The medium changer's transport element contains media, which is causing the operation to fail.
Error Status: 0x%x.
Error Status: 0x%x.
This operation is supported only when you are connected to the server.
This operation is supported only when you are connected to the server.
The system image %s is not properly signed.
The system image %s is not properly signed.
Current device power state cannot support this request.
Current device power state cannot support this request.
The WMI operation is not supported by the data block or method.
The WMI operation is not supported by the data block or method.
There is not enough power to complete the requested operation.
There is not enough power to complete the requested operation.
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot key from floppy disk.
Security Account Manager needs to get the boot key from floppy disk.
The requested operation can be performed only on a global catalog server.
The requested operation can be performed only on a global catalog server.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
This operation can not be performed on the current domain.
This operation can not be performed on the current domain.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The client cert name does not matches the user name or the KDC name is incorrect.
The client cert name does not matches the user name or the KDC name is incorrect.
The encryption type requested is not supported by the KDC.
The encryption type requested is not supported by the KDC.
This operation is not supported on a Microsoft Small Business Server
This operation is not supported on a Microsoft Small Business Server
The Master File Table on the volume is too fragmented to complete this operation.
The Master File Table on the volume is too fragmented to complete this operation.
Copy protection error - The given sector does not contain a valid key.
Copy protection error - The given sector does not contain a valid key.
Copy protection error - DVD session key not established.
Copy protection error - DVD session key not established.
The kerberos protocol encountered an error while validating the KDC certificate during smartcard Logon
The kerberos protocol encountered an error while validating the KDC certificate during smartcard Logon
The transport determined that the remote system is down.
The transport determined that the remote system is down.
An unsupported preauthentication mechanism was presented to the kerberos package.
An unsupported preauthentication mechanism was presented to the kerberos package.
The encryption algorithm used on the source file needs a bigger key buffer than the one used on the destination file.
The encryption algorithm used on the source file needs a bigger key buffer than the one used on the destination file.
An attempt to remove a processes DebugPort was made, but a port was not already associated with the process.
An attempt to remove a processes DebugPort was made, but a port was not already associated with the process.
An attempt to do an operation on a debug port failed because the port is in the process of being deleted.
An attempt to do an operation on a debug port failed because the port is in the process of being deleted.
This version of Windows is not compatible with the behavior version of directory forest, domain or domain controller.
This version of Windows is not compatible with the behavior version of directory forest, domain or domain controller.
The specified image file did not have the correct format, it appears to be a 32-bit Windows image.
The specified image file did not have the correct format, it appears to be a 32-bit Windows image.
The specified image file did not have the correct format, it appears to be a 64-bit Windows image.
The specified image file did not have the correct format, it appears to be a 64-bit Windows image.
The SID filtering operation removed all SIDs.
The SID filtering operation removed all SIDs.
The create operation failed because the name contained at least one mount point which resolves to a volume to which the specified device object is not attached.
The create operation failed because the name contained at least one mount point which resolves to a volume to which the specified device object is not attached.
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
The requested key container does not exist on the smart card
The requested key container does not exist on the smart card
The requested certificate does not exist on the smart card
The requested certificate does not exist on the smart card
The requested keyset does not exist
The requested keyset does not exist
The smartcard certificate used for authentication has been revoked.
The smartcard certificate used for authentication has been revoked.
An untrusted certificate authority was detected While processing the
An untrusted certificate authority was detected While processing the
smartcard certificate used for authentication. Please contact your system
smartcard certificate used for authentication. Please contact your system
The revocation status of the smartcard certificate used for
The revocation status of the smartcard certificate used for
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication has expired. Please
The smartcard certificate used for authentication has expired. Please
The RPC protocol sequence is not supported.
The RPC protocol sequence is not supported.
Not enough resources are available to complete this operation.
Not enough resources are available to complete this operation.
The RPC server is too busy to complete this operation.
The RPC server is too busy to complete this operation.
The remote procedure call failed and did not execute.
The remote procedure call failed and did not execute.
The transfer syntax is not supported by the RPC server.
The transfer syntax is not supported by the RPC server.
The type UUID is not supported.
The type UUID is not supported.
The name syntax is not supported.
The name syntax is not supported.
The operation cannot be performed.
The operation cannot be performed.
No interfaces have been exported.
No interfaces have been exported.
There is nothing to unexport.
There is nothing to unexport.
The requested operation is not supported.
The requested operation is not supported.
A floating point operation at the RPC server caused a divide by zero.
A floating point operation at the RPC server caused a divide by zero.
The requested authentication level is not supported.
The requested authentication level is not supported.
The error specified is not a valid Windows RPC error code.
The error specified is not a valid Windows RPC error code.
Invalid asynchronous RPC call handle for this operation.
Invalid asynchronous RPC call handle for this operation.
A null context handle is passed as an [in] parameter.
A null context handle is passed as an [in] parameter.
The binding handles passed to a remote procedure call do not match.
The binding handles passed to a remote procedure call do not match.
A null reference pointer was passed to the stub.
A null reference pointer was passed to the stub.
Invalid operation on the encoding/decoding handle.
Invalid operation on the encoding/decoding handle.
The RPC pipe object is invalid or corrupted.
The RPC pipe object is invalid or corrupted.
An invalid operation was attempted on an RPC pipe object.
An invalid operation was attempted on an RPC pipe object.
Unsupported RPC pipe version.
Unsupported RPC pipe version.
The RPC pipe object has already been closed.
The RPC pipe object has already been closed.
The RPC call completed before all pipes were processed.
The RPC call completed before all pipes were processed.
No more data is available from the RPC pipe.
No more data is available from the RPC pipe.
A close operation is pending on the Terminal Connection.
A close operation is pending on the Terminal Connection.
The MODEM.INF file was not found.
The MODEM.INF file was not found.
The modem (%1) was not found in MODEM.INF.
The modem (%1) was not found in MODEM.INF.
Transport driver error
Transport driver error
The requested operation cannot be completed because the Terminal Connection is currently busy processing a connect, disconnect, reset, or delete operation.
The requested operation cannot be completed because the Terminal Connection is currently busy processing a connect, disconnect, reset, or delete operation.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
DOS graphics mode is not supported.
DOS graphics mode is not supported.
The requested operation can be performed only on the system console.
The requested operation can be performed only on the system console.
Disconnecting the console session is not supported.
Disconnecting the console session is not supported.
Reconnecting a disconnected session to the console is not supported.
Reconnecting a disconnected session to the console is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
A node is in the process of joining the cluster.
A node is in the process of joining the cluster.
A cluster join operation is not in progress.
A cluster join operation is not in progress.
Windows was not able to process the application binding information.
Windows was not able to process the application binding information.
The requested lookup key was not found in any active activation context.
The requested lookup key was not found in any active activation context.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
The activation context being deactivated is not active for the current thread of execution.
The activation context being deactivated is not active for the current thread of execution.
%original file name%.exe_508_rwx_00D00000_00092000:
ImmProcessKey
ImmProcessKey
USER32.dll
USER32.dll
ActivateKeyboardLayout
ActivateKeyboardLayout
ArrangeIconicWindows
ArrangeIconicWindows
CallMsgFilter
CallMsgFilter
CallMsgFilterA
CallMsgFilterA
CallMsgFilterW
CallMsgFilterW
CascadeChildWindows
CascadeChildWindows
CascadeWindows
CascadeWindows
CliImmSetHotKey
CliImmSetHotKey
CloseWindowStation
CloseWindowStation
CreateDialogIndirectParamA
CreateDialogIndirectParamA
CreateDialogIndirectParamAorW
CreateDialogIndirectParamAorW
CreateDialogIndirectParamW
CreateDialogIndirectParamW
CreateWindowStationA
CreateWindowStationA
CreateWindowStationW
CreateWindowStationW
DisableProcessWindowsGhosting
DisableProcessWindowsGhosting
DisplayExitWindowsWarnings
DisplayExitWindowsWarnings
EnumChildWindows
EnumChildWindows
EnumDesktopWindows
EnumDesktopWindows
EnumThreadWindows
EnumThreadWindows
EnumWindowStationsA
EnumWindowStationsA
EnumWindowStationsW
EnumWindowStationsW
EnumWindows
EnumWindows
ExitWindowsEx
ExitWindowsEx
GetAsyncKeyState
GetAsyncKeyState
GetKeyNameTextA
GetKeyNameTextA
GetKeyNameTextW
GetKeyNameTextW
GetKeyState
GetKeyState
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
GetKeyboardLayoutNameW
GetKeyboardState
GetKeyboardState
GetKeyboardType
GetKeyboardType
GetProcessWindowStation
GetProcessWindowStation
LoadKeyboardLayoutA
LoadKeyboardLayoutA
LoadKeyboardLayoutEx
LoadKeyboardLayoutEx
LoadKeyboardLayoutW
LoadKeyboardLayoutW
LockWindowStation
LockWindowStation
MapVirtualKeyA
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExA
MapVirtualKeyExW
MapVirtualKeyExW
MapVirtualKeyW
MapVirtualKeyW
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjectsEx
OemKeyScan
OemKeyScan
OpenWindowStationA
OpenWindowStationA
OpenWindowStationW
OpenWindowStationW
RegisterHotKey
RegisterHotKey
SetConsoleReserveKeys
SetConsoleReserveKeys
SetKeyboardState
SetKeyboardState
SetProcessWindowStation
SetProcessWindowStation
SetWindowStationUser
SetWindowStationUser
SetWindowsHookA
SetWindowsHookA
SetWindowsHookExA
SetWindowsHookExA
SetWindowsHookExW
SetWindowsHookExW
SetWindowsHookW
SetWindowsHookW
TileChildWindows
TileChildWindows
TileWindows
TileWindows
UnhookWindowsHook
UnhookWindowsHook
UnhookWindowsHookEx
UnhookWindowsHookEx
UnloadKeyboardLayout
UnloadKeyboardLayout
UnlockWindowStation
UnlockWindowStation
UnregisterHotKey
UnregisterHotKey
VkKeyScanA
VkKeyScanA
VkKeyScanExA
VkKeyScanExA
VkKeyScanExW
VkKeyScanExW
VkKeyScanW
VkKeyScanW
WINNLSGetIMEHotkey
WINNLSGetIMEHotkey
keybd_event
keybd_event
=.cmd
=.cmd
=.pif
=.pif
=.lnk
=.lnk
=.com
=.com
=.bat
=.bat
F\ FTP
F\ FTP
s.RPRP
s.RPRP
tcPV
tcPV
*9]0t#SSh
*9]0t#SSh
u.KKt*
u.KKt*
~,SSSh
~,SSSh
SSSSh
SSSSh
SSSh$6A~P
SSSh$6A~P
6SSSSh
6SSSSh
t>SSh`
t>SSh`
u"SSh`
u"SSh`
ADVAPI32.dll
ADVAPI32.dll
MSIMG32.dll
MSIMG32.dll
POWRPROF.dll
POWRPROF.dll
WINSTA.dll
WINSTA.dll
RegCreateKeyExW
RegCreateKeyExW
RegCloseKey
RegCloseKey
RegDeleteKeyW
RegDeleteKeyW
ReportEventW
ReportEventW
RegQueryInfoKeyW
RegQueryInfoKeyW
GDI32.dll
GDI32.dll
KERNEL32.dll
KERNEL32.dll
ntdll.dll
ntdll.dll
GetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GetViewportExtEx
GetCPInfo
GetCPInfo
GetSystemWindowsDirectoryW
GetSystemWindowsDirectoryW
NtQueryKey
NtQueryKey
NtEnumerateValueKey
NtEnumerateValueKey
NtYieldExecution
NtYieldExecution
NtCreateKey
NtCreateKey
NtSetValueKey
NtSetValueKey
NtDeleteValueKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateKey
NtOpenKey
NtOpenKey
NtQueryValueKey
NtQueryValueKey
user32.pdb
user32.pdb
windows.hlp
windows.hlp
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
$$$006666
$$$006666
&$%Uooqkezs
&$%Uooqkezs
['$$#%&(4
['$$#%&(4
2
2
0 00@0[0
0 00@0[0
0V0
0V0
9œ9S9|9
9œ9S9|9
;";&;*;.;2;6;:;
;";&;*;.;2;6;:;
8$8-858E8L8S8Z8a8h8o8v8}8
8$8-858E8L8S8Z8a8h8o8v8}8
;(;7;>;};
;(;7;>;};
2$3 363@3
2$3 363@3
;#
;#
7 8$8(8,8|8
7 8$8(8,8|8
IMM32.DLL
IMM32.DLL
SETUPAPI.DLL
SETUPAPI.DLL
&%d %ws
&%d %ws
Control Panel\Input Method\Hot Keys
Control Panel\Input Method\Hot Keys
Virtual Key
Virtual Key
Key Modifiers
Key Modifiers
kbdus.dll
kbdus.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\
$winnt$.inf
$winnt$.inf
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Fonts
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Fonts
Keyboard Layout\Preload
Keyboard Layout\Preload
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\LastFontSweep
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\LastFontSweep
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Type 1 Fonts
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Type 1 Fonts
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Upgraded Type1
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Upgraded Type1
keyboardlayout.ini
keyboardlayout.ini
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\LastType1Sweep
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\LastType1Sweep
\Windows\WindowStations
\Windows\WindowStations
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
\Windows
\Windows
Keyboard Layout
Keyboard Layout
kbdkor.dll
kbdkor.dll
kbdjpn.dll
kbdjpn.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout
imm32.dll
imm32.dll
Hot Keys
Hot Keys
00000409
00000409
x:\...\
x:\...\
OLE32.DLL
OLE32.DLL
%SystemRoot%\System32\user32.dll
%SystemRoot%\System32\user32.dll
Software\Microsoft\Windows\CurrentVersion\Reliability
Software\Microsoft\Windows\CurrentVersion\Reliability
hh.exe
hh.exe
indicdll.dll
indicdll.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\
IgnoreRemoteKeyboardLayout
IgnoreRemoteKeyboardLayout
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Reliability
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Reliability
\snapshot.dll
\snapshot.dll
Windows XP USER API Client DLL
Windows XP USER API Client DLL
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Error Instrument: ProcessName: %1 WindowTitle: %2 MsgCaption: %3 MsgText: %4 CallerModuleName: %5 BaseAddr: %6 ImageSize: %7 ReturnAddr: %8
Error Instrument: ProcessName: %1 WindowTitle: %2 MsgCaption: %3 MsgText: %4 CallerModuleName: %5 BaseAddr: %6 ImageSize: %7 ReturnAddr: %8
Zero width &joiner
Zero width &joiner
Zero width &non-joiner
Zero width &non-joiner
&More Windows...gInsufficient memory to create the bitmap. Close one or more applications to increase available memory.
&More Windows...gInsufficient memory to create the bitmap. Close one or more applications to increase available memory.
Op&en Soft Keyboard
Op&en Soft Keyboard
Close So&ft Keyboard
Close So&ft Keyboard
Windows
Windows
Other people are logged on to this remote computer. Shutting down Windows might cause them to lose data. Also, someone at the remote location will have to restart the computer manually.
Other people are logged on to this remote computer. Shutting down Windows might cause them to lose data. Also, someone at the remote location will have to restart the computer manually.
Other people are logged on to this computer. Shutting down Windows might cause them to lose data.
Other people are logged on to this computer. Shutting down Windows might cause them to lose data.
Other people are logged on to this computer. Restarting Windows might cause them to lose data.
Other people are logged on to this computer. Restarting Windows might cause them to lose data.
Hardware: Maintenance (Planned)"Hardware: Installation (Unplanned) Hardware: Installation (Planned)%Operating System: Upgrade (Unplanned)#Operating System: Upgrade (Planned)
Hardware: Maintenance (Planned)"Hardware: Installation (Unplanned) Hardware: Installation (Planned)%Operating System: Upgrade (Unplanned)#Operating System: Upgrade (Planned)
-Operating System: Reconfiguration (Unplanned) Operating System: Reconfiguration (Planned)
-Operating System: Reconfiguration (Unplanned) Operating System: Reconfiguration (Planned)
8A restart or shutdown to service hardware on the system.AA restart or shutdown to begin or complete hardware installation.6A restart or shutdown to upgrade the operating system.CA restart or shutdown to change the operating system configuration.BA restart or shutdown to troubleshoot an unresponsive application.>A restart or shutdown to troubleshoot an unstable application.0A restart or shutdown to service an application. A shutdown or restart for an unknown reason1The computer displayed a blue screen crash event.
8A restart or shutdown to service hardware on the system.AA restart or shutdown to begin or complete hardware installation.6A restart or shutdown to upgrade the operating system.CA restart or shutdown to change the operating system configuration.BA restart or shutdown to troubleshoot an unresponsive application.>A restart or shutdown to troubleshoot an unstable application.0A restart or shutdown to service an application. A shutdown or restart for an unknown reason1The computer displayed a blue screen crash event.
The system became unresponsive.GA restart or shutdown to perform planned maintenance on an application.
The system became unresponsive.GA restart or shutdown to perform planned maintenance on an application.
%original file name%.exe_508_rwx_00E00000_000F7000:
KERNEL32.dll
KERNEL32.dll
BaseCleanupAppcompatCacheSupport
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
BaseInitAppcompatCacheSupport
BaseProcessInitPostImport
BaseProcessInitPostImport
CallNamedPipeA
CallNamedPipeA
CallNamedPipeW
CallNamedPipeW
CmdBatNotification
CmdBatNotification
ConnectNamedPipe
ConnectNamedPipe
CreateIoCompletionPort
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeA
CreateNamedPipeW
CreateNamedPipeW
CreatePipe
CreatePipe
DisconnectNamedPipe
DisconnectNamedPipe
GetCPFileNameFromRegistry
GetCPFileNameFromRegistry
GetCPInfo
GetCPInfo
GetCPInfoExA
GetCPInfoExA
GetCPInfoExW
GetCPInfoExW
GetConsoleAliasExesA
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleAliasExesW
GetConsoleInputExeNameA
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleInputExeNameW
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameW
GetConsoleKeyboardLayoutNameW
GetConsoleOutputCP
GetConsoleOutputCP
GetDefaultSortkeySize
GetDefaultSortkeySize
GetLargestConsoleWindowSize
GetLargestConsoleWindowSize
GetNamedPipeHandleStateA
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNamedPipeHandleStateW
GetNamedPipeInfo
GetNamedPipeInfo
GetProcessHandleCount
GetProcessHandleCount
GetProcessHeap
GetProcessHeap
GetProcessHeaps
GetProcessHeaps
GetProcessShutdownParameters
GetProcessShutdownParameters
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetSystemWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
GetWindowsDirectoryW
GetWindowsDirectoryW
PeekNamedPipe
PeekNamedPipe
RegisterWowExec
RegisterWowExec
SetCPGlobal
SetCPGlobal
SetConsoleInputExeNameA
SetConsoleInputExeNameA
SetConsoleInputExeNameW
SetConsoleInputExeNameW
SetConsoleKeyShortcuts
SetConsoleKeyShortcuts
SetConsoleMaximumWindowSize
SetConsoleMaximumWindowSize
SetConsoleOutputCP
SetConsoleOutputCP
SetNamedPipeHandleState
SetNamedPipeHandleState
SetProcessShutdownParameters
SetProcessShutdownParameters
SetThreadExecutionState
SetThreadExecutionState
TransactNamedPipe
TransactNamedPipe
VDMConsoleOperation
VDMConsoleOperation
VDMOperationStarted
VDMOperationStarted
WaitNamedPipeA
WaitNamedPipeA
WaitNamedPipeW
WaitNamedPipeW
WinExec
WinExec
NTDLL.RtlAddVectoredExceptionHandler
NTDLL.RtlAddVectoredExceptionHandler
NTDLL.RtlDecodePointer
NTDLL.RtlDecodePointer
NTDLL.RtlDecodeSystemPointer
NTDLL.RtlDecodeSystemPointer
NTDLL.RtlDeleteCriticalSection
NTDLL.RtlDeleteCriticalSection
NTDLL.RtlEncodePointer
NTDLL.RtlEncodePointer
NTDLL.RtlEncodeSystemPointer
NTDLL.RtlEncodeSystemPointer
NTDLL.RtlEnterCriticalSection
NTDLL.RtlEnterCriticalSection
NTDLL.RtlGetLastWin32Error
NTDLL.RtlGetLastWin32Error
NTDLL.RtlAllocateHeap
NTDLL.RtlAllocateHeap
NTDLL.RtlFreeHeap
NTDLL.RtlFreeHeap
NTDLL.RtlReAllocateHeap
NTDLL.RtlReAllocateHeap
NTDLL.RtlSizeHeap
NTDLL.RtlSizeHeap
NTDLL.RtlInitializeSListHead
NTDLL.RtlInitializeSListHead
NTDLL.RtlInterlockedFlushSList
NTDLL.RtlInterlockedFlushSList
NTDLL.RtlInterlockedPopEntrySList
NTDLL.RtlInterlockedPopEntrySList
NTDLL.RtlInterlockedPushEntrySList
NTDLL.RtlInterlockedPushEntrySList
NTDLL.RtlLeaveCriticalSection
NTDLL.RtlLeaveCriticalSection
NTDLL.RtlQueryDepthSList
NTDLL.RtlQueryDepthSList
NTDLL.RtlRemoveVectoredExceptionHandler
NTDLL.RtlRemoveVectoredExceptionHandler
NTDLL.RtlRestoreLastWin32Error
NTDLL.RtlRestoreLastWin32Error
NTDLL.RtlCaptureContext
NTDLL.RtlCaptureContext
NTDLL.RtlCaptureStackBackTrace
NTDLL.RtlCaptureStackBackTrace
NTDLL.RtlFillMemory
NTDLL.RtlFillMemory
NTDLL.RtlMoveMemory
NTDLL.RtlMoveMemory
NTDLL.RtlUnwind
NTDLL.RtlUnwind
NTDLL.RtlZeroMemory
NTDLL.RtlZeroMemory
NTDLL.RtlSetCriticalSectionSpinCount
NTDLL.RtlSetCriticalSectionSpinCount
NTDLL.RtlSetLastWin32Error
NTDLL.RtlSetLastWin32Error
NTDLL.RtlTryEnterCriticalSection
NTDLL.RtlTryEnterCriticalSection
NTDLL.VerSetConditionMask
NTDLL.VerSetConditionMask
DirOperationControl
DirOperationControl
UrlCanonicalizeW
UrlCanonicalizeW
SHDeleteKeyW
SHDeleteKeyW
PathCreateFromUrlW
PathCreateFromUrlW
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
GetProcessWindowStation
GetProcessWindowStation
EnumDesktopWindows
EnumDesktopWindows
CloseWindowStation
CloseWindowStation
twain_32.dll
twain_32.dll
Jt.HH;
Jt.HH;
midiOutShortMsg
midiOutShortMsg
SXS: %s() LdrFindOutOfProcessResource failed; nt status = lx
SXS: %s() LdrFindOutOfProcessResource failed; nt status = lx
advapi32.dll
advapi32.dll
ReportEventW
ReportEventW
RegSaveKeyW
RegSaveKeyW
RegSaveKeyExW
RegSaveKeyExW
RegSaveKeyA
RegSaveKeyA
RegRestoreKeyW
RegRestoreKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyExA
RegOpenKeyA
RegOpenKeyA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegEnumKeyW
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyExW
RegCreateKeyExW
RegCloseKey
RegCloseKey
ElfReportEventW
ElfReportEventW
CryptExportKey
CryptExportKey
CryptDestroyKey
CryptDestroyKey
\Device\NamedPipe\Win32Pipes.x.x
\Device\NamedPipe\Win32Pipes.x.x
CM_Open_DevNode_Key
CM_Open_DevNode_Key
CryptCATCatalogInfoFromContext
CryptCATCatalogInfoFromContext
SetPortW
SetPortW
EnumPrinterKeyW
EnumPrinterKeyW
EnumPortsW
EnumPortsW
DeletePrinterKeyW
DeletePrinterKeyW
DeletePortW
DeletePortW
ConfigurePortW
ConfigurePortW
AddPortW
AddPortW
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
ShellExecuteExA
ShellExecuteExA
ShellExecuteA
ShellExecuteA
SHFileOperationW
SHFileOperationW
SHFileOperationA
SHFileOperationA
FindExecutableW
FindExecutableW
FindExecutableA
FindExecutableA
ImportPrivacySettings
ImportPrivacySettings
MprConfigTransportGetInfo
MprConfigTransportGetInfo
MprConfigTransportGetHandle
MprConfigTransportGetHandle
MprConfigTransportDelete
MprConfigTransportDelete
MprConfigTransportCreate
MprConfigTransportCreate
MprConfigInterfaceTransportRemove
MprConfigInterfaceTransportRemove
MprConfigInterfaceTransportGetInfo
MprConfigInterfaceTransportGetInfo
MprConfigInterfaceTransportGetHandle
MprConfigInterfaceTransportGetHandle
MprConfigInterfaceTransportEnum
MprConfigInterfaceTransportEnum
MprConfigInterfaceTransportAdd
MprConfigInterfaceTransportAdd
MprAdminTransportCreate
MprAdminTransportCreate
MprAdminPortGetInfo
MprAdminPortGetInfo
MprAdminPortEnum
MprAdminPortEnum
MprAdminInterfaceTransportAdd
MprAdminInterfaceTransportAdd
MimeOleParseMhtmlUrl
MimeOleParseMhtmlUrl
ImmGetVirtualKey
ImmGetVirtualKey
ImageGetCertificateHeader
ImageGetCertificateHeader
ImageGetCertificateData
ImageGetCertificateData
ImageEnumerateCertificates
ImageEnumerateCertificates
GdiplusShutdown
GdiplusShutdown
|CAGetCertTypePropertyEx
|CAGetCertTypePropertyEx
CAGetCertTypeProperty
CAGetCertTypeProperty
CAGetCertTypeKeySpec
CAGetCertTypeKeySpec
CAGetCertTypeFlagsEx
CAGetCertTypeFlagsEx
CAGetCertTypeFlags
CAGetCertTypeFlags
CAGetCertTypeExtensionsEx
CAGetCertTypeExtensionsEx
CAGetCertTypeExtensions
CAGetCertTypeExtensions
CAGetCertTypeExpiration
CAGetCertTypeExpiration
CAGetCACertificate
CAGetCACertificate
CAFreeCertTypeProperty
CAFreeCertTypeProperty
CAFreeCertTypeExtensions
CAFreeCertTypeExtensions
CAFindCertTypeByName
CAFindCertTypeByName
CAEnumNextCertType
CAEnumNextCertType
CAEnumCertTypesForCAEx
CAEnumCertTypesForCAEx
CAEnumCertTypesForCA
CAEnumCertTypesForCA
CACountCertTypes
CACountCertTypes
CACloseCertType
CACloseCertType
CACertTypeAccessCheck
CACertTypeAccessCheck
ApphelpCheckExe
ApphelpCheckExe
WZCPassword2Key
WZCPassword2Key
EapcfgNodeFromKey
EapcfgNodeFromKey
SetupDiOpenDevRegKey
SetupDiOpenDevRegKey
SetupDiCreateDevRegKeyW
SetupDiCreateDevRegKeyW
SXS: %s() BasepSxsCreateStreams() failed
SXS: %s() BasepSxsCreateStreams() failed
winlogon.EXE
winlogon.EXE
PWVSSh
PWVSSh
SXS: %s - Failing thread create because RtlActivateActivationContextEx() failed with status lx
SXS: %s - Failing thread create because RtlActivateActivationContextEx() failed with status lx
SXS: %s - Failing thread create because RtlQueryInformationActivationContext() failed with status lx
SXS: %s - Failing thread create because RtlQueryInformationActivationContext() failed with status lx
SXS: %s - Failing thread create becuase NtQueryInformationThread() failed with status lx
SXS: %s - Failing thread create becuase NtQueryInformationThread() failed with status lx
u\SSh
u\SSh
kernel32: No mapping for ImageInformation.Machine == x
kernel32: No mapping for ImageInformation.Machine == x
TermsrvLogInstallIniFile
TermsrvLogInstallIniFile
TermsrvGetWindowsDirectoryW
TermsrvGetWindowsDirectoryW
TermsrvGetWindowsDirectoryA
TermsrvGetWindowsDirectoryA
SXS: %s failing because RtlQueryInformationActivationContext() returned status lx
SXS: %s failing because RtlQueryInformationActivationContext() returned status lx
SXS: %s - Failure getting active activation context; ntstatus lx
SXS: %s - Failure getting active activation context; ntstatus lx
SXS: %s() LdrAccessOutOfProcessResource failed; nt status = lx
SXS: %s() LdrAccessOutOfProcessResource failed; nt status = lx
SXS: %s() LdrCreateOutOfProcessImage failed
SXS: %s() LdrCreateOutOfProcessImage failed
SXS: %s() NtQueryInformationFile failed
SXS: %s() NtQueryInformationFile failed
SXS: %s() empty lpSource %ls
SXS: %s() empty lpSource %ls
SXS: %s() Calling csrss server failed
SXS: %s() Calling csrss server failed
SXS: %s() RtlMultiAppendUnicodeStringBuffer failed
SXS: %s() RtlMultiAppendUnicodeStringBuffer failed
SXS: %s() NtMapViewOfSection failed
SXS: %s() NtMapViewOfSection failed
SXS: %s() AssemblyDirectory is not null terminated
SXS: %s() AssemblyDirectory is not null terminated
SXS: %s() BaseDllMapResourceIdW failed
SXS: %s() BaseDllMapResourceIdW failed
SXS: %s() ACTCTX_FLAG_RESOURCE_NAME_VALID set but lpResourceName == 0
SXS: %s() ACTCTX_FLAG_RESOURCE_NAME_VALID set but lpResourceName == 0
SXS: %s() Bad lpAssemblyDirectory %ls
SXS: %s() Bad lpAssemblyDirectory %ls
SXS: %s() Bad lpSource PathType %ls, 0x%lx
SXS: %s() Bad lpSource PathType %ls, 0x%lx
SXS: %s() Bad lpAssemblyDirectory PathType %ls, 0x%lx
SXS: %s() Bad lpAssemblyDirectory PathType %ls, 0x%lx
SXS: %s() bad wProcessorArchitecture 0x%x
SXS: %s() bad wProcessorArchitecture 0x%x
SXS: Invalid parameter(s) passed to FindActCtxSection*()
SXS: Invalid parameter(s) passed to FindActCtxSection*()
->cbSize = %u
->cbSize = %u
SXS: %s() CsrCaptureMessageMultiUnicodeStringsInPlace failed
SXS: %s() CsrCaptureMessageMultiUnicodeStringsInPlace failed
QSSSSh
QSSSSh
\twain_32.dll
\twain_32.dll
ReportFault
ReportFault
SXS: %s() NtCreateSection() failed
SXS: %s() NtCreateSection() failed
SXS: %s() NtOpenFile(%wZ) failed
SXS: %s() NtOpenFile(%wZ) failed
SXS: %s() Null %p or size 0x%lx too small
SXS: %s() Null %p or size 0x%lx too small
SXS: %s() Bad flags/size 0x%lx/0x%lx
SXS: %s() Bad flags/size 0x%lx/0x%lx
.debug
.debug
.reloc
.reloc
.rsrc1
.rsrc1
.rsrc
.rsrc
|wzcsapi.dll
|wzcsapi.dll
wzcdlg.dll
wzcdlg.dll
wtsapi32.dll
wtsapi32.dll
ws2_32.dll
ws2_32.dll
wmvcore.dll
wmvcore.dll
wmi.dll
wmi.dll
wldap32.dll
wldap32.dll
wintrust.dll
wintrust.dll
winsta.dll
winsta.dll
winspool.drv
winspool.drv
winscard.dll
winscard.dll
winmm.dll
winmm.dll
wininet.dll
wininet.dll
winhttp.dll
winhttp.dll
version.dll
version.dll
uxtheme.dll
uxtheme.dll
utildll.dll
utildll.dll
usp10.dll
usp10.dll
userenv.dll
userenv.dll
user32.dll
user32.dll
urlmon.dll
urlmon.dll
tapi32.dll
tapi32.dll
syssetup.dll
syssetup.dll
sti.dll
sti.dll
shsvcs.dll
shsvcs.dll
shlwapi.dll
shlwapi.dll
shell32.dll
shell32.dll
shdocvw.dll
shdocvw.dll
sfc.dll
sfc.dll
setupapi.dll
setupapi.dll
secur32.dll
secur32.dll
scecli.dll
scecli.dll
samlib.dll
samlib.dll
rtutils.dll
rtutils.dll
rpcrt4.dll
rpcrt4.dll
regapi.dll
regapi.dll
rasman.dll
rasman.dll
rasdlg.dll
rasdlg.dll
rasapi32.dll
rasapi32.dll
query.dll
query.dll
pstorec.dll
pstorec.dll
psapi.dll
psapi.dll
printui.dll
printui.dll
powrprof.dll
powrprof.dll
pidgen.dll
pidgen.dll
pautoenr.dll
pautoenr.dll
oleaut32.dll
oleaut32.dll
oleacc.dll
oleacc.dll
ole32.dll
ole32.dll
odbc32.dll
odbc32.dll
ocmanage.dll
ocmanage.dll
ntmarta.dll
ntmarta.dll
ntlsapi.dll
ntlsapi.dll
ntlanman.dll
ntlanman.dll
ntdsapi.dll
ntdsapi.dll
ntdsa.dll
ntdsa.dll
netshell.dll
netshell.dll
netrap.dll
netrap.dll
netplwiz.dll
netplwiz.dll
netman.dll
netman.dll
netcfgx.dll
netcfgx.dll
netapi32.dll
netapi32.dll
mswsock.dll
mswsock.dll
mssign32.dll
mssign32.dll
msrating.dll
msrating.dll
msimg32.dll
msimg32.dll
msi.dll
msi.dll
mshtml.dll
mshtml.dll
msgina.dll
msgina.dll
mscat32.dll
mscat32.dll
msacm32.dll
msacm32.dll
mprui.dll
mprui.dll
mprapi.dll
mprapi.dll
mpr.dll
mpr.dll
mobsync.dll
mobsync.dll
mlang.dll
mlang.dll
lz32.dll
lz32.dll
linkinfo.dll
linkinfo.dll
keymgr.dll
keymgr.dll
kdcsvc.dll
kdcsvc.dll
iphlpapi.dll
iphlpapi.dll
inetcomm.dll
inetcomm.dll
imm32.dll
imm32.dll
imgutil.dll
imgutil.dll
imagehlp.dll
imagehlp.dll
hnetcfg.dll
hnetcfg.dll
gdiplus.dll
gdiplus.dll
gdi32.dll
gdi32.dll
esent.dll
esent.dll
efsadu.dll
efsadu.dll
duser.dll
duser.dll
dnsapi.dll
dnsapi.dll
dhcpcsvc.dll
dhcpcsvc.dll
devmgr.dll
devmgr.dll
ddraw.dll
ddraw.dll
d3dxof.dll
d3dxof.dll
cscdll.dll
cscdll.dll
cryptui.dll
cryptui.dll
crypt32.dll
crypt32.dll
credui.dll
credui.dll
comdlg32.dll
comdlg32.dll
comctl32.dll
comctl32.dll
certcli.dll
certcli.dll
cdfview.dll
cdfview.dll
cabinet.dll
cabinet.dll
browseui.dll
browseui.dll
authz.dll
authz.dll
apphelp.dll
apphelp.dll
advpack.dll
advpack.dll
activeds.dll
activeds.dll
WinStationIsHelpAssistantSession
WinStationIsHelpAssistantSession
WinStationEnumerate_IndexedW
WinStationEnumerate_IndexedW
|UnlockUrlCacheEntryStream
|UnlockUrlCacheEntryStream
UnlockUrlCacheEntryFileW
UnlockUrlCacheEntryFileW
UnlockUrlCacheEntryFileA
UnlockUrlCacheEntryFileA
SetUrlCacheEntryInfoW
SetUrlCacheEntryInfoW
SetUrlCacheEntryGroupW
SetUrlCacheEntryGroupW
SetUrlCacheConfigInfoA
SetUrlCacheConfigInfoA
RetrieveUrlCacheEntryStreamW
RetrieveUrlCacheEntryStreamW
RetrieveUrlCacheEntryFileW
RetrieveUrlCacheEntryFileW
RetrieveUrlCacheEntryFileA
RetrieveUrlCacheEntryFileA
RegisterUrlCacheNotification
RegisterUrlCacheNotification
ReadUrlCacheEntryStream
ReadUrlCacheEntryStream
LoadUrlCacheContent
LoadUrlCacheContent
IsHostInProxyBypassList
IsHostInProxyBypassList
InternetShowSecurityInfoByURLW
InternetShowSecurityInfoByURLW
InternetOpenUrlW
InternetOpenUrlW
InternetOpenUrlA
InternetOpenUrlA
InternetCreateUrlW
InternetCreateUrlW
InternetCreateUrlA
InternetCreateUrlA
InternetCrackUrlW
InternetCrackUrlW
InternetCrackUrlA
InternetCrackUrlA
InternetCombineUrlW
InternetCombineUrlW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoW
HttpQueryInfoW
HttpQueryInfoA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpOpenRequestA
HttpEndRequestW
HttpEndRequestW
HttpEndRequestA
HttpEndRequestA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoExW
GetUrlCacheEntryInfoExW
GetUrlCacheEntryInfoExA
GetUrlCacheEntryInfoExA
GetUrlCacheEntryInfoA
GetUrlCacheEntryInfoA
GetUrlCacheConfigInfoW
GetUrlCacheConfigInfoW
GetUrlCacheConfigInfoA
GetUrlCacheConfigInfoA
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpRenameFileA
FtpRenameFileA
FtpRemoveDirectoryA
FtpRemoveDirectoryA
FtpPutFileEx
FtpPutFileEx
FtpOpenFileW
FtpOpenFileW
FtpOpenFileA
FtpOpenFileA
FtpGetFileSize
FtpGetFileSize
FtpGetFileEx
FtpGetFileEx
FtpGetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpGetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpFindFirstFileW
FtpFindFirstFileW
FtpFindFirstFileA
FtpFindFirstFileA
FtpDeleteFileW
FtpDeleteFileW
FtpDeleteFileA
FtpDeleteFileA
FtpCreateDirectoryW
FtpCreateDirectoryW
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpCommandA
FtpCommandA
FreeUrlCacheSpaceW
FreeUrlCacheSpaceW
FindNextUrlCacheEntryW
FindNextUrlCacheEntryW
FindNextUrlCacheEntryExW
FindNextUrlCacheEntryExW
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindNextUrlCacheContainerW
FindNextUrlCacheContainerW
FindNextUrlCacheContainerA
FindNextUrlCacheContainerA
FindFirstUrlCacheEntryW
FindFirstUrlCacheEntryW
FindFirstUrlCacheEntryExW
FindFirstUrlCacheEntryExW
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheContainerW
FindFirstUrlCacheContainerW
FindFirstUrlCacheContainerA
FindFirstUrlCacheContainerA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheGroup
DeleteUrlCacheGroup
DeleteUrlCacheEntryW
DeleteUrlCacheEntryW
DeleteUrlCacheEntryA
DeleteUrlCacheEntryA
DeleteUrlCacheContainerA
DeleteUrlCacheContainerA
CreateUrlCacheGroup
CreateUrlCacheGroup
CreateUrlCacheEntryW
CreateUrlCacheEntryW
CreateUrlCacheEntryA
CreateUrlCacheEntryA
CreateUrlCacheContainerW
CreateUrlCacheContainerW
CreateUrlCacheContainerA
CreateUrlCacheContainerA
CommitUrlCacheEntryW
CommitUrlCacheEntryW
CommitUrlCacheEntryA
CommitUrlCacheEntryA
|WinHttpSetTimeouts
|WinHttpSetTimeouts
WinHttpSetStatusCallback
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpOpen
WinHttpOpen
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpConnect
WinHttpCloseHandle
WinHttpCloseHandle
|UrlMkSetSessionOption
|UrlMkSetSessionOption
UrlMkGetSessionOption
UrlMkGetSessionOption
URLOpenBlockingStreamW
URLOpenBlockingStreamW
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToCacheFileW
URLDownloadToCacheFileW
IsValidURL
IsValidURL
GetMarkOfTheWeb
GetMarkOfTheWeb
CreateURLMoniker
CreateURLMoniker
CoInternetParseUrl
CoInternetParseUrl
CoInternetIsFeatureEnabledForUrl
CoInternetIsFeatureEnabledForUrl
CoInternetGetSecurityUrl
CoInternetGetSecurityUrl
CoInternetCombineUrl
CoInternetCombineUrl
SceSetupUpdateSecurityKey
SceSetupUpdateSecurityKey
RasShareConnection
RasShareConnection
RasIsSharedConnection
RasIsSharedConnection
DsMakePasswordCredentialsW
DsMakePasswordCredentialsW
DsFreePasswordCredentials
DsFreePasswordCredentials
|NetpUpgradePreNT5JoinInfo
|NetpUpgradePreNT5JoinInfo
NetUserChangePassword
NetUserChangePassword
NetUnjoinDomain
NetUnjoinDomain
NetJoinDomain
NetJoinDomain
NetGetJoinInformation
NetGetJoinInformation
|SpcGetCertFromKey
|SpcGetCertFromKey
GetCryptProvFromCert
GetCryptProvFromCert
FreeCryptProvFromCert
FreeCryptProvFromCert
|ShowModelessHTMLDialog
|ShowModelessHTMLDialog
MPRUI_DoPasswordDialog
MPRUI_DoPasswordDialog
PRShowSaveFromMsginaW
PRShowSaveFromMsginaW
PRShowRestoreFromMsginaW
PRShowRestoreFromMsginaW
KRShowKeyMgr
KRShowKeyMgr
GetUdpStatistics
GetUdpStatistics
GetTcpStatistics
GetTcpStatistics
|IcfGetOperationalMode
|IcfGetOperationalMode
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
JetMakeKey
JetMakeKey
CryptUIDlgViewCertificateW
CryptUIDlgViewCertificateW
CryptVerifyCertificateSignature
CryptVerifyCertificateSignature
CryptSignAndEncodeCertificate
CryptSignAndEncodeCertificate
CryptMsgGetParam
CryptMsgGetParam
CryptMsgGetAndVerifySigner
CryptMsgGetAndVerifySigner
CryptMsgClose
CryptMsgClose
CryptImportPublicKeyInfoEx
CryptImportPublicKeyInfoEx
CryptImportPublicKeyInfo
CryptImportPublicKeyInfo
CryptHashPublicKeyInfo
CryptHashPublicKeyInfo
CryptExportPublicKeyInfo
CryptExportPublicKeyInfo
CertVerifySubjectCertificateContext
CertVerifySubjectCertificateContext
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
CertStrToNameW
CertStrToNameW
CertSetCertificateContextProperty
CertSetCertificateContextProperty
CertRegisterPhysicalStore
CertRegisterPhysicalStore
CertRDNValueToStrW
CertRDNValueToStrW
CertOpenSystemStoreW
CertOpenSystemStoreW
CertOpenStore
CertOpenStore
CertNameToStrW
CertNameToStrW
CertGetPublicKeyLength
CertGetPublicKeyLength
CertGetNameStringW
CertGetNameStringW
CertGetIssuerCertificateFromStore
CertGetIssuerCertificateFromStore
CertGetEnhancedKeyUsage
CertGetEnhancedKeyUsage
CertGetCertificateContextProperty
CertGetCertificateContextProperty
CertGetCertificateChain
CertGetCertificateChain
CertFreeCertificateContext
CertFreeCertificateContext
CertFreeCertificateChain
CertFreeCertificateChain
CertFreeCTLContext
CertFreeCTLContext
CertFindSubjectInCTL
CertFindSubjectInCTL
CertFindExtension
CertFindExtension
CertFindCertificateInStore
CertFindCertificateInStore
CertFindCTLInStore
CertFindCTLInStore
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertDuplicateCTLContext
CertDuplicateCTLContext
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertCreateCertificateContext
CertCreateCertificateContext
CertCreateCTLContext
CertCreateCTLContext
CertControlStore
CertControlStore
CertCompareCertificateName
CertCompareCertificateName
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CredUICmdLinePromptForCredentialsW
CredUICmdLinePromptForCredentialsW
SSSSh
SSSSh
PSSSSSSh
PSSSSSSh
t.PSW
t.PSW
mem16.dll
mem16.dll
ImpersonateNamedPipeClient
ImpersonateNamedPipeClient
VWSSh
VWSSh
t.hlt
t.hlt
hypertrm.exe"
hypertrm.exe"
hypertrm.exe
hypertrm.exe
.exr (exception record)
.exr (exception record)
.cxr (context record)
.cxr (context record)
serialui.dll
serialui.dll
mekr386.exe
mekr386.exe
PVWSSh
PVWSSh
SXS: %s() BaseDllMapResourceIdA failed
SXS: %s() BaseDllMapResourceIdA failed
-. "%ls" %ld
-. "%ls" %ld
(LRU) (Exe Name) (FileSize)
(LRU) (Exe Name) (FileSize)
Total Entries = 0x%x
Total Entries = 0x%x
xpsp2res.dll
xpsp2res.dll
xpsp3res.dll
xpsp3res.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
|CertAutoEnrollment
|CertAutoEnrollment
VSSHP
VSSHP
ntdll.dll
ntdll.dll
NtQueryValueKey
NtQueryValueKey
NtOpenKey
NtOpenKey
NtFlushKey
NtFlushKey
NtSetValueKey
NtSetValueKey
NtCreateKey
NtCreateKey
NtEnumerateKey
NtEnumerateKey
NtEnumerateValueKey
NtEnumerateValueKey
RtlFormatCurrentUserKeyPath
RtlFormatCurrentUserKeyPath
NtQueryKey
NtQueryKey
NtDeleteValueKey
NtDeleteValueKey
RtlGetProcessHeaps
RtlGetProcessHeaps
NtCreateNamedPipeFile
NtCreateNamedPipeFile
NtSetThreadExecutionState
NtSetThreadExecutionState
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptions
NtDelayExecution
NtDelayExecution
NtYieldExecution
NtYieldExecution
kernel32.pdb
kernel32.pdb
0!1'1;1|1
0!1'1;1|1
;,
;,
67
67
2,242
2,242
: :$:(:,:0:4:8:<:>
: :$:(:,:0:4:8:<:>
8 8$8(8,8084888
8 8$8(8,8084888
$0(040:0
$0(040:0
1!202
1!202
4 4$4(4,4044484
4 4$4(4,4044484
sShortDate
sShortDate
win.ini
win.ini
.Config
.Config
.Manifest
.Manifest
\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
\Windows
\Windows
\NLS\NlsSectionSortkey
\NLS\NlsSectionSortkey
\system32\Apphelp.dll
\system32\Apphelp.dll
\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
ADVAPI32.DLL
ADVAPI32.DLL
\\.\MountPointManager
\\.\MountPointManager
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
hotkey.%u %s
hotkey.%u %s
wowexec.pif
wowexec.pif
cmd /c
cmd /c
hotkey.
hotkey.
setup.exe
setup.exe
\DosDevices\pipe\
\DosDevices\pipe\
\\.\pipe\
\\.\pipe\
\REGISTRY\USER\.DEFAULT
\REGISTRY\USER\.DEFAULT
WUSER32.DLL
WUSER32.DLL
~RF%4x.TMP
~RF%4x.TMP
netmsg.dll
netmsg.dll
pipe\
pipe\
c:\temp\
c:\temp\
EmbdTrst.DLL
EmbdTrst.DLL
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
%ws%u\DosDevices\%ws
%ws%u\DosDevices\%ws
WINDOWS
WINDOWS
\\?\GLOBALROOT
\\?\GLOBALROOT
Application.Manifest
Application.Manifest
"/\[]:| =;,?
"/\[]:| =;,?
\REGISTRY\Machine\Software\Microsoft\Windows NT\currentVersion\Time Zones
\REGISTRY\Machine\Software\Microsoft\Windows NT\currentVersion\Time Zones
\Registry\Machine\Software\Policies\Microsoft\Windows\System
\Registry\Machine\Software\Policies\Microsoft\Windows\System
AppCertDlls
AppCertDlls
tsappcmp.dll
tsappcmp.dll
\inifile.upd
\inifile.upd
t\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
t\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
DRMHeader.SubscriptionContentID
DRMHeader.SubscriptionContentID
DRMHeader.ContentDistributor
DRMHeader.ContentDistributor
DRMHeader.SECURITYVERSION
DRMHeader.SECURITYVERSION
DRMHeader.CID
DRMHeader.CID
DRMHeader.LAINFO
DRMHeader.LAINFO
DRMHeader.KID
DRMHeader.KID
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Print.redbook
LicenseStateData.Print.redbook
LicenseStateData.Play
LicenseStateData.Play
ActionAllowed.Backup
ActionAllowed.Backup
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Print.redbook
ActionAllowed.Print.redbook
ActionAllowed.Play
ActionAllowed.Play
BaseLAURL
BaseLAURL
Transfer.NONSDMI
Transfer.NONSDMI
Transfer.SDMI
Transfer.SDMI
Print.redbook
Print.redbook
Software\Microsoft\Windows NT\CurrentVersion\Time Zones
Software\Microsoft\Windows NT\CurrentVersion\Time Zones
TimeZoneKeyName
TimeZoneKeyName
PendingFileRenameOperations%d
PendingFileRenameOperations%d
PendingFileRenameOperations
PendingFileRenameOperations
%s\system32\
%s\system32\
\system32\faultrep.dll
\system32\faultrep.dll
mwowcmdline
mwowcmdline
cmdline
cmdline
CONSOLE.DLL
CONSOLE.DLL
conime.exe
conime.exe
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console
\INF\INTL.INF
\INF\INTL.INF
DNSAPI.DLL
DNSAPI.DLL
cfgmgr32.dll
cfgmgr32.dll
The operation completed successfully.
The operation completed successfully.
Not enough storage is available to complete this operation.
Not enough storage is available to complete this operation.
The process cannot access the file because another process has locked a portion of the file.
The process cannot access the file because another process has locked a portion of the file.
The request is not supported.
The request is not supported.
Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
The specified server cannot perform the requested operation.
The specified server cannot perform the requested operation.
The specified network password is not correct.
The specified network password is not correct.
The pipe has been ended.
The pipe has been ended.
The system does not support the command requested.
The system does not support the command requested.
This function is not supported on this system.
This function is not supported on this system.
The data area passed to a system call is too small.
The data area passed to a system call is too small.
Attempt to use a file handle to an open disk partition for an operation other than raw disk I/O.
Attempt to use a file handle to an open disk partition for an operation other than raw disk I/O.
A JOIN or SUBST command cannot be used for a drive that contains previously joined drives.
A JOIN or SUBST command cannot be used for a drive that contains previously joined drives.
An attempt was made to use a JOIN or SUBST command on a drive that has already been joined.
An attempt was made to use a JOIN or SUBST command on a drive that has already been joined.
An attempt was made to use a JOIN or SUBST command on a drive that has already been substituted.
An attempt was made to use a JOIN or SUBST command on a drive that has already been substituted.
The system tried to delete the JOIN of a drive that is not joined.
The system tried to delete the JOIN of a drive that is not joined.
The system tried to join a drive to a directory on a joined drive.
The system tried to join a drive to a directory on a joined drive.
The system tried to join a drive to a directory on a substituted drive.
The system tried to join a drive to a directory on a substituted drive.
The system tried to SUBST a drive to a directory on a joined drive.
The system tried to SUBST a drive to a directory on a joined drive.
The system cannot perform a JOIN or SUBST at this time.
The system cannot perform a JOIN or SUBST at this time.
The system cannot join or substitute a drive to or for a directory on the same drive.
The system cannot join or substitute a drive to or for a directory on the same drive.
An attempt was made to join or substitute a drive for which a directory on the drive is the target of a previous substitute.
An attempt was made to join or substitute a drive for which a directory on the drive is the target of a previous substitute.
System trace information was not specified in your CONFIG.SYS file, or tracing is disallowed.
System trace information was not specified in your CONFIG.SYS file, or tracing is disallowed.
DosMuxSemWait did not execute; too many semaphores are already set.
DosMuxSemWait did not execute; too many semaphores are already set.
The file system does not support atomic changes to the lock type.
The file system does not support atomic changes to the lock type.
The operating system cannot run %1.
The operating system cannot run %1.
The flag passed is not correct.
The flag passed is not correct.
The operating system cannot run this application program.
The operating system cannot run this application program.
The operating system is not presently configured to run this application.
The operating system is not presently configured to run this application.
The pipe state is invalid.
The pipe state is invalid.
All pipe instances are busy.
All pipe instances are busy.
The pipe is being closed.
The pipe is being closed.
No process is on the other end of the pipe.
No process is on the other end of the pipe.
The wait operation timed out.
The wait operation timed out.
The mounted file system does not support extended attributes.
The mounted file system does not support extended attributes.
The volume is too fragmented to complete this operation.
The volume is too fragmented to complete this operation.
There is a process on other end of the pipe.
There is a process on other end of the pipe.
Waiting for a process to open the other end of the pipe.
Waiting for a process to open the other end of the pipe.
The I/O operation has been aborted because of either a thread exit or an application request.
The I/O operation has been aborted because of either a thread exit or an application request.
Overlapped I/O operation is in progress.
Overlapped I/O operation is in progress.
Error performing inpage operation.
Error performing inpage operation.
The requested operation cannot be performed in full-screen mode.
The requested operation cannot be performed in full-screen mode.
The configuration registry key is invalid.
The configuration registry key is invalid.
The configuration registry key could not be opened.
The configuration registry key could not be opened.
The configuration registry key could not be read.
The configuration registry key could not be read.
The configuration registry key could not be written.
The configuration registry key could not be written.
An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry.
An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry.
Illegal operation attempted on a registry key that has been marked for deletion.
Illegal operation attempted on a registry key that has been marked for deletion.
Cannot create a symbolic link in a registry key that already has subkeys or values.
Cannot create a symbolic link in a registry key that already has subkeys or values.
Cannot create a stable subkey under a volatile parent key.
Cannot create a stable subkey under a volatile parent key.
The account name is invalid or does not exist, or the password is invalid for the account name specified.
The account name is invalid or does not exist, or the password is invalid for the account name specified.
The executable program that this service is configured to run in does not implement the service.
The executable program that this service is configured to run in does not implement the service.
A serial I/O operation was completed by another write to the serial port.
A serial I/O operation was completed by another write to the serial port.
A serial I/O operation completed because the timeout period expired.
A serial I/O operation completed because the timeout period expired.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a disk operation failed even after retries.
While accessing the hard disk, a disk operation failed even after retries.
An attempt was made to create more links on a file than the file system supports.
An attempt was made to create more links on a file than the file system supports.
The specified program requires a newer version of Windows.
The specified program requires a newer version of Windows.
The specified program is not a Windows or MS-DOS program.
The specified program is not a Windows or MS-DOS program.
The specified program was written for an earlier version of Windows.
The specified program was written for an earlier version of Windows.
No application is associated with the specified file for this operation.
No application is associated with the specified file for this operation.
The message can be used only with synchronous operations.
The message can be used only with synchronous operations.
The device has indicated that cleaning is required before further operations are attempted.
The device has indicated that cleaning is required before further operations are attempted.
There was no match for the specified key in the index.
There was no match for the specified key in the index.
The point passed to GetMouseMovePoints is not in the buffer.
The point passed to GetMouseMovePoints is not in the buffer.
The format of the specified password is invalid.
The format of the specified password is invalid.
The operation was canceled by the user.
The operation was canceled by the user.
The requested operation cannot be performed on a file with a user-mapped section open.
The requested operation cannot be performed on a file with a user-mapped section open.
The network transport endpoint already has an address associated with it.
The network transport endpoint already has an address associated with it.
An operation was attempted on a nonexistent network connection.
An operation was attempted on a nonexistent network connection.
An invalid operation was attempted on an active network connection.
An invalid operation was attempted on an active network connection.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
No service is operating at the destination network endpoint on the remote system.
No service is operating at the destination network endpoint on the remote system.
The operation could not be completed. A retry should be performed.
The operation could not be completed. A retry should be performed.
The network address could not be used for the operation requested.
The network address could not be used for the operation requested.
The operation being requested was not performed because the user has not been authenticated.
The operation being requested was not performed because the user has not been authenticated.
The operation being requested was not performed because the user has not logged on to the network.
The operation being requested was not performed because the user has not logged on to the network.
An attempt was made to perform an initialization operation when initialization has already been completed.
An attempt was made to perform an initialization operation when initialization has already been completed.
This operation is supported only when you are connected to the server.
This operation is supported only when you are connected to the server.
This operation is not supported on a Microsoft Small Business Server
This operation is not supported on a Microsoft Small Business Server
The remote system is not available. For information about network troubleshooting, see Windows Help.
The remote system is not available. For information about network troubleshooting, see Windows Help.
Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
KDC certificate during smartcard logon.
KDC certificate during smartcard logon.
The smartcard certificate used for authentication has been revoked.
The smartcard certificate used for authentication has been revoked.
An untrusted certificate authority was detected While processing the
An untrusted certificate authority was detected While processing the
smartcard certificate used for authentication. Please contact your system
smartcard certificate used for authentication. Please contact your system
The revocation status of the smartcard certificate used for
The revocation status of the smartcard certificate used for
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication has expired. Please
The smartcard certificate used for authentication has expired. Please
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
No encryption key is available. A well-known encryption key was returned.
No encryption key is available. A well-known encryption key was returned.
The password is too complex to be converted to a LAN Manager password. The LAN Manager password returned is a NULL string.
The password is too complex to be converted to a LAN Manager password. The LAN Manager password returned is a NULL string.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
Unable to update the password. The value provided as the current password is incorrect.
Unable to update the password. The value provided as the current password is incorrect.
Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
Logon failure: unknown user name or bad password.
Logon failure: unknown user name or bad password.
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
Logon failure: the specified account password has expired.
Logon failure: the specified account password has expired.
Unable to perform a security operation on an object that has no associated security.
Unable to perform a security operation on an object that has no associated security.
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
The domain was in the wrong state to perform the security operation.
The domain was in the wrong state to perform the security operation.
This operation is only allowed for the Primary Domain Controller of the domain.
This operation is only allowed for the Primary Domain Controller of the domain.
Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk.
Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk.
The logon session is not in a state that is consistent with the requested operation.
The logon session is not in a state that is consistent with the requested operation.
Unable to impersonate using a named pipe until data has been read from that pipe.
Unable to impersonate using a named pipe until data has been read from that pipe.
The transaction state of a registry subtree is incompatible with the requested operation.
The transaction state of a registry subtree is incompatible with the requested operation.
Cannot perform this operation on built-in accounts.
Cannot perform this operation on built-in accounts.
Cannot perform this operation on this built-in special group.
Cannot perform this operation on this built-in special group.
Cannot perform this operation on this built-in special user.
Cannot perform this operation on this built-in special user.
A cross-encrypted password is necessary to change a user password.
A cross-encrypted password is necessary to change a user password.
A cross-encrypted password is necessary to change this user password.
A cross-encrypted password is necessary to change this user password.
There is no user session key for the specified logon session.
There is no user session key for the specified logon session.
Mutual Authentication failed. The server's password is out of date at the domain controller.
Mutual Authentication failed. The server's password is out of date at the domain controller.
This operation can not be performed on the current domain.
This operation can not be performed on the current domain.
Hot key is already registered.
Hot key is already registered.
Class still has open windows.
Class still has open windows.
Hot key is not registered.
Hot key is not registered.
This list box does not support tab stops.
This list box does not support tab stops.
Child windows cannot have menus.
Child windows cannot have menus.
All handles to windows in a multiple-window position structure must have the same parent.
All handles to windows in a multiple-window position structure must have the same parent.
The paging file is too small for this operation to complete.
The paging file is too small for this operation to complete.
Invalid keyboard layout handle.
Invalid keyboard layout handle.
This operation requires an interactive window station.
This operation requires an interactive window station.
This operation returned because the timeout period expired.
This operation returned because the timeout period expired.
The event log file has changed between read operations.
The event log file has changed between read operations.
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
The configuration data for this product is corrupt. Contact your support personnel.
The configuration data for this product is corrupt. Contact your support personnel.
This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
SQL query syntax invalid or unsupported.
SQL query syntax invalid or unsupported.
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
There was an error starting the Windows Installer service user interface. Contact your support personnel.
There was an error starting the Windows Installer service user interface. Contact your support personnel.
The language of this installation package is not supported by your system.
The language of this installation package is not supported by your system.
Function could not be executed.
Function could not be executed.
Function failed during execution.
Function failed during execution.
Data of this type is not supported.
Data of this type is not supported.
The Windows Installer service failed to start. Contact your support personnel.
The Windows Installer service failed to start. Contact your support personnel.
This installation package is not supported by this processor type. Contact your product vendor.
This installation package is not supported by this processor type. Contact your product vendor.
This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.
Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.
The requested operation completed successfully. The system will be restarted so the changes can take effect.
The requested operation completed successfully. The system will be restarted so the changes can take effect.
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer an
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer an
The RPC protocol sequence is not supported.
The RPC protocol sequence is not supported.
Not enough resources are available to complete this operation.
Not enough resources are available to complete this operation.
The RPC server is too busy to complete this operation.
The RPC server is too busy to complete this operation.
The remote procedure call failed and did not execute.
The remote procedure call failed and did not execute.
The transfer syntax is not supported by the RPC server.
The transfer syntax is not supported by the RPC server.
The universal unique identifier (UUID) type is not supported.
The universal unique identifier (UUID) type is not supported.
The name syntax is not supported.
The name syntax is not supported.
The server endpoint cannot perform the operation.
The server endpoint cannot perform the operation.
No interfaces have been exported.
No interfaces have been exported.
There is nothing to unexport.
There is nothing to unexport.
The requested operation is not supported.
The requested operation is not supported.
A floating-point operation at the RPC server caused a division by zero.
A floating-point operation at the RPC server caused a division by zero.
A null context handle was passed from the client to the host during a remote procedure call.
A null context handle was passed from the client to the host during a remote procedure call.
The binding handles passed to a remote procedure call do not match.
The binding handles passed to a remote procedure call do not match.
A null reference pointer was passed to the stub.
A null reference pointer was passed to the stub.
The supplied user buffer is not valid for the requested operation.
The supplied user buffer is not valid for the requested operation.
The specified port is unknown.
The specified port is unknown.
The requested authentication level is not supported.
The requested authentication level is not supported.
The error specified is not a valid Windows RPC error code.
The error specified is not a valid Windows RPC error code.
Invalid operation on the encoding/decoding handle.
Invalid operation on the encoding/decoding handle.
The RPC pipe object is invalid or corrupted.
The RPC pipe object is invalid or corrupted.
An invalid operation was attempted on an RPC pipe object.
An invalid operation was attempted on an RPC pipe object.
Unsupported RPC pipe version.
Unsupported RPC pipe version.
The user's password must be changed before logging on the first time.
The user's password must be changed before logging on the first time.
The object exporter specified was not found.
The object exporter specified was not found.
Invalid asynchronous RPC call handle for this operation.
Invalid asynchronous RPC call handle for this operation.
The RPC pipe object has already been closed.
The RPC pipe object has already been closed.
The RPC call completed before all pipes were processed.
The RPC call completed before all pipes were processed.
No more data is available from the RPC pipe.
No more data is available from the RPC pipe.
Not all object UUIDs could be exported to the specified entry.
Not all object UUIDs could be exported to the specified entry.
Interface could not be exported to the specified entry.
Interface could not be exported to the specified entry.
The window style or class attribute is invalid for this operation.
The window style or class attribute is invalid for this operation.
The requested metafile operation is not supported.
The requested metafile operation is not supported.
The requested transformation operation is not supported.
The requested transformation operation is not supported.
The requested clipping operation is not supported.
The requested clipping operation is not supported.
The network connection was made successfully, but the user had to be prompted for a password other than the one originally specified.
The network connection was made successfully, but the user had to be prompted for a password other than the one originally specified.
The requested operation is not allowed when there are jobs queued to the printer.
The requested operation is not allowed when there are jobs queued to the printer.
The requested operation is successful. Changes will not be effective until the system is rebooted.
The requested operation is successful. Changes will not be effective until the system is rebooted.
The requested operation is successful. Changes will not be effective until the service is restarted.
The requested operation is successful. Changes will not be effective until the service is restarted.
The importation from the file failed.
The importation from the file failed.
The GUID passed was not recognized as valid by a WMI data provider.
The GUID passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The data item ID passed was not recognized as valid by a WMI data provider.
The data item ID passed was not recognized as valid by a WMI data provider.
The medium currently exists in an offline library and must be online to perform this operation.
The medium currently exists in an offline library and must be online to perform this operation.
The operation cannot be performed on an offline library.
The operation cannot be performed on an offline library.
The library, drive, or media pool must be empty to perform this operation.
The library, drive, or media pool must be empty to perform this operation.
A resource required for this operation is disabled.
A resource required for this operation is disabled.
The drive cannot be cleaned or does not support cleaning.
The drive cannot be cleaned or does not support cleaning.
The resource required for this operation does not exist.
The resource required for this operation does not exist.
The operation identifier is not valid.
The operation identifier is not valid.
The operator or administrator has refused the request.
The operator or administrator has refused the request.
The transport cannot access the medium.
The transport cannot access the medium.
Unable to retrieve status about the transport.
Unable to retrieve status about the transport.
Cannot use the transport because it is already in use.
Cannot use the transport because it is already in use.
Unable to open or close the inject/eject port.
Unable to open or close the inject/eject port.
The media type cannot be removed from this library since at least one drive in the library reports it can support this media type.
The media type cannot be removed from this library since at least one drive in the library reports it can support this media type.
The remote storage service is not operational at this time.
The remote storage service is not operational at this time.
A cluster node is not available for this operation.
A cluster node is not available for this operation.
The operation could not be completed because the cluster group is not online.
The operation could not be completed because the cluster group is not online.
The operation could not be completed because the cluster resource is online.
The operation could not be completed because the cluster resource is online.
The group or resource is not in the correct state to perform the requested operation.
The group or resource is not in the correct state to perform the requested operation.
A cluster network is not available for this operation.
A cluster network is not available for this operation.
All cluster nodes must be running to perform this operation.
All cluster nodes must be running to perform this operation.
A node is in the process of joining the cluster.
A node is in the process of joining the cluster.
A cluster join operation is not in progress.
A cluster join operation is not in progress.
This operation cannot be performed on the cluster resource as it the quorum resource. You may not bring the quorum resource offline or modify its possible owners list.
This operation cannot be performed on the cluster resource as it the quorum resource. You may not bring the quorum resource offline or modify its possible owners list.
The cluster node is not ready to perform the requested operation.
The cluster node is not ready to perform the requested operation.
The cluster join operation was aborted.
The cluster join operation was aborted.
The cluster join operation failed due to incompatible software versions between the joining node and its sponsor.
The cluster join operation failed due to incompatible software versions between the joining node and its sponsor.
The system configuration changed during the cluster join or form operation. The join or form operation was aborted.
The system configuration changed during the cluster join or form operation. The join or form operation was aborted.
The specified node does not support a resource of this type. This may be due to version inconsistencies or due to the absence of the resource DLL on this node.
The specified node does not support a resource of this type. This may be due to version inconsistencies or due to the absence of the resource DLL on this node.
The specified resource name is not supported by this resource DLL. This may be due to a bad (or changed) name supplied to the resource DLL.
The specified resource name is not supported by this resource DLL. This may be due to a bad (or changed) name supplied to the resource DLL.
The join operation failed because the cluster database sequence number has changed or is incompatible with the locker node. This may happen during a join operation if the cluster database was changing during the join.
The join operation failed because the cluster database sequence number has changed or is incompatible with the locker node. This may happen during a join operation if the cluster database was changing during the join.
The resource monitor will not allow the fail operation to be performed while the resource is in its current state. This may happen if the resource is in a pending state.
The resource monitor will not allow the fail operation to be performed while the resource is in its current state. This may happen if the resource is in a pending state.
An operation was attempted that is incompatible with the current membership state of the node.
An operation was attempted that is incompatible with the current membership state of the node.
The join operation failed because the cluster instance ID of the joining node does not match the cluster instance ID of the sponsor node.
The join operation failed because the cluster instance ID of the joining node does not match the cluster instance ID of the sponsor node.
This computer cannot be made a member of a cluster because it does not have the correct version of Windows installed.
This computer cannot be made a member of a cluster because it does not have the correct version of Windows installed.
There are no EFS keys defined for the user.
There are no EFS keys defined for the user.
The specified file is not in the defined EFS export format.
The specified file is not in the defined EFS export format.
The server is not trusted for remote encryption operation.
The server is not trusted for remote encryption operation.
Recovery policy configured for this system contains invalid recovery certificate.
Recovery policy configured for this system contains invalid recovery certificate.
The encryption algorithm used on the source file needs a bigger key buffer than the one on the destination file.
The encryption algorithm used on the source file needs a bigger key buffer than the one on the destination file.
The disk partition does not support file encryption.
The disk partition does not support file encryption.
A registry key for event logging could not be created for this session.
A registry key for event logging could not be created for this session.
A close operation is pending on the session.
A close operation is pending on the session.
The MODEM.INF file was not found.
The MODEM.INF file was not found.
The modem name was not found in MODEM.INF.
The modem name was not found in MODEM.INF.
Transport driver error
Transport driver error
The requested operation cannot be completed because the terminal connection is currently busy processing a connect, disconnect, reset, or delete operation.
The requested operation cannot be completed because the terminal connection is currently busy processing a connect, disconnect, reset, or delete operation.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
DOS graphics mode is not supported.
DOS graphics mode is not supported.
The requested operation can be performed only on the system console.
The requested operation can be performed only on the system console.
Disconnecting the console session is not supported.
Disconnecting the console session is not supported.
Reconnecting a disconnected session to the console is not supported.
Reconnecting a disconnected session to the console is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The directory service can perform the requested operation only on a leaf object.
The directory service can perform the requested operation only on a leaf object.
The directory service cannot perform the requested operation on the RDN attribute of an object.
The directory service cannot perform the requested operation on the RDN attribute of an object.
The requested cross-domain move operation could not be performed.
The requested cross-domain move operation could not be performed.
An operations error occurred.
An operations error occurred.
The requested authentication method is not supported by the server.
The requested authentication method is not supported by the server.
The server does not support the requested critical extension.
The server does not support the requested critical extension.
The operation affects multiple DSAs
The operation affects multiple DSAs
The server is not operational.
The server is not operational.
The specified method is not supported.
The specified method is not supported.
The specified control is not supported by the server.
The specified control is not supported by the server.
The add replica operation cannot be performed. The naming context must be writable in order to create the replica.
The add replica operation cannot be performed. The naming context must be writable in order to create the replica.
The attribute specified in the operation is not present on the object.
The attribute specified in the operation is not present on the object.
Illegal modify operation. Some aspect of the modification is not permitted.
Illegal modify operation. Some aspect of the modification is not permitted.
The operation must be performed at a master DSA.
The operation must be performed at a master DSA.
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The operation cannot be performed because child objects exist. This operation can only be performed on a leaf object.
The operation cannot be performed because child objects exist. This operation can only be performed on a leaf object.
The operation is out of scope.
The operation is out of scope.
The operation cannot continue because the object is in the process of being removed.
The operation cannot continue because the object is in the process of being removed.
The operation can only be performed on an internal master DSA object.
The operation can only be performed on an internal master DSA object.
Insufficient access rights to perform the operation.
Insufficient access rights to perform the operation.
The operation cannot be performed on a back link.
The operation cannot be performed on a back link.
The operation could not be performed because the directory service is shutting down.
The operation could not be performed because the directory service is shutting down.
The requested FSMO operation failed. The current FSMO holder could not be contacted.
The requested FSMO operation failed. The current FSMO holder could not be contacted.
Subtree notifications are only supported on NC heads.
Subtree notifications are only supported on NC heads.
The requested delete operation could not be performed.
The requested delete operation could not be performed.
The global catalog verification failed. The global catalog is not available or does not support the operation. Some part of the directory is currently not available.
The global catalog verification failed. The global catalog is not available or does not support the operation. Some part of the directory is currently not available.
The replication operation failed because of a schema mismatch between the servers involved.
The replication operation failed because of a schema mismatch between the servers involved.
The operation cannot replace the hidden record.
The operation cannot replace the hidden record.
This directory server is shutting down, and cannot take ownership of new floating single-master operation roles.
This directory server is shutting down, and cannot take ownership of new floating single-master operation roles.
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
The directory service was unable to transfer ownership of one or more floating single-master operation roles to other servers.
The directory service was unable to transfer ownership of one or more floating single-master operation roles to other servers.
The replication operation failed.
The replication operation failed.
An invalid parameter was specified for this replication operation.
An invalid parameter was specified for this replication operation.
The directory service is too busy to complete the replication operation at this time.
The directory service is too busy to complete the replication operation at this time.
The distinguished name specified for this replication operation is invalid.
The distinguished name specified for this replication operation is invalid.
The naming context specified for this replication operation is invalid.
The naming context specified for this replication operation is invalid.
The distinguished name specified for this replication operation already exists.
The distinguished name specified for this replication operation already exists.
The replication operation encountered a database inconsistency.
The replication operation encountered a database inconsistency.
The server specified for this replication operation could not be contacted.
The server specified for this replication operation could not be contacted.
The replication operation encountered an object with an invalid instance type.
The replication operation encountered an object with an invalid instance type.
The replication operation failed to allocate memory.
The replication operation failed to allocate memory.
The replication operation encountered an error with the mail system.
The replication operation encountered an error with the mail system.
The replication operation encountered a database error.
The replication operation encountered a database error.
The requested operation is not supported by this version of the directory service.
The requested operation is not supported by this version of the directory service.
The replication operation failed due to a collision of object names.
The replication operation failed due to a collision of object names.
The replication operation failed because a required parent object is missing.
The replication operation failed because a required parent object is missing.
The replication operation was preempted.
The replication operation was preempted.
The replication operation was terminated because the system is shutting down.
The replication operation was terminated because the system is shutting down.
The server specified for this replication operation was contacted, but that server was unable to contact an additional server needed to complete the operation.
The server specified for this replication operation was contacted, but that server was unable to contact an additional server needed to complete the operation.
The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer. You must upgrade the operating system on a domain controller in the source forest before this computer can be added as a domain controller to that forest.
The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer. You must upgrade the operating system on a domain controller in the source forest before this computer can be added as a domain controller to that forest.
The requested operation requires a directory service, and none was available.
The requested operation requires a directory service, and none was available.
The requested search operation is only supported for base searches.
The requested search operation is only supported for base searches.
The schema update operation tried to add a backward link attribute that has no corresponding forward link.
The schema update operation tried to add a backward link attribute that has no corresponding forward link.
Source and destination for the cross-domain move operation are identical. Caller should use local move operation instead of cross-domain move operation.
Source and destination for the cross-domain move operation are identical. Caller should use local move operation instead of cross-domain move operation.
Another operation which requires exclusive access to the PDC FSMO is already in progress.
Another operation which requires exclusive access to the PDC FSMO is already in progress.
A cross-domain move operation failed such that two versions of the moved object exist - one each in the source and destination domains. The destination object needs to be removed to restore the system to a consistent state.
A cross-domain move operation failed such that two versions of the moved object exist - one each in the source and destination domains. The destination object needs to be removed to restore the system to a consistent state.
The directory cannot validate the proposed naming context name because it does not hold a replica of the naming context above the proposed naming context. Please ensure that the domain naming master role is held by a server that is configured as a global catalog server, and that the server is up to date with its replication partners. (Applies only to Windows 2000 Domain Naming masters)
The directory cannot validate the proposed naming context name because it does not hold a replica of the naming context above the proposed naming context. Please ensure that the domain naming master role is held by a server that is configured as a global catalog server, and that the server is up to date with its replication partners. (Applies only to Windows 2000 Domain Naming masters)
The operation can not be performed because the server does not have an infrastructure container in the domain of interest.
The operation can not be performed because the server does not have an infrastructure container in the domain of interest.
The replica/child install failed to read the objectVersion attribute in the SCHEMA section of the file schema.ini in the system32 directory.
The replica/child install failed to read the objectVersion attribute in the SCHEMA section of the file schema.ini in the system32 directory.
Only DSAs configured to be Global Catalog servers should be allowed to hold the Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
Only DSAs configured to be Global Catalog servers should be allowed to hold the Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
The DSA operation is unable to proceed because of a DNS lookup failure.
The DSA operation is unable to proceed because of a DNS lookup failure.
The object requested was not found, but an object with that key was found.
The object requested was not found, but an object with that key was found.
The syntax of the linked attribute being added is incorrect. Forward links can only have syntax 2.5.5.1, 2.5.5.7, and 2.5.5.14, and backlinks can only have syntax 2.5.5.1
The syntax of the linked attribute being added is incorrect. Forward links can only have syntax 2.5.5.1, 2.5.5.7, and 2.5.5.14, and backlinks can only have syntax 2.5.5.1
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot key from floppy disk.
Security Account Manager needs to get the boot key from floppy disk.
The operation requires that destination domain auditing be enabled.
The operation requires that destination domain auditing be enabled.
The operation couldn't locate a DC for the source domain.
The operation couldn't locate a DC for the source domain.
The replication operation could not be completed due to a schema incompatibility.
The replication operation could not be completed due to a schema incompatibility.
The replication operation could not be completed due to a previous schema incompatibility.
The replication operation could not be completed due to a previous schema incompatibility.
The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.
The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.
The requested operation can be performed only on a global catalog server.
The requested operation can be performed only on a global catalog server.
The operation requires that source domain auditing be enabled.
The operation requires that source domain auditing be enabled.
A Filter was passed that uses constructed attributes.
A Filter was passed that uses constructed attributes.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
For security reasons, the operation must be run on the destination DC.
For security reasons, the operation must be run on the destination DC.
Critical Directory Service System objects cannot be deleted during tree delete operations. The tree delete may have been partially performed.
Critical Directory Service System objects cannot be deleted during tree delete operations. The tree delete may have been partially performed.
This version of Windows is too old to support the current directory forest behavior. You must upgrade the operating system on this server before it can become a domain controller in this forest.
This version of Windows is too old to support the current directory forest behavior. You must upgrade the operating system on this server before it can become a domain controller in this forest.
This version of Windows is too old to support the current domain behavior. You must upgrade the operating system on this server before it can become a domain controller in this domain.
This version of Windows is too old to support the current domain behavior. You must upgrade the operating system on this server before it can become a domain controller in this domain.
This version of Windows no longer supports the behavior version in use in this directory forest. You must advance the forest behavior version before this server can become a domain controller in the forest.
This version of Windows no longer supports the behavior version in use in this directory forest. You must advance the forest behavior version before this server can become a domain controller in the forest.
This version of Windows no longer supports the behavior version in use in this domain. You must advance the domain behavior version before this server can become a domain controller in the domain.
This version of Windows no longer supports the behavior version in use in this domain. You must advance the domain behavior version before this server can become a domain controller in the domain.
The version of Windows is incompatible with the behavior version of the domain or forest.
The version of Windows is incompatible with the behavior version of the domain or forest.
The sort order requested is not supported.
The sort order requested is not supported.
Unable to continue operation because multiple conflicting controls were used.
Unable to continue operation because multiple conflicting controls were used.
Rename or move operations on naming context heads or read-only objects are not allowed.
Rename or move operations on naming context heads or read-only objects are not allowed.
Move operations on objects in the schema naming context are not allowed.
Move operations on objects in the schema naming context are not allowed.
The requested action is not supported on standard server.
The requested action is not supported on standard server.
The directory service cannot perform the requested operation because the servers
The directory service cannot perform the requested operation because the servers
Operation not allowed on a disabled cross ref.
Operation not allowed on a disabled cross ref.
Schema update failed: Duplicate msDS-INtId. Retry the operation.
Schema update failed: Duplicate msDS-INtId. Retry the operation.
The remote create cross reference operation failed on the Domain Naming Master FSMO. The operation's error is in the extended data.
The remote create cross reference operation failed on the Domain Naming Master FSMO. The operation's error is in the extended data.
DNS request not supported by name server.
DNS request not supported by name server.
DNS operation refused.
DNS operation refused.
DNS bad key.
DNS bad key.
Try DNS operation again later.
Try DNS operation again later.
The operation requested is not permitted on a DNS root server.
The operation requested is not permitted on a DNS root server.
Invalid operation for DNS zone.
Invalid operation for DNS zone.
The operation cannot be performed because this zone is shutdown.
The operation cannot be performed because this zone is shutdown.
TCP/IP network protocol not installed.
TCP/IP network protocol not installed.
A blocking operation was interrupted by a call to WSACancelBlockingCall.
A blocking operation was interrupted by a call to WSACancelBlockingCall.
A non-blocking socket operation could not be completed immediately.
A non-blocking socket operation could not be completed immediately.
A blocking operation is currently executing.
A blocking operation is currently executing.
An operation was attempted on a non-blocking socket that already had an operation in progress.
An operation was attempted on a non-blocking socket that already had an operation in progress.
An operation was attempted on something that is not a socket.
An operation was attempted on something that is not a socket.
A required address was omitted from an operation on a socket.
A required address was omitted from an operation on a socket.
A protocol was specified in the socket function call that does not support the semantics of the socket type requested.
A protocol was specified in the socket function call that does not support the semantics of the socket type requested.
An unknown, invalid, or unsupported option or level was specified in a getsockopt or setsockopt call.
An unknown, invalid, or unsupported option or level was specified in a getsockopt or setsockopt call.
The support for the specified socket type does not exist in this address family.
The support for the specified socket type does not exist in this address family.
The attempted operation is not supported for the type of object referenced.
The attempted operation is not supported for the type of object referenced.
Only one usage of each socket address (protocol/network address/port) is normally permitted.
Only one usage of each socket address (protocol/network address/port) is normally permitted.
A socket operation encountered a dead network.
A socket operation encountered a dead network.
A socket operation was attempted to an unreachable network.
A socket operation was attempted to an unreachable network.
The connection has been broken due to keep-alive activity detecting a failure while the operation was in progress.
The connection has been broken due to keep-alive activity detecting a failure while the operation was in progress.
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
A socket operation failed because the destination host was down.
A socket operation failed because the destination host was down.
A socket operation was attempted to an unreachable host.
A socket operation was attempted to an unreachable host.
A Windows Sockets implementation may have a limit on the number of applications that may use it simultaneously.
A Windows Sockets implementation may have a limit on the number of applications that may use it simultaneously.
The Windows Sockets version requested is not supported.
The Windows Sockets version requested is not supported.
The specified transport mode filter already exists.
The specified transport mode filter already exists.
The specified transport mode filter does not exist.
The specified transport mode filter does not exist.
The requested lookup key was not found in any active activation context.
The requested lookup key was not found in any active activation context.
The transport filter is pending deletion.
The transport filter is pending deletion.
IKE failed to find valid machine certificate
IKE failed to find valid machine certificate
Certificate Revocation Check failed
Certificate Revocation Check failed
Invalid certificate key usage
Invalid certificate key usage
Invalid certificate type
Invalid certificate type
No private key associated with machine certificate
No private key associated with machine certificate
Peer's certificate did not have a public key
Peer's certificate did not have a public key
Error processing Cert payload
Error processing Cert payload
Error processing Certificate Request payload
Error processing Certificate Request payload
Peer failed to send valid machine certificate
Peer failed to send valid machine certificate
Certification Revocation check of peer's certificate failed
Certification Revocation check of peer's certificate failed
Failed to load SECURITY.DLL.
Failed to load SECURITY.DLL.
Unsupported ID
Unsupported ID
Invalid certificate signature
Invalid certificate signature
The lifetime value received in the Responder Lifetime Notify is below the Windows 2000 configured minimum value. Please fix the policy on the peer machine.
The lifetime value received in the Responder Lifetime Notify is below the Windows 2000 configured minimum value. Please fix the policy on the peer machine.
Key length in certificate is too small for configured security requirements.
Key length in certificate is too small for configured security requirements.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
Manifest Parse Error : System does not support the specified encoding.
Manifest Parse Error : System does not support the specified encoding.
Manifest Parse Error : Switch from current encoding to specified encoding not supported.
Manifest Parse Error : Switch from current encoding to specified encoding not supported.
Assembly Protection Error : The public key for an assembly was too short to be allowed.
Assembly Protection Error : The public key for an assembly was too short to be allowed.
The storage operation should block until more data is available.
The storage operation should block until more data is available.
The storage operation should retry immediately.
The storage operation should retry immediately.
The notified event sink will not influence the storage operation.
The notified event sink will not influence the storage operation.
Drag-drop operation canceled
Drag-drop operation canceled
FORMATETC not supported
FORMATETC not supported
Invalid window handle passed
Invalid window handle passed
An asynchronous operation was specified. The operation has begun, but its outcome is not known yet.
An asynchronous operation was specified. The operation has begun, but its outcome is not known yet.
The transaction was successfully aborted. However, this is a coordinated transaction, and some number of enlisted resources were aborted outright because they could not support abort-retaining semantics
The transaction was successfully aborted. However, this is a coordinated transaction, and some number of enlisted resources were aborted outright because they could not support abort-retaining semantics
An abort operation was already in progress.
An abort operation was already in progress.
No such interface supported
No such interface supported
Operation aborted
Operation aborted
The data necessary to complete this operation is not yet available.
The data necessary to complete this operation is not yet available.
Use of Ole1 services requiring DDE windows is disabled
Use of Ole1 services requiring DDE windows is disabled
The server process could not be started because the configured identity is incorrect. Check the username and password.
The server process could not be started because the configured identity is incorrect. Check the username and password.
The operation attempted is not supported.
The operation attempted is not supported.
Unable to complete the call since there is no COM security context inside IObjectControl.Activate.
Unable to complete the call since there is no COM security context inside IObjectControl.Activate.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call may have executed.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call may have executed.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call did not execute.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call did not execute.
Impersonate on unsecure calls is not supported.
Impersonate on unsecure calls is not supported.
Unable to obtain the Windows directory
Unable to obtain the Windows directory
The version of ACL format in the stream is not supported by this implementation of IAccessControl
The version of ACL format in the stream is not supported by this implementation of IAccessControl
Does not support a collection.
Does not support a collection.
Wrong module kind for the operation.
Wrong module kind for the operation.
Unable to perform requested operation.
Unable to perform requested operation.
Attempted an operation on an invalid object.
Attempted an operation on an invalid object.
There is insufficient memory available to complete operation.
There is insufficient memory available to complete operation.
An error occurred during a seek operation.
An error occurred during a seek operation.
A disk error occurred during a write operation.
A disk error occurred during a write operation.
A disk error occurred during a read operation.
A disk error occurred during a read operation.
There is insufficient disk space to complete operation.
There is insufficient disk space to complete operation.
Share.exe or equivalent is required for operation.
Share.exe or equivalent is required for operation.
Illegal operation called on non-file based storage.
Illegal operation called on non-file based storage.
Illegal operation called on object with extant marshallings.
Illegal operation called on object with extant marshallings.
OLE32.DLL has been loaded at the wrong address.
OLE32.DLL has been loaded at the wrong address.
Copy Protection Error - The given sector does not have a valid CSS key.
Copy Protection Error - The given sector does not have a valid CSS key.
Copy Protection Error - DVD session key not established.
Copy Protection Error - DVD session key not established.
Need to run the object to perform this operation
Need to run the object to perform this operation
There is no cache to operate on
There is no cache to operate on
Object is static; operation not allowed
Object is static; operation not allowed
compobj.dll is too old for the ole2.dll initialized
compobj.dll is too old for the ole2.dll initialized
Not able to perform the operation because object is not given storage yet
Not able to perform the operation because object is not given storage yet
Object doesn't support IViewObject interface
Object doesn't support IViewObject interface
Class does not support aggregation (or class object is remote)
Class does not support aggregation (or class object is remote)
Could not read key from registry
Could not read key from registry
Could not write key to registry
Could not write key to registry
Could not find the key in the registry
Could not find the key in the registry
A network error interrupted the operation.
A network error interrupted the operation.
There was an error in a Windows GDI call while converting the bitmap to a DIB
There was an error in a Windows GDI call while converting the bitmap to a DIB
There was an error in a Windows GDI call while converting the DIB to a bitmap.
There was an error in a Windows GDI call while converting the DIB to a bitmap.
Operation exceeded deadline
Operation exceeded deadline
Operation unavailable
Operation unavailable
Intermediate operation failed
Intermediate operation failed
User input required for operation to succeed
User input required for operation to succeed
COM is required for this operation, but is not installed
COM is required for this operation, but is not installed
Task Scheduler security services are available only on Windows NT.
Task Scheduler security services are available only on Windows NT.
The task object version is either unsupported or invalid.
The task object version is either unsupported or invalid.
The task has been configured with an unsupported combination of account settings and run time options.
The task has been configured with an unsupported combination of account settings and run time options.
A retaining commit or abort is not supported
A retaining commit or abort is not supported
The requested isolation level is not valid or supported.
The requested isolation level is not valid or supported.
The transaction manager doesn't support an asynchronous operation for this method.
The transaction manager doesn't support an asynchronous operation for this method.
The requested semantics of retention of isolation across retaining commit and abort boundaries cannot be supported by this transaction implementation, or isoFlags was not equal to zero.
The requested semantics of retention of isolation across retaining commit and abort boundaries cannot be supported by this transaction implementation, or isoFlags was not equal to zero.
An import object for the transaction could not be found.
An import object for the transaction could not be found.
A time-out was specified, but time-outs are not supported.
A time-out was specified, but time-outs are not supported.
The requested operation is already in progress for the transaction.
The requested operation is already in progress for the transaction.
The Transaction Manager has disabled its support for TIP.
The Transaction Manager has disabled its support for TIP.
The transaction manager has disabled its support for remote/network transactions.
The transaction manager has disabled its support for remote/network transactions.
The partner transaction manager has disabled its support for remote/network transactions.
The partner transaction manager has disabled its support for remote/network transactions.
The transaction manager has disabled its support for XA transactions.
The transaction manager has disabled its support for XA transactions.
The requested operation requires that JIT be in the current context and it is not
The requested operation requires that JIT be in the current context and it is not
The requested operation requires that the current context have a Transaction, and it does not
The requested operation requires that the current context have a Transaction, and it does not
Server execution failed
Server execution failed
Bad Key.
Bad Key.
Key not valid for use in specified state.
Key not valid for use in specified state.
Key does not exist.
Key does not exist.
Insufficient memory available for the operation.
Insufficient memory available for the operation.
Provider's public key is invalid.
Provider's public key is invalid.
Keyset does not exist
Keyset does not exist
The keyset is not defined.
The keyset is not defined.
Keyset as registered is invalid.
Keyset as registered is invalid.
The Keyset parameter is invalid.
The Keyset parameter is invalid.
The key parameters could not be set because the CSP uses fixed parameters.
The key parameters could not be set because the CSP uses fixed parameters.
The function requested is not supported
The function requested is not supported
The per-message Quality of Protection is not supported by the security package
The per-message Quality of Protection is not supported by the security package
The certificate chain was issued by an authority that is not trusted.
The certificate chain was issued by an authority that is not trusted.
An unknown error occurred while processing the certificate.
An unknown error occurred while processing the certificate.
The received certificate has expired.
The received certificate has expired.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The client cert name does not matches the user name or the KDC name is incorrect.
The client cert name does not matches the user name or the KDC name is incorrect.
The encryption type requested is not supported by the KDC.
The encryption type requested is not supported by the KDC.
An unsupported preauthentication mechanism was presented to the kerberos package.
An unsupported preauthentication mechanism was presented to the kerberos package.
The requested operation requires delegation to be enabled on the machine.
The requested operation requires delegation to be enabled on the machine.
The received certificate was mapped to multiple accounts.
The received certificate was mapped to multiple accounts.
SEC_E_NO_KERB_KEY
SEC_E_NO_KERB_KEY
An error occurred while performing an operation on a cryptographic message.
An error occurred while performing an operation on a cryptographic message.
The streamed cryptographic message requires more data to complete the decode operation.
The streamed cryptographic message requires more data to complete the decode operation.
An error occurred during encode or decode operation.
An error occurred during encode or decode operation.
The specified certificate is self signed.
The specified certificate is self signed.
The previous certificate or CRL context was deleted.
The previous certificate or CRL context was deleted.
The certificate does not have a property that references a private key.
The certificate does not have a property that references a private key.
Cannot find the certificate and private key for decryption.
Cannot find the certificate and private key for decryption.
Cannot find the certificate and private key to use for decryption.
Cannot find the certificate and private key to use for decryption.
The certificate is revoked.
The certificate is revoked.
No Dll or exported function was found to verify revocation.
No Dll or exported function was found to verify revocation.
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation for the certificate.
The certificate is not in the revocation server's database.
The certificate is not in the revocation server's database.
The string contains an invalid X500 name attribute key, oid, value or delimiter.
The string contains an invalid X500 name attribute key, oid, value or delimiter.
The dwValueType for the CERT_NAME_VALUE is not one of the character strings. Most likely it is either a CERT_RDN_ENCODED_BLOB or CERT_TDN_OCTED_STRING.
The dwValueType for the CERT_NAME_VALUE is not one of the character strings. Most likely it is either a CERT_RDN_ENCODED_BLOB or CERT_TDN_OCTED_STRING.
The Put operation can not continue. The file needs to be resized. However, there is already a signature present. A complete signing operation must be done.
The Put operation can not continue. The file needs to be resized. However, there is already a signature present. A complete signing operation must be done.
The cryptographic operation failed due to a local security option setting.
The cryptographic operation failed due to a local security option setting.
No DLL or exported function was found to verify subject usage.
No DLL or exported function was found to verify subject usage.
The subject was not found in a Certificate Trust List (CTL).
The subject was not found in a Certificate Trust List (CTL).
None of the signers of the cryptographic message or certificate trust list is trusted.
None of the signers of the cryptographic message or certificate trust list is trusted.
The public key's algorithm parameters are missing.
The public key's algorithm parameters are missing.
OSS Certificate encode/decode error code base
OSS Certificate encode/decode error code base
OSS ASN.1 Error: Unsupported BER indefinite-length encoding.
OSS ASN.1 Error: Unsupported BER indefinite-length encoding.
ASN1 Certificate encode/decode error code base.
ASN1 Certificate encode/decode error code base.
ASN1 function not supported for this PDU.
ASN1 function not supported for this PDU.
The request's current status does not allow this operation.
The request's current status does not allow this operation.
The certification authority's certificate contains invalid data.
The certification authority's certificate contains invalid data.
Certificate service has been suspended for a database restore operation.
Certificate service has been suspended for a database restore operation.
The certificate contains an encoded length that is potentially incompatible with older enrollment software.
The certificate contains an encoded length that is potentially incompatible with older enrollment software.
The operation is denied. The user has multiple roles assigned and the certification authority is configured to enforce role separation.
The operation is denied. The user has multiple roles assigned and the certification authority is configured to enforce role separation.
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.
Cannot archive private key. The certification authority is not configured for key archival.
Cannot archive private key. The certification authority is not configured for key archival.
Cannot archive private key. The certification authority could not verify one or more key recovery certificates.
Cannot archive private key. The certification authority could not verify one or more key recovery certificates.
The request is incorrectly formatted. The encrypted private key must be in an unauthenticated attribute in an outermost signature.
The request is incorrectly formatted. The encrypted private key must be in an unauthenticated attribute in an outermost signature.
The request contains an invalid renewal certificate attribute.
The request contains an invalid renewal certificate attribute.
An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.
An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.
The permissions on this certification authority do not allow the current user to enroll for certificates.
The permissions on this certification authority do not allow the current user to enroll for certificates.
The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
The requested certificate template is not supported by this CA.
The requested certificate template is not supported by this CA.
The request contains no certificate template information.
The request contains no certificate template information.
The request is missing a required private key for archival by the server.
The request is missing a required private key for archival by the server.
The request was made on behalf of a subject other than the caller. The certificate template must be configured to require at least one signature to authorize the request.
The request was made on behalf of a subject other than the caller. The certificate template must be configured to require at least one signature to authorize the request.
The request template version is newer than the supported template version.
The request template version is newer than the supported template version.
The request includes a private key for archival by the server, but key archival is not enabled for the specified certificate template.
The request includes a private key for archival by the server, but key archival is not enabled for the specified certificate template.
The public key does not meet the minimum size required by the specified certificate template.
The public key does not meet the minimum size required by the specified certificate template.
The key is not exportable.
The key is not exportable.
You cannot add the root CA certificate into your local store.
You cannot add the root CA certificate into your local store.
The key archival hash attribute was not found in the response.
The key archival hash attribute was not found in the response.
An unexpetced key archival hash attribute was found in the response.
An unexpetced key archival hash attribute was found in the response.
There is a key archival hash mismatch between the request and the response.
There is a key archival hash mismatch between the request and the response.
Signing certificate cannot include SMIME extension.
Signing certificate cannot include SMIME extension.
The certificate for the signer of the message is invalid or not found.
The certificate for the signer of the message is invalid or not found.
The signature of the certificate can not be verified.
The signature of the certificate can not be verified.
The timestamp signature and/or certificate could not be verified or is malformed.
The timestamp signature and/or certificate could not be verified or is malformed.
A certificate's basic constraint extension has not been observed.
A certificate's basic constraint extension has not been observed.
The certificate does not meet or contain the Authenticode financial extensions.
The certificate does not meet or contain the Authenticode financial extensions.
The file did not pass the hints check.
The file did not pass the hints check.
Failed on a file operation (open, map, read, write).
Failed on a file operation (open, map, read, write).
The trust verification action specified is not supported by the specified trust provider.
The trust verification action specified is not supported by the specified trust provider.
The form specified for the subject is not one supported or known by the specified trust provider.
The form specified for the subject is not one supported or known by the specified trust provider.
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
The validity periods of the certification chain do not nest correctly.
The validity periods of the certification chain do not nest correctly.
A certificate that can only be used as an end-entity is being used as a CA or visa versa.
A certificate that can only be used as an end-entity is being used as a CA or visa versa.
A path length constraint in the certification chain has been violated.
A path length constraint in the certification chain has been violated.
A certificate contains an unknown extension that is marked 'critical'.
A certificate contains an unknown extension that is marked 'critical'.
A certificate being used for a purpose other than the ones specified by its CA.
A certificate being used for a purpose other than the ones specified by its CA.
A parent of a given certificate in fact did not issue that child certificate.
A parent of a given certificate in fact did not issue that child certificate.
A certificate is missing or has an empty value for an important field, such as a subject or issuer name.
A certificate is missing or has an empty value for an important field, such as a subject or issuer name.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
An internal certificate chaining error has occurred.
An internal certificate chaining error has occurred.
A certificate was explicitly revoked by its issuer.
A certificate was explicitly revoked by its issuer.
The certification path terminates with the test root which is not trusted with the current policy settings.
The certification path terminates with the test root which is not trusted with the current policy settings.
The revocation process could not continue - the certificate(s) could not be checked.
The revocation process could not continue - the certificate(s) could not be checked.
The certificate's CN name does not match the passed value.
The certificate's CN name does not match the passed value.
The certificate is not valid for the requested usage.
The certificate is not valid for the requested usage.
The certificate was explicitly marked as untrusted by the user.
The certificate was explicitly marked as untrusted by the user.
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
The certificate has invalid policy.
The certificate has invalid policy.
The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.
The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.
The requested device registry key does not exist.
The requested device registry key does not exist.
The operation cannot be performed on a device information element that has not been registered.
The operation cannot be performed on a device information element that has not been registered.
The operation does not require any files to be copied.
The operation does not require any files to be copied.
The operation cannot be performed because the device information set is locked.
The operation cannot be performed because the device information set is locked.
The operation cannot be performed because the device information element is locked.
The operation cannot be performed because the device information element is locked.
The operation cannot be performed because the file queue is locked.
The operation cannot be performed because the file queue is locked.
The operation cannot be performed because the device interface is currently active.
The operation cannot be performed because the device interface is currently active.
The operation cannot be performed because the device interface has been removed from the system.
The operation cannot be performed because the device interface has been removed from the system.
The driver selected for this device does not support Windows XP.
The driver selected for this device does not support Windows XP.
The driver selected for this device does not support Windows.
The driver selected for this device does not support Windows.
Operation not allowed in WOW64.
Operation not allowed in WOW64.
The operation involving unsigned file copying was rolled back, so that a system restore point could be set.
The operation involving unsigned file copying was rolled back, so that a system restore point could be set.
An INF was copied into the Windows INF directory in an improper manner.
An INF was copied into the Windows INF directory in an improper manner.
The operation requires a Smart Card, but no Smart Card is currently in the device.
The operation requires a Smart Card, but no Smart Card is currently in the device.
The operation has been aborted to allow the server application to exit.
The operation has been aborted to allow the server application to exit.
The reader driver does not meet minimal requirements for support.
The reader driver does not meet minimal requirements for support.
The smart card does not meet minimal requirements for support.
The smart card does not meet minimal requirements for support.
The requested order of object creation is not supported.
The requested order of object creation is not supported.
This smart card does not support the requested feature.
This smart card does not support the requested feature.
The requested certificate does not exist.
The requested certificate does not exist.
The requested certificate could not be obtained.
The requested certificate could not be obtained.
A communications error with the smart card has been detected. Retry the operation.
A communications error with the smart card has been detected. Retry the operation.
The requested key container does not exist on the smart card.
The requested key container does not exist on the smart card.
The identity or password set on the application is not valid
The identity or password set on the application is not valid
The DLL does not support the components listed in the TypeLib
The DLL does not support the components listed in the TypeLib
The server catalog version is not supported
The server catalog version is not supported
This operation can not be performed on the system application
This operation can not be performed on the system application
This operation is not enabled on this platform
This operation is not enabled on this platform
Application Proxy is not exportable
Application Proxy is not exportable
System application is not exportable
System application is not exportable
Can not subscribe to this component (the component may have been imported)
Can not subscribe to this component (the component may have been imported)
The partition cannot be exported, because one or more components in the partition have the same file name
The partition cannot be exported, because one or more components in the partition have the same file name
Applications that contain one or more imported components cannot be installed into a non-base partition
Applications that contain one or more imported components cannot be installed into a non-base partition
The COM Catalog Server threw an exception during execution
The COM Catalog Server threw an exception during execution
MSMQ is required for the requested operation and is not installed
MSMQ is required for the requested operation and is not installed
Unable to marshal an interface that does not support IPersistStream
Unable to marshal an interface that does not support IPersistStream
The ProgID provided to the copy operation is invalid. The ProgID is in use by another registered CLSID.
The ProgID provided to the copy operation is invalid. The ProgID is in use by another registered CLSID.
Only Application Files (*.MSI files) can be installed into partitions.
Only Application Files (*.MSI files) can be installed into partitions.
Applications containing one or more legacy components may not be exported to 1.0 format.
Applications containing one or more legacy components may not be exported to 1.0 format.
The SID filtering operation removed all SIDs.
The SID filtering operation removed all SIDs.
Windows NT BASE API Client DLL
Windows NT BASE API Client DLL
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
$$$$Guinea$Republic of Guinea)$$$$Guyana$Cooperative Republic of Guyana
$$$$Guinea$Republic of Guinea)$$$$Guyana$Cooperative Republic of Guyana
$$$$Panama$Republic of Panama $$$$Portugal$Portuguese Republic:$$$$Papua New Guinea$Independent State of Papua New Guinea
$$$$Panama$Republic of Panama $$$$Portugal$Portuguese Republic:$$$$Papua New Guinea$Independent State of Papua New Guinea
$$$$Turkey$Republic of Turkey
$$$$Turkey$Republic of Turkey
$$$860 (OEM - Portuguese)
$$$860 (OEM - Portuguese)
Portuguese (Brazil)$Brazil $$$1047 (IBM EBCDIC - Latin-1/Open System)
Portuguese (Brazil)$Brazil $$$1047 (IBM EBCDIC - Latin-1/Open System)
Turkish$Turkey
Turkish$Turkey
Portuguese (Portugal)$Portugal
Portuguese (Portugal)$Portugal
%original file name%.exe_508_rwx_00F00000_0009C000:
ADVAPI32.dll
ADVAPI32.dll
CryptDeriveKey
CryptDeriveKey
CryptDestroyKey
CryptDestroyKey
CryptDuplicateKey
CryptDuplicateKey
CryptExportKey
CryptExportKey
CryptGenKey
CryptGenKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
CryptHashSessionKey
CryptHashSessionKey
CryptImportKey
CryptImportKey
CryptSetKeyParam
CryptSetKeyParam
ElfReportEventA
ElfReportEventA
ElfReportEventW
ElfReportEventW
EncryptedFileKeyInfo
EncryptedFileKeyInfo
FreeEncryptedFileKeyInfo
FreeEncryptedFileKeyInfo
FreeEncryptionCertificateHashList
FreeEncryptionCertificateHashList
GetEventLogInformation
GetEventLogInformation
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetMultipleTrusteeOperationW
GetServiceKeyNameA
GetServiceKeyNameA
GetServiceKeyNameW
GetServiceKeyNameW
GetWindowsAccountDomainSid
GetWindowsAccountDomainSid
ImpersonateNamedPipeClient
ImpersonateNamedPipeClient
MSChapSrvChangePassword
MSChapSrvChangePassword
MSChapSrvChangePassword2
MSChapSrvChangePassword2
QueryWindows31FilesMigration
QueryWindows31FilesMigration
RegCloseKey
RegCloseKey
RegCreateKeyA
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCreateKeyW
RegDeleteKeyA
RegDeleteKeyA
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyA
RegEnumKeyA
RegEnumKeyExA
RegEnumKeyExA
RegEnumKeyExW
RegEnumKeyExW
RegEnumKeyW
RegEnumKeyW
RegFlushKey
RegFlushKey
RegGetKeySecurity
RegGetKeySecurity
RegLoadKeyA
RegLoadKeyA
RegLoadKeyW
RegLoadKeyW
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyA
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyExW
RegOpenKeyW
RegOpenKeyW
RegOverridePredefKey
RegOverridePredefKey
RegQueryInfoKeyA
RegQueryInfoKeyA
RegQueryInfoKeyW
RegQueryInfoKeyW
RegReplaceKeyA
RegReplaceKeyA
RegReplaceKeyW
RegReplaceKeyW
RegRestoreKeyA
RegRestoreKeyA
RegRestoreKeyW
RegRestoreKeyW
RegSaveKeyA
RegSaveKeyA
RegSaveKeyExA
RegSaveKeyExA
RegSaveKeyExW
RegSaveKeyExW
RegSaveKeyW
RegSaveKeyW
RegSetKeySecurity
RegSetKeySecurity
RegUnLoadKeyA
RegUnLoadKeyA
RegUnLoadKeyW
RegUnLoadKeyW
ReportEventA
ReportEventA
ReportEventW
ReportEventW
SaferiIsExecutableFileType
SaferiIsExecutableFileType
SetUserFileEncryptionKey
SetUserFileEncryptionKey
SynchronizeWindows31FilesAndWindowsNTRegistry
SynchronizeWindows31FilesAndWindowsNTRegistry
WmiExecuteMethodA
WmiExecuteMethodA
WmiExecuteMethodW
WmiExecuteMethodW
PSSSSSSh
PSSSSSSh
PSSSSSSh#
PSSSSSSh#
PSSSSSSh
PSSSSSSh
PSSSSSSh
PSSSSSSh
(PSSSSSSh
(PSSSSSSh
0PSSSSSSh
0PSSSSSSh
8PSSSSSSh
8PSSSSSSh
SSSSSSh
SSSSSSh
PSSSSSSh!
PSSSSSSh!
CPDuplicateKey
CPDuplicateKey
CPGetUserKey
CPGetUserKey
CPHashSessionKey
CPHashSessionKey
CPImportKey
CPImportKey
CPExportKey
CPExportKey
CPGetKeyParam
CPGetKeyParam
CPSetKeyParam
CPSetKeyParam
CPDestroyKey
CPDestroyKey
CPDeriveKey
CPDeriveKey
CPGenKey
CPGenKey
kernel32.dll
kernel32.dll
PSSSh
PSSSh
PSShZ
PSShZ
CloseWindowStation
CloseWindowStation
GetProcessWindowStation
GetProcessWindowStation
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
8.YYu
8.YYu
TermsrvSetKeySecurity
TermsrvSetKeySecurity
TermsrvRestoreKey
TermsrvRestoreKey
TermsrvDeleteKey
TermsrvDeleteKey
TermsrvSetValueKey
TermsrvSetValueKey
tsappcmp.dll
tsappcmp.dll
Windows Setup
Windows Setup
user32.dll
user32.dll
sndrec32.exe
sndrec32.exe
soundrec.exe
soundrec.exe
packgr32.exe
packgr32.exe
packager.exe
packager.exe
mplay32.exe
mplay32.exe
mplayer.exe
mplayer.exe
mciole16.dll
mciole16.dll
mciole.dll
mciole.dll
$Microsoft Root Certificate Authority
$Microsoft Root Certificate Authority
Windows 3.1 Migration
Windows 3.1 Migration
t%SVW)E
t%SVW)E
mpr.dll
mpr.dll
Unable to locate init routine, error = %d
Unable to locate init routine, error = %d
Unable to load client dll, error = %d
Unable to load client dll, error = %d
ldap_msgfree
ldap_msgfree
1.2.840.113556.1.4.529
1.2.840.113556.1.4.529
wldap32.dll
wldap32.dll
SamiChangePasswordUser2
SamiChangePasswordUser2
SamiChangePasswordUser
SamiChangePasswordUser
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationW
OpenWindowStationW
It.Iu
It.Iu
PSShL
PSShL
t.Ht#Ht Ht
t.Ht#Ht Ht
ShellExecuteExW
ShellExecuteExW
AccProvGetOperationResults
AccProvGetOperationResults
AccProvCancelOperation
AccProvCancelOperation
WINREG: Frame %d = 0x%x
WINREG: Frame %d = 0x%x
Frames %d
Frames %d
WINREG: Name: %S
WINREG: Name: %S
WINREG: Unable to retrieve object name error 0x%x
WINREG: Unable to retrieve object name error 0x%x
WINREG: Tracked key data for object 0x%x
WINREG: Tracked key data for object 0x%x
imagehlp.dll
imagehlp.dll
SSSSSh
SSSSSh
WINTRUST.dll
WINTRUST.dll
Secur32.dll
Secur32.dll
KERNEL32.dll
KERNEL32.dll
ntdll.dll
ntdll.dll
RPCRT4.dll
RPCRT4.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
GetSystemWindowsDirectoryW
SetNamedPipeHandleState
SetNamedPipeHandleState
GetProcessHeap
GetProcessHeap
WaitNamedPipeW
WaitNamedPipeW
NtQueryKey
NtQueryKey
NtEnumerateKey
NtEnumerateKey
RtlFormatCurrentUserKeyPath
RtlFormatCurrentUserKeyPath
NtNotifyChangeKey
NtNotifyChangeKey
NtDeleteValueKey
NtDeleteValueKey
NtEnumerateValueKey
NtEnumerateValueKey
NtDeleteKey
NtDeleteKey
NtQueryValueKey
NtQueryValueKey
NtSetValueKey
NtSetValueKey
NtOpenKey
NtOpenKey
NtCreateKey
NtCreateKey
NtFlushKey
NtFlushKey
NtLoadKey
NtLoadKey
NtUnloadKey
NtUnloadKey
NtReplaceKey
NtReplaceKey
NtNotifyChangeMultipleKeys
NtNotifyChangeMultipleKeys
NtQueryMultipleValueKey
NtQueryMultipleValueKey
NtRestoreKey
NtRestoreKey
NtSaveKey
NtSaveKey
NtSaveMergedKeys
NtSaveMergedKeys
NtSaveKeyEx
NtSaveKeyEx
advapi32.pdb
advapi32.pdb
0p.yx
0p.yx
%x~O>
%x~O>
%D$#>
%D$#>
7,7
7,7
9#:*:@:{:
9#:*:@:{:
3 3%3.3=3
3 3%3.3=3
8$9(90949@9
8$9(90949@9
1&2,263@3
1&2,263@3
:,:0:<:_:>
:,:0:<:_:>
3 3$303;3
3 3$303;3
3M4H4Z4`4e4
3M4H4Z4`4e4
3"3'333
3"3'333
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer
\Software\Policies\Microsoft\Windows\Safer
\Software\Policies\Microsoft\Windows\Safer
\UrlZones
\UrlZones
%HKEY_CURRENT_USER
%HKEY_CURRENT_USER
\PIPE\
\PIPE\
NTMARTA.DLL
NTMARTA.DLL
%SystemRoot%\
%SystemRoot%\
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%s\u
%s\u
REG.DAT
REG.DAT
Windows 3.1 Migration Status
Windows 3.1 Migration Status
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
t\\.\pipe\net\NtControlPipe
t\\.\pipe\net\NtControlPipe
lX-X-X-XX-XXXXXX
lX-X-X-XX-XXXXXX
\\.\WMIDataDevice
\\.\WMIDataDevice
Software\Microsoft\Windows\CurrentVersion\Group Policy\Appmgmt
Software\Microsoft\Windows\CurrentVersion\Group Policy\Appmgmt
nuser32.dll
nuser32.dll
msi.dll
msi.dll
\PIPE\InitShutdown
\PIPE\InitShutdown
.u
.u
system.ini
system.ini
reg.dat
reg.dat
%SystemRoot%\Debug\UserMode\appmgmt.log
%SystemRoot%\Debug\UserMode\appmgmt.log
%SystemRoot%\Debug\UserMode\appmgmt.bak
%SystemRoot%\Debug\UserMode\appmgmt.bak
%HKEY_LOCAL_MACHINE
%HKEY_LOCAL_MACHINE
%s%s%d%s%s%s%s%s%s%s{lx-x-x-xx-xxxxxx}
%s%s%d%s%s%s%s%s%s%s{lx-x-x-xx-xxxxxx}
certificate
certificate
%SystemRoot%\System32\Drivers\
%SystemRoot%\System32\Drivers\
\pipe\svcctl
\pipe\svcctl
Group%d
Group%d
ncacn_ip_tcp
ncacn_ip_tcp
UrlZones
UrlZones
DisallowExecution
DisallowExecution
iphlpapi.dll
iphlpapi.dll
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
perfh004.dat
perfh004.dat
perfc004.dat
perfc004.dat
progman.ini
progman.ini
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\Settings
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\Settings
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\UNICODE Groups
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\UNICODE Groups
Windows NT Network Provider
Windows NT Network Provider
\\.\Pipe\TerminalServer\SystemExecSrvr\%d
\\.\Pipe\TerminalServer\SystemExecSrvr\%d
W\winsta.dll
W\winsta.dll
feclient.dll
feclient.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
samlib.dll
samlib.dll
SupportUrl
SupportUrl
Wshell32.dll
Wshell32.dll
CEvents::Report called with more params then expected!
CEvents::Report called with more params then expected!
APPMGMT (%x.%x) d:d:d:d
APPMGMT (%x.%x) d:d:d:d
appmgmts.dll
appmgmts.dll
%s_%d
%s_%d
{x-x-x-xx-xxxxxx}
{x-x-x-xx-xxxxxx}
setupapi.dll
setupapi.dll
%ws\%u
%ws\%u
\\.\%s
\\.\%s
\Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port %d\Scsi Bus %d\Target ID %d\Logical Unit Id %d
\Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port %d\Scsi Bus %d\Target ID %d\Logical Unit Id %d
\Device\Harddisk%d\Partition0
\Device\Harddisk%d\Partition0
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
W%s\%s
W%s\%s
\Device\Video%d
\Device\Video%d
DefaultSettings.YResolution
DefaultSettings.YResolution
DefaultSettings.XResolution
DefaultSettings.XResolution
DefaultSettings.VRefresh
DefaultSettings.VRefresh
DefaultSettings.BitsPerPel
DefaultSettings.BitsPerPel
HardwareInformation.BiosString
HardwareInformation.BiosString
HardwareInformation.AdapterString
HardwareInformation.AdapterString
HardwareInformation.DacType
HardwareInformation.DacType
HardwareInformation.ChipType
HardwareInformation.ChipType
HardwareInformation.MemorySize
HardwareInformation.MemorySize
SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3
SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3
PerfDbg.Etl
PerfDbg.Etl
C:\perfdbg.etl
C:\perfdbg.etl
$winnt$.inf
$winnt$.inf
Export
Export
ncacn_nb_tcp
ncacn_nb_tcp
\PIPE\winreg
\PIPE\winreg
\SystemRoot\system32\perf0000.dat
\SystemRoot\system32\perf0000.dat
\SystemRoot\system32\prf00000.dat
\SystemRoot\system32\prf00000.dat
Advanced Windows 32 Base API
Advanced Windows 32 Base API
5.1.2600.5512 (xpsp.080413-2113)
5.1.2600.5512 (xpsp.080413-2113)
advapi32.dll
advapi32.dll
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
An exception occurred while performing Windows 3.1 migration. Some data
An exception occurred while performing Windows 3.1 migration. Some data
The entire contents of %1 was migrated into the Windows NT registry.
The entire contents of %1 was migrated into the Windows NT registry.
Windows NT registry.
Windows NT registry.
the Windows NT registry.
the Windows NT registry.
The contents of the Windows 3.X Program Manager group file %1 was not
The contents of the Windows 3.X Program Manager group file %1 was not
migrated into the Windows NT registry, as a group of that name, %2,
migrated into the Windows NT registry, as a group of that name, %2,
Contents of %1 migrated to the Windows NT registry.
Contents of %1 migrated to the Windows NT registry.
Unable to migrate all or part of the %1 file into the Windows NT registry.
Unable to migrate all or part of the %1 file into the Windows NT registry.
Unable to migrate all or part of the %1 section of %2 into the Windows
Unable to migrate all or part of the %1 section of %2 into the Windows
into the Windows NT registry.
into the Windows NT registry.
Unable to load the contents of the Windows 3.1 Program Manager group file %1.
Unable to load the contents of the Windows 3.1 Program Manager group file %1.
Error Code was %2. Group not migrated to the Windows NT registry.
Error Code was %2. Group not migrated to the Windows NT registry.
Unable to convert the contents of the Windows 3.1 Program Manager group
Unable to convert the contents of the Windows 3.1 Program Manager group
file %1. into the Windows NT format. Error Code was %2. Group not
file %1. into the Windows NT format. Error Code was %2. Group not
migrated to the Windows NT registry.
migrated to the Windows NT registry.
Unable to migrate all or part of %1 to the Windows NT registry.
Unable to migrate all or part of %1 to the Windows NT registry.
the Windows NT registry. It is incompatible with Windows NT.
the Windows NT registry. It is incompatible with Windows NT.
Allows programs to execute with only access to resources granted to open well-known groups, blocking access Administrator and Power User privileges, and personally granted rights.
Allows programs to execute with only access to resources granted to open well-known groups, blocking access Administrator and Power User privileges, and personally granted rights.
Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the access rights of the user.
Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the access rights of the user.
Allows programs to execute as a user that does not have Administrator or Power User access rights, but can still access resouces accessible by normal users.
Allows programs to execute as a user that does not have Administrator or Power User access rights, but can still access resouces accessible by normal users.