c: not present Windows 2000 ISO found 0+0 records in 0+0 records out 0 bytes (0 B) copied, 2.7937e-05 seconds, 0.0 kB/s 0+0 records in 0+0 records out 0 bytes (0 B) copied, 2.5143e-05 seconds, 0.0 kB/s 0+0 records in 0+0 records out 0 bytes (0 B) copied, 2.5143e-05 seconds, 0.0 kB/s 0+0 records in 0+0 records out 0 bytes (0 B) copied, 2.4863e-05 seconds, 0.0 kB/s 0+0 records in 0+0 records out 0 bytes (0 B) copied, 2.5702e-05 seconds, 0.0 kB/s Extracting ADVAPI32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/advapi32.dll All done, no errors. Copying autochk.exe Extracting BASESRV.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/basesrv.dll All done, no errors. Extracting C_1252.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/c_1252.nls All done, no errors. Extracting C_850.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/c_850.nls All done, no errors. Extracting C_437.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/c_437.nls All done, no errors. Extracting CGA80WOA.FO_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/cga80woa.fon All done, no errors. Extracting CGA40WOA.FO_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/cga40woa.fon All done, no errors. Extracting CSRSRV.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/csrsrv.dll All done, no errors. Extracting CSRSS.EX_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/csrss.exe All done, no errors. Extracting CMD.EX_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/cmd.exe All done, no errors. Extracting COMCTL32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/comctl32.dll All done, no errors. Extracting CRYPT32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/crypt32.dll All done, no errors. Extracting CRYPTDLL.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/cryptdll.dll All done, no errors. Extracting CTYPE.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/ctype.nls All done, no errors. Extracting DIGEST.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/digest.dll All done, no errors. Extracting DNSAPI.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/dnsapi.dll All done, no errors. Extracting DOSAPP.FO_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/dosapp.fon All done, no errors. Extracting EGA80WOA.FO_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/ega80woa.fon All done, no errors. Extracting EGA40WOA.FO_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/ega40woa.fon All done, no errors. Extracting GDI32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/gdi32.dll All done, no errors. Extracting IMM32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/imm32.dll All done, no errors. Copying kbdus.dll Extracting KERNEL32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/kernel32.dll All done, no errors. Extracting KERBEROS.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/kerberos.dll All done, no errors. Extracting L_INTL.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/l_intl.nls All done, no errors. Extracting LOCALE.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/locale.nls All done, no errors. Extracting LSASRV.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/lsasrv.dll All done, no errors. Extracting LSASS.EX_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/lsass.exe All done, no errors. Extracting MSASN1.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msasn1.dll All done, no errors. Extracting MSAPSSPC.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msapsspc.dll All done, no errors. Extracting MSGINA.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msgina.dll All done, no errors. Extracting MSNSSPC.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msnsspc.dll All done, no errors. Extracting MSPRIVS.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msprivs.dll All done, no errors. Extracting MSV1_0.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msv1_0.dll All done, no errors. Copying msvcrt.dll Extracting MSVCIRT.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msvcirt.dll All done, no errors. Extracting MSVCRT40.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/msvcrt40.dll All done, no errors. Extracting NDDEAPI.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/nddeapi.dll All done, no errors. Extracting NETAPI32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/netapi32.dll All done, no errors. Extracting NETRAP.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/netrap.dll All done, no errors. Copying ntdll.dll Extracting NTDSAPI.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/ntdsapi.dll All done, no errors. Extracting PROFMAP.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/profmap.dll All done, no errors. Extracting RPCRT4.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/rpcrt4.dll All done, no errors. Extracting SAMLIB.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/samlib.dll All done, no errors. Extracting SAMSRV.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/samsrv.dll All done, no errors. Extracting SAVEDUMP.EX_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/savedump.exe All done, no errors. Extracting SCESRV.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/scesrv.dll All done, no errors. Copying schannel.dll Extracting SECUR32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/secur32.dll All done, no errors. Extracting SERVICES.EX_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/services.exe All done, no errors. Extracting SFC.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/sfc.dll All done, no errors. Extracting SFCFILES.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/sfcfiles.dll All done, no errors. Extracting SHELL32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/shell32.dll All done, no errors. Extracting SHLWAPI.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/shlwapi.dll All done, no errors. Extracting SMSS.EX_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/smss.exe All done, no errors. Extracting SORTKEY.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/sortkey.nls All done, no errors. Extracting SORTTBLS.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/sorttbls.nls All done, no errors. Extracting UMPNPMGR.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/umpnpmgr.dll All done, no errors. Extracting USER32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/user32.dll All done, no errors. Extracting USERENV.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/userenv.dll All done, no errors. Extracting UNICODE.NL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/unicode.nls All done, no errors. Extracting UNIPROC/WINSRV.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/winsrv.dll All done, no errors. Extracting WINLOGON.EX_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/winlogon.exe All done, no errors. Extracting WINSTA.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/winsta.dll All done, no errors. Extracting WLDAP32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/wldap32.dll All done, no errors. Extracting WS2_32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/ws2_32.dll All done, no errors. Extracting WS2HELP.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/ws2help.dll All done, no errors. Extracting WSOCK32.DL_ Extracting cabinet: .12371.temp.cab extracting drive/winnt/system32/wsock32.dll All done, no errors. init_skas using skas3 open_file root = (nil) name = \??\c:\winnt\system32\ntdll.dll open_unicode_file open file : c:/winnt/system32/ntdll.dll get_proc_address KiIntSystemCall init_ntdll KiIntSystemCall = 00000000 open_file root = (nil) name = \??\c:\winnt\system32\smss.exe open_unicode_file open file : c:/winnt/system32/smss.exe mapit image at 0x48580000 mapit read 4 sections, load at 48580000 mapit .text 00001000 00000600 00009800 00009774 mapit .data 0000b000 00009e00 00000400 00000b00 mapit .rsrc 0000c000 0000a200 00000400 000003d0 mapit .reloc 0000d000 0000a600 00000c00 00000b52 mapit image at 0x77f80000 mapit read 6 sections, load at 77f80000 mapit .text 00001000 00000400 00044a00 000448f9 mapit ECODE 00046000 00044e00 00004400 00004371 mapit PAGE 0004b000 00049200 00003e00 00003dfd mapit .data 0004f000 0004d000 00002200 00002a54 mapit .rsrc 00052000 0004f200 00026e00 00026d18 mapit .reloc 00079000 00076000 00002000 00001f40 mapit anonymous map mapit anonymous map create_initial_process entry point = 4858983e mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc NtCreatePort 0xb7b55fd8 0xb7b55f90 256 256 (nil) NtCreatePort root = (nil) port = \SeRmCommandPort process_alloc_user_handle handle = 00000004 NtListenPort 0x4 0xb7b55e90 access_allowed fixme: no access check 0304: NtOpenKey(7ff7fc74,80000000,7ff7fc50) ret=77f91379 NtOpenKey 0x7ff7fc74 80000000 0x7ff7fc50 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe open_parse_key remaining = Image File Execution Options\smss.exe NtOpenKey open_key returned c000003a 0304: NtOpenKey retval=c000003a ret=77f91379 0304: NtOpenKey(7ff7fc74,80000000,7ff7fc50) ret=77f91379 NtOpenKey 0x7ff7fc74 80000000 0x7ff7fc50 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe open_parse_key remaining = Image File Execution Options\smss.exe NtOpenKey open_key returned c000003a 0304: NtOpenKey retval=c000003a ret=77f91379 0304 (debug 7ff7f754,0,37) : LDR: PID: 0x3 started - '"c:\winnt\system32\smss.exe"' 0304: NtCreateEvent(7ff7f974,00100003,00000000,00000001,00000000) ret=77f8c9cd NtCreateEvent 0x7ff7f974 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000004 0304: NtCreateEvent retval=00000000 ret=77f8c9cd 0304: NtCreateEvent(77fcf670,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x77fcf670 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000008 0304: NtCreateEvent retval=00000000 ret=77f94ac1 0304: NtQuerySystemInformation(00000000,7ff7f8cc,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x7ff7f8cc 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77fcb540 0304: NtAllocateVirtualMemory(ffffffff,7ff7f894,00000000,7ff7f970,00002000,00000004) ret=77fcb607 NtAllocateVirtualMemory returns 0x30000 00100000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcb607 0304: NtAllocateVirtualMemory(ffffffff,7ff7f940,00000000,7ff7f974,00001000,00000004) ret=77fcb640 NtAllocateVirtualMemory returns 0x30000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcb640 0304: NtCreateEvent(00030618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x30618 00100003 (nil) 1 0 process_alloc_user_handle handle = 0000000c 0304: NtCreateEvent retval=00000000 ret=77f94ac1 0304: NtAllocateVirtualMemory(ffffffff,7ff7f680,00000000,7ff7f6a0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x31000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtOpenKey(7ff7f950,80000000,7ff7f92c) ret=77f91379 NtOpenKey 0x7ff7f950 80000000 0x7ff7f92c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe open_parse_key remaining = Image File Execution Options\smss.exe NtOpenKey open_key returned c000003a 0304: NtOpenKey retval=c000003a ret=77f91379 0304: NtOpenDirectoryObject(77fcf000,00000003,7ff7fc30) ret=77f8584a nt_open_object object = \KnownDlls 0304: NtOpenDirectoryObject retval=c0000034 ret=77f8584a 0304 (debug 7ff7f75c,30178,11) : LDR: NEW PROCESS 0304 (debug 7ff7f754,11,37) : Image Path: c:\winnt\system32\smss.exe (smss.exe) 0304 (debug 7ff7f758,37,1c) : Current Directory: c:\ 0304 (debug 7ff7f758,37,16) : Search Path: c:\ 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f7f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f7f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtFreeVirtualMemory(ffffffff,7ff7f804,7ff7f808,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7f804 0x7ff7f808 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f7f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f7f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304 (debug 7ff7f708,30000,21) : LDR: smss.exe bound to ntdll.dll 0304 (debug 7ff7f708,30000,2f) : LDR: smss.exe has correct binding to ntdll.dll 0304: NtOpenKey(7ff7f794,80000000,7ff7f770) ret=77f91379 NtOpenKey 0x7ff7f794 80000000 0x7ff7f770 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe open_parse_key remaining = Image File Execution Options\smss.exe NtOpenKey open_key returned c000003a 0304: NtOpenKey retval=c000003a ret=77f91379 0304 (debug 7ff7f6e8,49005c,14) : LDR: Real INIT LIST 0304: NtTestAlert() ret=77f84bcb 0304: NtTestAlert retval=00000000 ret=77f84bcb 0304: NtContinue(7ff7fd28,00000001) ret=77f8855e NtContinue 0x7ff7fd28 1 eax 00000000 ebx 00000000 ecx 00000000 edx 00000000 esi 00000000 edi 00000000 ebp 00000000 efl 00000296 cs:eip 0073:4858983e ss:esp 007b:7ff7fff8 ds 007b es 007b fs 003b gs 0000 0304: NtContinue retval=00000000 ret=77f8855e 0304: NtAllocateVirtualMemory(ffffffff,7ff7fde8,00000000,7ff7fe08,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x32000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtSetInformationProcess(ffffffff,00000005,7ff7ff48,00000004) ret=48588d1c NtSetInformationProcess 0xffffffff 5 0x7ff7ff48 4 0304: NtSetInformationProcess retval=00000000 ret=48588d1c 0304: NtSetInformationProcess(ffffffff,0000000c,7ff7ff08,00000004) ret=485845d5 NtSetInformationProcess 0xffffffff 12 0x7ff7ff08 4 NtSetInformationProcess set ProcessDefaultHardErrorMode 0304: NtSetInformationProcess retval=00000000 ret=485845d5 0304: NtCreatePort(7ff7ff10,7ff7fee0,000000f4,00000130,00002200) ret=485846b9 NtCreatePort 0x7ff7ff10 0x7ff7fee0 244 304 0x2200 NtCreatePort root = (nil) port = \SmApiPort process_alloc_user_handle handle = 00000010 0304: NtCreatePort retval=00000000 ret=485846b9 0304: NtQuerySystemInformation(00000000,7ff7fb4c,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x7ff7fb4c 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77faf12b 0304: NtAllocateVirtualMemory(ffffffff,7ff7fb80,00000000,7ff7fb90,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x130000 00040000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0304: NtAllocateVirtualMemory(ffffffff,7ff7fb80,00000000,7ff7fb94,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x16e000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0304: NtProtectVirtualMemory(ffffffff,7ff7fb80,7ff7fb7c,00000104,7ff7fb78) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x7ff7fb80 0x7ff7fb7c 260 0x7ff7fb78 NtProtectVirtualMemory 0x16e000 00001000 0304: NtProtectVirtualMemory retval=00000000 ret=77faf226 0304: NtWriteVirtualMemory(ffffffff,0016fffc,7ff7fb90,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x16fffc 0x7ff7fb90 00000004 (nil) NtWriteVirtualMemory 0xb7631ffc <- 0xb7843b90 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0304: NtCreateThread(7ff7feb8,001f03ff,7ff7fe84,ffffffff,7ff7fe9c,7ff7fba4,7ff7fe70,00000000) ret=77faf6ee NtCreateThread 0x7ff7feb8 001f03ff 0x7ff7fe84 0xffffffff 0x7ff7fe9c 0x7ff7fba4 0x7ff7fe70 0 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000014 0304: NtCreateThread retval=00000000 ret=77faf6ee 0305: NtTestAlert() ret=77f84bcb 0305: NtTestAlert retval=00000000 ret=77f84bcb 0304: NtQuerySystemInformation(00000000,7ff7fb4c,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x7ff7fb4c 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77faf12b 0305: NtContinue(0016fd28,00000001) ret=77f8855e NtContinue 0x16fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:4858818d ss:esp 0020:0016fff8 ds 007b es 007b fs 003b gs 0000 0305: NtContinue retval=00000000 ret=77f8855e 0304: NtAllocateVirtualMemory(ffffffff,7ff7fb80,00000000,7ff7fb90,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x170000 00040000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0305: NtQueryInformationProcess(ffffffff,00000000,0016fe80,00000018,00000000) ret=485881cd NtQueryInformationProcess 0xffffffff 0 0x16fe80 24 (nil) 0305: NtQueryInformationProcess retval=00000000 ret=485881cd 0304: NtAllocateVirtualMemory(ffffffff,7ff7fb80,00000000,7ff7fb94,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x1ae000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0305: NtReplyWaitReceivePort(00000010,0016fea8,00000000,0016feac) ret=485881ff NtReplyWaitReceivePort 0x10 0x16fea8 (nil) 0x16feac access_allowed fixme: no access check reply_wait_receive 0x80b3538 (nil) (nil) 0304: NtProtectVirtualMemory(ffffffff,7ff7fb80,7ff7fb7c,00000104,7ff7fb78) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x7ff7fb80 0x7ff7fb7c 260 0x7ff7fb78 NtProtectVirtualMemory 0x1ae000 00001000 0304: NtProtectVirtualMemory retval=00000000 ret=77faf226 0304: NtWriteVirtualMemory(ffffffff,001afffc,7ff7fb90,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x1afffc 0x7ff7fb90 00000004 (nil) NtWriteVirtualMemory 0xb75dfffc <- 0xb7843b90 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0304: NtCreateThread(7ff7feb8,001f03ff,7ff7fe84,ffffffff,7ff7fe9c,7ff7fba4,7ff7fe70,00000000) ret=77faf6ee NtCreateThread 0x7ff7feb8 001f03ff 0x7ff7fe84 0xffffffff 0x7ff7fe9c 0x7ff7fba4 0x7ff7fe70 0 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000018 0304: NtCreateThread retval=00000000 ret=77faf6ee 0306: NtTestAlert() ret=77f84bcb 0306: NtTestAlert retval=00000000 ret=77f84bcb 0304: NtCreateEvent(7ff7ff0c,001f0003,7ff7fee0,00000000,00000000) ret=48584728 NtCreateEvent 0x7ff7ff0c 001f0003 0x7ff7fee0 0 0 create name = \Device\VolumesSafeForWriteAccess process_alloc_user_handle handle = 0000001c 0304: NtCreateEvent retval=00000000 ret=48584728 0306: NtContinue(001afd28,00000001) ret=77f8855e NtContinue 0x1afd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:4858818d ss:esp 0020:001afff8 ds 007b es 007b fs 003b gs 0000 0306: NtContinue retval=00000000 ret=77f8855e 0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7fe44,0000001c,00000000) ret=77f97a63 NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7fe44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f97a63 0306: NtQueryInformationProcess(ffffffff,00000000,001afe80,00000018,00000000) ret=485881cd NtQueryInformationProcess 0xffffffff 0 0x1afe80 24 (nil) 0306: NtQueryInformationProcess retval=00000000 ret=485881cd 0304: NtAllocateVirtualMemory(ffffffff,7ff7fe38,00000000,7ff7fe50,00001000,00000004) ret=77f97a85 NtAllocateVirtualMemory returns 0x1b0000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77f97a85 0306: NtReplyWaitReceivePort(00000010,001afea8,00000000,001afeac) ret=485881ff NtReplyWaitReceivePort 0x10 0x1afea8 (nil) 0x1afeac access_allowed fixme: no access check reply_wait_receive 0x80b3538 (nil) (nil) 0304: NtOpenKey(7ff7fec4,000f003f,7ff7fe94) ret=485848ab NtOpenKey 0x7ff7fec4 000f003f 0x7ff7fe94 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager\Environment NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000020 0304: NtOpenKey retval=00000000 ret=485848ab 0304: NtDeleteValueKey(00000020,7ff7feb4) ret=485848c7 NtDeleteValueKey 0x20 0x7ff7feb4 delete_value deleting SAFEBOOT_OPTION 0304: NtDeleteValueKey retval=00000000 ret=485848c7 0304: NtClose(00000020) ret=485848d0 NtClose 0x20 0304: NtClose retval=00000000 ret=485848d0 0304: NtOpenKey(7ff7fe5c,82000000,7ff7fde4) ret=77fabd71 NtOpenKey 0x7ff7fe5c 82000000 0x7ff7fde4 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000020 0304: NtOpenKey retval=00000000 ret=77fabd71 0304: NtAllocateVirtualMemory(ffffffff,7ff7fe08,00000000,7ff7fe68,00001000,00000004) ret=77fac38f NtAllocateVirtualMemory returns 0x1c0000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fac38f 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey ProtectionMode reg_query_value ProtectionMode 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey AllowProtectedRenames reg_query_value AllowProtectedRenames 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtDeleteValueKey(00000020,7ff7fe50) ret=77fac6fc NtDeleteValueKey 0x20 0x7ff7fe50 delete_value deleting AllowProtectedRenames 0304: NtDeleteValueKey retval=00000000 ret=77fac6fc 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey ObjectDirectories reg_query_value ObjectDirectories 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtCreateDirectoryObject(7ff7fdb4,000f000f,7ff7fd84) ret=48585ecd NtCreateDirectoryObject 0x7ff7fdb4 000f000f 0x7ff7fd84 create name = \Windows process_alloc_user_handle handle = 00000024 0304: NtCreateDirectoryObject retval=00000000 ret=48585ecd 0304: NtClose(00000024) ret=48585eda NtClose 0x24 0304: NtClose retval=00000000 ret=48585eda 0304: NtCreateDirectoryObject(7ff7fdb4,000f000f,7ff7fd84) ret=48585ecd NtCreateDirectoryObject 0x7ff7fdb4 000f000f 0x7ff7fd84 create name = \RpcControl process_alloc_user_handle handle = 00000024 0304: NtCreateDirectoryObject retval=00000000 ret=48585ecd 0304: NtClose(00000024) ret=48585eda NtClose 0x24 0304: NtClose retval=00000000 ret=48585eda 0304: NtCreateDirectoryObject(7ff7fdb4,000f000f,7ff7fd84) ret=48585ecd NtCreateDirectoryObject 0x7ff7fdb4 000f000f 0x7ff7fd84 create name = \RpcControl process_alloc_user_handle handle = 00000024 0304: NtCreateDirectoryObject retval=00000000 ret=48585ecd 0304: NtClose(00000024) ret=48585eda NtClose 0x24 0304: NtClose retval=00000000 ret=48585eda 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey BootExecute reg_query_value BootExecute 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey SetupExecute 0304: NtQueryValueKey retval=c0000034 ret=77fac634 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey PendingFileRenameOperations 0304: NtQueryValueKey retval=c0000034 ret=77fac634 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey PendingFileRenameOperations2 0304: NtQueryValueKey retval=c0000034 ret=77fac634 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey ExcludeFromKnownDlls reg_query_value ExcludeFromKnownDlls 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtOpenKey(7ff7fe60,02000000,7ff7fe30) ret=77fac552 NtOpenKey 0x7ff7fe60 02000000 0x7ff7fe30 NtOpenKey len 00000018 root 0x20 attr 00000040 Memory Management NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0304: NtOpenKey retval=00000000 ret=77fac552 0304: NtQueryValueKey(00000024,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x24 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey PagingFiles reg_query_value PagingFiles 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtClose(00000024) ret=77fac4e6 NtClose 0x24 0304: NtClose retval=00000000 ret=77fac4e6 0304: NtOpenKey(7ff7fe60,02000000,7ff7fe30) ret=77fac552 NtOpenKey 0x7ff7fe60 02000000 0x7ff7fe30 NtOpenKey len 00000018 root 0x20 attr 00000040 DOS Devices NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0304: NtOpenKey retval=00000000 ret=77fac552 0304: NtEnumerateValueKey(00000024,00000000,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 0 1 0x1c0000 4094 0x7ff7fe64 reg_query_value AUX 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000001,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 1 1 0x1c0000 4094 0x7ff7fe64 reg_query_value MAILSLOT 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000002,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 2 1 0x1c0000 4094 0x7ff7fe64 reg_query_value NUL 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000003,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 3 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PIPE 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000004,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 4 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PRN 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000005,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 5 1 0x1c0000 4094 0x7ff7fe64 reg_query_value UNC 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000006,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 6 1 0x1c0000 4094 0x7ff7fe64 0304: NtEnumerateValueKey retval=8000001a ret=77fac573 0304: NtClose(00000024) ret=77fac4e6 NtClose 0x24 0304: NtClose retval=00000000 ret=77fac4e6 0304: NtOpenKey(7ff7fe60,02000000,7ff7fe30) ret=77fac552 NtOpenKey 0x7ff7fe60 02000000 0x7ff7fe30 NtOpenKey len 00000018 root 0x20 attr 00000040 KnownDlls NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0304: NtOpenKey retval=00000000 ret=77fac552 0304: NtEnumerateValueKey(00000024,00000000,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 0 1 0x1c0000 4094 0x7ff7fe64 reg_query_value advapi32 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000001,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 1 1 0x1c0000 4094 0x7ff7fe64 reg_query_value gdi32 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000002,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 2 1 0x1c0000 4094 0x7ff7fe64 reg_query_value DllDirectory 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000003,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 3 1 0x1c0000 4094 0x7ff7fe64 reg_query_value kernel32 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000004,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 4 1 0x1c0000 4094 0x7ff7fe64 reg_query_value user32 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000005,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 5 1 0x1c0000 4094 0x7ff7fe64 0304: NtEnumerateValueKey retval=8000001a ret=77fac573 0304: NtClose(00000024) ret=77fac4e6 NtClose 0x24 0304: NtClose retval=00000000 ret=77fac4e6 0304: NtOpenKey(7ff7fe60,02000000,7ff7fe30) ret=77fac552 NtOpenKey 0x7ff7fe60 02000000 0x7ff7fe30 NtOpenKey len 00000018 root 0x20 attr 00000040 Environment NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0304: NtOpenKey retval=00000000 ret=77fac552 0304: NtEnumerateValueKey(00000024,00000000,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 0 1 0x1c0000 4094 0x7ff7fe64 reg_query_value ComSpec 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000001,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 1 1 0x1c0000 4094 0x7ff7fe64 reg_query_value NUMBER_OF_PROCESSORS 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000002,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 2 1 0x1c0000 4094 0x7ff7fe64 reg_query_value OS 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000003,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 3 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_ARCHITECTURE 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000004,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 4 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_ARCHITECTURE 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000005,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 5 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_IDENTIFIER 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000006,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 6 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_LEVEL 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000007,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 7 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_REVISION 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000008,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 8 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Path 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,00000009,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 9 1 0x1c0000 4094 0x7ff7fe64 reg_query_value TEMP 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,0000000a,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 10 1 0x1c0000 4094 0x7ff7fe64 reg_query_value TMP 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,0000000b,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 11 1 0x1c0000 4094 0x7ff7fe64 reg_query_value windir 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtQueryVirtualMemory(ffffffff,001b0000,00000000,7ff7fd44,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x1b0000 0 0x7ff7fd44 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtEnumerateValueKey(00000024,0000000c,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 12 1 0x1c0000 4094 0x7ff7fe64 0304: NtEnumerateValueKey retval=8000001a ret=77fac573 0304: NtClose(00000024) ret=77fac4e6 NtClose 0x24 0304: NtClose retval=00000000 ret=77fac4e6 0304: NtOpenKey(7ff7fe60,02000000,7ff7fe30) ret=77fac552 NtOpenKey 0x7ff7fe60 02000000 0x7ff7fe30 NtOpenKey len 00000018 root 0x20 attr 00000040 Environment NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0304: NtOpenKey retval=00000000 ret=77fac552 0304: NtEnumerateValueKey(00000024,00000000,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 0 1 0x1c0000 4094 0x7ff7fe64 reg_query_value ComSpec 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000001,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 1 1 0x1c0000 4094 0x7ff7fe64 reg_query_value NUMBER_OF_PROCESSORS 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000002,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 2 1 0x1c0000 4094 0x7ff7fe64 reg_query_value OS 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000003,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 3 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_ARCHITECTURE 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000004,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 4 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_ARCHITECTURE 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000005,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 5 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_IDENTIFIER 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000006,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 6 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_LEVEL 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000007,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 7 1 0x1c0000 4094 0x7ff7fe64 reg_query_value PROCESSOR_REVISION 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000008,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 8 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Path 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000009,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 9 1 0x1c0000 4094 0x7ff7fe64 reg_query_value TEMP 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,0000000a,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 10 1 0x1c0000 4094 0x7ff7fe64 reg_query_value TMP 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,0000000b,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 11 1 0x1c0000 4094 0x7ff7fe64 reg_query_value windir 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,0000000c,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 12 1 0x1c0000 4094 0x7ff7fe64 0304: NtEnumerateValueKey retval=8000001a ret=77fac573 0304: NtClose(00000024) ret=77fac4e6 NtClose 0x24 0304: NtClose retval=00000000 ret=77fac4e6 0304: NtOpenKey(7ff7fe60,02000000,7ff7fe30) ret=77fac552 NtOpenKey 0x7ff7fe60 02000000 0x7ff7fe30 NtOpenKey len 00000018 root 0x20 attr 00000040 SubSystems NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0304: NtOpenKey retval=00000000 ret=77fac552 0304: NtEnumerateValueKey(00000024,00000000,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 0 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Debug 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000001,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 1 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Kmode 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000002,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 2 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Optional 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000003,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 3 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Os2 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000004,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 4 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Posix 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000005,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 5 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Required 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000006,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 6 1 0x1c0000 4094 0x7ff7fe64 reg_query_value Windows 0304: NtEnumerateValueKey retval=00000000 ret=77fac573 0304: NtEnumerateValueKey(00000024,00000007,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac573 NtEnumerateValueKey 0x24 7 1 0x1c0000 4094 0x7ff7fe64 0304: NtEnumerateValueKey retval=8000001a ret=77fac573 0304: NtQueryValueKey(00000024,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x24 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey Required reg_query_value Required 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtQueryValueKey(00000024,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x24 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey Optional reg_query_value Optional 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtQueryValueKey(00000024,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x24 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey Kmode reg_query_value Kmode 0304: NtQueryValueKey retval=00000000 ret=77fac634 0304: NtClose(00000024) ret=77fac4e6 NtClose 0x24 0304: NtClose retval=00000000 ret=77fac4e6 0304: NtQueryValueKey(00000020,7ff7fe50,00000001,001c0000,00000ffe,7ff7fe64) ret=77fac634 NtQueryValueKey 0x20 0x7ff7fe50 1 0x1c0000 4094 0x7ff7fe64 NtQueryValueKey Execute 0304: NtQueryValueKey retval=c0000034 ret=77fac634 0304: NtClose(00000020) ret=77fac7b7 NtClose 0x20 0304: NtClose retval=00000000 ret=77fac7b7 0304: NtFreeVirtualMemory(ffffffff,7ff7fe18,7ff7fe1c,00008000) ret=77fac374 NtFreeVirtualMemory 0xffffffff 0x7ff7fe18 0x7ff7fe1c 32768 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fac374 0304: NtOpenDirectoryObject(4858b70c,000f000f,7ff7fe58) ret=485852c2 nt_open_object object = \?? process_alloc_user_handle handle = 00000020 0304: NtOpenDirectoryObject retval=00000000 ret=485852c2 0304: NtCreateSymbolicLinkObject(7ff7fe7c,000f0001,7ff7fe58,000323c0) ret=4858533e NtCreateSymbolicLinkObject AUX -> \DosDevices\COM1 process_alloc_user_handle handle = 00000024 0304: NtCreateSymbolicLinkObject retval=00000000 ret=4858533e 0304: NtClose(00000024) ret=485853a1 NtClose 0x24 0304: NtClose retval=00000000 ret=485853a1 0304: NtCreateSymbolicLinkObject(7ff7fe7c,000f0001,7ff7fe58,00032420) ret=4858533e NtCreateSymbolicLinkObject MAILSLOT -> \Device\MailSlot process_alloc_user_handle handle = 00000024 0304: NtCreateSymbolicLinkObject retval=00000000 ret=4858533e 0304: NtClose(00000024) ret=485853a1 NtClose 0x24 0304: NtClose retval=00000000 ret=485853a1 0304: NtCreateSymbolicLinkObject(7ff7fe7c,000f0001,7ff7fe58,000324a8) ret=4858533e NtCreateSymbolicLinkObject NUL -> \Device\Null process_alloc_user_handle handle = 00000024 0304: NtCreateSymbolicLinkObject retval=00000000 ret=4858533e 0304: NtClose(00000024) ret=485853a1 NtClose 0x24 0304: NtClose retval=00000000 ret=485853a1 0304: NtCreateSymbolicLinkObject(7ff7fe7c,000f0001,7ff7fe58,00032518) ret=4858533e NtCreateSymbolicLinkObject PIPE -> \Device\NamedPipe process_alloc_user_handle handle = 00000024 0304: NtCreateSymbolicLinkObject retval=00000000 ret=4858533e 0304: NtClose(00000024) ret=485853a1 NtClose 0x24 0304: NtClose retval=00000000 ret=485853a1 0304: NtCreateSymbolicLinkObject(7ff7fe7c,000f0001,7ff7fe58,00032598) ret=4858533e NtCreateSymbolicLinkObject PRN -> \DosDevices\LPT1 process_alloc_user_handle handle = 00000024 0304: NtCreateSymbolicLinkObject retval=00000000 ret=4858533e 0304: NtClose(00000024) ret=485853a1 NtClose 0x24 0304: NtClose retval=00000000 ret=485853a1 0304: NtCreateSymbolicLinkObject(7ff7fe7c,000f0001,7ff7fe58,00032618) ret=4858533e NtCreateSymbolicLinkObject UNC -> \Device\Mup process_alloc_user_handle handle = 00000024 0304: NtCreateSymbolicLinkObject retval=00000000 ret=4858533e 0304: NtClose(00000024) ret=485853a1 NtClose 0x24 0304: NtClose retval=00000000 ret=485853a1 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa0c,00000000,7ff7fa2c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x33000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f7b8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f7b8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryAttributesFile(7ff7fb7c,7ff7fb54) ret=77f8cb7a NtQueryAttributesFile 0x7ff7fb7c 0x7ff7fb54 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\native.exe stat_unicode c:/winnt/system32/native.exe -> -1 0304: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0304: NtFreeVirtualMemory(ffffffff,7ff7fa98,7ff7fa9c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fa98 0x7ff7fa9c 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtAllocateVirtualMemory(ffffffff,7ff7f6c0,00000000,7ff7f6e0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x34000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f7b8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f7b8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryAttributesFile(7ff7fb7c,7ff7fb54) ret=77f8cb7a NtQueryAttributesFile 0x7ff7fb7c 0x7ff7fb54 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\native.exe stat_unicode c:/winnt/native.exe -> -1 0304: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0304: NtFreeVirtualMemory(ffffffff,7ff7fa98,7ff7fa9c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fa98 0x7ff7fa9c 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtAllocateVirtualMemory(ffffffff,7ff7f6c0,00000000,7ff7f6e0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x34000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f7b8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f7b8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryAttributesFile(7ff7fb7c,7ff7fb54) ret=77f8cb7a NtQueryAttributesFile 0x7ff7fb7c 0x7ff7fb54 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\native.exe stat_unicode c:/winnt/system32/native.exe -> -1 0304: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0304: NtFreeVirtualMemory(ffffffff,7ff7fa98,7ff7fa9c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fa98 0x7ff7fa9c 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtAllocateVirtualMemory(ffffffff,7ff7f6c0,00000000,7ff7f6e0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x34000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f7b8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f7b8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryAttributesFile(7ff7fb7c,7ff7fb54) ret=77f8cb7a NtQueryAttributesFile 0x7ff7fb7c 0x7ff7fb54 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\native.exe stat_unicode c:/winnt/system32/native.exe -> -1 0304: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0304: NtFreeVirtualMemory(ffffffff,7ff7fa98,7ff7fa9c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fa98 0x7ff7fa9c 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtAllocateVirtualMemory(ffffffff,7ff7f6c0,00000000,7ff7f6e0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x34000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f7b8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f7b8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryAttributesFile(7ff7fb7c,7ff7fb54) ret=77f8cb7a NtQueryAttributesFile 0x7ff7fb7c 0x7ff7fb54 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\native.exe stat_unicode c:/winnt/native.exe -> -1 0304: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0304: NtFreeVirtualMemory(ffffffff,7ff7fa98,7ff7fa9c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fa98 0x7ff7fa9c 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtFreeVirtualMemory(ffffffff,7ff7fb40,7ff7fb44,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fb40 0x7ff7fb44 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtOpenProcessToken(ffffffff,00000028,7ff7fdd4) ret=77f827ff NtOpenProcessToken 0xffffffff 00000028 0x7ff7fdd4 process_alloc_user_handle handle = 00000024 0304: NtOpenProcessToken retval=00000000 ret=77f827ff 0304: NtAdjustPrivilegesToken(00000024,00000000,7ff7fdb0,00000010,7ff7fda0,7ff7fdc0) ret=77f82839 NtAdjustPrivilegesToken 0x24 0 0x7ff7fdb0 16 0x7ff7fda0 0x7ff7fdc0 access_allowed fixme: no access check NtAdjustPrivilegesToken old privs 16 bytes dump 00000013 00000000 00000000 NtAdjustPrivilegesToken new privs dump 00000012 00000000 00000002 0304: NtAdjustPrivilegesToken retval=00000000 ret=77f82839 0304: NtClose(00000024) ret=77f82843 NtClose 0x24 0304: NtClose retval=00000000 ret=77f82843 0304: NtOpenKey(7ff7fdd8,00020019,7ff7fd98) ret=485857b9 NtOpenKey 0x7ff7fdd8 00020019 0x7ff7fd98 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager\SFC NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0304: NtOpenKey retval=00000000 ret=485857b9 0304: NtQueryValueKey(00000024,7ff7fd84,00000002,7ff7f964,00000210,7ff7fd8c) ret=485857ea NtQueryValueKey 0x24 0x7ff7fd84 2 0x7ff7f964 528 0x7ff7fd8c NtQueryValueKey ProgramFilesDir reg_query_value ProgramFilesDir 0304: NtQueryValueKey retval=00000000 ret=485857ea 0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7f8f8,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7f8f8 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtQueryValueKey(00000024,7ff7fd84,00000002,7ff7f964,00000210,7ff7fd8c) ret=485857ea NtQueryValueKey 0x24 0x7ff7fd84 2 0x7ff7f964 528 0x7ff7fd8c NtQueryValueKey CommonFilesDir reg_query_value CommonFilesDir 0304: NtQueryValueKey retval=00000000 ret=485857ea 0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7f8f8,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7f8f8 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtClose(00000024) ret=48585835 NtClose 0x24 0304: NtClose retval=00000000 ret=48585835 0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7f8f8,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7f8f8 28 (nil) 0304: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 0304: NtOpenProcessToken(ffffffff,00000028,7ff7fdd4) ret=77f827ff NtOpenProcessToken 0xffffffff 00000028 0x7ff7fdd4 process_alloc_user_handle handle = 00000024 0304: NtOpenProcessToken retval=00000000 ret=77f827ff 0304: NtAdjustPrivilegesToken(00000024,00000000,7ff7fdb0,00000010,7ff7fda0,7ff7fdc0) ret=77f82839 NtAdjustPrivilegesToken 0x24 0 0x7ff7fdb0 16 0x7ff7fda0 0x7ff7fdc0 access_allowed fixme: no access check NtAdjustPrivilegesToken old privs 16 bytes dump 00000013 00000000 00000000 NtAdjustPrivilegesToken new privs dump 00000012 00000000 00000000 0304: NtAdjustPrivilegesToken retval=00000000 ret=77f82839 0304: NtClose(00000024) ret=77f82843 NtClose 0x24 0304: NtClose retval=00000000 ret=77f82843 0304: NtCreateDirectoryObject(7ff7fe54,000f000f,7ff7fe10) ret=48585507 NtCreateDirectoryObject 0x7ff7fe54 000f000f 0x7ff7fe10 create name = \KnownDlls process_alloc_user_handle handle = 00000024 0304: NtCreateDirectoryObject retval=00000000 ret=48585507 0304: NtAllocateVirtualMemory(ffffffff,7ff7f974,00000000,7ff7f994,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x33000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7fa6c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7fa6c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtOpenFile(7ff7fe50,00100001,7ff7fe10,7ff7fe28,00000003,00000021) ret=48585563 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32 open_file root = (nil) name = \??\C:\WINNT\system32 open_unicode_dir open name : c:/winnt/system32 open_unicode_dir r = 40 open_file fd = 40 process_alloc_user_handle handle = 00000028 0304: NtOpenFile retval=00000000 ret=48585563 0304: NtCreateSymbolicLinkObject(7ff7fe44,000f0001,7ff7fe10,4858b870) ret=485855c4 NtCreateSymbolicLinkObject KnownDllPath -> C:\WINNT\system32 process_alloc_user_handle handle = 0000002c 0304: NtCreateSymbolicLinkObject retval=00000000 ret=485855c4 0304: NtOpenFile(7ff7fe58,00100020,7ff7fe10,7ff7fe28,00000005,00000060) ret=4858565d NtCreateFile root 0x28 attr 00000040 advapi32.dll open_file root = 0x28 name = advapi32.dll 0304: NtOpenFile retval=c000003a ret=4858565d 0304: NtOpenFile(7ff7fe58,00100020,7ff7fe10,7ff7fe28,00000005,00000060) ret=4858565d NtCreateFile root 0x28 attr 00000040 gdi32.dll open_file root = 0x28 name = gdi32.dll 0304: NtOpenFile retval=c000003a ret=4858565d 0304: NtOpenFile(7ff7fe58,00100020,7ff7fe10,7ff7fe28,00000005,00000060) ret=4858565d NtCreateFile root 0x28 attr 00000040 kernel32.dll open_file root = 0x28 name = kernel32.dll 0304: NtOpenFile retval=c000003a ret=4858565d 0304: NtOpenFile(7ff7fe58,00100020,7ff7fe10,7ff7fe28,00000005,00000060) ret=4858565d NtCreateFile root 0x28 attr 00000040 user32.dll open_file root = 0x28 name = user32.dll 0304: NtOpenFile retval=c000003a ret=4858565d 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa1c,00000000,7ff7fa3c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x34000 00002000 c0000018 0304: NtAllocateVirtualMemory retval=c0000018 ret=77fcce74 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa40,00000000,7ff7fa4c,00002000,00000004) ret=77fccd08 NtAllocateVirtualMemory returns 0x1c0000 00003000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fccd08 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa40,00000000,7ff7fa34,00001000,00000004) ret=77fccd3c NtAllocateVirtualMemory returns 0x1c0000 00003000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fccd3c 0304: NtFreeVirtualMemory(ffffffff,7ff7fb50,7ff7fb54,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fb50 0x7ff7fb54 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f868,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f868 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryInformationProcess(ffffffff,00000017,7ff7fe3c,00000024,00000000) ret=48586933 NtQueryInformationProcess 0xffffffff 23 0x7ff7fe3c 36 (nil) 0304: NtQueryInformationProcess retval=00000000 ret=48586933 0304: NtOpenFile(7ff7fd8c,00100080,7ff7fd64,7ff7fd7c,00000003,00000020) ret=48586783 NtCreateFile root (nil) attr 00000040 \??\C:\pagefile.sys open_file root = (nil) name = \??\C:\pagefile.sys open_unicode_file open file : c:/pagefile.sys 0304: NtOpenFile retval=c000003a ret=48586783 0304: NtOpenFile(7ff7fd8c,00100001,7ff7fd64,7ff7fd7c,00000003,00000021) ret=48586818 NtCreateFile root (nil) attr 00000040 \??\C:\ open_file root = (nil) name = \??\C:\ open_unicode_dir open name : c:/ open_unicode_dir r = 43 open_file fd = 43 process_alloc_user_handle handle = 00000030 0304: NtOpenFile retval=00000000 ret=48586818 0304: NtQueryVolumeInformationFile(00000030,7ff7fd7c,7ff7fd4c,00000018,00000003) ret=48586834 NtQueryVolumeInformationFile 0x30 0x7ff7fd7c 0x7ff7fd4c 24 3 0304: NtQueryVolumeInformationFile retval=c0000002 ret=48586834 0304: NtClose(00000030) ret=4858683f NtClose 0x30 0304: NtClose retval=00000000 ret=4858683f 0304: NtInitializeRegistry(00000000) ret=48584a4c NtInitializeRegistry 0 0304: NtInitializeRegistry retval=00000000 ret=48584a4c 0304: NtQuerySystemInformation(00000000,7ff7fc14,0000002c,00000000) ret=48584d8c NtQuerySystemInformation 0 0x7ff7fc14 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=48584d8c 0304: NtQuerySystemInformation(00000001,7ff7fe64,0000000c,00000000) ret=48584d9f NtQuerySystemInformation 1 0x7ff7fe64 12 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=48584d9f 0304: NtOpenKey(7ff7fe74,000f003f,7ff7fe4c) ret=48584de8 NtOpenKey 0x7ff7fe74 000f003f 0x7ff7fe4c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager\Environment NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000030 0304: NtOpenKey retval=00000000 ret=48584de8 0304: NtSetValueKey(00000030,7ff7fe78,00000000,00000001,48581c5c,00000016) ret=48584e21 NtSetValueKey 0x30 0x7ff7fe78 0 1 0x48581c5c 22 delete_value deleting OS 0304: NtSetValueKey retval=00000000 ret=48584e21 0304: NtSetValueKey(00000030,7ff7fe78,00000000,00000001,48581bd8,00000008) ret=48584e9a NtSetValueKey 0x30 0x7ff7fe78 0 1 0x48581bd8 8 delete_value deleting PROCESSOR_ARCHITECTURE 0304: NtSetValueKey retval=00000000 ret=48584e9a 0304: NtSetValueKey(00000030,7ff7fe78,00000000,00000001,7ff7fc40,00000004) ret=48584f05 NtSetValueKey 0x30 0x7ff7fe78 0 1 0x7ff7fc40 4 delete_value deleting PROCESSOR_LEVEL 0304: NtSetValueKey retval=00000000 ret=48584f05 0304: NtOpenKey(7ff7fe70,00020019,7ff7fe4c) ret=48584f4c NtOpenKey 0x7ff7fe70 00020019 0x7ff7fe4c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Hardware\Description\System\CentralProcessor\0 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000034 0304: NtOpenKey retval=00000000 ret=48584f4c 0304: NtQueryValueKey(00000034,7ff7fe78,00000002,7ff7fc40,00000200,7ff7fe40) ret=48584f80 NtQueryValueKey 0x34 0x7ff7fe78 2 0x7ff7fc40 512 0x7ff7fe40 NtQueryValueKey Identifier reg_query_value Identifier 0304: NtQueryValueKey retval=00000000 ret=48584f80 0304: NtQueryValueKey(00000034,7ff7fe78,00000002,7ff7fa14,00000200,7ff7fe40) ret=48584fbe NtQueryValueKey 0x34 0x7ff7fe78 2 0x7ff7fa14 512 0x7ff7fe40 NtQueryValueKey VendorIdentifier reg_query_value VendorIdentifier 0304: NtQueryValueKey retval=00000000 ret=48584fbe 0304: NtClose(00000034) ret=48584fc9 NtClose 0x34 0304: NtClose retval=00000000 ret=48584fc9 0304: NtSetValueKey(00000030,7ff7fe78,00000000,00000001,7ff7fc4c,0000005c) ret=48585026 NtSetValueKey 0x30 0x7ff7fe78 0 1 0x7ff7fc4c 92 delete_value deleting PROCESSOR_IDENTIFIER 0304: NtSetValueKey retval=00000000 ret=48585026 0304: NtSetValueKey(00000030,7ff7fe78,00000000,00000001,7ff7fc40,0000000a) ret=4858511b NtSetValueKey 0x30 0x7ff7fe78 0 1 0x7ff7fc40 10 delete_value deleting PROCESSOR_REVISION 0304: NtSetValueKey retval=00000000 ret=4858511b 0304: NtSetValueKey(00000030,7ff7fe78,00000000,00000001,7ff7fc40,00000004) ret=48585174 NtSetValueKey 0x30 0x7ff7fe78 0 1 0x7ff7fc40 4 delete_value deleting NUMBER_OF_PROCESSORS 0304: NtSetValueKey retval=00000000 ret=48585174 0304: NtOpenKey(7ff7fe70,000f003f,7ff7fe4c) ret=485851bb NtOpenKey 0x7ff7fe70 000f003f 0x7ff7fe4c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Safeboot\Option open_parse_key remaining = Safeboot\Option NtOpenKey open_key returned c000003a 0304: NtOpenKey retval=c000003a ret=485851bb 0304: NtClose(00000030) ret=48585270 NtClose 0x30 0304: NtClose retval=00000000 ret=48585270 0304: NtOpenKey(7ff7fe44,00020019,7ff7fe2c) ret=48587ee9 NtOpenKey 0x7ff7fe44 00020019 0x7ff7fe2c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\Setup NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000030 0304: NtOpenKey retval=00000000 ret=48587ee9 0304: NtQueryValueKey(00000030,7ff7fe24,00000002,7ff7f7c4,00000210,7ff7fe04) ret=48587f1b NtQueryValueKey 0x30 0x7ff7fe24 2 0x7ff7f7c4 528 0x7ff7fe04 NtQueryValueKey SystemPartition reg_query_value SystemPartition 0304: NtQueryValueKey retval=00000000 ret=48587f1b 0304: NtClose(00000030) ret=48587f29 NtClose 0x30 0304: NtClose retval=00000000 ret=48587f29 0304: NtOpenSymbolicLinkObject(7ff7fe48,000f0001,7ff7fe2c) ret=48587f6f nt_open_object object = \Device\HarddiskVolume1 0304: NtOpenSymbolicLinkObject retval=c0000034 ret=48587f6f 0304: NtQueryDirectoryObject(00000020,7ff7fbd4,0000022a,00000001,00032701,7ff7fe00,00000000) ret=48587fd2 NtQueryDirectoryObject 0x20 0x7ff7fbd4 554 1 1 0x7ff7fe00 (nil) NtQueryDirectoryObject fixme 0304: NtQueryDirectoryObject retval=8000001a ret=48587fd2 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7fac0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7fac0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtOpenProcessToken(ffffffff,00000028,00033558) ret=485891ed NtOpenProcessToken 0xffffffff 00000028 0x33558 process_alloc_user_handle handle = 00000030 0304: NtOpenProcessToken retval=00000000 ret=485891ed 0304: NtAdjustPrivilegesToken(00000030,00000000,00033964,00000400,00033564,7ff7fe44) ret=48589259 NtAdjustPrivilegesToken 0x30 0 0x33964 1024 0x33564 0x7ff7fe44 access_allowed fixme: no access check NtAdjustPrivilegesToken old privs 16 bytes dump 00000013 00000000 00000000 NtAdjustPrivilegesToken new privs dump 0000000a 00000000 00000002 0304: NtAdjustPrivilegesToken retval=00000000 ret=48589259 0304: NtSetSystemInformation(00000026,7ff7fe64,00000008) ret=48584b68 NtSetSystemInformation 38 0x7ff7fe64 8 0304: NtSetSystemInformation retval=00000000 ret=48584b68 0304: NtAdjustPrivilegesToken(00000030,00000000,00033564,00000000,00000000,00000000) ret=4858931c NtAdjustPrivilegesToken 0x30 0 0x33564 0 (nil) (nil) access_allowed fixme: no access check NtAdjustPrivilegesToken new privs dump 00000013 00000000 00000000 0304: NtAdjustPrivilegesToken retval=00000000 ret=4858931c 0304: NtClose(00000030) ret=48589344 NtClose 0x30 0304: NtClose retval=00000000 ret=48589344 0304: NtCreatePort(4858b990,7ff7fddc,00000000,00000080,00001000) ret=48582ad0 NtCreatePort 0x4858b990 0x7ff7fddc 0 128 0x1000 NtCreatePort root = (nil) port = \DbgSsApiPort process_alloc_user_handle handle = 00000030 0304: NtCreatePort retval=00000000 ret=48582ad0 0304: NtCreatePort(4858b988,7ff7fddc,00000004,00000080,00001000) ret=48582b45 NtCreatePort 0x4858b988 0x7ff7fddc 4 128 0x1000 NtCreatePort root = (nil) port = \DbgUiApiPort process_alloc_user_handle handle = 00000034 0304: NtCreatePort retval=00000000 ret=48582b45 0304: NtQuerySystemInformation(00000000,7ff7fa48,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x7ff7fa48 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77faf12b 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa7c,00000000,7ff7fa8c,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x1d0000 00040000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa7c,00000000,7ff7fa90,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x20e000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0304: NtProtectVirtualMemory(ffffffff,7ff7fa7c,7ff7fa78,00000104,7ff7fa74) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x7ff7fa7c 0x7ff7fa78 260 0x7ff7fa74 NtProtectVirtualMemory 0x20e000 00001000 0304: NtProtectVirtualMemory retval=00000000 ret=77faf226 0304: NtWriteVirtualMemory(ffffffff,0020fffc,7ff7fa8c,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x20fffc 0x7ff7fa8c 00000004 (nil) NtWriteVirtualMemory 0xb758cffc <- 0xb7843a8c 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0304: NtCreateThread(7ff7fdb4,001f03ff,7ff7fd80,ffffffff,7ff7fd98,7ff7faa0,7ff7fd6c,00000000) ret=77faf6ee NtCreateThread 0x7ff7fdb4 001f03ff 0x7ff7fd80 0xffffffff 0x7ff7fd98 0x7ff7faa0 0x7ff7fd6c 0 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000038 0304: NtCreateThread retval=00000000 ret=77faf6ee 0307: NtTestAlert() ret=77f84bcb 0307: NtTestAlert retval=00000000 ret=77f84bcb 0304: NtQuerySystemInformation(00000000,7ff7fa48,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x7ff7fa48 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77faf12b 0307: NtContinue(0020fd28,00000001) ret=77f8855e NtContinue 0x20fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:48582f1f ss:esp 0020:0020fff8 ds 007b es 007b fs 003b gs 0000 0307: NtContinue retval=00000000 ret=77f8855e 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa7c,00000000,7ff7fa8c,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x210000 00040000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0307: NtReplyWaitReceivePort(00000034,0020ffd0,00000000,0020ff50) ret=48582f77 NtReplyWaitReceivePort 0x34 0x20ffd0 (nil) 0x20ff50 access_allowed fixme: no access check reply_wait_receive 0x80b7e28 (nil) (nil) 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa7c,00000000,7ff7fa90,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x24e000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0304: NtProtectVirtualMemory(ffffffff,7ff7fa7c,7ff7fa78,00000104,7ff7fa74) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x7ff7fa7c 0x7ff7fa78 260 0x7ff7fa74 NtProtectVirtualMemory 0x24e000 00001000 0304: NtProtectVirtualMemory retval=00000000 ret=77faf226 0304: NtWriteVirtualMemory(ffffffff,0024fffc,7ff7fa8c,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x24fffc 0x7ff7fa8c 00000004 (nil) NtWriteVirtualMemory 0xb753affc <- 0xb7843a8c 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0304: NtCreateThread(7ff7fdb4,001f03ff,7ff7fd80,ffffffff,7ff7fd98,7ff7faa0,7ff7fd6c,00000000) ret=77faf6ee NtCreateThread 0x7ff7fdb4 001f03ff 0x7ff7fd80 0xffffffff 0x7ff7fd98 0x7ff7faa0 0x7ff7fd6c 0 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 0000003c 0304: NtCreateThread retval=00000000 ret=77faf6ee 0308: NtTestAlert() ret=77f84bcb 0308: NtTestAlert retval=00000000 ret=77f84bcb 0304: NtConnectPort(77fcf1f0,7ff7fdf0,7ff7fde4,00000000,00000000,00000000,00000000,00000000) ret=77f9bb2c NtConnectPort 0x77fcf1f0 0x7ff7fdf0 0x7ff7fde4 (nil) (nil) (nil) (nil) (nil) NtSecureConnectPort 0x77fcf1f0 0x7ff7fdf0 0x7ff7fde4 (nil) (nil) (nil) (nil) (nil) (nil) connect_port \DbgSsApiPort dump DataSize = 0 dump MessageSize = 24 dump MessageType = 10 (LPC_CONNECTION_REQUEST) dump Offset = 0 dump ClientId = 0003, 0004 dump MessageId = 257 dump SectionSize = 00000000 address 0x80bcd5c 0308: NtContinue(0024fd28,00000001) ret=77f8855e NtContinue 0x24fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:48582cb4 ss:esp 0020:0024fff8 ds 007b es 007b fs 003b gs 0000 0308: NtContinue retval=00000000 ret=77f8855e 0308: NtReplyWaitReceivePort(00000030,0024ff2c,00000000,0024ff30) ret=48582d05 NtReplyWaitReceivePort 0x30 0x24ff2c (nil) 0x24ff30 access_allowed fixme: no access check reply_wait_receive 0x80b8220 (nil) (nil) 0308: NtReplyWaitReceivePort retval=00000000 ret=48582d05 0308: NtOpenProcess(0024ff0c,00020040,0024feec,0024ff38) ret=48582e61 NtOpenProcess 0x24ff0c 00020040 0x24feec 0x24ff38 process_alloc_user_handle handle = 00000040 0308: NtOpenProcess retval=00000000 ret=48582e61 0308: NtAcceptConnectPort(0024ff08,00032938,0024ff30,00000001,00000000,00000000) ret=48582ecc NtAcceptConnectPort 0x24ff08 32938 0x24ff30 1 (nil) (nil) NtAcceptConnectPort 00000101 00000101 process_alloc_user_handle handle = 00000044 0308: NtAcceptConnectPort retval=00000000 ret=48582ecc 0308: NtCompleteConnectPort(00000044) ret=48582eff NtCompleteConnectPort 0x44 access_allowed fixme: no access check 0308: NtCompleteConnectPort retval=00000000 ret=48582eff process_alloc_user_handle handle = 00000048 connect_port ServerSharedMemory = (nil) 0304: NtConnectPort retval=00000000 ret=77f9bb2c 0308: NtReplyWaitReceivePort(00000030,0024ff2c,00000000,0024ff30) ret=48582d05 NtReplyWaitReceivePort 0x30 0x24ff2c (nil) 0x24ff30 access_allowed fixme: no access check reply_wait_receive 0x80b8220 (nil) (nil) 0304: NtQuerySystemInformation(00000000,7ff7fa78,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x7ff7fa78 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77faf12b 0304: NtAllocateVirtualMemory(ffffffff,7ff7faac,00000000,7ff7fabc,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x250000 00040000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0304: NtAllocateVirtualMemory(ffffffff,7ff7faac,00000000,7ff7fac0,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x28e000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0304: NtProtectVirtualMemory(ffffffff,7ff7faac,7ff7faa8,00000104,7ff7faa4) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x7ff7faac 0x7ff7faa8 260 0x7ff7faa4 NtProtectVirtualMemory 0x28e000 00001000 0304: NtProtectVirtualMemory retval=00000000 ret=77faf226 0304: NtWriteVirtualMemory(ffffffff,0028fffc,7ff7fabc,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x28fffc 0x7ff7fabc 00000004 (nil) NtWriteVirtualMemory 0xb74e8ffc <- 0xb7843abc 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0304: NtCreateThread(7ff7fde4,001f03ff,7ff7fdb0,ffffffff,7ff7fdc8,7ff7fad0,7ff7fd9c,00000000) ret=77faf6ee NtCreateThread 0x7ff7fde4 001f03ff 0x7ff7fdb0 0xffffffff 0x7ff7fdc8 0x7ff7fad0 0x7ff7fd9c 0 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 0000004c 0304: NtCreateThread retval=00000000 ret=77faf6ee 0309: NtTestAlert() ret=77f84bcb 0309: NtTestAlert retval=00000000 ret=77f84bcb 0304: NtAllocateVirtualMemory(ffffffff,7ff7f9dc,00000000,7ff7f9fc,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x34000 00002000 c0000018 0304: NtAllocateVirtualMemory retval=c0000018 ret=77fcce74 0309: NtContinue(0028fd28,00000001) ret=77f8855e NtContinue 0x28fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:77f9bf61 ss:esp 0020:0028fff8 ds 007b es 007b fs 003b gs 0000 0309: NtContinue retval=00000000 ret=77f8855e 0304: NtAllocateVirtualMemory(ffffffff,7ff7f9dc,00000000,7ff7f9fc,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x1c1000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0309: NtReplyWaitReceivePort(00000048,00000000,00000000,0028ffcc) ret=77f9bf7c NtReplyWaitReceivePort 0x48 (nil) (nil) 0x28ffcc access_allowed fixme: no access check reply_wait_receive 0x80bcd68 (nil) (nil) 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f788,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f788 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryAttributesFile(7ff7fb4c,7ff7fb24) ret=77f8cb7a NtQueryAttributesFile 0x7ff7fb4c 0x7ff7fb24 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\csrss.exe stat_unicode c:/winnt/system32/csrss.exe -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\csrss.exe 0304: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7fa7c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7fa7c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtFreeVirtualMemory(ffffffff,7ff7fb10,7ff7fb14,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fb10 0x7ff7fb14 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f828,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f828 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtCreateEvent(00032800,001f0003,00000000,00000000,00000000) ret=4858705a NtCreateEvent 0x32800 001f0003 (nil) 0 0 process_alloc_user_handle handle = 00000050 0304: NtCreateEvent retval=00000000 ret=4858705a 0304: NtAllocateVirtualMemory(ffffffff,7ff7fab4,00000000,7ff7faac,00001000,00000004) ret=77f83e1d NtAllocateVirtualMemory returns 0x290000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77f83e1d 0304: NtOpenFile(7ff7fa44,00100020,7ff7fa14,7ff7fa2c,00000005,00000040) ret=77faf103 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\csrss.exe open_file root = (nil) name = \??\C:\WINNT\system32\csrss.exe open_unicode_file open file : c:/winnt/system32/csrss.exe process_alloc_user_handle handle = 00000054 0304: NtOpenFile retval=00000000 ret=77faf103 0304: NtCreateSection(7ff7faa8,000f001f,00000000,00000000,00000010,01000000,00000054) ret=77faf32c NtCreateSection 0x7ff7faa8 000f001f (nil) (nil) 00000010 01000000 0x54 access_allowed fixme: no access check process_alloc_user_handle handle = 00000058 0304: NtCreateSection retval=00000000 ret=77faf32c 0304: NtClose(00000054) ret=77faf336 NtClose 0x54 0304: NtClose retval=00000000 ret=77faf336 0304: NtCreateProcess(7ff7fda0,001f0fff,7ff7fa78,ffffffff,00000000,00000058,00000000,00000000) ret=77faf3e5 NtCreateProcess 0x7ff7fda0 001f0fff 0x7ff7fa78 0xffffffff 0 0x58 (nil) (nil) access_allowed fixme: no access check mapit image at 0x5fff0000 mapit read 3 sections, load at 5fff0000 mapit .text 00001000 00000600 00000600 0000042a mapit .rsrc 00002000 00000c00 00000600 00000418 mapit .reloc 00003000 00001200 00000200 0000003c mapit image at 0x77f80000 mapit read 6 sections, load at 77f80000 mapit .text 00001000 00000400 00044a00 000448f9 mapit ECODE 00046000 00044e00 00004400 00004371 mapit PAGE 0004b000 00049200 00003e00 00003dfd mapit .data 0004f000 0004d000 00002200 00002a54 mapit .rsrc 00052000 0004f200 00026e00 00026d18 mapit .reloc 00079000 00076000 00002000 00001f40 mapit anonymous map mapit anonymous map process_alloc_user_handle handle = 00000054 0304: NtCreateProcess retval=00000000 ret=77faf3e5 0304: NtQuerySection(00000058,00000001,7ff7fdb0,00000030,00000000) ret=77faf3fd NtQuerySection 0x58 1 0x7ff7fdb0 48 (nil) access_allowed fixme: no access check 0304: NtQuerySection retval=00000000 ret=77faf3fd 0304: NtQueryInformationProcess(00000054,00000000,7ff7fa60,00000018,00000000) ret=77faf413 NtQueryInformationProcess 0x54 0 0x7ff7fa60 24 (nil) access_allowed fixme: no access check 0304: NtQueryInformationProcess retval=00000000 ret=77faf413 0304: NtAllocateVirtualMemory(00000054,7ff7fa90,00000000,7ff7faa0,00002000,00000004) ret=77faf522 access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x10000 00100000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf522 0304: NtAllocateVirtualMemory(00000054,7ff7fa90,00000000,7ff7faa0,00001000,00000004) ret=77faf57a access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x110000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf57a 0304: NtWriteVirtualMemory(00000054,00110000,001b0000,000002a0,00000000) ret=77faf594 NtWriteVirtualMemory 0x54 0x110000 0x1b0000 000002a0 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb71ba000 <- 0xb758d000 672 NtWriteVirtualMemory wrote 672 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77faf594 0304: NtAllocateVirtualMemory(00000054,7ff7fab0,00000000,7ff7fa5c,00001000,00000004) ret=77faf5c4 access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x120000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf5c4 0304: NtWriteVirtualMemory(00000054,00120000,00290000,0000075c,00000000) ret=77faf5dd NtWriteVirtualMemory 0x54 0x120000 0x290000 0000075c (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb71b9000 <- 0xb7496000 1884 NtWriteVirtualMemory wrote 1884 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77faf5dd 0304: NtWriteVirtualMemory(00000054,7ffd0010,7ff7fab0,00000004,00000000) ret=77faf5f9 NtWriteVirtualMemory 0x54 0x7ffd0010 0x7ff7fab0 00000004 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb7203010 <- 0xb7843ab0 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77faf5f9 0304: NtQuerySystemInformation(00000000,7ff7f6c4,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x7ff7f6c4 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77faf12b 0304: NtAllocateVirtualMemory(00000054,7ff7f6f8,00000000,7ff7f708,00002000,00000004) ret=77faf1b0 access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x130000 00040000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0304: NtAllocateVirtualMemory(00000054,7ff7f6f8,00000000,7ff7f70c,00001000,00000004) ret=77faf1fa access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x16d000 00003000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0304: NtProtectVirtualMemory(00000054,7ff7f6f8,7ff7f6f4,00000104,7ff7f6f0) ret=77faf226 NtProtectVirtualMemory 0x54 0x7ff7f6f8 0x7ff7f6f4 260 0x7ff7f6f0 access_allowed fixme: no access check NtProtectVirtualMemory 0x16d000 00001000 0304: NtProtectVirtualMemory retval=00000000 ret=77faf226 0304: NtWriteVirtualMemory(00000054,0016fffc,7ff7f708,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0x54 0x16fffc 0x7ff7f708 00000004 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb71b8ffc <- 0xb7843708 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0304: NtCreateThread(7ff7fa30,001f03ff,7ff7f9fc,00000054,7ff7fa14,7ff7f71c,7ff7f9e8,00000001) ret=77faf6ee NtCreateThread 0x7ff7fa30 001f03ff 0x7ff7f9fc 0x54 0x7ff7fa14 0x7ff7f71c 0x7ff7f9e8 1 access_allowed fixme: no access check mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 0000005c 0304: NtCreateThread retval=00000000 ret=77faf6ee 0304: NtClose(00000058) ret=77faf64f NtClose 0x58 0304: NtClose retval=00000000 ret=77faf64f 0304: NtFreeVirtualMemory(ffffffff,7ff7fafc,7ff7faf0,00008000) ret=77f83cc7 NtFreeVirtualMemory 0xffffffff 0x7ff7fafc 0x7ff7faf0 32768 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77f83cc7 0304: NtResumeThread(0000005c,00000000) ret=485872ee NtResumeThread 0x5c (nil) access_allowed fixme: no access check 0304: NtResumeThread retval=00000000 ret=485872ee 0a0b: NtOpenKey(0016fc74,80000000,0016fc50) ret=77f91379 NtOpenKey 0x16fc74 80000000 0x16fc50 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe open_parse_key remaining = Image File Execution Options\csrss.exe NtOpenKey open_key returned c000003a 0a0b: NtOpenKey retval=c000003a ret=77f91379 0304: NtWaitForSingleObject(00000050,00000000,00000000) ret=48587512 NtWaitForSingleObject 0x50 0 (nil) wait_on_handles handle[0] = 00000050 0a0b: NtOpenKey(0016fc74,80000000,0016fc50) ret=77f91379 NtOpenKey 0x16fc74 80000000 0x16fc50 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe open_parse_key remaining = Image File Execution Options\csrss.exe NtOpenKey open_key returned c000003a 0a0b: NtOpenKey retval=c000003a ret=77f91379 0a0b (debug 16f754,0,125) : LDR: PID: 0xa started - 'C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16' 0a0b: NtCreateEvent(0016f974,00100003,00000000,00000001,00000000) ret=77f8c9cd NtCreateEvent 0x16f974 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000004 0a0b: NtCreateEvent retval=00000000 ret=77f8c9cd 0a0b: NtCreateEvent(77fcf670,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x77fcf670 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000008 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b: NtQuerySystemInformation(00000000,0016f8cc,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x16f8cc 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77fcb540 0a0b: NtAllocateVirtualMemory(ffffffff,0016f894,00000000,0016f970,00002000,00000004) ret=77fcb607 NtAllocateVirtualMemory returns 0x170000 00100000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcb607 0a0b: NtAllocateVirtualMemory(ffffffff,0016f940,00000000,0016f974,00001000,00000004) ret=77fcb640 NtAllocateVirtualMemory returns 0x170000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcb640 0a0b: NtCreateEvent(00170618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x170618 00100003 (nil) 1 0 process_alloc_user_handle handle = 0000000c 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b: NtAllocateVirtualMemory(ffffffff,0016f680,00000000,0016f6a0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x171000 00002000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0b: NtOpenKey(0016f950,80000000,0016f92c) ret=77f91379 NtOpenKey 0x16f950 80000000 0x16f92c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe open_parse_key remaining = Image File Execution Options\csrss.exe NtOpenKey open_key returned c000003a 0a0b: NtOpenKey retval=c000003a ret=77f91379 0a0b: NtOpenDirectoryObject(77fcf000,00000003,0016fc30) ret=77f8584a nt_open_object object = \KnownDlls process_alloc_user_handle handle = 00000010 0a0b: NtOpenDirectoryObject retval=00000000 ret=77f8584a 0a0b: NtOpenSymbolicLinkObject(0016fc80,00000001,0016fc30) ret=77f8588d nt_open_object object = KnownDllPath process_alloc_user_handle handle = 00000014 0a0b: NtOpenSymbolicLinkObject retval=00000000 ret=77f8588d 0a0b: NtQuerySymbolicLinkObject(00000014,77fcf008,00000000) ret=77f858bd access_allowed fixme: no access check 0a0b: NtQuerySymbolicLinkObject retval=00000000 ret=77f858bd 0a0b: NtClose(00000014) ret=77f858c7 NtClose 0x14 0a0b: NtClose retval=00000000 ret=77f858c7 0a0b (debug 16f75c,170178,11) : LDR: NEW PROCESS 0a0b (debug 16f754,11,3d) : Image Path: \??\C:\WINNT\system32\csrss.exe (csrss.exe) 0a0b (debug 16f758,3d,2a) : Current Directory: C:\WINNT\system32 0a0b (debug 16f758,3d,3f) : Search Path: C:\WINNT\system32;C:\WINNT\system32;C:\WINNT 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f7f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f7f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f548,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f548 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f92c,00100020,0016f940,0016f904,00000003,00000021) ret=77f850ba NtCreateFile root (nil) attr 00000042 \??\C:\WINNT\system32 open_file root = (nil) name = \??\C:\WINNT\system32 open_unicode_dir open name : c:/winnt/system32 open_unicode_dir r = 79 open_file fd = 79 process_alloc_user_handle handle = 00000014 0a0b: NtOpenFile retval=00000000 ret=77f850ba 0a0b: NtQueryVolumeInformationFile(00000014,0016f904,0016f924,00000008,00000004) ret=77f850d9 NtQueryVolumeInformationFile 0x14 0x16f904 0x16f924 8 4 0a0b: NtQueryVolumeInformationFile retval=c0000002 ret=77f850d9 0a0b: NtFreeVirtualMemory(ffffffff,0016f804,0016f808,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x16f804 0x16f808 16384 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0a0b: NtClose(00000014) ret=77f9aace NtClose 0x14 0a0b: NtClose retval=00000000 ret=77f9aace 0a0b: NtAllocateVirtualMemory(ffffffff,0016f6fc,00000000,0016f71c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x172000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f7f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f7f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f548,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f548 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f92c,00100020,0016f940,0016f904,00000003,00000021) ret=77f850ba NtCreateFile root (nil) attr 00000042 \??\C:\WINNT open_file root = (nil) name = \??\C:\WINNT open_unicode_dir open name : c:/winnt open_unicode_dir r = 80 open_file fd = 80 process_alloc_user_handle handle = 00000014 0a0b: NtOpenFile retval=00000000 ret=77f850ba 0a0b: NtQueryVolumeInformationFile(00000014,0016f904,0016f924,00000008,00000004) ret=77f850d9 NtQueryVolumeInformationFile 0x14 0x16f904 0x16f924 8 4 0a0b: NtQueryVolumeInformationFile retval=c0000002 ret=77f850d9 0a0b: NtFreeVirtualMemory(ffffffff,0016f804,0016f808,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x16f804 0x16f808 16384 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0a0b: NtClose(00000014) ret=77f9aace NtClose 0x14 0a0b: NtClose retval=00000000 ret=77f9aace 0a0b (debug 16f708,0,23) : LDR: csrss.exe bound to CSRSRV.dll 0a0b: NtAllocateVirtualMemory(ffffffff,0016f658,00000000,0016f678,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x172000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0b: NtOpenSection(0016f868,0000000e,0016f848) ret=77f935ad nt_open_object object = CSRSRV.dll 0a0b: NtOpenSection retval=c0000034 ret=77f935ad 0a0b: NtFreeVirtualMemory(ffffffff,0016f78c,0016f790,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x16f78c 0x16f790 16384 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0a0b: NtAllocateVirtualMemory(ffffffff,0016f674,00000000,0016f694,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x172000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f7e4,0016f7bc) ret=77f8cb7a NtQueryAttributesFile 0x16f7e4 0x16f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\CSRSRV.dll stat_unicode c:/winnt/system32/csrsrv.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\CSRSRV.dll 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b (debug 16f654,0,33) : LDR: Loading (STATIC) C:\WINNT\system32\CSRSRV.dll 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f870,00100020,0016f840,0016f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\CSRSRV.dll open_file root = (nil) name = \??\C:\WINNT\system32\CSRSRV.dll open_unicode_file open file : c:/winnt/system32/csrsrv.dll process_alloc_user_handle handle = 00000014 0a0b: NtOpenFile retval=00000000 ret=77f8e927 0a0b: NtCreateSection(0016f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x16f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 0a0b: NtCreateSection retval=00000000 ret=77f8e946 0a0b: NtClose(00000014) ret=77f8e951 NtClose 0x14 0a0b: NtClose retval=00000000 ret=77f8e951 0a0b: NtMapViewOfSection(00000018,ffffffff,0016f8dc,00000000,00000000,00000000,0016f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x16f8dc 0 00000000 (nil) 0x16f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x5ff90000 mapit read 5 sections, load at 5ff90000 mapit .text 00001000 00000600 00006c00 00006a32 mapit .data 00008000 00007200 00000200 000009b0 mapit .edata 00009000 00007400 00000600 00000435 mapit .rsrc 0000a000 00007a00 00000600 00000418 mapit .reloc 0000b000 00008000 00000800 000007bc NtMapViewOfSection mapped at 0x5ff90000 0a0b: NtMapViewOfSection retval=00000000 ret=77f86ff9 0a0b: NtClose(00000018) ret=77f870b4 NtClose 0x18 0a0b: NtClose retval=00000000 ret=77f870b4 0a0b (debug 16f68c,0,23) : LDR: CSRSRV.dll bound to ntdll.dll 0a0b (debug 16f68c,0,31) : LDR: CSRSRV.dll has correct binding to ntdll.dll 0a0b (debug 16f708,0,31) : LDR: csrss.exe has correct binding to CSRSRV.dll 0a0b (debug 16f708,0,22) : LDR: csrss.exe bound to ntdll.dll 0a0b (debug 16f708,0,30) : LDR: csrss.exe has correct binding to ntdll.dll 0a0b (debug 16f71c,68206578,1f) : LDR: Refcount CSRSRV.dll (1) 0a0b: NtOpenKey(0016f794,80000000,0016f770) ret=77f91379 NtOpenKey 0x16f794 80000000 0x16f770 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe open_parse_key remaining = Image File Execution Options\csrss.exe NtOpenKey open_key returned c000003a 0a0b: NtOpenKey retval=c000003a ret=77f91379 0a0b (debug 16f6e8,0,14) : LDR: Real INIT LIST 0a0b: NtTestAlert() ret=77f84bcb 0a0b: NtTestAlert retval=00000000 ret=77f84bcb 0a0b: NtContinue(0016fd28,00000001) ret=77f8855e NtContinue 0x16fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:5fff1130 ss:esp 0020:0016fff8 ds 007b es 007b fs 003b gs 0000 0a0b: NtContinue retval=00000000 ret=77f8855e 0a0b: NtSetInformationProcess(ffffffff,00000005,0016ffb0,00000004) ret=5fff10da NtSetInformationProcess 0xffffffff 5 0x16ffb0 4 0a0b: NtSetInformationProcess retval=00000000 ret=5fff10da 0a0b: NtSetInformationProcess(ffffffff,00000010,00000000,00000000) ret=5fff10e4 NtSetInformationProcess 0xffffffff 16 (nil) 0 NtSetInformationProcess set ProcessUserModeIOPL 0a0b: NtSetInformationProcess retval=00000000 ret=5fff10e4 0a0b: NtCreateEvent(5ff9894c,001f0003,00000000,00000001,00000000) ret=5ff91fbc NtCreateEvent 0x5ff9894c 001f0003 (nil) 1 0 process_alloc_user_handle handle = 00000014 0a0b: NtCreateEvent retval=00000000 ret=5ff91fbc 0a0b: NtQuerySystemInformation(00000000,5ff98920,0000002c,00000000) ret=5ff91fd3 NtQuerySystemInformation 0 0x5ff98920 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=5ff91fd3 0a0b: NtOpenProcessToken(ffffffff,00000008,0016ff74) ret=5ff92494 NtOpenProcessToken 0xffffffff 00000008 0x16ff74 process_alloc_user_handle handle = 00000018 0a0b: NtOpenProcessToken retval=00000000 ret=5ff92494 0a0b: NtQueryInformationToken(00000018,00000001,00000000,00000000,0016ff78) ret=5ff924af NtQueryInformationToken 0x18 1 (nil) 0 0x16ff78 access_allowed fixme: no access check NtQueryInformationToken TokenUser 0a0b: NtQueryInformationToken retval=c0000023 ret=5ff924af 0a0b: NtQueryInformationToken(00000018,00000001,00172458,00000014,0016ff78) ret=5ff924f1 NtQueryInformationToken 0x18 1 0x172458 20 0x16ff78 access_allowed fixme: no access check NtQueryInformationToken TokenUser 0a0b: NtQueryInformationToken retval=00000000 ret=5ff924f1 0a0b: NtClose(00000018) ret=5ff924fc NtClose 0x18 0a0b: NtClose retval=00000000 ret=5ff924fc 0a0b: NtSetSecurityObject(ffffffff,00000004,00172478) ret=5ff9259d NtSetSecurityObject 0xffffffff 00000004 0x172478 0a0b: NtSetSecurityObject retval=00000000 ret=5ff9259d 0a0b: NtCreateDirectoryObject(5ff98950,000f000f,0016ff4c) ret=5ff922f5 NtCreateDirectoryObject 0x5ff98950 000f000f 0x16ff4c create name = \Windows process_alloc_user_handle handle = 00000018 0a0b: NtCreateDirectoryObject retval=00000000 ret=5ff922f5 0a0b: NtSetSecurityObject(00000018,00000004,00172530) ret=5ff926fd NtSetSecurityObject 0x18 00000004 0x172530 0a0b: NtSetSecurityObject retval=00000000 ret=5ff926fd 0a0b: NtCreateSection(5ff98888,000f001f,00000000,0016fe18,00000040,04200000,00000000) ret=5ff935a5 NtCreateSection 0x5ff98888 000f001f (nil) 0x16fe18 00000040 04200000 (nil) process_alloc_user_handle handle = 0000001c 0a0b: NtCreateSection retval=00000000 ret=5ff935a5 0a0b: NtMapViewOfSection(0000001c,ffffffff,5ff988ec,00000000,00000000,00000000,0016fe2c,00000002,00100000,00000040) ret=5ff9367d NtMapViewOfSection 0x1c 0xffffffff 0x5ff988ec 0 00000000 (nil) 0x16fe2c 2 00100000 00000040 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x7fe70000 0a0b: NtMapViewOfSection retval=00000000 ret=5ff9367d 0a0b: NtQuerySystemInformation(00000000,0016fd24,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x16fd24 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77fcb540 0a0b: NtQueryVirtualMemory(ffffffff,7fe70000,00000000,0016fd68,0000001c,00000000) ret=77fccbc8 NtQueryVirtualMemory 0xffffffff 0x7fe70000 0 0x16fd68 28 (nil) 0a0b: NtQueryVirtualMemory retval=00000000 ret=77fccbc8 0a0b: NtQueryVirtualMemory(ffffffff,7ff70000,00000000,0016fd68,0000001c,00000000) ret=77fcd26c NtQueryVirtualMemory 0xffffffff 0x7ff70000 0 0x16fd68 28 (nil) 0a0b: NtQueryVirtualMemory retval=00000000 ret=77fcd26c 0a0b: NtCreateEvent(7fe70618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x7fe70618 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000020 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b (debug 16f8d8,1,2b) : LDR: LdrLoadDll, loading basesrv.dll from 0a0b: NtOpenSection(0016fa68,0000000e,0016fa48) ret=77f935ad nt_open_object object = basesrv.dll 0a0b: NtOpenSection retval=c0000034 ret=77f935ad 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f620,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f620 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f9e4,0016f9bc) ret=77f8cb7a NtQueryAttributesFile 0x16f9e4 0x16f9bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\basesrv.dll stat_unicode c:/winnt/system32/basesrv.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\basesrv.dll 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f914,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f914 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b (debug 16f854,0,35) : LDR: Loading (DYNAMIC) C:\WINNT\system32\basesrv.dll 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f6e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f6e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016fa70,00100020,0016fa40,0016fa58,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\basesrv.dll open_file root = (nil) name = \??\C:\WINNT\system32\basesrv.dll open_unicode_file open file : c:/winnt/system32/basesrv.dll process_alloc_user_handle handle = 00000024 0a0b: NtOpenFile retval=00000000 ret=77f8e927 0a0b: NtCreateSection(0016fad8,0000000f,00000000,00000000,00000010,01000000,00000024) ret=77f8e946 NtCreateSection 0x16fad8 0000000f (nil) (nil) 00000010 01000000 0x24 access_allowed fixme: no access check process_alloc_user_handle handle = 00000028 0a0b: NtCreateSection retval=00000000 ret=77f8e946 0a0b: NtClose(00000024) ret=77f8e951 NtClose 0x24 0a0b: NtClose retval=00000000 ret=77f8e951 0a0b: NtMapViewOfSection(00000028,ffffffff,0016fadc,00000000,00000000,00000000,0016fad4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x28 0xffffffff 0x16fadc 0 00000000 (nil) 0x16fad4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x5ffa0000 mapit read 4 sections, load at 5ffa0000 mapit .text 00001000 00000600 00008c00 00008b7b mapit .data 0000a000 00009200 00000400 00000590 mapit .rsrc 0000b000 00009600 00000400 000003d0 mapit .reloc 0000c000 00009a00 00000a00 000009f6 NtMapViewOfSection mapped at 0x5ffa0000 0a0b: NtMapViewOfSection retval=00000000 ret=77f86ff9 0a0b: NtClose(00000028) ret=77f870b4 NtClose 0x28 0a0b: NtClose retval=00000000 ret=77f870b4 0a0b (debug 16f88c,0,24) : LDR: basesrv.dll bound to ntdll.dll 0a0b (debug 16f88c,0,32) : LDR: basesrv.dll has correct binding to ntdll.dll 0a0b (debug 16f88c,0,25) : LDR: basesrv.dll bound to CSRSRV.dll 0a0b (debug 16f88c,0,33) : LDR: basesrv.dll has correct binding to CSRSRV.dll 0a0b (debug 16f86c,0,14) : LDR: Real INIT LIST 0a0b (debug 16fac0,7ff70bf8,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16fabc,16fac0,1f) : NAME - ServerDllInitialization 0a0b: NtQuerySystemInformation(00000003,7feef7d8,00000030,00000000) ret=5ffa216e NtQuerySystemInformation 3 0x7feef7d8 48 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=5ffa216e 0a0b: NtOpenKey(0016f604,82000000,0016f58c) ret=77fabd71 NtOpenKey 0x16f604 82000000 0x16f58c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Windows NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0a0b: NtOpenKey retval=00000000 ret=77fabd71 0a0b: NtAllocateVirtualMemory(ffffffff,0016f5b0,00000000,0016f610,00001000,00000004) ret=77fac38f NtAllocateVirtualMemory returns 0x270000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fac38f 0a0b: NtQueryValueKey(00000024,0016f5f8,00000001,00270000,00000ffe,0016f60c) ret=77fac634 NtQueryValueKey 0x24 0x16f5f8 1 0x270000 4094 0x16f60c NtQueryValueKey CSDVersion reg_query_value CSDVersion 0a0b: NtQueryValueKey retval=00000000 ret=77fac634 0a0b: NtClose(00000024) ret=77fac7b7 NtClose 0x24 0a0b: NtClose retval=00000000 ret=77fac7b7 0a0b: NtFreeVirtualMemory(ffffffff,0016f5c0,0016f5c4,00008000) ret=77fac374 NtFreeVirtualMemory 0xffffffff 0x16f5c0 0x16f5c4 32768 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=77fac374 0a0b: NtOpenKey(0016f604,82000000,0016f58c) ret=77fabd71 NtOpenKey 0x16f604 82000000 0x16f58c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\ NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0a0b: NtOpenKey retval=00000000 ret=77fabd71 0a0b: NtAllocateVirtualMemory(ffffffff,0016f5b0,00000000,0016f610,00001000,00000004) ret=77fac38f NtAllocateVirtualMemory returns 0x270000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fac38f 0a0b: NtQueryValueKey(00000024,0016f5f8,00000001,00270000,00000ffe,0016f60c) ret=77fac634 NtQueryValueKey 0x24 0x16f5f8 1 0x270000 4094 0x16f60c NtQueryValueKey CSDVersion reg_query_value CSDVersion 0a0b: NtQueryValueKey retval=00000000 ret=77fac634 0a0b: NtClose(00000024) ret=77fac7b7 NtClose 0x24 0a0b: NtClose retval=00000000 ret=77fac7b7 0a0b: NtFreeVirtualMemory(ffffffff,0016f5c0,0016f5c4,00008000) ret=77fac374 NtFreeVirtualMemory 0xffffffff 0x16f5c0 0x16f5c4 32768 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=77fac374 0a0b: NtQuerySystemInformation(00000000,7feef7ac,0000002c,00000000) ret=5ffa23ac NtQuerySystemInformation 0 0x7feef7ac 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=5ffa23ac 0a0b: NtOpenKey(0016f61c,80000000,0016f5f4) ret=5ffa8410 NtOpenKey 0x16f61c 80000000 0x16f5f4 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0a0b: NtOpenKey retval=00000000 ret=5ffa8410 0a0b: NtQueryValueKey(00000024,0016f5d8,00000002,0016f1c8,00000400,0016f5f0) ret=5ffa843f NtQueryValueKey 0x24 0x16f5d8 2 0x16f1c8 1024 0x16f5f0 NtQueryValueKey (null us) 0a0b: NtQueryValueKey retval=c0000034 ret=5ffa843f 0a0b: NtEnumerateKey(00000024,00000000,00000000,0016f1c8,00000400,0016f5f0) ret=5ffa84c2 0a0b: NtEnumerateKey retval=8000001a ret=5ffa84c2 0a0b: NtClose(00000024) ret=5ffa859f NtClose 0x24 0a0b: NtClose retval=00000000 ret=5ffa859f 0a0b: NtOpenKey(0016fdb0,00020019,0016fd8c) ret=5ffa240f NtOpenKey 0x16fdb0 00020019 0x16fd8c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\WOW NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0a0b: NtOpenKey retval=00000000 ret=5ffa240f 0a0b: NtQueryValueKey(00000024,0016fd84,00000002,0016fa44,00000320,0016fd74) ret=5ffa2441 NtQueryValueKey 0x24 0x16fd84 2 0x16fa44 800 0x16fd74 NtQueryValueKey DefaultSeparateVDM reg_query_value DefaultSeparateVDM 0a0b: NtQueryValueKey retval=00000000 ret=5ffa2441 0a0b: NtClose(00000024) ret=5ffa24b5 NtClose 0x24 0a0b: NtClose retval=00000000 ret=5ffa24b5 0a0b: NtOpenKey(0016fdb0,00020019,0016fd8c) ret=5ffa24f7 NtOpenKey 0x16fdb0 00020019 0x16fd8c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\WOW NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0a0b: NtOpenKey retval=00000000 ret=5ffa24f7 0a0b: NtQueryValueKey(00000024,0016fd84,00000002,0016fa44,00000320,0016fd74) ret=5ffa2529 NtQueryValueKey 0x24 0x16fd84 2 0x16fa44 800 0x16fd74 NtQueryValueKey ForceDos 0a0b: NtQueryValueKey retval=c0000034 ret=5ffa2529 0a0b: NtClose(00000024) ret=5ffa259b NtClose 0x24 0a0b: NtClose retval=00000000 ret=5ffa259b 0a0b: NtOpenKey(0016f5f8,00020019,0016f5d0) ret=5ffa3800 NtOpenKey 0x16f5f8 00020019 0x16f5d0 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 0a0b: NtOpenKey retval=00000000 ret=5ffa3800 0a0b: NtQueryValueKey(00000024,0016f5ec,00000002,0016f590,00000040,0016f5e8) ret=5ffa382a NtQueryValueKey 0x24 0x16f5ec 2 0x16f590 64 0x16f5e8 NtQueryValueKey ProtectionMode reg_query_value ProtectionMode 0a0b: NtQueryValueKey retval=00000000 ret=5ffa382a 0a0b: NtClose(00000024) ret=5ffa384f NtClose 0x24 0a0b: NtClose retval=00000000 ret=5ffa384f 0a0b: NtCreateDirectoryObject(5ffaa558,000f000f,0016fd8c) ret=5ffa262d NtCreateDirectoryObject 0x5ffaa558 000f000f 0x16fd8c create name = \BaseNamedObjects process_alloc_user_handle handle = 00000024 0a0b: NtCreateDirectoryObject retval=00000000 ret=5ffa262d 0a0b: NtCreateSymbolicLinkObject(0016fdac,000f0001,0016fd8c,0016fd64) ret=5ffa26b4 NtCreateSymbolicLinkObject Global -> \BaseNamedObjects process_alloc_user_handle handle = 00000028 0a0b: NtCreateSymbolicLinkObject retval=00000000 ret=5ffa26b4 0a0b: NtClose(00000028) ret=5ffa26c9 NtClose 0x28 0a0b: NtClose retval=00000000 ret=5ffa26c9 0a0b: NtCreateSymbolicLinkObject(0016fdac,000f0001,0016fd8c,0016fd64) ret=5ffa2719 NtCreateSymbolicLinkObject Local -> \BaseNamedObjects process_alloc_user_handle handle = 00000028 0a0b: NtCreateSymbolicLinkObject retval=00000000 ret=5ffa2719 0a0b: NtClose(00000028) ret=5ffa272e NtClose 0x28 0a0b: NtClose retval=00000000 ret=5ffa272e 0a0b: NtCreateSymbolicLinkObject(0016fdac,000f0001,0016fd8c,0016fd64) ret=5ffa277c NtCreateSymbolicLinkObject Session -> \Sessions\BNOLINKS process_alloc_user_handle handle = 00000028 0a0b: NtCreateSymbolicLinkObject retval=00000000 ret=5ffa277c 0a0b: NtClose(00000028) ret=5ffa2791 NtClose 0x28 0a0b: NtClose retval=00000000 ret=5ffa2791 0a0b: NtCreateDirectoryObject(5ffaa520,000f000f,0016fd8c) ret=5ffa27e2 NtCreateDirectoryObject 0x5ffaa520 000f000f 0x16fd8c create name = Restricted process_alloc_user_handle handle = 00000028 0a0b: NtCreateDirectoryObject retval=00000000 ret=5ffa27e2 0a0b: NtQueryDefaultLocale(00000000,7fef106c) ret=5ffa7540 NtQueryDefaultLocale 0 0x7fef106c 0a0b: NtQueryDefaultLocale retval=00000000 ret=5ffa7540 0a0b (debug 16f8d8,0,2a) : LDR: LdrLoadDll, loading winsrv.dll from 0a0b: NtOpenSection(0016fa68,0000000e,0016fa48) ret=77f935ad nt_open_object object = winsrv.dll 0a0b: NtOpenSection retval=c0000034 ret=77f935ad 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f620,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f620 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f9e4,0016f9bc) ret=77f8cb7a NtQueryAttributesFile 0x16f9e4 0x16f9bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\winsrv.dll stat_unicode c:/winnt/system32/winsrv.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\winsrv.dll 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f914,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f914 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b (debug 16f854,0,34) : LDR: Loading (DYNAMIC) C:\WINNT\system32\winsrv.dll 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f6e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f6e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016fa70,00100020,0016fa40,0016fa58,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\winsrv.dll open_file root = (nil) name = \??\C:\WINNT\system32\winsrv.dll open_unicode_file open file : c:/winnt/system32/winsrv.dll process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=77f8e927 0a0b: NtCreateSection(0016fad8,0000000f,00000000,00000000,00000010,01000000,0000002c) ret=77f8e946 NtCreateSection 0x16fad8 0000000f (nil) (nil) 00000010 01000000 0x2c access_allowed fixme: no access check process_alloc_user_handle handle = 00000030 0a0b: NtCreateSection retval=00000000 ret=77f8e946 0a0b: NtClose(0000002c) ret=77f8e951 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=77f8e951 0a0b: NtMapViewOfSection(00000030,ffffffff,0016fadc,00000000,00000000,00000000,0016fad4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x30 0xffffffff 0x16fadc 0 00000000 (nil) 0x16fad4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x5ffb0000 mapit read 5 sections, load at 5ffb0000 mapit .text 00001000 00000400 00030e00 00030d60 mapit FE_TEXT 00032000 00031200 00005600 000055ed mapit .data 00038000 00036800 00001000 00000e60 mapit .rsrc 00039000 00037800 00004000 00003f88 mapit .reloc 0003d000 0003b800 00002200 00002168 NtMapViewOfSection mapped at 0x5ffb0000 0a0b: NtMapViewOfSection retval=00000000 ret=77f86ff9 0a0b: NtClose(00000030) ret=77f870b4 NtClose 0x30 0a0b: NtClose retval=00000000 ret=77f870b4 0a0b (debug 16f88c,0,24) : LDR: winsrv.dll bound to USER32.DLL 0a0b: NtOpenSection(0016f9ec,0000000e,0016f9cc) ret=77f935ad nt_open_object object = USER32.DLL 0a0b: NtOpenSection retval=c0000034 ret=77f935ad 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f5a4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f5a4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f968,0016f940) ret=77f8cb7a NtQueryAttributesFile 0x16f968 0x16f940 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\USER32.DLL stat_unicode c:/winnt/system32/user32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\USER32.DLL 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f898,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f898 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b (debug 16f7d8,0,33) : LDR: Loading (STATIC) C:\WINNT\system32\USER32.DLL 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f66c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f66c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f9f4,00100020,0016f9c4,0016f9dc,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\USER32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\USER32.DLL open_unicode_file open file : c:/winnt/system32/user32.dll process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=77f8e927 0a0b: NtCreateSection(0016fa5c,0000000f,00000000,00000000,00000010,01000000,0000002c) ret=77f8e946 NtCreateSection 0x16fa5c 0000000f (nil) (nil) 00000010 01000000 0x2c access_allowed fixme: no access check process_alloc_user_handle handle = 00000030 0a0b: NtCreateSection retval=00000000 ret=77f8e946 0a0b: NtClose(0000002c) ret=77f8e951 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=77f8e951 0a0b: NtMapViewOfSection(00000030,ffffffff,0016fa60,00000000,00000000,00000000,0016fa58,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x30 0xffffffff 0x16fa60 0 00000000 (nil) 0x16fa58 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x77e10000 mapit read 4 sections, load at 77e10000 mapit .text 00001000 00000400 00057400 0005729a mapit .data 00059000 00057800 00000a00 00000e20 mapit .rsrc 0005a000 00058200 00007800 00007618 mapit .reloc 00062000 0005fa00 00002c00 00002ae8 NtMapViewOfSection mapped at 0x77e10000 0a0b: NtMapViewOfSection retval=00000000 ret=77f86ff9 0a0b: NtClose(00000030) ret=77f870b4 NtClose 0x30 0a0b: NtClose retval=00000000 ret=77f870b4 0a0b (debug 16f810,0,23) : LDR: USER32.DLL bound to NTDLL.DLL 0a0b (debug 16f810,0,31) : LDR: USER32.DLL has correct binding to NTDLL.DLL 0a0b (debug 16f810,0,26) : LDR: USER32.DLL bound to KERNEL32.DLL 0a0b: NtOpenSection(0016f970,0000000e,0016f950) ret=77f935ad nt_open_object object = KERNEL32.DLL 0a0b: NtOpenSection retval=c0000034 ret=77f935ad 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f528,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f528 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f8ec,0016f8c4) ret=77f8cb7a NtQueryAttributesFile 0x16f8ec 0x16f8c4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\KERNEL32.DLL stat_unicode c:/winnt/system32/kernel32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\KERNEL32.DLL 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f81c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f81c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b (debug 16f75c,0,35) : LDR: Loading (STATIC) C:\WINNT\system32\KERNEL32.DLL 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f5f0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f5f0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f978,00100020,0016f948,0016f960,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\KERNEL32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\KERNEL32.DLL open_unicode_file open file : c:/winnt/system32/kernel32.dll process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=77f8e927 0a0b: NtCreateSection(0016f9e0,0000000f,00000000,00000000,00000010,01000000,0000002c) ret=77f8e946 NtCreateSection 0x16f9e0 0000000f (nil) (nil) 00000010 01000000 0x2c access_allowed fixme: no access check process_alloc_user_handle handle = 00000030 0a0b: NtCreateSection retval=00000000 ret=77f8e946 0a0b: NtClose(0000002c) ret=77f8e951 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=77f8e951 0a0b: NtMapViewOfSection(00000030,ffffffff,0016f9e4,00000000,00000000,00000000,0016f9dc,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x30 0xffffffff 0x16f9e4 0 00000000 (nil) 0x16f9dc 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x7c4e0000 mapit read 4 sections, load at 7c4e0000 mapit .text 00001000 00000400 0005e400 0005e378 mapit .data 00060000 0005e800 00003200 000032b8 mapit .rsrc 00064000 00061a00 00050600 00050548 mapit .reloc 000b5000 000b2000 00003600 00003588 NtMapViewOfSection mapped at 0x7c4e0000 0a0b: NtMapViewOfSection retval=00000000 ret=77f86ff9 0a0b: NtClose(00000030) ret=77f870b4 NtClose 0x30 0a0b: NtClose retval=00000000 ret=77f870b4 0a0b (debug 16f794,0,25) : LDR: KERNEL32.DLL bound to NTDLL.DLL 0a0b (debug 16f794,0,33) : LDR: KERNEL32.DLL has correct binding to NTDLL.DLL 0a0b (debug 16f810,0,34) : LDR: USER32.DLL has correct binding to KERNEL32.DLL 0a0b (debug 16f80c,16f810,46) : LDR: USER32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.DLL 0a0b (debug 16f810,46,31) : LDR: USER32.DLL has correct binding to NTDLL.DLL 0a0b (debug 16f810,46,23) : LDR: USER32.DLL bound to GDI32.DLL 0a0b: NtOpenSection(0016f970,0000000e,0016f950) ret=77f935ad nt_open_object object = GDI32.DLL 0a0b: NtOpenSection retval=c0000034 ret=77f935ad 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f528,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f528 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f8ec,0016f8c4) ret=77f8cb7a NtQueryAttributesFile 0x16f8ec 0x16f8c4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\GDI32.DLL stat_unicode c:/winnt/system32/gdi32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\GDI32.DLL 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f81c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f81c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b (debug 16f75c,0,32) : LDR: Loading (STATIC) C:\WINNT\system32\GDI32.DLL 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f5f0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f5f0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f978,00100020,0016f948,0016f960,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\GDI32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\GDI32.DLL open_unicode_file open file : c:/winnt/system32/gdi32.dll process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=77f8e927 0a0b: NtCreateSection(0016f9e0,0000000f,00000000,00000000,00000010,01000000,0000002c) ret=77f8e946 NtCreateSection 0x16f9e0 0000000f (nil) (nil) 00000010 01000000 0x2c access_allowed fixme: no access check process_alloc_user_handle handle = 00000030 0a0b: NtCreateSection retval=00000000 ret=77f8e946 0a0b: NtClose(0000002c) ret=77f8e951 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=77f8e951 0a0b: NtMapViewOfSection(00000030,ffffffff,0016f9e4,00000000,00000000,00000000,0016f9dc,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x30 0xffffffff 0x16f9e4 0 00000000 (nil) 0x16f9dc 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x77f40000 mapit read 4 sections, load at 77f40000 mapit .text 00001000 00000400 00036800 0003663a mapit .data 00038000 00036c00 00000a00 00000d28 mapit .rsrc 00039000 00037600 00000400 000003a8 mapit .reloc 0003a000 00037a00 00001600 00001518 NtMapViewOfSection mapped at 0x77f40000 0a0b: NtMapViewOfSection retval=00000000 ret=77f86ff9 0a0b: NtClose(00000030) ret=77f870b4 NtClose 0x30 0a0b: NtClose retval=00000000 ret=77f870b4 0a0b (debug 16f794,0,22) : LDR: GDI32.DLL bound to NTDLL.DLL 0a0b (debug 16f794,0,30) : LDR: GDI32.DLL has correct binding to NTDLL.DLL 0a0b (debug 16f794,0,25) : LDR: GDI32.DLL bound to KERNEL32.DLL 0a0b (debug 16f794,0,33) : LDR: GDI32.DLL has correct binding to KERNEL32.DLL 0a0b (debug 16f790,16f794,45) : LDR: GDI32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.DLL 0a0b (debug 16f794,45,30) : LDR: GDI32.DLL has correct binding to NTDLL.DLL 0a0b (debug 16f794,45,23) : LDR: GDI32.DLL bound to USER32.DLL 0a0b (debug 16f794,45,31) : LDR: GDI32.DLL has correct binding to USER32.DLL 0a0b (debug 16f810,0,31) : LDR: USER32.DLL has correct binding to GDI32.DLL 0a0b (debug 16f88c,0,32) : LDR: winsrv.dll has correct binding to USER32.DLL 0a0b (debug 16f88c,0,23) : LDR: winsrv.dll bound to NTDLL.DLL 0a0b (debug 16f88c,0,31) : LDR: winsrv.dll has correct binding to NTDLL.DLL 0a0b (debug 16f88c,0,26) : LDR: winsrv.dll bound to KERNEL32.DLL 0a0b (debug 16f88c,0,34) : LDR: winsrv.dll has correct binding to KERNEL32.DLL 0a0b (debug 16f888,16f88c,46) : LDR: winsrv.dll bound to NTDLL.DLL via forwarder(s) from KERNEL32.DLL 0a0b (debug 16f88c,46,31) : LDR: winsrv.dll has correct binding to NTDLL.DLL 0a0b (debug 16f88c,46,25) : LDR: winsrv.dll bound to BASESRV.DLL 0a0b (debug 16f88c,46,33) : LDR: winsrv.dll has correct binding to BASESRV.DLL 0a0b (debug 16f88c,46,23) : LDR: winsrv.dll bound to GDI32.DLL 0a0b (debug 16f88c,46,31) : LDR: winsrv.dll has correct binding to GDI32.DLL 0a0b (debug 16f88c,46,24) : LDR: winsrv.dll bound to CSRSRV.DLL 0a0b (debug 16f88c,46,32) : LDR: winsrv.dll has correct binding to CSRSRV.DLL 0a0b (debug 16f8a0,206c6c64,1f) : LDR: Refcount USER32.DLL (1) 0a0b (debug 16f868,170270,21) : LDR: Refcount KERNEL32.DLL (1) 0a0b (debug 16f868,170270,1e) : LDR: Refcount GDI32.DLL (1) 0a0b (debug 16f830,20746365,21) : LDR: Refcount KERNEL32.DLL (2) 0a0b (debug 16f830,20746365,1f) : LDR: Refcount USER32.DLL (2) 0a0b (debug 16f8a0,206c6c64,21) : LDR: Refcount KERNEL32.DLL (3) 0a0b (debug 16f8a0,206c6c64,20) : LDR: Refcount BASESRV.DLL (2) 0a0b (debug 16f8a0,206c6c64,1e) : LDR: Refcount GDI32.DLL (2) 0a0b (debug 16f86c,1e,14) : LDR: Real INIT LIST 0a0b (debug 16f864,160014,3a) : C:\WINNT\system32\KERNEL32.DLL init routine 7c4ece51 0a0b (debug 16f864,160014,38) : C:\WINNT\system32\USER32.DLL init routine 77e311c5 0a0b (debug 16f868,38,19) : LDR: KERNEL32.DLL loaded. 0a0b (debug 16f868,38,24) : - Calling init routine at 7c4ece51 0a0b: NtQuerySystemInformation(00000032,7c5417b8,00000004,00000000) ret=7c4e7f8f NtQuerySystemInformation 50 0x7c5417b8 4 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=7c4e7f8f 0a0b: NtQuerySystemInformation(00000000,77fcf600,0000002c,00000000) ret=77f8b8ed NtQuerySystemInformation 0 0x77fcf600 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77f8b8ed 0a0b (debug 16f2a0,0,35) : LDR: LdrGetDllHandle, searching for csrsrv.dll from 0a0b (debug 16f450,fffffff6,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16f44c,16f450,1f) : NAME - CsrCallServerFromServer 0a0b: NtQueryAttributesFile(0016f7f8,0016f7d0) ret=77f8cb7a NtQueryAttributesFile 0x16f7f8 0x16f7d0 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\csrss.exe.Local stat_unicode c:/??/c:/winnt/system32/csrss.exe.local -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtCreateDirectoryObject(0016f80c,00000006,0016f7ec) ret=7c5356a7 NtCreateDirectoryObject 0x16f80c 00000006 0x16f7ec create name = \NLS process_alloc_user_handle handle = 0000002c 0a0b: NtCreateDirectoryObject retval=00000000 ret=7c5356a7 0a0b: NtClose(0000002c) ret=7c5356cd NtClose 0x2c 0a0b: NtClose retval=00000000 ret=7c5356cd 0a0b (debug 16e31c,0,2c) : LDR: LdrLoadDll, loading kernel32.dll from 0a0b (debug 16e504,7ff70bf8,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16e500,16e504,14) : NAME - OpenDataFile 0a0b (debug 16e504,14,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16e500,16e504,1d) : NAME - GetDefaultSortkeySize 0a0b (debug 16e504,1d,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16e500,16e504,1b) : NAME - GetLinguistLangSize 0a0b (debug 16e504,1b,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16e500,16e504,19) : NAME - GetNlsSectionName 0a0b (debug 16e504,19,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16e500,16e504,16) : NAME - ValidateLocale 0a0b (debug 16e504,16,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16e500,16e504,21) : NAME - NlsConvertIntegerToString 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016e014,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16e014 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f6f8,00100001,0016e7cc,0016e7e4,00000001,00000020) ret=7c4f91d5 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\unicode.nls open_file root = (nil) name = \??\C:\WINNT\system32\unicode.nls open_unicode_file open file : c:/winnt/system32/unicode.nls process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=7c4f91d5 0a0b: NtCreateSection(0016f6e0,00000004,0016f6bc,00000000,00000002,08000000,0000002c) ret=5ffa815a NtCreateSection 0x16f6e0 00000004 0x16f6bc (nil) 00000002 08000000 0x2c access_allowed fixme: no access check create name = \NLS\NlsSectionUnicode process_alloc_user_handle handle = 00000030 0a0b: NtCreateSection retval=00000000 ret=5ffa815a 0a0b: NtClose(0000002c) ret=5ffa8165 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa8165 0a0b: NtOpenProcess(0016f6e4,00000040,0016f6bc,0016f780) ret=5ffa81a8 NtOpenProcess 0x16f6e4 00000040 0x16f6bc 0x16f780 process_alloc_user_handle handle = 0000002c 0a0b: NtOpenProcess retval=00000000 ret=5ffa81a8 0a0b: NtDuplicateObject(ffffffff,00000030,0000002c,0016f7a0,00000000,00000000,00000003) ret=5ffa81d0 NtDuplicateObject 0xffffffff 0x30 0x2c 0x16f7a0 00000000 00000000 00000003 NtDuplicateObject source process 0x80bd2d0 access_allowed fixme: no access check access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 00000030 NtDuplicateObject new handle is 0x30 0a0b: NtDuplicateObject retval=00000000 ret=5ffa81d0 0a0b: NtClose(0000002c) ret=5ffa81db NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa81db 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016e014,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16e014 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f6f8,00100001,0016e7cc,0016e7e4,00000001,00000020) ret=7c4f91d5 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\locale.nls open_file root = (nil) name = \??\C:\WINNT\system32\locale.nls open_unicode_file open file : c:/winnt/system32/locale.nls process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=7c4f91d5 0a0b: NtCreateSection(0016f6e0,00000004,0016f6bc,00000000,00000002,08000000,0000002c) ret=5ffa815a NtCreateSection 0x16f6e0 00000004 0x16f6bc (nil) 00000002 08000000 0x2c access_allowed fixme: no access check create name = \NLS\NlsSectionLocale process_alloc_user_handle handle = 00000034 0a0b: NtCreateSection retval=00000000 ret=5ffa815a 0a0b: NtClose(0000002c) ret=5ffa8165 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa8165 0a0b: NtOpenProcess(0016f6e4,00000040,0016f6bc,0016f780) ret=5ffa81a8 NtOpenProcess 0x16f6e4 00000040 0x16f6bc 0x16f780 process_alloc_user_handle handle = 0000002c 0a0b: NtOpenProcess retval=00000000 ret=5ffa81a8 0a0b: NtDuplicateObject(ffffffff,00000034,0000002c,0016f7a0,00000000,00000000,00000003) ret=5ffa81d0 NtDuplicateObject 0xffffffff 0x34 0x2c 0x16f7a0 00000000 00000000 00000003 NtDuplicateObject source process 0x80bd2d0 access_allowed fixme: no access check access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 00000034 NtDuplicateObject new handle is 0x34 0a0b: NtDuplicateObject retval=00000000 ret=5ffa81d0 0a0b: NtClose(0000002c) ret=5ffa81db NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa81db 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016e014,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16e014 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f6f8,00100001,0016e7cc,0016e7e4,00000001,00000020) ret=7c4f91d5 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\ctype.nls open_file root = (nil) name = \??\C:\WINNT\system32\ctype.nls open_unicode_file open file : c:/winnt/system32/ctype.nls process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=7c4f91d5 0a0b: NtCreateSection(0016f6e0,00000004,0016f6bc,00000000,00000002,08000000,0000002c) ret=5ffa815a NtCreateSection 0x16f6e0 00000004 0x16f6bc (nil) 00000002 08000000 0x2c access_allowed fixme: no access check create name = \NLS\NlsSectionCType process_alloc_user_handle handle = 00000038 0a0b: NtCreateSection retval=00000000 ret=5ffa815a 0a0b: NtClose(0000002c) ret=5ffa8165 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa8165 0a0b: NtOpenProcess(0016f6e4,00000040,0016f6bc,0016f780) ret=5ffa81a8 NtOpenProcess 0x16f6e4 00000040 0x16f6bc 0x16f780 process_alloc_user_handle handle = 0000002c 0a0b: NtOpenProcess retval=00000000 ret=5ffa81a8 0a0b: NtDuplicateObject(ffffffff,00000038,0000002c,0016f7a0,00000000,00000000,00000003) ret=5ffa81d0 NtDuplicateObject 0xffffffff 0x38 0x2c 0x16f7a0 00000000 00000000 00000003 NtDuplicateObject source process 0x80bd2d0 access_allowed fixme: no access check access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 00000038 NtDuplicateObject new handle is 0x38 0a0b: NtDuplicateObject retval=00000000 ret=5ffa81d0 0a0b: NtClose(0000002c) ret=5ffa81db NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa81db 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016e014,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16e014 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f6f8,00100001,0016e7cc,0016e7e4,00000001,00000020) ret=7c4f91d5 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\sortkey.nls open_file root = (nil) name = \??\C:\WINNT\system32\sortkey.nls open_unicode_file open file : c:/winnt/system32/sortkey.nls process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=7c4f91d5 0a0b: NtCreateSection(0016f6e0,00000004,0016f6bc,00000000,00000002,08000000,0000002c) ret=5ffa815a NtCreateSection 0x16f6e0 00000004 0x16f6bc (nil) 00000002 08000000 0x2c access_allowed fixme: no access check create name = \NLS\NlsSectionSortkey process_alloc_user_handle handle = 0000003c 0a0b: NtCreateSection retval=00000000 ret=5ffa815a 0a0b: NtClose(0000002c) ret=5ffa8165 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa8165 0a0b: NtOpenProcess(0016f6e4,00000040,0016f6bc,0016f780) ret=5ffa81a8 NtOpenProcess 0x16f6e4 00000040 0x16f6bc 0x16f780 process_alloc_user_handle handle = 0000002c 0a0b: NtOpenProcess retval=00000000 ret=5ffa81a8 0a0b: NtDuplicateObject(ffffffff,0000003c,0000002c,0016f7a0,00000000,00000000,00000003) ret=5ffa81d0 NtDuplicateObject 0xffffffff 0x3c 0x2c 0x16f7a0 00000000 00000000 00000003 NtDuplicateObject source process 0x80bd2d0 access_allowed fixme: no access check access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 0000003c NtDuplicateObject new handle is 0x3c 0a0b: NtDuplicateObject retval=00000000 ret=5ffa81d0 0a0b: NtClose(0000002c) ret=5ffa81db NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa81db 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016e014,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16e014 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(0016f6f8,00100001,0016e7cc,0016e7e4,00000001,00000020) ret=7c4f91d5 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\sorttbls.nls open_file root = (nil) name = \??\C:\WINNT\system32\sorttbls.nls open_unicode_file open file : c:/winnt/system32/sorttbls.nls process_alloc_user_handle handle = 0000002c 0a0b: NtOpenFile retval=00000000 ret=7c4f91d5 0a0b: NtCreateSection(0016f6e0,00000004,0016f6bc,00000000,00000002,08000000,0000002c) ret=5ffa815a NtCreateSection 0x16f6e0 00000004 0x16f6bc (nil) 00000002 08000000 0x2c access_allowed fixme: no access check create name = \NLS\NlsSectionSortTbls process_alloc_user_handle handle = 00000040 0a0b: NtCreateSection retval=00000000 ret=5ffa815a 0a0b: NtClose(0000002c) ret=5ffa8165 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa8165 0a0b: NtOpenProcess(0016f6e4,00000040,0016f6bc,0016f780) ret=5ffa81a8 NtOpenProcess 0x16f6e4 00000040 0x16f6bc 0x16f780 process_alloc_user_handle handle = 0000002c 0a0b: NtOpenProcess retval=00000000 ret=5ffa81a8 0a0b: NtDuplicateObject(ffffffff,00000040,0000002c,0016f7a0,00000000,00000000,00000003) ret=5ffa81d0 NtDuplicateObject 0xffffffff 0x40 0x2c 0x16f7a0 00000000 00000000 00000003 NtDuplicateObject source process 0x80bd2d0 access_allowed fixme: no access check access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 00000040 NtDuplicateObject new handle is 0x40 0a0b: NtDuplicateObject retval=00000000 ret=5ffa81d0 0a0b: NtClose(0000002c) ret=5ffa81db NtClose 0x2c 0a0b: NtClose retval=00000000 ret=5ffa81db 0a0b: NtAllocateVirtualMemory(ffffffff,0016f61c,00000000,0016f63c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x173000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0b: NtOpenSection(0016f7fc,00000004,0016f79c) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionUnicode process_alloc_user_handle handle = 0000002c 0a0b: NtOpenSection retval=00000000 ret=7c4ea47d 0a0b: NtMapViewOfSection(0000002c,ffffffff,0016f800,00000000,00000000,00000000,0016f784,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x2c 0xffffffff 0x16f800 0 00000000 (nil) 0x16f784 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x270000 0a0b: NtMapViewOfSection retval=00000000 ret=7c4f9861 0a0b: NtClose(0000002c) ret=7c4f9832 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=7c4f9832 0a0b: NtQueryDefaultLocale(00000000,7c541418) ret=7c4e8131 NtQueryDefaultLocale 0 0x7c541418 0a0b: NtQueryDefaultLocale retval=00000000 ret=7c4e8131 0a0b: NtOpenSection(0016f7f0,00000004,0016f7b4) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionLocale process_alloc_user_handle handle = 0000002c 0a0b: NtOpenSection retval=00000000 ret=7c4ea47d 0a0b: NtMapViewOfSection(0000002c,ffffffff,0016f7f4,00000000,00000000,00000000,0016f79c,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x2c 0xffffffff 0x16f7f4 0 00000000 (nil) 0x16f79c 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x290000 0a0b: NtMapViewOfSection retval=00000000 ret=7c4f9861 0a0b: NtClose(0000002c) ret=7c4f9832 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=7c4f9832 0a0b: NtOpenSection(0016f800,00000005,0016f7a8) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionSortkey process_alloc_user_handle handle = 0000002c 0a0b: NtOpenSection retval=00000000 ret=7c4ea47d 0a0b: NtMapViewOfSection(0000002c,ffffffff,0016f7fc,00000000,00000000,00000000,0016f790,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x2c 0xffffffff 0x16f7fc 0 00000000 (nil) 0x16f790 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x2c0000 0a0b: NtMapViewOfSection retval=00000000 ret=7c4f9861 0a0b: NtQuerySection(0000002c,00000000,0016f7e4,00000010,00000000) ret=7c4e8534 NtQuerySection 0x2c 0 0x16f7e4 16 (nil) access_allowed fixme: no access check 0a0b: NtQuerySection retval=00000000 ret=7c4e8534 0a0b: NtClose(0000002c) ret=7c4e853f NtClose 0x2c 0a0b: NtClose retval=00000000 ret=7c4e853f 0a0b: NtOpenSection(0016f7fc,00000004,0016f7bc) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionSortTbls process_alloc_user_handle handle = 0000002c 0a0b: NtOpenSection retval=00000000 ret=7c4ea47d 0a0b: NtMapViewOfSection(0000002c,ffffffff,0016f800,00000000,00000000,00000000,0016f7a4,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x2c 0xffffffff 0x16f800 0 00000000 (nil) 0x16f7a4 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x310000 0a0b: NtMapViewOfSection retval=00000000 ret=7c4f9861 0a0b: NtClose(0000002c) ret=7c4f9832 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=7c4f9832 0a0b: NtQueryVirtualMemory(ffffffff,7ffc0000,00000000,0016f7d8,0000001c,00000000) ret=7c4e8b9f NtQueryVirtualMemory 0xffffffff 0x7ffc0000 0 0x16f7d8 28 (nil) 0a0b: NtQueryVirtualMemory retval=00000000 ret=7c4e8b9f 0a0b: NtOpenSection(0016f798,00000004,0016f348) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionSortkey00000409 0a0b: NtOpenSection retval=c0000034 ret=7c4ea47d 0a0b: NtAllocateVirtualMemory(ffffffff,0016f568,00000000,0016f588,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x174000 00002000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0b: NtFreeVirtualMemory(ffffffff,0016f6ac,0016f6b0,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x16f6ac 0x16f6b0 16384 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0a0b (debug 16f868,38,17) : LDR: USER32.DLL loaded. 0a0b (debug 16f868,38,24) : - Calling init routine at 77e311c5 0a0b: NtQuerySystemInformation(00000000,0016fa24,0000002c,00000000) ret=77e3125a NtQuerySystemInformation 0 0x16fa24 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77e3125a 0a0b: NtOpenKey(0016f4fc,00020019,0016f4c4) ret=77e319e9 NtOpenKey 0x16f4fc 00020019 0x16f4c4 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000002c 0a0b: NtOpenKey retval=00000000 ret=77e319e9 0a0b: NtQueryValueKey(0000002c,0016f4ec,00000002,0016f4ac,00000018,0016f4f8) ret=77e59842 NtQueryValueKey 0x2c 0x16f4ec 2 0x16f4ac 24 0x16f4f8 NtQueryValueKey EnableLogging reg_query_value EnableLogging 0a0b: NtQueryValueKey retval=00000000 ret=77e59842 0a0b: NtQueryValueKey(0000002c,0016f4dc,00000002,0016f4ac,00000018,0016f4f8) ret=77e5986b NtQueryValueKey 0x2c 0x16f4dc 2 0x16f4ac 24 0x16f4f8 NtQueryValueKey LogSeverity reg_query_value LogSeverity 0a0b: NtQueryValueKey retval=00000000 ret=77e5986b 0a0b: NtQueryValueKey(0000002c,0016f4ec,00000002,0016f4ac,00000018,0016f4f8) ret=77e5989e NtQueryValueKey 0x2c 0x16f4ec 2 0x16f4ac 24 0x16f4f8 NtQueryValueKey EnableDefaultReply reg_query_value EnableDefaultReply 0a0b: NtQueryValueKey retval=00000000 ret=77e5989e 0a0b: NtClose(0000002c) ret=77e598b3 NtClose 0x2c 0a0b: NtClose retval=00000000 ret=77e598b3 0a0b: NtOpenKey(0016f494,00020019,0016f47c) ret=77e59929 NtOpenKey 0x16f494 00020019 0x16f47c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Services\EventLog\Application\Error Instrument\ NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000002c 0a0b: NtOpenKey retval=00000000 ret=77e59929 0a0b: NtQueryValueKey(0000002c,0016f468,00000002,0016f258,00000210,0016f470) ret=77e59959 NtQueryValueKey 0x2c 0x16f468 2 0x16f258 528 0x16f470 NtQueryValueKey EventMessageFile reg_query_value EventMessageFile 0a0b: NtQueryValueKey retval=00000000 ret=77e59959 0a0b: NtClose(0000002c) ret=77e5997c NtClose 0x2c 0a0b: NtClose retval=00000000 ret=77e5997c 0a0b: NtGdiInit() ret=77f42258 win32k_process_init mapit anonymous map get_proc_address KiUserCallbackDispatcher do_user_callback continuing execution at 77fa15dc 0a0b: NtGdiQueryFontAssocInfo(00000000) ret=77f42323 NtGdiQueryFontAssocInfo (nil) 0a0b: NtGdiQueryFontAssocInfo retval=00000000 ret=77f42323 0a0b: NtUserGetThreadState(00000011) ret=77e134bc 0a0b: NtUserGetThreadState retval=00000001 ret=77e134bc 0a0b: NtUserProcessConnect(ffffffff,0016f3d0,00000104) ret=77e328f8 NtUserProcessConnect 0xffffffff 0x16f3d0 260 init_user_shared_memory user_shared_mem at 0xb6a7e000 mapit anonymous map NtUserProcessConnect user shared at 0x320000 0a0b: NtUserProcessConnect retval=00000000 ret=77e328f8 0a0b: NtUserInitializeClientPfnArrays(77e329d8,77e32a28,77e32a78,77e10000) ret=77e328c1 NtUserInitializeClientPfnArrays 0x77e329d8 0x77e32a28 0x77e32a78 0x77e10000 0a0b: NtUserInitializeClientPfnArrays retval=00000000 ret=77e328c1 0a0b: NtUserCallNoParam(00000012) ret=77e327c3 NtUserCallNoParam 18 0a0b: NtUserCallNoParam retval=00000000 ret=77e327c3 0a0b: NtGdiCreateCompatibleDC(00000000) ret=77f42006 NtGdiCreateCompatibleDC (nil) mapit anonymous map 0a0b: NtGdiCreateCompatibleDC retval=00010000 ret=77f42006 0a0b: NtGdiGetStockObject(00000000) ret=77f416cb NtGdiGetStockObject 0 0a0b: NtGdiGetStockObject retval=00900001 ret=77f416cb 0a0b: NtGdiGetStockObject(00000004) ret=77f416cb NtGdiGetStockObject 4 0a0b: NtGdiGetStockObject retval=00900002 ret=77f416cb 0a0b: NtGdiCreateBitmap(00000008,00000008,00000001,00000001,77e31fe8) ret=77f4216e NtGdiCreateBitmap (8x8) 1 1 0x77e31fe8 0a0b: NtGdiCreateBitmap retval=00050003 ret=77f4216e 0a0b: NtGdiCreateSolidBrush(00000000,00000000) ret=77f4209a NtGdiCreateSolidBrush 00000000 00000000 0a0b: NtGdiCreateSolidBrush retval=00100004 ret=77f4209a 0a0b: NtGdiGetStockObject(0000000d) ret=77f416cb NtGdiGetStockObject 13 0a0b: NtGdiGetStockObject retval=008a0005 ret=77f416cb 0a0b: NtGdiCreateCompatibleDC(00000000) ret=77f42006 NtGdiCreateCompatibleDC (nil) mapit anonymous map 0a0b: NtGdiCreateCompatibleDC retval=00010006 ret=77f42006 0a0b: NtUserGetThreadDesktop(0000000b,00000000) ret=77e32818 NtUserGetThreadDesktop 11 0 0a0b: NtUserGetThreadDesktop retval=00000de5 ret=77e32818 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultUILanguage(77fcf5cc) ret=77f8df54 0a0b: NtQueryDefaultUILanguage retval=00000000 ret=77f8df54 0a0b: NtQueryInstallUILanguage(77fcf5ce) ret=77f8df6e 0a0b: NtQueryInstallUILanguage retval=00000000 ret=77f8df6e 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000020,00000002,00000000,77e69628,00000000,00000068,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000020 00000002 00000000 0x77e69628 00000000 00000068 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050007 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050007) ret=77f453c2 NtGdiGetDCforBitmap 0x50007 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010008 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000020,00000002,00000000,77e69628,00000000,00000068,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000020 00000002 00000000 0x77e69628 00000000 00000068 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050009 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050009) ret=77f453c2 NtGdiGetDCforBitmap 0x50009 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001000a ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000020,00000002,00000000,77e69628,00000000,00000068,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000020 00000002 00000000 0x77e69628 00000000 00000068 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005000b ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005000b) ret=77f453c2 NtGdiGetDCforBitmap 0x5000b mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001000c ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000020,00000002,00000000,77e69628,00000000,00000068,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000020 00000002 00000000 0x77e69628 00000000 00000068 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005000d ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005000d) ret=77f453c2 NtGdiGetDCforBitmap 0x5000d mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001000e ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000020,00000002,00000000,77e69628,00000000,00000068,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000020 00000002 00000000 0x77e69628 00000000 00000068 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005000f ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005000f) ret=77f453c2 NtGdiGetDCforBitmap 0x5000f mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010010 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000020,00000002,00000000,77e69628,00000000,00000068,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000020 00000002 00000000 0x77e69628 00000000 00000068 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050011 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050011) ret=77f453c2 NtGdiGetDCforBitmap 0x50011 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010012 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000020,00000002,00000000,77e69628,00000000,00000068,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000020 00000002 00000000 0x77e69628 00000000 00000068 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050013 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050013) ret=77f453c2 NtGdiGetDCforBitmap 0x50013 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010014 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050015 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050015) ret=77f453c2 NtGdiGetDCforBitmap 0x50015 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010016 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050017 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050017) ret=77f453c2 NtGdiGetDCforBitmap 0x50017 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010018 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050019 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050019) ret=77f453c2 NtGdiGetDCforBitmap 0x50019 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001001a ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005001b ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005001b) ret=77f453c2 NtGdiGetDCforBitmap 0x5001b mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001001c ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005001d ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005001d) ret=77f453c2 NtGdiGetDCforBitmap 0x5001d mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001001e ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005001f ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005001f) ret=77f453c2 NtGdiGetDCforBitmap 0x5001f mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010020 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050021 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050021) ret=77f453c2 NtGdiGetDCforBitmap 0x50021 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010022 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050023 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050023) ret=77f453c2 NtGdiGetDCforBitmap 0x50023 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010024 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050025 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050025) ret=77f453c2 NtGdiGetDCforBitmap 0x50025 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010026 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050027 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050027) ret=77f453c2 NtGdiGetDCforBitmap 0x50027 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010028 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050029 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050029) ret=77f453c2 NtGdiGetDCforBitmap 0x50029 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001002a ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005002b ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005002b) ret=77f453c2 NtGdiGetDCforBitmap 0x5002b mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001002c ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005002d ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005002d) ret=77f453c2 NtGdiGetDCforBitmap 0x5002d mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=0001002e ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=0005002f ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(0005002f) ret=77f453c2 NtGdiGetDCforBitmap 0x5002f mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010030 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050031 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050031) ret=77f453c2 NtGdiGetDCforBitmap 0x50031 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010032 ret=77f453c2 0a0b: NtUserGetThreadState(00000011) ret=77e324af 0a0b: NtUserGetThreadState retval=00000001 ret=77e324af 0a0b: NtUserFindExistingCursorIcon(0016f130,0016f140,0016f378) ret=77e3261a NtUserFindExistingCursorIcon 0x16f130 0x16f140 0x16f378 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 0a0b: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 0a0b: NtQueryDefaultLocale(00000001,0016f000) ret=77f869de NtQueryDefaultLocale 1 0x16f000 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetThreadState(00000011) ret=77e346db 0a0b: NtUserGetThreadState retval=00000001 ret=77e346db 0a0b: NtQueryDefaultLocale(00000001,0016f010) ret=77f869de NtQueryDefaultLocale 1 0x16f010 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtUserGetDC(00000000) ret=77e285c6 NtUserGetDC (nil) 0a0b: NtUserGetDC retval=00810154 ret=77e285c6 0a0b: NtGdiCreateDIBitmapInternal(00810154,00000020,00000040,00000002,00000000,77e693d8,00000000,00000030,00000000,00000000,00000000) ret=77f47117 NtGdiCreateDIBitmapInternal 0x810154 00000020 00000040 00000002 00000000 0x77e693d8 00000000 00000030 00000000 00000000 00000000 0a0b: NtGdiCreateDIBitmapInternal retval=00050033 ret=77f47117 0a0b: NtUserCallOneParam(00810154,00000029) ret=77e1426e NtUserCallOneParam 41 (00810154) 0a0b: NtUserCallOneParam retval=00000001 ret=77e1426e 0a0b: NtGdiGetDCforBitmap(00050033) ret=77f453c2 NtGdiGetDCforBitmap 0x50033 mapit anonymous map 0a0b: NtGdiGetDCforBitmap retval=00010034 ret=77f453c2 0a0b: NtUserCallNoParam(00000007) ret=77e11e27 NtUserCallNoParam 7 0a0b: NtUserCallNoParam retval=feed0007 ret=77e11e27 0a0b: NtCallbackReturn(00000000,00000000,c0000001) ret=77f8cda4 NtCallbackReturn (nil) 0 c0000001 0a0b: NtCallbackReturn retval=00000000 ret=77f8cda4 eax 000010d4 ebx 00000001 ecx 0016fae8 edx 0016f4f4 esi 77f95749 edi 00000000 ebp 0016f4f8 efl 00010246 cs:eip 0073:77f42258 ss:esp 007b:0016f4f0 ds 007b es 007b fs 003b gs 0000 do_user_callback callback returned c0000001 NtGdiInit 0a0b: NtGdiInit retval=00000001 ret=77f42258 0a0b: NtUserGetThreadState(00000011) ret=77e134bc 0a0b: NtUserGetThreadState retval=00000001 ret=77e134bc 0a0b: NtGdiGetStockObject(00000012) ret=77f416cb NtGdiGetStockObject 18 0a0b: NtGdiGetStockObject retval=008a0035 ret=77f416cb 0a0b: NtGdiGetStockObject(00000013) ret=77f416cb NtGdiGetStockObject 19 0a0b: NtGdiGetStockObject retval=008a0036 ret=77f416cb 0a0b (debug 16fac0,0,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16fabc,16fac0,23) : NAME - UserServerDllInitialization 0a0b: NtCreateEvent(5ffe8774,001f0003,00000000,00000000,00000000) ret=5ffb26bf NtCreateEvent 0x5ffe8774 001f0003 (nil) 0 0 process_alloc_user_handle handle = 0000002c 0a0b: NtCreateEvent retval=00000000 ret=5ffb26bf 0a0b: NtCreateEvent(5ffe87a4,001f0003,00000000,00000000,00000000) ret=5ffb26ca NtCreateEvent 0x5ffe87a4 001f0003 (nil) 0 0 process_alloc_user_handle handle = 00000044 0a0b: NtCreateEvent retval=00000000 ret=5ffb26ca 0a0b: NtCreateEvent(5ffe8048,001f0003,00000000,00000001,00000000) ret=5ffb26d6 NtCreateEvent 0x5ffe8048 001f0003 (nil) 1 0 process_alloc_user_handle handle = 00000048 0a0b: NtCreateEvent retval=00000000 ret=5ffb26d6 0a0b: NtCreateEvent(5ffe804c,001f0003,00000000,00000001,00000000) ret=5ffb26e2 NtCreateEvent 0x5ffe804c 001f0003 (nil) 1 0 process_alloc_user_handle handle = 0000004c 0a0b: NtCreateEvent retval=00000000 ret=5ffb26e2 0a0b: NtQueryDefaultLocale(00000001,0016fcb4) ret=77f869de NtQueryDefaultLocale 1 0x16fcb4 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtQueryDefaultLocale(00000001,0016fcb4) ret=77f869de NtQueryDefaultLocale 1 0x16fcb4 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtQueryDefaultLocale(00000001,0016fcb4) ret=77f869de NtQueryDefaultLocale 1 0x16fcb4 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b: NtQueryDefaultLocale(00000001,0016fcb4) ret=77f869de NtQueryDefaultLocale 1 0x16fcb4 0a0b: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0b (debug 16f880,74756f72,37) : LDR: LdrGetDllHandle, searching for kernel32.dll from 0a0b (debug 16fa7c,ffffffff,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16fa78,16fa7c,1f) : NAME - BaseAttachCompleteThunk 0a0b: NtUserInitialize(00050000,00000048,0000004c) ret=5ffb277e NtUserInitialize 00050000 00000048 0000004c 0a0b: NtUserInitialize retval=00000001 ret=5ffb277e 0a0b: NtQuerySystemInformation(00000000,0016fa14,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x16fa14 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77faf12b 0a0b: NtAllocateVirtualMemory(ffffffff,0016fa48,00000000,0016fa58,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x4c0000 00040000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0a0b: NtAllocateVirtualMemory(ffffffff,0016fa48,00000000,0016fa5c,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x4fb000 00005000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0a0b: NtProtectVirtualMemory(ffffffff,0016fa48,0016fa44,00000104,0016fa40) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x16fa48 0x16fa44 260 0x16fa40 NtProtectVirtualMemory 0x4fb000 00001000 0a0b: NtProtectVirtualMemory retval=00000000 ret=77faf226 0a0b: NtWriteVirtualMemory(ffffffff,004ffffc,0016fa58,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x4ffffc 0x16fa58 00000004 (nil) NtWriteVirtualMemory 0xb6789ffc <- 0xb71b8a58 4 NtWriteVirtualMemory wrote 4 bytes 0a0b: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0a0b: NtCreateThread(0016fd80,001f03ff,0016fd4c,ffffffff,0016fd64,0016fa6c,0016fd38,00000000) ret=77faf6ee NtCreateThread 0x16fd80 001f03ff 0x16fd4c 0xffffffff 0x16fd64 0x16fa6c 0x16fd38 0 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000050 0a0b: NtCreateThread retval=00000000 ret=77faf6ee 0a0c: NtTestAlert() ret=77f84bcb 0a0c: NtTestAlert retval=00000000 ret=77f84bcb 0a0b (debug 16f8d8,77f92a98,2a) : LDR: LdrLoadDll, loading winsrv.dll from 0a0c: NtContinue(004ffd28,00000001) ret=77f8855e NtContinue 0x4ffd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:5ffb27ec ss:esp 0020:004ffff8 ds 007b es 007b fs 003b gs 0000 0a0c: NtContinue retval=00000000 ret=77f8855e 0a0b (debug 16f8a0,68637261,1f) : LDR: Refcount USER32.DLL (3) 0a0c: NtSetInformationThread(00000050,00000002,004fffd8,00000004) ret=5ffb2842 NtSetInformationThread 0x50 2 0x4fffd8 4 access_allowed fixme: no access check 0a0c: NtSetInformationThread retval=00000000 ret=5ffb2842 0a0b (debug 16f868,38,21) : LDR: Refcount KERNEL32.DLL (5) 0a0c: NtCreateEvent(5ffe87c0,001f0003,00000000,00000001,00000000) ret=5ffb2859 NtCreateEvent 0x5ffe87c0 001f0003 (nil) 1 0 process_alloc_user_handle handle = 00000054 0a0c: NtCreateEvent retval=00000000 ret=5ffb2859 0a0b (debug 16f868,38,1e) : LDR: Refcount GDI32.DLL (3) 0a0c: NtOpenKey(5ffe80a8,00020019,004ffd68) ret=5ffb2a7f NtOpenKey 0x5ffe80a8 00020019 0x4ffd68 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\PriorityControl NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000058 0a0c: NtOpenKey retval=00000000 ret=5ffb2a7f 0a0b (debug 16f830,0,21) : LDR: Refcount KERNEL32.DLL (6) 0a0c: NtQueryValueKey(00000058,004ffd44,00000002,004ffd30,00000014,004ffd4c) ret=5ffb2aba NtQueryValueKey 0x58 0x4ffd44 2 0x4ffd30 20 0x4ffd4c NtQueryValueKey Win32PrioritySeparation reg_query_value Win32PrioritySeparation 0a0c: NtQueryValueKey retval=00000000 ret=5ffb2aba 0a0b (debug 16f830,0,1f) : LDR: Refcount USER32.DLL (4) 0a0c: NtSetSystemInformation(00000027,004ffd50,00000004) ret=5ffb2ad6 NtSetSystemInformation 39 0x4ffd50 4 0a0c: NtSetSystemInformation retval=00000000 ret=5ffb2ad6 0a0b (debug 16f8a0,68637261,21) : LDR: Refcount KERNEL32.DLL (7) 0a0c: NtNotifyChangeKey(00000058,00000000,5ffb2a89,00000000,5ffe80b0,00000004,00000000,5ffe80b8,00000004,00000001) ret=5ffb2afd NtNotifyChangeKey does nothing... 0a0c: NtNotifyChangeKey retval=00000000 ret=5ffb2afd 0a0b (debug 16f8a0,68637261,20) : LDR: Refcount BASESRV.DLL (3) 0a0c: NtWaitForMultipleObjects(00000003,004fffbc,00000001,00000001,00000000) ret=5ffb28c7 NtWaitForMultipleObjects 3 0x4fffbc 1 1 (nil) wait_on_handles handle[0] = 00000054 wait_on_handles handle[1] = 00000048 wait_on_handles handle[2] = 0000004c 0a0b (debug 16f8a0,68637261,1e) : LDR: Refcount GDI32.DLL (4) 0a0b (debug 16fac0,0,1f) : LDR: LdrGetProcedureAddress by 0a0b (debug 16fabc,16fac0,22) : NAME - ConServerDllInitialization 0a0b: NtQuerySystemInformation(00000000,0016fcf8,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x16fcf8 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77fcb540 0a0b: NtAllocateVirtualMemory(ffffffff,0016fcc0,00000000,0016fd9c,00002000,00000004) ret=77fcb607 NtAllocateVirtualMemory returns 0x500000 00010000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcb607 0a0b: NtAllocateVirtualMemory(ffffffff,0016fd6c,00000000,0016fda0,00001000,00000004) ret=77fcb640 NtAllocateVirtualMemory returns 0x500000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcb640 0a0b: NtCreateEvent(00500618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x500618 00100003 (nil) 1 0 process_alloc_user_handle handle = 0000005c 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b: NtAllocateVirtualMemory(ffffffff,0016faac,00000000,0016facc,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x501000 00002000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0b: NtCreateEvent(5ffe8400,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x5ffe8400 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000060 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b: NtCreateEvent(5ffe85d0,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x5ffe85d0 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000064 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b: NtCreateEvent(5ffe8070,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x5ffe8070 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000068 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b: NtCreateEvent(5ffe83d0,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x5ffe83d0 00100003 (nil) 1 0 process_alloc_user_handle handle = 0000006c 0a0b: NtCreateEvent retval=00000000 ret=77f94ac1 0a0b: NtOpenThreadToken(fffffffe,00020008,00000001,0016fb60) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x16fb60 0a0b: NtOpenThreadToken retval=c000007c ret=77f961d7 0a0b: NtOpenProcessToken(ffffffff,00020008,0016fb60) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x16fb60 process_alloc_user_handle handle = 00000070 0a0b: NtOpenProcessToken retval=00000000 ret=77f961f6 0a0b: NtQueryInformationToken(00000070,00000001,0016fb00,00000050,0016fb58) ret=77f96212 NtQueryInformationToken 0x70 1 0x16fb00 80 0x16fb58 access_allowed fixme: no access check NtQueryInformationToken TokenUser 0a0b: NtQueryInformationToken retval=00000000 ret=77f96212 0a0b: NtClose(00000070) ret=77f9621c NtClose 0x70 0a0b: NtClose retval=00000000 ret=77f9621c 0a0b: NtOpenKey(0016fb94,80000000,0016fb7c) ret=7c4fdb96 NtOpenKey 0x16fb94 80000000 0x16fb7c NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000070 0a0b: NtOpenKey retval=00000000 ret=7c4fdb96 0a0b: NtClose(00000070) ret=7c4fdba9 NtClose 0x70 0a0b: NtClose retval=00000000 ret=7c4fdba9 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f688,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f688 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(00173a2c,80100000,0016fa2c,0016fa4c,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system.ini open_file root = (nil) name = \??\C:\WINNT\system.ini open_unicode_file open file : c:/winnt/system.ini process_alloc_user_handle handle = 00000070 0a0b: NtOpenFile retval=00000000 ret=7c4f4094 0a0b: NtLockFile(00000070,00000000,00000000,00000000,0016fa4c,0016fa5c,0016fa54,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 0a0b: NtLockFile retval=00000000 ret=7c4f40d4 0a0b: NtQueryInformationFile(00000070,0016fa4c,00173a78,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x70 0x16fa4c 0x173a78 24 5 access_allowed fixme: no access check 0a0b: NtQueryInformationFile retval=00000000 ret=7c4f4101 0a0b: NtAllocateVirtualMemory(ffffffff,00173a38,00000000,00173a40,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x510000 00101000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 0a0b: NtAllocateVirtualMemory(ffffffff,00173a38,00000000,00173a3c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x510000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 0a0b: NtReadFile(00000070,00000000,00000000,00000000,0016fa4c,00510000,000000cd,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x70 (nil) (nil) (nil) 0x16fa4c 0x510000 205 (nil) 0x7c5416a8 access_allowed fixme: no access check 0a0b: NtReadFile retval=00000000 ret=7c4f418a 0a0b: NtFreeVirtualMemory(ffffffff,00173a38,00173a40,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x173a38 0x173a40 32768 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 0a0b: NtUnlockFile(00000070,0016fa50,0016fa60,0016fa58,0000000b) ret=7c4f9a35 NtUnlockFile just returns success... 0a0b: NtUnlockFile retval=00000000 ret=7c4f9a35 0a0b: NtClose(00000070) ret=7c4f9a3e NtClose 0x70 0a0b: NtClose retval=00000000 ret=7c4f9a3e 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\fonts\dosapp.FON stat_unicode c:/winnt/fonts/dosapp.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\dosapp.FON stat_unicode c:/??/c:/winnt/system32/dosapp.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32dosapp.FON stat_unicode c:/winnt/system32dosapp.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\dosapp.FON stat_unicode c:/winnt/system32/dosapp.fon -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\dosapp.FON 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f388,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f388 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryInformationProcess(ffffffff,00000017,0016f48c,00000024,00000000) ret=7c4e682d NtQueryInformationProcess 0xffffffff 23 0x16f48c 36 (nil) 0a0b: NtQueryInformationProcess retval=00000000 ret=7c4e682d 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f16c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f16c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtGdiAddFontResourceW(00173710,00000021,00000001,00000001,5ffb402c,00000000) ret=77f5826b NtGdiAddFontResourceW filename = \??\C:\WINNT\system32\dosapp.FON 0a0b: NtGdiAddFontResourceW retval=00000001 ret=77f5826b 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f688,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f688 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(00173c8c,80100000,0016fa2c,0016fa4c,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system.ini open_file root = (nil) name = \??\C:\WINNT\system.ini open_unicode_file open file : c:/winnt/system.ini process_alloc_user_handle handle = 00000070 0a0b: NtOpenFile retval=00000000 ret=7c4f4094 0a0b: NtLockFile(00000070,00000000,00000000,00000000,0016fa4c,0016fa5c,0016fa54,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 0a0b: NtLockFile retval=00000000 ret=7c4f40d4 0a0b: NtQueryInformationFile(00000070,0016fa4c,00173cd8,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x70 0x16fa4c 0x173cd8 24 5 access_allowed fixme: no access check 0a0b: NtQueryInformationFile retval=00000000 ret=7c4f4101 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173ca0,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x510000 00101000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173c9c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x510000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 0a0b: NtReadFile(00000070,00000000,00000000,00000000,0016fa4c,00510000,000000cd,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x70 (nil) (nil) (nil) 0x16fa4c 0x510000 205 (nil) 0x7c5416a8 access_allowed fixme: no access check 0a0b: NtReadFile retval=00000000 ret=7c4f418a 0a0b: NtFreeVirtualMemory(ffffffff,00173c98,00173ca0,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x173c98 0x173ca0 32768 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 0a0b: NtUnlockFile(00000070,0016fa50,0016fa60,0016fa58,0000000b) ret=7c4f9a35 NtUnlockFile just returns success... 0a0b: NtUnlockFile retval=00000000 ret=7c4f9a35 0a0b: NtClose(00000070) ret=7c4f9a3e NtClose 0x70 0a0b: NtClose retval=00000000 ret=7c4f9a3e 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\fonts\EGA80WOA.FON stat_unicode c:/winnt/fonts/ega80woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\EGA80WOA.FON stat_unicode c:/??/c:/winnt/system32/ega80woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32EGA80WOA.FON stat_unicode c:/winnt/system32ega80woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\EGA80WOA.FON stat_unicode c:/winnt/system32/ega80woa.fon -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\EGA80WOA.FON 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f388,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f388 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryInformationProcess(ffffffff,00000017,0016f48c,00000024,00000000) ret=7c4e682d NtQueryInformationProcess 0xffffffff 23 0x16f48c 36 (nil) 0a0b: NtQueryInformationProcess retval=00000000 ret=7c4e682d 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f16c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f16c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtGdiAddFontResourceW(00173710,00000023,00000001,00000001,5ffb402c,00000000) ret=77f5826b NtGdiAddFontResourceW filename = \??\C:\WINNT\system32\EGA80WOA.FON 0a0b: NtGdiAddFontResourceW retval=00000001 ret=77f5826b 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f688,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f688 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(00173c8c,80100000,0016fa2c,0016fa4c,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system.ini open_file root = (nil) name = \??\C:\WINNT\system.ini open_unicode_file open file : c:/winnt/system.ini process_alloc_user_handle handle = 00000070 0a0b: NtOpenFile retval=00000000 ret=7c4f4094 0a0b: NtLockFile(00000070,00000000,00000000,00000000,0016fa4c,0016fa5c,0016fa54,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 0a0b: NtLockFile retval=00000000 ret=7c4f40d4 0a0b: NtQueryInformationFile(00000070,0016fa4c,00173cd8,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x70 0x16fa4c 0x173cd8 24 5 access_allowed fixme: no access check 0a0b: NtQueryInformationFile retval=00000000 ret=7c4f4101 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173ca0,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x510000 00101000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173c9c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x510000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 0a0b: NtReadFile(00000070,00000000,00000000,00000000,0016fa4c,00510000,000000cd,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x70 (nil) (nil) (nil) 0x16fa4c 0x510000 205 (nil) 0x7c5416a8 access_allowed fixme: no access check 0a0b: NtReadFile retval=00000000 ret=7c4f418a 0a0b: NtFreeVirtualMemory(ffffffff,00173c98,00173ca0,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x173c98 0x173ca0 32768 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 0a0b: NtUnlockFile(00000070,0016fa50,0016fa60,0016fa58,0000000b) ret=7c4f9a35 NtUnlockFile just returns success... 0a0b: NtUnlockFile retval=00000000 ret=7c4f9a35 0a0b: NtClose(00000070) ret=7c4f9a3e NtClose 0x70 0a0b: NtClose retval=00000000 ret=7c4f9a3e 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\fonts\EGA40WOA.FON stat_unicode c:/winnt/fonts/ega40woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\EGA40WOA.FON stat_unicode c:/??/c:/winnt/system32/ega40woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32EGA40WOA.FON stat_unicode c:/winnt/system32ega40woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\EGA40WOA.FON stat_unicode c:/winnt/system32/ega40woa.fon -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\EGA40WOA.FON 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f388,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f388 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryInformationProcess(ffffffff,00000017,0016f48c,00000024,00000000) ret=7c4e682d NtQueryInformationProcess 0xffffffff 23 0x16f48c 36 (nil) 0a0b: NtQueryInformationProcess retval=00000000 ret=7c4e682d 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f16c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f16c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtGdiAddFontResourceW(00173710,00000023,00000001,00000001,5ffb402c,00000000) ret=77f5826b NtGdiAddFontResourceW filename = \??\C:\WINNT\system32\EGA40WOA.FON 0a0b: NtGdiAddFontResourceW retval=00000001 ret=77f5826b 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f688,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f688 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(00173c8c,80100000,0016fa2c,0016fa4c,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system.ini open_file root = (nil) name = \??\C:\WINNT\system.ini open_unicode_file open file : c:/winnt/system.ini process_alloc_user_handle handle = 00000070 0a0b: NtOpenFile retval=00000000 ret=7c4f4094 0a0b: NtLockFile(00000070,00000000,00000000,00000000,0016fa4c,0016fa5c,0016fa54,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 0a0b: NtLockFile retval=00000000 ret=7c4f40d4 0a0b: NtQueryInformationFile(00000070,0016fa4c,00173cd8,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x70 0x16fa4c 0x173cd8 24 5 access_allowed fixme: no access check 0a0b: NtQueryInformationFile retval=00000000 ret=7c4f4101 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173ca0,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x510000 00101000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173c9c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x510000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 0a0b: NtReadFile(00000070,00000000,00000000,00000000,0016fa4c,00510000,000000cd,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x70 (nil) (nil) (nil) 0x16fa4c 0x510000 205 (nil) 0x7c5416a8 access_allowed fixme: no access check 0a0b: NtReadFile retval=00000000 ret=7c4f418a 0a0b: NtFreeVirtualMemory(ffffffff,00173c98,00173ca0,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x173c98 0x173ca0 32768 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 0a0b: NtUnlockFile(00000070,0016fa50,0016fa60,0016fa58,0000000b) ret=7c4f9a35 NtUnlockFile just returns success... 0a0b: NtUnlockFile retval=00000000 ret=7c4f9a35 0a0b: NtClose(00000070) ret=7c4f9a3e NtClose 0x70 0a0b: NtClose retval=00000000 ret=7c4f9a3e 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\fonts\CGA80WOA.FON stat_unicode c:/winnt/fonts/cga80woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\CGA80WOA.FON stat_unicode c:/??/c:/winnt/system32/cga80woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32CGA80WOA.FON stat_unicode c:/winnt/system32cga80woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\CGA80WOA.FON stat_unicode c:/winnt/system32/cga80woa.fon -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\CGA80WOA.FON 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f388,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f388 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryInformationProcess(ffffffff,00000017,0016f48c,00000024,00000000) ret=7c4e682d NtQueryInformationProcess 0xffffffff 23 0x16f48c 36 (nil) 0a0b: NtQueryInformationProcess retval=00000000 ret=7c4e682d 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f16c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f16c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtGdiAddFontResourceW(00173710,00000023,00000001,00000001,5ffb402c,00000000) ret=77f5826b NtGdiAddFontResourceW filename = \??\C:\WINNT\system32\CGA80WOA.FON 0a0b: NtGdiAddFontResourceW retval=00000001 ret=77f5826b 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f688,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f688 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtOpenFile(00173c8c,80100000,0016fa2c,0016fa4c,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system.ini open_file root = (nil) name = \??\C:\WINNT\system.ini open_unicode_file open file : c:/winnt/system.ini process_alloc_user_handle handle = 00000070 0a0b: NtOpenFile retval=00000000 ret=7c4f4094 0a0b: NtLockFile(00000070,00000000,00000000,00000000,0016fa4c,0016fa5c,0016fa54,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 0a0b: NtLockFile retval=00000000 ret=7c4f40d4 0a0b: NtQueryInformationFile(00000070,0016fa4c,00173cd8,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x70 0x16fa4c 0x173cd8 24 5 access_allowed fixme: no access check 0a0b: NtQueryInformationFile retval=00000000 ret=7c4f4101 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173ca0,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x510000 00101000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 0a0b: NtAllocateVirtualMemory(ffffffff,00173c98,00000000,00173c9c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x510000 00001000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 0a0b: NtReadFile(00000070,00000000,00000000,00000000,0016fa4c,00510000,000000cd,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x70 (nil) (nil) (nil) 0x16fa4c 0x510000 205 (nil) 0x7c5416a8 access_allowed fixme: no access check 0a0b: NtReadFile retval=00000000 ret=7c4f418a 0a0b: NtFreeVirtualMemory(ffffffff,00173c98,00173ca0,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x173c98 0x173ca0 32768 NtFreeVirtualMemory returning 00000000 0a0b: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 0a0b: NtUnlockFile(00000070,0016fa50,0016fa60,0016fa58,0000000b) ret=7c4f9a35 NtUnlockFile just returns success... 0a0b: NtUnlockFile retval=00000000 ret=7c4f9a35 0a0b: NtClose(00000070) ret=7c4f9a3e NtClose 0x70 0a0b: NtClose retval=00000000 ret=7c4f9a3e 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\fonts\CGA40WOA.FON stat_unicode c:/winnt/fonts/cga40woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\CGA40WOA.FON stat_unicode c:/??/c:/winnt/system32/cga40woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32CGA40WOA.FON stat_unicode c:/winnt/system32cga40woa.fon -> -1 0a0b: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f08c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f08c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryAttributesFile(0016f450,0016f428) ret=77f8cb7a NtQueryAttributesFile 0x16f450 0x16f428 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\CGA40WOA.FON stat_unicode c:/winnt/system32/cga40woa.fon -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\CGA40WOA.FON 0a0b: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f388,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f388 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtQueryInformationProcess(ffffffff,00000017,0016f48c,00000024,00000000) ret=7c4e682d NtQueryInformationProcess 0xffffffff 23 0x16f48c 36 (nil) 0a0b: NtQueryInformationProcess retval=00000000 ret=7c4e682d 0a0b: NtFsControlFile(00000000,00000000,00000000,00000000,0016f16c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x16f16c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0a0b: NtFsControlFile retval=c0000008 ret=77f86dbb 0a0b: NtGdiAddFontResourceW(00173710,00000023,00000001,00000001,5ffb402c,00000000) ret=77f5826b NtGdiAddFontResourceW filename = \??\C:\WINNT\system32\CGA40WOA.FON 0a0b: NtGdiAddFontResourceW retval=00000001 ret=77f5826b 0a0b: NtCreatePort(5ff988bc,0016ff4c,00000028,000000a8,00010000) ret=5ff93cf8 NtCreatePort 0x5ff988bc 0x16ff4c 40 168 0x10000 NtCreatePort root = (nil) port = \Windows\ApiPort process_alloc_user_handle handle = 00000070 0a0b: NtCreatePort retval=00000000 ret=5ff93cf8 0a0b: NtCreateEvent(0016ff74,001f0003,00000000,00000001,00000000) ret=5ff93d3b NtCreateEvent 0x16ff74 001f0003 (nil) 1 0 process_alloc_user_handle handle = 00000074 0a0b: NtCreateEvent retval=00000000 ret=5ff93d3b 0a0b: NtQuerySystemInformation(00000000,0016fbb8,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x16fbb8 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77faf12b 0a0b: NtAllocateVirtualMemory(ffffffff,0016fbec,00000000,0016fbfc,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x510000 00040000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0a0b: NtAllocateVirtualMemory(ffffffff,0016fbec,00000000,0016fc00,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x54d000 00003000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0a0b: NtProtectVirtualMemory(ffffffff,0016fbec,0016fbe8,00000104,0016fbe4) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x16fbec 0x16fbe8 260 0x16fbe4 NtProtectVirtualMemory 0x54d000 00001000 0a0b: NtProtectVirtualMemory retval=00000000 ret=77faf226 0a0b: NtWriteVirtualMemory(ffffffff,0054fffc,0016fbfc,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x54fffc 0x16fbfc 00000004 (nil) NtWriteVirtualMemory 0xb6729ffc <- 0xb71b8bfc 4 NtWriteVirtualMemory wrote 4 bytes 0a0b: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0a0b: NtCreateThread(0016ff24,001f03ff,0016fef0,ffffffff,0016ff08,0016fc10,0016fedc,00000001) ret=77faf6ee NtCreateThread 0x16ff24 001f03ff 0x16fef0 0xffffffff 0x16ff08 0x16fc10 0x16fedc 1 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000078 0a0b: NtCreateThread retval=00000000 ret=77faf6ee 0a0b: NtResumeThread(00000050,00000000) ret=5ff93d8b NtResumeThread 0x50 (nil) access_allowed fixme: no access check 0a0b: NtResumeThread retval=00000000 ret=5ff93d8b 0a0b: NtResumeThread(00000078,00000000) ret=5ff93d8b NtResumeThread 0x78 (nil) access_allowed fixme: no access check 0a0b: NtResumeThread retval=00000000 ret=5ff93d8b 0a0d: NtTestAlert() ret=77f84bcb 0a0d: NtTestAlert retval=00000000 ret=77f84bcb 0a0b: NtWaitForSingleObject(00000074,00000000,00000000) ret=5ff93d9f NtWaitForSingleObject 0x74 0 (nil) wait_on_handles handle[0] = 00000074 0a0d: NtContinue(0054fd28,00000001) ret=77f8855e NtContinue 0x54fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:5ff93f6d ss:esp 0020:0054fff8 ds 007b es 007b fs 003b gs 0000 0a0d: NtContinue retval=00000000 ret=77f8855e 0a0d (debug 54f9c0,0,35) : LDR: LdrGetDllHandle, searching for user32.dll from 0a0d (debug 54fb70,0,1f) : LDR: LdrGetProcedureAddress by 0a0d (debug 54fb6c,54fb70,19) : NAME - ClientThreadSetup 0a0d: NtSetEvent(00000074,00000000) ret=5ff93ff9 0a0d: NtSetEvent retval=00000000 ret=5ff93ff9 0a0b: NtWaitForSingleObject retval=00000000 ret=5ff93d9f 0a0d: NtReplyWaitReceivePort(00000070,0054ff08,00000000,0054ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x70 0x54ff08 (nil) 0x54ff2c access_allowed fixme: no access check reply_wait_receive 0x80c0948 (nil) (nil) 0a0b: NtClose(00000074) ret=5ff93daf NtClose 0x74 0a0b: NtClose retval=00000000 ret=5ff93daf 0a0b: NtConnectPort(77fcf1f0,0016ff64,0016ff58,00000000,00000000,00000000,00000000,00000000) ret=77f9bb2c NtConnectPort 0x77fcf1f0 0x16ff64 0x16ff58 (nil) (nil) (nil) (nil) (nil) NtSecureConnectPort 0x77fcf1f0 0x16ff64 0x16ff58 (nil) (nil) (nil) (nil) (nil) (nil) connect_port \DbgSsApiPort dump DataSize = 0 dump MessageSize = 24 dump MessageType = 10 (LPC_CONNECTION_REQUEST) dump Offset = 0 dump ClientId = 000a, 000b dump MessageId = 258 dump SectionSize = 00000000 address 0x80c093c 0308: NtReplyWaitReceivePort retval=00000000 ret=48582d05 0308: NtOpenProcess(0024ff0c,00020040,0024feec,0024ff38) ret=48582e61 NtOpenProcess 0x24ff0c 00020040 0x24feec 0x24ff38 process_alloc_user_handle handle = 00000058 0308: NtOpenProcess retval=00000000 ret=48582e61 0308: NtAcceptConnectPort(0024ff08,00032950,0024ff30,00000001,00000000,00000000) ret=48582ecc NtAcceptConnectPort 0x24ff08 32950 0x24ff30 1 (nil) (nil) NtAcceptConnectPort 00000102 00000102 process_alloc_user_handle handle = 00000060 0308: NtAcceptConnectPort retval=00000000 ret=48582ecc 0308: NtCompleteConnectPort(00000060) ret=48582eff NtCompleteConnectPort 0x60 access_allowed fixme: no access check 0308: NtCompleteConnectPort retval=00000000 ret=48582eff process_alloc_user_handle handle = 00000074 connect_port ServerSharedMemory = (nil) 0a0b: NtConnectPort retval=00000000 ret=77f9bb2c 0308: NtReplyWaitReceivePort(00000030,0024ff2c,00000000,0024ff30) ret=48582d05 NtReplyWaitReceivePort 0x30 0x24ff2c (nil) 0x24ff30 access_allowed fixme: no access check reply_wait_receive 0x80b8220 (nil) (nil) 0a0b: NtQuerySystemInformation(00000000,0016fbec,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x16fbec 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77faf12b 0a0b: NtAllocateVirtualMemory(ffffffff,0016fc20,00000000,0016fc30,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x550000 00040000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0a0b: NtAllocateVirtualMemory(ffffffff,0016fc20,00000000,0016fc34,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x58d000 00003000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0a0b: NtProtectVirtualMemory(ffffffff,0016fc20,0016fc1c,00000104,0016fc18) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x16fc20 0x16fc1c 260 0x16fc18 NtProtectVirtualMemory 0x58d000 00001000 0a0b: NtProtectVirtualMemory retval=00000000 ret=77faf226 0a0b: NtWriteVirtualMemory(ffffffff,0058fffc,0016fc30,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x58fffc 0x16fc30 00000004 (nil) NtWriteVirtualMemory 0xb66d7ffc <- 0xb71b8c30 4 NtWriteVirtualMemory wrote 4 bytes 0a0b: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0a0b: NtCreateThread(0016ff58,001f03ff,0016ff24,ffffffff,0016ff3c,0016fc44,0016ff10,00000000) ret=77faf6ee NtCreateThread 0x16ff58 001f03ff 0x16ff24 0xffffffff 0x16ff3c 0x16fc44 0x16ff10 0 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 0000007c 0a0b: NtCreateThread retval=00000000 ret=77faf6ee 0a0e: NtTestAlert() ret=77f84bcb 0a0e: NtTestAlert retval=00000000 ret=77f84bcb 0a0b: NtCreatePort(5ff98980,0016ff5c,000000f4,00000110,00002200) ret=5ff938d9 NtCreatePort 0x5ff98980 0x16ff5c 244 272 0x2200 NtCreatePort root = (nil) port = \Windows\SbApiPort process_alloc_user_handle handle = 00000080 0a0b: NtCreatePort retval=00000000 ret=5ff938d9 0a0e: NtContinue(0058fd28,00000001) ret=77f8855e NtContinue 0x58fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:77f9bf61 ss:esp 0020:0058fff8 ds 007b es 007b fs 003b gs 0000 0a0e: NtContinue retval=00000000 ret=77f8855e 0a0b: NtQuerySystemInformation(00000000,0016fbc8,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x16fbc8 44 (nil) 0a0b: NtQuerySystemInformation retval=00000000 ret=77faf12b 0a0e: NtReplyWaitReceivePort(00000074,00000000,00000000,0058ffcc) ret=77f9bf7c NtReplyWaitReceivePort 0x74 (nil) (nil) 0x58ffcc access_allowed fixme: no access check reply_wait_receive 0x80c0ef8 (nil) (nil) 0a0b: NtAllocateVirtualMemory(ffffffff,0016fbfc,00000000,0016fc0c,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x590000 00040000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0a0b: NtAllocateVirtualMemory(ffffffff,0016fbfc,00000000,0016fc10,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x5cd000 00003000 00000000 0a0b: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0a0b: NtProtectVirtualMemory(ffffffff,0016fbfc,0016fbf8,00000104,0016fbf4) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x16fbfc 0x16fbf8 260 0x16fbf4 NtProtectVirtualMemory 0x5cd000 00001000 0a0b: NtProtectVirtualMemory retval=00000000 ret=77faf226 0a0b: NtWriteVirtualMemory(ffffffff,005cfffc,0016fc0c,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x5cfffc 0x16fc0c 00000004 (nil) NtWriteVirtualMemory 0xb6685ffc <- 0xb71b8c0c 4 NtWriteVirtualMemory wrote 4 bytes 0a0b: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0a0b: NtCreateThread(0016ff34,001f03ff,0016ff00,ffffffff,0016ff18,0016fc20,0016feec,00000001) ret=77faf6ee NtCreateThread 0x16ff34 001f03ff 0x16ff00 0xffffffff 0x16ff18 0x16fc20 0x16feec 1 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000084 0a0b: NtCreateThread retval=00000000 ret=77faf6ee 0a0b: NtResumeThread(00000084,00000000) ret=5ff93919 NtResumeThread 0x84 (nil) access_allowed fixme: no access check 0a0b: NtResumeThread retval=00000000 ret=5ff93919 0a0f: NtTestAlert() ret=77f84bcb 0a0f: NtTestAlert retval=00000000 ret=77f84bcb 0a0b: NtConnectPort(5ff9888c,0016ff58,0016ff60,00000000,00000000,00000000,0016fe60,0016ff6c) ret=5ff96fb2 NtConnectPort 0x5ff9888c 0x16ff58 0x16ff60 (nil) (nil) (nil) 0x16fe60 0x16ff6c NtSecureConnectPort 0x5ff9888c 0x16ff58 0x16ff60 (nil) (nil) (nil) (nil) 0x16fe60 0x16ff6c connect_port \SmApiPort dump DataSize = 244 dump MessageSize = 268 dump MessageType = 10 (LPC_CONNECTION_REQUEST) dump Offset = 0 dump ClientId = 000a, 000b dump MessageId = 259 dump SectionSize = 00000000 address 0x80c1914 02 00 00 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 ....\.W.i.n.d.o. 77 00 73 00 5c 00 53 00 62 00 41 00 70 00 69 00 w.s.\.S.b.A.p.i. 50 00 6f 00 72 00 74 00 00 00 fc 77 00 00 17 00 P.o.r.t....w.... c0 c9 fc 77 08 06 17 00 25 c9 fc 77 d3 c7 fc 77 ...w....%..w...w 00 00 00 00 70 37 17 00 03 00 00 00 00 00 17 00 ....p7.......... 34 00 00 00 58 37 17 00 38 37 17 00 00 00 17 00 4...X7..87...... 26 00 00 00 08 00 00 00 a8 37 17 00 60 01 17 00 &........7..`... 00 00 00 10 08 00 00 00 18 39 17 00 00 03 17 00 .........9...... 00 40 00 00 e8 37 17 00 18 39 17 00 e8 02 17 00 .@...7...9...... a8 37 17 00 b0 37 17 00 40 00 00 00 00 00 00 00 .7...7..@....... 00 00 f7 7f 00 00 f7 7f 00 00 00 00 91 81 f9 77 ...............w 40 96 f8 77 ff ff ff ff 80 ff 16 00 3d 52 f9 5f @..w........=R._ 5d 52 f9 5f 58 24 17 00 60 89 f9 5f c8 88 f9 5f ]R._X$..`.._..._ 04 56 f9 5f 60 89 f9 5f 2c 1e f9 77 c8 88 f9 5f .V._`.._,..w..._ 0a 39 f9 5f 19 39 f9 5f 84 00 00 00 00 00 00 00 .9._.9._........ 34 89 f9 5f 4.._ 0305: NtReplyWaitReceivePort retval=00000000 ret=485881ff 0a0f: NtContinue(005cfd28,00000001) ret=77f8855e NtContinue 0x5cfd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:5ff9391e ss:esp 0020:005cfff8 ds 007b es 007b fs 003b gs 0000 0a0f: NtContinue retval=00000000 ret=77f8855e 0305: NtOpenProcess(0016fe5c,00000400,0016fe14,0016feb4) ret=485883dd NtOpenProcess 0x16fe5c 00000400 0x16fe14 0x16feb4 process_alloc_user_handle handle = 00000064 0305: NtOpenProcess retval=00000000 ret=485883dd 0a0f: NtReplyWaitReceivePort(00000080,00000000,00000000,005cfee4) ret=5ff93940 NtReplyWaitReceivePort 0x80 (nil) (nil) 0x5cfee4 access_allowed fixme: no access check reply_wait_receive 0x80c13d0 (nil) (nil) 0305: NtQueryInformationProcess(00000064,00000018,0016fe04,00000004,00000000) ret=485893e2 NtQueryInformationProcess 0x64 24 0x16fe04 4 (nil) access_allowed fixme: no access check 0305: NtQueryInformationProcess retval=00000000 ret=485893e2 0305: NtAcceptConnectPort(0016fe50,00032608,0016feac,48588101,00000000,0016fe2c) ret=485884dc NtAcceptConnectPort 0x16fe50 32608 0x16feac 1 (nil) 0x16fe2c NtAcceptConnectPort 00000103 00000103 process_alloc_user_handle handle = 00000068 0305: NtAcceptConnectPort retval=00000000 ret=485884dc 0305: NtCompleteConnectPort(00000068) ret=4858850d NtCompleteConnectPort 0x68 access_allowed fixme: no access check 0305: NtCompleteConnectPort retval=00000000 ret=4858850d process_alloc_user_handle handle = 00000088 connect_port ServerSharedMemory = (nil) 0a0b: NtConnectPort retval=00000000 ret=5ff96fb2 0305: NtConnectPort(00032810,0016fe44,0016fe38,00000000,00000000,00000000,00000000,00000000) ret=4858855b NtConnectPort 0x32810 0x16fe44 0x16fe38 (nil) (nil) (nil) (nil) (nil) NtSecureConnectPort 0x32810 0x16fe44 0x16fe38 (nil) (nil) (nil) (nil) (nil) (nil) connect_port \Windows\SbApiPort dump DataSize = 0 dump MessageSize = 24 dump MessageType = 10 (LPC_CONNECTION_REQUEST) dump Offset = 0 dump ClientId = 0003, 0005 dump MessageId = 260 dump SectionSize = 00000000 address 0x80c18e4 0a0f: NtReplyWaitReceivePort retval=00000000 ret=5ff93940 0a0b: NtSetEvent(00000014,00000000) ret=5ff92121 0a0b: NtSetEvent retval=00000000 ret=5ff92121 0a0f: NtAcceptConnectPort(005cfedc,00000000,005cfee4,00000001,00000000,005cfec8) ret=5ff939ea NtAcceptConnectPort 0x5cfedc 0 0x5cfee4 1 (nil) 0x5cfec8 NtAcceptConnectPort 00000104 00000104 process_alloc_user_handle handle = 0000008c 0a0f: NtAcceptConnectPort retval=00000000 ret=5ff939ea 0a0b: NtClose(00000014) ret=5ff92133 NtClose 0x14 0a0b: NtClose retval=00000000 ret=5ff92133 0a0f: NtCompleteConnectPort(0000008c) ret=5ff939f7 NtCompleteConnectPort 0x8c access_allowed fixme: no access check 0a0f: NtCompleteConnectPort retval=00000000 ret=5ff939f7 process_alloc_user_handle handle = 0000006c connect_port ServerSharedMemory = (nil) 0305: NtConnectPort retval=00000000 ret=4858855b 0a0b: NtSetDefaultHardErrorPort(00000070) ret=5ff92150 NtSetDefaultHardErrorPort 0x70 access_allowed fixme: no access check NtSetDefaultHardErrorPort does nothing 0a0b: NtSetDefaultHardErrorPort retval=00000000 ret=5ff92150 0a0f: NtReplyWaitReceivePort(00000080,00000000,00000000,005cfee4) ret=5ff93940 NtReplyWaitReceivePort 0x80 (nil) (nil) 0x5cfee4 access_allowed fixme: no access check reply_wait_receive 0x80c13d0 (nil) (nil) 0305: NtSetEvent(00000050,00000000) ret=48588572 0305: NtSetEvent retval=00000000 ret=48588572 0304: NtWaitForSingleObject retval=00000000 ret=48587512 0a0b: NtSetInformationProcess(ffffffff,0000000c,0016ff98,00000004) ret=5fff10b8 NtSetInformationProcess 0xffffffff 12 0x16ff98 4 NtSetInformationProcess set ProcessDefaultHardErrorMode 0a0b: NtSetInformationProcess retval=00000000 ret=5fff10b8 0305: NtReplyWaitReceivePort(00000010,0016fea8,00000000,0016feac) ret=485881ff NtReplyWaitReceivePort 0x10 0x16fea8 (nil) 0x16feac access_allowed fixme: no access check reply_wait_receive 0x80b3538 (nil) (nil) 0304: NtClose(0000005c) ret=4858751d NtClose 0x5c 0304: NtClose retval=00000000 ret=4858751d 0a0b: NtTerminateThread(fffffffe,00000000) ret=5fff1124 NtTerminateThread 0xfffffffe 00000000 0304: NtOpenKey(7ff7fe28,80000000,7ff7fe04) ret=77f91379 NtOpenKey 0x7ff7fe28 80000000 0x7ff7fe04 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe open_parse_key remaining = Image File Execution Options\winlogon.exe NtOpenKey open_key returned c000003a 0304: NtOpenKey retval=c000003a ret=77f91379 0304: NtSetEvent(0000001c,00000000) ret=48584767 0304: NtSetEvent retval=00000000 ret=48584767 0304: NtClose(0000001c) ret=48584770 NtClose 0x1c 0304: NtClose retval=00000000 ret=48584770 0304: NtQuerySystemInformation(00000009,7ff7ff3c,00000004,00000000) ret=48588d69 NtQuerySystemInformation 9 0x7ff7ff3c 4 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=48588d69 0304: NtConnectPort(4858b28c,7ff7fe70,7ff7fe78,00000000,00000000,00000000,7ff7fd78,7ff7fe84) ret=48589b0b NtConnectPort 0x4858b28c 0x7ff7fe70 0x7ff7fe78 (nil) (nil) (nil) 0x7ff7fd78 0x7ff7fe84 NtSecureConnectPort 0x4858b28c 0x7ff7fe70 0x7ff7fe78 (nil) (nil) (nil) (nil) 0x7ff7fd78 0x7ff7fe84 connect_port \SmApiPort dump DataSize = 244 dump MessageSize = 268 dump MessageType = 10 (LPC_CONNECTION_REQUEST) dump Offset = 0 dump ClientId = 0003, 0004 dump MessageId = 261 dump SectionSize = 00000000 address 0x80c1ad4 00 00 00 00 00 00 fc 77 00 00 03 00 00 2b 03 00 .......w.....+.. 00 00 00 00 80 fd f7 7f 00 00 03 00 00 2b 03 00 .............+.. 00 00 00 00 44 fe f7 7f d7 c8 fc 77 00 00 03 00 ....D......w.... c0 c9 fc 77 08 06 03 00 25 c9 fc 77 d3 c7 fc 77 ...w....%..w...w 08 2b 03 00 00 00 00 00 88 25 03 00 08 00 00 00 .+.......%...... 20 00 00 00 a8 01 03 00 4c 01 01 00 00 00 03 00 .......L....... 9b 01 00 00 01 00 00 00 14 1f 58 48 28 33 03 00 ..........XH(3.. 01 2d 03 00 00 00 00 00 78 fd f7 7f a4 ff f7 7f .-......x....... b0 01 03 00 80 27 03 00 50 96 f8 77 18 00 00 00 .....'..P..w.... 00 00 00 00 1c fe f7 7f 40 00 00 00 00 00 00 00 ........@....... 00 00 00 00 d0 00 c6 02 3c fb f7 7f 01 00 00 00 ........<....... dc 01 de 01 b4 fd f7 00 18 00 18 00 38 19 58 48 ............8.XH 74 fe f7 7f df 4c 58 48 40 ff f7 7f 24 19 58 48 t....LXH@...$.XH 01 00 00 00 e0 b2 58 48 00 02 00 00 00 00 00 00 ......XH........ 58 23 03 00 d3 c7 fc 77 20 b5 58 48 40 00 1a 02 X#.....w .XH@... 30 33 03 00 03.. 0306: NtReplyWaitReceivePort retval=00000000 ret=485881ff 0306: NtAcceptConnectPort(001afe50,00032620,001afeac,48588101,00000000,001afe2c) ret=485884dc NtAcceptConnectPort 0x1afe50 32620 0x1afeac 1 (nil) 0x1afe2c NtAcceptConnectPort 00000105 00000105 process_alloc_user_handle handle = 0000001c 0306: NtAcceptConnectPort retval=00000000 ret=485884dc 0306: NtCompleteConnectPort(0000001c) ret=4858850d NtCompleteConnectPort 0x1c access_allowed fixme: no access check 0306: NtCompleteConnectPort retval=00000000 ret=4858850d process_alloc_user_handle handle = 0000005c connect_port ServerSharedMemory = (nil) 0304: NtConnectPort retval=00000000 ret=48589b0b 0306: NtReplyWaitReceivePort(00000010,001afea8,00000000,001afeac) ret=485881ff NtReplyWaitReceivePort 0x10 0x1afea8 (nil) 0x1afeac access_allowed fixme: no access check reply_wait_receive 0x80b3538 (nil) (nil) 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa60,00000000,7ff7fa80,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x34000 00002000 c0000018 0304: NtAllocateVirtualMemory retval=c0000018 ret=77fcce74 0304: NtAllocateVirtualMemory(ffffffff,7ff7fa60,00000000,7ff7fa80,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x1c1000 00002000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f80c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f80c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtQueryAttributesFile(7ff7fbd0,7ff7fba8) ret=77f8cb7a NtQueryAttributesFile 0x7ff7fbd0 0x7ff7fba8 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\winlogon.exe stat_unicode c:/winnt/system32/winlogon.exe -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\winlogon.exe 0304: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7fb00,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7fb00 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtFreeVirtualMemory(ffffffff,7ff7fb94,7ff7fb98,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x7ff7fb94 0x7ff7fb98 16384 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0304: NtFsControlFile(00000000,00000000,00000000,00000000,7ff7f8ac,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x7ff7f8ac 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 0304: NtFsControlFile retval=c0000008 ret=77f86dbb 0304: NtAllocateVirtualMemory(ffffffff,7ff7fde4,00000000,7ff7fddc,00001000,00000004) ret=77f83e1d NtAllocateVirtualMemory returns 0x2a0000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77f83e1d 0304: NtOpenFile(7ff7fd74,00100020,7ff7fd44,7ff7fd5c,00000005,00000040) ret=77faf103 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\winlogon.exe open_file root = (nil) name = \??\C:\WINNT\system32\winlogon.exe open_unicode_file open file : c:/winnt/system32/winlogon.exe process_alloc_user_handle handle = 00000070 0304: NtOpenFile retval=00000000 ret=77faf103 0304: NtCreateSection(7ff7fdd8,000f001f,00000000,00000000,00000010,01000000,00000070) ret=77faf32c NtCreateSection 0x7ff7fdd8 000f001f (nil) (nil) 00000010 01000000 0x70 access_allowed fixme: no access check process_alloc_user_handle handle = 00000074 0304: NtCreateSection retval=00000000 ret=77faf32c 0304: NtClose(00000070) ret=77faf336 NtClose 0x70 0304: NtClose retval=00000000 ret=77faf336 0304: NtCreateProcess(7ff7feb0,001f0fff,7ff7fda8,ffffffff,00000000,00000074,00000000,00000000) ret=77faf3e5 NtCreateProcess 0x7ff7feb0 001f0fff 0x7ff7fda8 0xffffffff 0 0x74 (nil) (nil) access_allowed fixme: no access check mapit image at 0x1000000 mapit read 3 sections, load at 01000000 mapit .text 00001000 00000400 00020c00 00020b56 mapit .data 00022000 00021000 00002200 00002168 mapit .rsrc 00025000 00023200 00009000 00008e30 mapit image at 0x77f80000 mapit read 6 sections, load at 77f80000 mapit .text 00001000 00000400 00044a00 000448f9 mapit ECODE 00046000 00044e00 00004400 00004371 mapit PAGE 0004b000 00049200 00003e00 00003dfd mapit .data 0004f000 0004d000 00002200 00002a54 mapit .rsrc 00052000 0004f200 00026e00 00026d18 mapit .reloc 00079000 00076000 00002000 00001f40 mapit anonymous map mapit anonymous map process_alloc_user_handle handle = 00000070 0304: NtCreateProcess retval=00000000 ret=77faf3e5 0304: NtQuerySection(00000074,00000001,7ff7fec0,00000030,00000000) ret=77faf3fd NtQuerySection 0x74 1 0x7ff7fec0 48 (nil) access_allowed fixme: no access check 0304: NtQuerySection retval=00000000 ret=77faf3fd 0304: NtQueryInformationProcess(00000070,00000000,7ff7fd90,00000018,00000000) ret=77faf413 NtQueryInformationProcess 0x70 0 0x7ff7fd90 24 (nil) access_allowed fixme: no access check 0304: NtQueryInformationProcess retval=00000000 ret=77faf413 0304: NtAllocateVirtualMemory(00000070,7ff7fdc0,00000000,7ff7fdd0,00001000,00000004) ret=77faf57a access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x10000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf57a 0304: NtWriteVirtualMemory(00000070,00010000,001b0000,000002a0,00000000) ret=77faf594 NtWriteVirtualMemory 0x70 0x10000 0x1b0000 000002a0 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb6302000 <- 0xb758d000 672 NtWriteVirtualMemory wrote 672 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77faf594 0304: NtAllocateVirtualMemory(00000070,7ff7fde0,00000000,7ff7fd8c,00001000,00000004) ret=77faf5c4 access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x20000 00001000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf5c4 0304: NtWriteVirtualMemory(00000070,00020000,002a0000,00000568,00000000) ret=77faf5dd NtWriteVirtualMemory 0x70 0x20000 0x2a0000 00000568 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb6301000 <- 0xb6633000 1384 NtWriteVirtualMemory wrote 1384 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77faf5dd 0304: NtWriteVirtualMemory(00000070,7ffd0010,7ff7fde0,00000004,00000000) ret=77faf5f9 NtWriteVirtualMemory 0x70 0x7ffd0010 0x7ff7fde0 00000004 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb634b010 <- 0xb7843de0 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77faf5f9 0304: NtQuerySystemInformation(00000000,7ff7f9f4,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x7ff7f9f4 44 (nil) 0304: NtQuerySystemInformation retval=00000000 ret=77faf12b 0304: NtAllocateVirtualMemory(00000070,7ff7fa28,00000000,7ff7fa38,00002000,00000004) ret=77faf1b0 access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x30000 00040000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0304: NtAllocateVirtualMemory(00000070,7ff7fa28,00000000,7ff7fa3c,00001000,00000004) ret=77faf1fa access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x6d000 00003000 00000000 0304: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0304: NtProtectVirtualMemory(00000070,7ff7fa28,7ff7fa24,00000104,7ff7fa20) ret=77faf226 NtProtectVirtualMemory 0x70 0x7ff7fa28 0x7ff7fa24 260 0x7ff7fa20 access_allowed fixme: no access check NtProtectVirtualMemory 0x6d000 00001000 0304: NtProtectVirtualMemory retval=00000000 ret=77faf226 0304: NtWriteVirtualMemory(00000070,0006fffc,7ff7fa38,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0x70 0x6fffc 0x7ff7fa38 00000004 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb6300ffc <- 0xb7843a38 4 NtWriteVirtualMemory wrote 4 bytes 0304: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0304: NtCreateThread(7ff7fd60,001f03ff,7ff7fd2c,00000070,7ff7fd44,7ff7fa4c,7ff7fd18,00000001) ret=77faf6ee NtCreateThread 0x7ff7fd60 001f03ff 0x7ff7fd2c 0x70 0x7ff7fd44 0x7ff7fa4c 0x7ff7fd18 1 access_allowed fixme: no access check mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000078 0304: NtCreateThread retval=00000000 ret=77faf6ee 0304: NtClose(00000074) ret=77faf64f NtClose 0x74 0304: NtClose retval=00000000 ret=77faf64f 0304: NtFreeVirtualMemory(ffffffff,7ff7fe2c,7ff7fe20,00008000) ret=77f83cc7 NtFreeVirtualMemory 0xffffffff 0x7ff7fe2c 0x7ff7fe20 32768 NtFreeVirtualMemory returning 00000000 0304: NtFreeVirtualMemory retval=00000000 ret=77f83cc7 0304: NtDuplicateObject(ffffffff,00000070,ffffffff,7ff7ff98,001f0fff,00000000,00000000) ret=485876ea NtDuplicateObject 0xffffffff 0x70 0xffffffff 0x7ff7ff98 001f0fff 00000000 00000000 NtDuplicateObject source process 0x80d2448 access_allowed fixme: no access check NtDuplicateObject target process 0x80d2448 process_alloc_user_handle handle = 00000074 NtDuplicateObject new handle is 0x74 0304: NtDuplicateObject retval=00000000 ret=485876ea 0304: NtRequestWaitReplyPort(0000005c,7ff7fd5c,7ff7fd5c) ret=48589a42 NtRequestWaitReplyPort 0x5c 0x7ff7fd5c 0x7ff7fd5c access_allowed fixme: no access check dump DataSize = 80 dump MessageSize = 304 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0003, 0004 dump MessageId = 262 dump SectionSize = 00000000 address 0x80c2d5c 03 00 00 00 28 33 03 00 44 00 00 00 70 00 00 00 ....(3..D...p... 78 00 00 00 10 00 00 00 11 00 00 00 f4 23 00 01 x............#.. 00 00 00 00 00 00 04 00 00 20 00 00 02 00 00 00 ......... ...... 00 00 04 00 00 00 00 00 1f 03 00 80 4c 01 01 00 ............L... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0305: NtReplyWaitReceivePort retval=00000000 ret=485881ff 0305: NtOpenProcess(0016fe64,00000040,0016fe3c,0016feb4) ret=48588c03 NtOpenProcess 0x16fe64 00000040 0x16fe3c 0x16feb4 process_alloc_user_handle handle = 0000007c 0305: NtOpenProcess retval=00000000 ret=48588c03 0305: NtDuplicateObject(0000007c,00000070,ffffffff,0016fdfc,001f0fff,00000000,00000000) ret=48588c47 NtDuplicateObject 0x7c 0x70 0xffffffff 0x16fdfc 001f0fff 00000000 00000000 access_allowed fixme: no access check NtDuplicateObject source process 0x80d2448 access_allowed fixme: no access check NtDuplicateObject target process 0x80d2448 process_alloc_user_handle handle = 00000080 NtDuplicateObject new handle is 0x80 0305: NtDuplicateObject retval=00000000 ret=48588c47 0305: NtDuplicateObject(0000007c,00000078,ffffffff,0016fe00,001f03ff,00000000,00000000) ret=48588c80 NtDuplicateObject 0x7c 0x78 0xffffffff 0x16fe00 001f03ff 00000000 00000000 access_allowed fixme: no access check NtDuplicateObject source process 0x80d2448 access_allowed fixme: no access check NtDuplicateObject target process 0x80d2448 process_alloc_user_handle handle = 00000084 NtDuplicateObject new handle is 0x84 0305: NtDuplicateObject retval=00000000 ret=48588c80 0305: NtClose(0000007c) ret=48588cb0 NtClose 0x7c 0305: NtClose retval=00000000 ret=48588cb0 0305: NtQueryInformationProcess(00000080,00000018,0016fcb0,00000004,00000000) ret=485893e2 NtQueryInformationProcess 0x80 24 0x16fcb0 4 (nil) access_allowed fixme: no access check 0305: NtQueryInformationProcess retval=00000000 ret=485893e2 0305: NtDuplicateObject(ffffffff,00000080,00000054,0016fce8,001f0fff,00000000,00000000) ret=485888d6 NtDuplicateObject 0xffffffff 0x80 0x54 0x16fce8 001f0fff 00000000 00000000 NtDuplicateObject source process 0x80d2448 access_allowed fixme: no access check access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 00000014 NtDuplicateObject new handle is 0x14 0305: NtDuplicateObject retval=00000000 ret=485888d6 0305: NtDuplicateObject(ffffffff,00000084,00000054,0016fcec,001f03ff,00000000,00000000) ret=48588919 NtDuplicateObject 0xffffffff 0x84 0x54 0x16fcec 001f03ff 00000000 00000000 NtDuplicateObject source process 0x80d2448 access_allowed fixme: no access check access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 00000090 NtDuplicateObject new handle is 0x90 0305: NtDuplicateObject retval=00000000 ret=48588919 0305: NtClose(00000080) ret=48588991 NtClose 0x80 0305: NtClose retval=00000000 ret=48588991 0305: NtClose(00000084) ret=48588996 NtClose 0x84 0305: NtClose retval=00000000 ret=48588996 0305: NtRequestWaitReplyPort(0000006c,0016fcc0,0016fcc0) ret=485889de NtRequestWaitReplyPort 0x6c 0x16fcc0 0x16fcc0 access_allowed fixme: no access check dump DataSize = 96 dump MessageSize = 272 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0003, 0005 dump MessageId = 263 dump SectionSize = 00000000 address 0x80c2d5c 00 00 00 00 00 00 00 00 01 00 00 00 44 00 00 00 ............D... 14 00 00 00 90 00 00 00 10 00 00 00 11 00 00 00 ................ f4 23 00 01 00 00 00 00 00 00 04 00 00 20 00 00 .#........... .. 02 00 00 00 00 00 04 00 00 00 00 00 1f 03 00 80 ................ 4c 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 L............... 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0a0f: NtReplyWaitReceivePort retval=00000000 ret=5ff93940 0a0f: NtSetInformationProcess(00000014,00000008,5ff988bc,00000004) ret=5ff93a3c NtSetInformationProcess 0x14 8 0x5ff988bc 4 access_allowed fixme: no access check access_allowed fixme: no access check 0a0f: NtSetInformationProcess retval=00000000 ret=5ff93a3c 0a0f: NtQueryInformationThread(00000090,00000001,005cfeb0,00000020,00000000) ret=5ff93a67 NtQueryInformationThread 0x90 1 0x5cfeb0 32 (nil) access_allowed fixme: no access check 0a0f: NtQueryInformationThread retval=00000000 ret=5ff93a67 0a0f: NtSetInformationProcess(00000014,00000019,005cfe97,00000001) ret=5ff94b68 NtSetInformationProcess 0x14 25 0x5cfe97 1 access_allowed fixme: no access check NtSetInformationProcess set ProcessForegroundInformation 0a0f: NtSetInformationProcess retval=00000000 ret=5ff94b68 0a0f: NtResumeThread(00000090,00000000) ret=5ff93b43 NtResumeThread 0x90 (nil) access_allowed fixme: no access check 0a0f: NtResumeThread retval=00000000 ret=5ff93b43 1011: NtOpenKey(0006fc74,80000000,0006fc50) ret=77f91379 NtOpenKey 0x6fc74 80000000 0x6fc50 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe open_parse_key remaining = Image File Execution Options\winlogon.exe NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77f91379 0a0f: NtReplyWaitReceivePort(00000080,00000000,005cfee4,005cfee4) ret=5ff93940 NtReplyWaitReceivePort 0x80 (nil) 0x5cfee4 0x5cfee4 access_allowed fixme: no access check reply_wait_receive 0x80c13d0 0x80c2d38 (nil) dump DataSize = 96 dump MessageSize = 272 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 000f dump MessageId = 263 dump SectionSize = 00000000 address 0x80c2d5c 00 00 00 00 00 00 00 00 01 00 00 00 44 00 00 00 ............D... 14 00 00 00 90 00 00 00 10 00 00 00 11 00 00 00 ................ f4 23 00 01 00 00 00 00 00 00 04 00 00 20 00 00 .#........... .. 02 00 00 00 00 00 04 00 00 00 00 00 1f 03 00 80 ................ 4c 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 L............... 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0305: NtRequestWaitReplyPort retval=00000000 ret=485889de 1011: NtOpenKey(0006fc74,80000000,0006fc50) ret=77f91379 NtOpenKey 0x6fc74 80000000 0x6fc50 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe open_parse_key remaining = Image File Execution Options\winlogon.exe NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77f91379 0305: NtReplyWaitReceivePort(00000010,0016fea8,0016feac,0016feac) ret=485881ff NtReplyWaitReceivePort 0x10 0x16fea8 0x16feac 0x16feac access_allowed fixme: no access check reply_wait_receive 0x80b3538 0x80c2d38 (nil) dump DataSize = 80 dump MessageSize = 304 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 0003, 0005 dump MessageId = 262 dump SectionSize = 00000000 address 0x80c2d5c 03 00 00 00 00 00 00 00 44 00 00 00 70 00 00 00 ........D...p... 78 00 00 00 10 00 00 00 11 00 00 00 f4 23 00 01 x............#.. 00 00 00 00 00 00 04 00 00 20 00 00 02 00 00 00 ......... ...... 00 00 04 00 00 00 00 00 1f 03 00 80 4c 01 01 00 ............L... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0304: NtRequestWaitReplyPort retval=00000000 ret=48589a42 1011 (debug 6f754,0,28) : LDR: PID: 0x10 started - 'winlogon.exe' 0304: NtClose(00000070) ret=48589a59 NtClose 0x70 0304: NtClose retval=00000000 ret=48589a59 1011: NtCreateEvent(0006f974,00100003,00000000,00000001,00000000) ret=77f8c9cd NtCreateEvent 0x6f974 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000004 1011: NtCreateEvent retval=00000000 ret=77f8c9cd 0304: NtClose(00000078) ret=48589a5e NtClose 0x78 0304: NtClose retval=00000000 ret=48589a5e 1011: NtCreateEvent(77fcf670,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x77fcf670 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000008 1011: NtCreateEvent retval=00000000 ret=77f94ac1 0304: NtWaitForMultipleObjects(00000002,7ff7ff94,00000001,00000000,00000000) ret=48588e60 NtWaitForMultipleObjects 2 0x7ff7ff94 1 0 (nil) wait_on_handles handle[0] = 00000054 access_allowed fixme: no access check wait_on_handles handle[1] = 00000074 access_allowed fixme: no access check 1011: NtQuerySystemInformation(00000000,0006f8cc,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x6f8cc 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=77fcb540 1011: NtAllocateVirtualMemory(ffffffff,0006f894,00000000,0006f970,00002000,00000004) ret=77fcb607 NtAllocateVirtualMemory returns 0x70000 00100000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcb607 1011: NtAllocateVirtualMemory(ffffffff,0006f940,00000000,0006f974,00001000,00000004) ret=77fcb640 NtAllocateVirtualMemory returns 0x70000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcb640 1011: NtCreateEvent(00070618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x70618 00100003 (nil) 1 0 process_alloc_user_handle handle = 0000000c 1011: NtCreateEvent retval=00000000 ret=77f94ac1 1011: NtAllocateVirtualMemory(ffffffff,0006f680,00000000,0006f6a0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x71000 00002000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtOpenKey(0006f950,80000000,0006f92c) ret=77f91379 NtOpenKey 0x6f950 80000000 0x6f92c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe open_parse_key remaining = Image File Execution Options\winlogon.exe NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77f91379 1011: NtOpenDirectoryObject(77fcf000,00000003,0006fc30) ret=77f8584a nt_open_object object = \KnownDlls process_alloc_user_handle handle = 00000010 1011: NtOpenDirectoryObject retval=00000000 ret=77f8584a 1011: NtOpenSymbolicLinkObject(0006fc80,00000001,0006fc30) ret=77f8588d nt_open_object object = KnownDllPath process_alloc_user_handle handle = 00000014 1011: NtOpenSymbolicLinkObject retval=00000000 ret=77f8588d 1011: NtQuerySymbolicLinkObject(00000014,77fcf008,00000000) ret=77f858bd access_allowed fixme: no access check 1011: NtQuerySymbolicLinkObject retval=00000000 ret=77f858bd 1011: NtClose(00000014) ret=77f858c7 NtClose 0x14 1011: NtClose retval=00000000 ret=77f858c7 1011 (debug 6f75c,70178,11) : LDR: NEW PROCESS 1011 (debug 6f754,11,43) : Image Path: \??\C:\WINNT\system32\winlogon.exe (winlogon.exe) 1011 (debug 6f758,43,2a) : Current Directory: C:\WINNT\system32 1011 (debug 6f758,43,3f) : Search Path: C:\WINNT\system32;C:\WINNT\system32;C:\WINNT 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f7f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f7f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f548,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f548 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f92c,00100020,0006f940,0006f904,00000003,00000021) ret=77f850ba NtCreateFile root (nil) attr 00000042 \??\C:\WINNT\system32 open_file root = (nil) name = \??\C:\WINNT\system32 open_unicode_dir open name : c:/winnt/system32 open_unicode_dir r = 200 open_file fd = 200 process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f850ba 1011: NtQueryVolumeInformationFile(00000014,0006f904,0006f924,00000008,00000004) ret=77f850d9 NtQueryVolumeInformationFile 0x14 0x6f904 0x6f924 8 4 1011: NtQueryVolumeInformationFile retval=c0000002 ret=77f850d9 1011: NtFreeVirtualMemory(ffffffff,0006f804,0006f808,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f804 0x6f808 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtClose(00000014) ret=77f9aace NtClose 0x14 1011: NtClose retval=00000000 ret=77f9aace 1011: NtAllocateVirtualMemory(ffffffff,0006f6fc,00000000,0006f71c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x72000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f7f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f7f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f548,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f548 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f92c,00100020,0006f940,0006f904,00000003,00000021) ret=77f850ba NtCreateFile root (nil) attr 00000042 \??\C:\WINNT open_file root = (nil) name = \??\C:\WINNT open_unicode_dir open name : c:/winnt open_unicode_dir r = 201 open_file fd = 201 process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f850ba 1011: NtQueryVolumeInformationFile(00000014,0006f904,0006f924,00000008,00000004) ret=77f850d9 NtQueryVolumeInformationFile 0x14 0x6f904 0x6f924 8 4 1011: NtQueryVolumeInformationFile retval=c0000002 ret=77f850d9 1011: NtFreeVirtualMemory(ffffffff,0006f804,0006f808,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f804 0x6f808 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtClose(00000014) ret=77f9aace NtClose 0x14 1011: NtClose retval=00000000 ret=77f9aace 1011 (debug 6f708,0,26) : LDR: winlogon.exe bound to MSVCRT.DLL 1011: NtAllocateVirtualMemory(ffffffff,0006f658,00000000,0006f678,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x72000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = MSVCRT.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFreeVirtualMemory(ffffffff,0006f78c,0006f790,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f78c 0x6f790 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtAllocateVirtualMemory(ffffffff,0006f674,00000000,0006f694,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x72000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\MSVCRT.DLL stat_unicode c:/winnt/system32/msvcrt.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\MSVCRT.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,33) : LDR: Loading (STATIC) C:\WINNT\system32\MSVCRT.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\MSVCRT.DLL open_file root = (nil) name = \??\C:\WINNT\system32\MSVCRT.DLL open_unicode_file open file : c:/winnt/system32/msvcrt.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x78000000 mapit read 5 sections, load at 78000000 mapit .text 00001000 00002000 00031000 00030568 mapit .rdata 00032000 00033000 00008000 00007574 mapit .data 0003a000 0003b000 00007000 00006d80 mapit .rsrc 00041000 00042000 00001000 000003a8 mapit .reloc 00042000 00043000 00003000 000025a4 NtMapViewOfSection mapped at 0x78000000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,26) : LDR: MSVCRT.DLL bound to KERNEL32.dll 1011: NtOpenSection(0006f7ec,0000000e,0006f7cc) ret=77f935ad nt_open_object object = KERNEL32.dll 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3a4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3a4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f768,0006f740) ret=77f8cb7a NtQueryAttributesFile 0x6f768 0x6f740 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\KERNEL32.dll stat_unicode c:/winnt/system32/kernel32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\KERNEL32.dll 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f698,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f698 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f5d8,0,35) : LDR: Loading (STATIC) C:\WINNT\system32\KERNEL32.dll 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f46c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f46c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f7f4,00100020,0006f7c4,0006f7dc,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\KERNEL32.dll open_file root = (nil) name = \??\C:\WINNT\system32\KERNEL32.dll open_unicode_file open file : c:/winnt/system32/kernel32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f85c,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f85c 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f860,00000000,00000000,00000000,0006f858,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f860 0 00000000 (nil) 0x6f858 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x7c4e0000 mapit read 4 sections, load at 7c4e0000 mapit .text 00001000 00000400 0005e400 0005e378 mapit .data 00060000 0005e800 00003200 000032b8 mapit .rsrc 00064000 00061a00 00050600 00050548 mapit .reloc 000b5000 000b2000 00003600 00003588 NtMapViewOfSection mapped at 0x7c4e0000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f610,0,25) : LDR: KERNEL32.dll bound to NTDLL.DLL 1011 (debug 6f610,0,33) : LDR: KERNEL32.dll has correct binding to NTDLL.DLL 1011 (debug 6f68c,0,34) : LDR: MSVCRT.DLL has correct binding to KERNEL32.dll 1011 (debug 6f688,6f68c,46) : LDR: MSVCRT.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f68c,46,31) : LDR: MSVCRT.DLL has correct binding to NTDLL.DLL 1011 (debug 6f708,0,34) : LDR: winlogon.exe has correct binding to MSVCRT.DLL 1011 (debug 6f708,0,28) : LDR: winlogon.exe bound to ADVAPI32.DLL 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = ADVAPI32.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\ADVAPI32.DLL stat_unicode c:/winnt/system32/advapi32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\ADVAPI32.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,35) : LDR: Loading (STATIC) C:\WINNT\system32\ADVAPI32.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\ADVAPI32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\ADVAPI32.DLL open_unicode_file open file : c:/winnt/system32/advapi32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x7c2d0000 mapit read 4 sections, load at 7c2d0000 mapit .text 00001000 00000400 00056200 00056162 mapit .data 00058000 00056600 00003200 0000330c mapit .rsrc 0005c000 00059800 00001400 00001260 mapit .reloc 0005e000 0005ac00 00003c00 00003be0 NtMapViewOfSection mapped at 0x7c2d0000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,25) : LDR: ADVAPI32.DLL bound to NTDLL.DLL 1011 (debug 6f68c,0,33) : LDR: ADVAPI32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f68c,0,28) : LDR: ADVAPI32.DLL bound to KERNEL32.DLL 1011 (debug 6f68c,0,36) : LDR: ADVAPI32.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f688,6f68c,48) : LDR: ADVAPI32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f68c,48,33) : LDR: ADVAPI32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f68c,48,26) : LDR: ADVAPI32.DLL bound to RPCRT4.DLL 1011: NtOpenSection(0006f7ec,0000000e,0006f7cc) ret=77f935ad nt_open_object object = RPCRT4.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3a4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3a4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f768,0006f740) ret=77f8cb7a NtQueryAttributesFile 0x6f768 0x6f740 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\RPCRT4.DLL stat_unicode c:/winnt/system32/rpcrt4.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\RPCRT4.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f698,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f698 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f5d8,0,33) : LDR: Loading (STATIC) C:\WINNT\system32\RPCRT4.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f46c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f46c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f7f4,00100020,0006f7c4,0006f7dc,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\RPCRT4.DLL open_file root = (nil) name = \??\C:\WINNT\system32\RPCRT4.DLL open_unicode_file open file : c:/winnt/system32/rpcrt4.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f85c,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f85c 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f860,00000000,00000000,00000000,0006f858,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f860 0 00000000 (nil) 0x6f858 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x77d30000 mapit read 5 sections, load at 77d30000 mapit .text 00001000 00000400 00062000 00061f9c mapit .orpc 00063000 00062400 00007e00 00007c27 mapit .data 0006b000 0006a200 00000e00 00000f6c mapit .rsrc 0006c000 0006b000 00000400 000003e0 mapit .reloc 0006d000 0006b400 00003a00 0000392c NtMapViewOfSection mapped at 0x77d30000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f610,0,23) : LDR: RPCRT4.DLL bound to NTDLL.DLL 1011 (debug 6f610,0,31) : LDR: RPCRT4.DLL has correct binding to NTDLL.DLL 1011 (debug 6f610,0,26) : LDR: RPCRT4.DLL bound to KERNEL32.DLL 1011 (debug 6f610,0,34) : LDR: RPCRT4.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f60c,6f610,46) : LDR: RPCRT4.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f610,46,31) : LDR: RPCRT4.DLL has correct binding to NTDLL.DLL 1011 (debug 6f610,46,26) : LDR: RPCRT4.DLL bound to ADVAPI32.DLL 1011 (debug 6f610,46,34) : LDR: RPCRT4.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f68c,0,34) : LDR: ADVAPI32.DLL has correct binding to RPCRT4.DLL 1011 (debug 6f708,0,36) : LDR: winlogon.exe has correct binding to ADVAPI32.DLL 1011 (debug 6f708,0,28) : LDR: winlogon.exe bound to KERNEL32.DLL 1011 (debug 6f708,0,36) : LDR: winlogon.exe has correct binding to KERNEL32.DLL 1011 (debug 6f704,6f708,48) : LDR: winlogon.exe bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f708,48,33) : LDR: winlogon.exe has correct binding to NTDLL.DLL 1011 (debug 6f708,48,25) : LDR: winlogon.exe bound to GDI32.DLL 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = GDI32.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\GDI32.DLL stat_unicode c:/winnt/system32/gdi32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\GDI32.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,32) : LDR: Loading (STATIC) C:\WINNT\system32\GDI32.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\GDI32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\GDI32.DLL open_unicode_file open file : c:/winnt/system32/gdi32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x77f40000 mapit read 4 sections, load at 77f40000 mapit .text 00001000 00000400 00036800 0003663a mapit .data 00038000 00036c00 00000a00 00000d28 mapit .rsrc 00039000 00037600 00000400 000003a8 mapit .reloc 0003a000 00037a00 00001600 00001518 NtMapViewOfSection mapped at 0x77f40000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,22) : LDR: GDI32.DLL bound to NTDLL.DLL 1011 (debug 6f68c,0,30) : LDR: GDI32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f68c,0,25) : LDR: GDI32.DLL bound to KERNEL32.DLL 1011 (debug 6f68c,0,33) : LDR: GDI32.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f688,6f68c,45) : LDR: GDI32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f68c,45,30) : LDR: GDI32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f68c,45,23) : LDR: GDI32.DLL bound to USER32.DLL 1011: NtOpenSection(0006f7ec,0000000e,0006f7cc) ret=77f935ad nt_open_object object = USER32.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3a4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3a4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f768,0006f740) ret=77f8cb7a NtQueryAttributesFile 0x6f768 0x6f740 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\USER32.DLL stat_unicode c:/winnt/system32/user32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\USER32.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f698,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f698 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f5d8,0,33) : LDR: Loading (STATIC) C:\WINNT\system32\USER32.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f46c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f46c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f7f4,00100020,0006f7c4,0006f7dc,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\USER32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\USER32.DLL open_unicode_file open file : c:/winnt/system32/user32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f85c,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f85c 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f860,00000000,00000000,00000000,0006f858,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f860 0 00000000 (nil) 0x6f858 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x77e10000 mapit read 4 sections, load at 77e10000 mapit .text 00001000 00000400 00057400 0005729a mapit .data 00059000 00057800 00000a00 00000e20 mapit .rsrc 0005a000 00058200 00007800 00007618 mapit .reloc 00062000 0005fa00 00002c00 00002ae8 NtMapViewOfSection mapped at 0x77e10000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f610,0,23) : LDR: USER32.DLL bound to NTDLL.DLL 1011 (debug 6f610,0,31) : LDR: USER32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f610,0,26) : LDR: USER32.DLL bound to KERNEL32.DLL 1011 (debug 6f610,0,34) : LDR: USER32.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f60c,6f610,46) : LDR: USER32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f610,46,31) : LDR: USER32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f610,46,23) : LDR: USER32.DLL bound to GDI32.DLL 1011 (debug 6f610,46,31) : LDR: USER32.DLL has correct binding to GDI32.DLL 1011 (debug 6f68c,0,31) : LDR: GDI32.DLL has correct binding to USER32.DLL 1011 (debug 6f708,0,33) : LDR: winlogon.exe has correct binding to GDI32.DLL 1011 (debug 6f708,0,26) : LDR: winlogon.exe bound to USER32.DLL 1011 (debug 6f708,0,34) : LDR: winlogon.exe has correct binding to USER32.DLL 1011 (debug 6f708,0,26) : LDR: winlogon.exe bound to RPCRT4.DLL 1011 (debug 6f708,0,34) : LDR: winlogon.exe has correct binding to RPCRT4.DLL 1011 (debug 6f708,0,25) : LDR: winlogon.exe bound to NTDLL.DLL 1011 (debug 6f708,0,33) : LDR: winlogon.exe has correct binding to NTDLL.DLL 1011 (debug 6f708,0,27) : LDR: winlogon.exe bound to USERENV.DLL 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = USERENV.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\USERENV.DLL stat_unicode c:/winnt/system32/userenv.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\USERENV.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,34) : LDR: Loading (STATIC) C:\WINNT\system32\USERENV.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\USERENV.DLL open_file root = (nil) name = \??\C:\WINNT\system32\USERENV.DLL open_unicode_file open file : c:/winnt/system32/userenv.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x7c0f0000 mapit read 4 sections, load at 7c0f0000 mapit .text 00001000 00000400 00052800 00052742 mapit .data 00054000 00052c00 00001a00 000018f8 mapit .rsrc 00056000 00054600 00007200 000071e0 mapit .reloc 0005e000 0005b800 00003a00 00003840 NtMapViewOfSection mapped at 0x7c0f0000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,25) : LDR: USERENV.DLL bound to MSVCRT.DLL 1011 (debug 6f68c,0,33) : LDR: USERENV.DLL has correct binding to MSVCRT.DLL 1011 (debug 6f68c,0,24) : LDR: USERENV.DLL bound to NTDLL.DLL 1011 (debug 6f68c,0,32) : LDR: USERENV.DLL has correct binding to NTDLL.DLL 1011 (debug 6f68c,0,27) : LDR: USERENV.DLL bound to KERNEL32.DLL 1011 (debug 6f68c,0,35) : LDR: USERENV.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f688,6f68c,47) : LDR: USERENV.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f68c,47,32) : LDR: USERENV.DLL has correct binding to NTDLL.DLL 1011 (debug 6f68c,47,27) : LDR: USERENV.DLL bound to ADVAPI32.DLL 1011 (debug 6f68c,47,35) : LDR: USERENV.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f68c,47,25) : LDR: USERENV.DLL bound to USER32.DLL 1011 (debug 6f68c,47,33) : LDR: USERENV.DLL has correct binding to USER32.DLL 1011 (debug 6f708,0,35) : LDR: winlogon.exe has correct binding to USERENV.DLL 1011 (debug 6f708,0,27) : LDR: winlogon.exe bound to NDDEAPI.DLL 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = NDDEAPI.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\NDDEAPI.DLL stat_unicode c:/winnt/system32/nddeapi.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\NDDEAPI.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,34) : LDR: Loading (STATIC) C:\WINNT\system32\NDDEAPI.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\NDDEAPI.DLL open_file root = (nil) name = \??\C:\WINNT\system32\NDDEAPI.DLL open_unicode_file open file : c:/winnt/system32/nddeapi.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x769a0000 mapit read 4 sections, load at 769a0000 mapit .text 00001000 00000400 00002c00 00002aa4 mapit .data 00004000 00003000 00000200 00000248 mapit .rsrc 00005000 00003200 00000a00 000008d0 mapit .reloc 00006000 00003c00 00000200 000001d8 NtMapViewOfSection mapped at 0x769a0000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,25) : LDR: NDDEAPI.DLL bound to MSVCRT.DLL 1011 (debug 6f68c,0,33) : LDR: NDDEAPI.DLL has correct binding to MSVCRT.DLL 1011 (debug 6f68c,0,25) : LDR: NDDEAPI.DLL bound to USER32.DLL 1011 (debug 6f68c,0,33) : LDR: NDDEAPI.DLL has correct binding to USER32.DLL 1011 (debug 6f68c,0,27) : LDR: NDDEAPI.DLL bound to KERNEL32.DLL 1011 (debug 6f68c,0,35) : LDR: NDDEAPI.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f68c,0,25) : LDR: NDDEAPI.DLL bound to RPCRT4.DLL 1011 (debug 6f68c,0,33) : LDR: NDDEAPI.DLL has correct binding to RPCRT4.DLL 1011 (debug 6f68c,0,27) : LDR: NDDEAPI.DLL bound to ADVAPI32.DLL 1011 (debug 6f68c,0,35) : LDR: NDDEAPI.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f708,0,35) : LDR: winlogon.exe has correct binding to NDDEAPI.DLL 1011 (debug 6f708,0,23) : LDR: winlogon.exe bound to SFC.DLL 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = SFC.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\SFC.DLL stat_unicode c:/winnt/system32/sfc.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\SFC.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,30) : LDR: Loading (STATIC) C:\WINNT\system32\SFC.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\SFC.DLL open_file root = (nil) name = \??\C:\WINNT\system32\SFC.DLL open_unicode_file open file : c:/winnt/system32/sfc.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x76980000 mapit read 4 sections, load at 76980000 mapit .text 00001000 00000600 0000be00 0000bc40 mapit .data 0000d000 0000c400 00000200 00003f14 mapit .rsrc 00011000 0000c600 00008200 000081c0 mapit .reloc 0001a000 00014800 00001000 00000e42 NtMapViewOfSection mapped at 0x76980000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,21) : LDR: SFC.DLL bound to MSVCRT.dll 1011 (debug 6f68c,0,2f) : LDR: SFC.DLL has correct binding to MSVCRT.dll 1011 (debug 6f68c,0,20) : LDR: SFC.DLL bound to ntdll.dll 1011 (debug 6f68c,0,2e) : LDR: SFC.DLL has correct binding to ntdll.dll 1011 (debug 6f68c,0,21) : LDR: SFC.DLL bound to USER32.dll 1011 (debug 6f68c,0,2f) : LDR: SFC.DLL has correct binding to USER32.dll 1011 (debug 6f68c,0,23) : LDR: SFC.DLL bound to KERNEL32.dll 1011 (debug 6f68c,0,31) : LDR: SFC.DLL has correct binding to KERNEL32.dll 1011 (debug 6f688,6f68c,43) : LDR: SFC.DLL bound to ntdll.dll via forwarder(s) from KERNEL32.dll 1011 (debug 6f68c,43,2e) : LDR: SFC.DLL has correct binding to ntdll.dll 1011 (debug 6f68c,43,21) : LDR: SFC.DLL bound to RPCRT4.dll 1011 (debug 6f68c,43,2f) : LDR: SFC.DLL has correct binding to RPCRT4.dll 1011 (debug 6f68c,43,23) : LDR: SFC.DLL bound to ADVAPI32.dll 1011 (debug 6f68c,43,31) : LDR: SFC.DLL has correct binding to ADVAPI32.dll 1011 (debug 6f68c,43,23) : LDR: SFC.DLL bound to sfcfiles.dll 1011: NtOpenSection(0006f7ec,0000000e,0006f7cc) ret=77f935ad nt_open_object object = sfcfiles.dll 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3a4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3a4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f768,0006f740) ret=77f8cb7a NtQueryAttributesFile 0x6f768 0x6f740 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\sfcfiles.dll stat_unicode c:/winnt/system32/sfcfiles.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\sfcfiles.dll 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f698,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f698 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f5d8,0,35) : LDR: Loading (STATIC) C:\WINNT\system32\sfcfiles.dll 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f46c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f46c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f7f4,00100020,0006f7c4,0006f7dc,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\sfcfiles.dll open_file root = (nil) name = \??\C:\WINNT\system32\sfcfiles.dll open_unicode_file open file : c:/winnt/system32/sfcfiles.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f85c,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f85c 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f860,00000000,00000000,00000000,0006f858,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f860 0 00000000 (nil) 0x6f858 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x68010000 mapit read 4 sections, load at 68010000 mapit .text 00001000 00000600 00000400 000002bf mapit .data 00002000 00000a00 000e5c00 000e5c08 mapit .rsrc 000e8000 000e6600 00000400 000003f0 mapit .reloc 000e9000 000e6a00 00006600 0000649e NtMapViewOfSection mapped at 0x68010000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f610,0,25) : LDR: sfcfiles.dll bound to ntdll.dll 1011 (debug 6f610,0,33) : LDR: sfcfiles.dll has correct binding to ntdll.dll 1011 (debug 6f68c,0,31) : LDR: SFC.DLL has correct binding to sfcfiles.dll 1011 (debug 6f708,0,31) : LDR: winlogon.exe has correct binding to SFC.DLL 1011 (debug 6f708,0,27) : LDR: winlogon.exe bound to SECUR32.DLL 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = SECUR32.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\SECUR32.DLL stat_unicode c:/winnt/system32/secur32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\SECUR32.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,34) : LDR: Loading (STATIC) C:\WINNT\system32\SECUR32.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\SECUR32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\SECUR32.DLL open_unicode_file open file : c:/winnt/system32/secur32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x7c340000 mapit read 4 sections, load at 7c340000 mapit .text 00001000 00000400 0000a800 0000a610 mapit .data 0000c000 0000ac00 00000400 000003f0 mapit .rsrc 0000d000 0000b000 00000400 000003f0 mapit .reloc 0000e000 0000b400 00000a00 00000818 NtMapViewOfSection mapped at 0x7c340000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,24) : LDR: SECUR32.DLL bound to NTDLL.DLL 1011 (debug 6f68c,0,32) : LDR: SECUR32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f68c,0,27) : LDR: SECUR32.DLL bound to KERNEL32.DLL 1011 (debug 6f68c,0,35) : LDR: SECUR32.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f68c,0,27) : LDR: SECUR32.DLL bound to ADVAPI32.DLL 1011 (debug 6f68c,0,35) : LDR: SECUR32.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f708,0,35) : LDR: winlogon.exe has correct binding to SECUR32.DLL 1011 (debug 6f708,0,27) : LDR: winlogon.exe bound to PROFMAP.DLL 1011: NtOpenSection(0006f868,0000000e,0006f848) ret=77f935ad nt_open_object object = PROFMAP.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f420,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f420 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f7e4,0006f7bc) ret=77f8cb7a NtQueryAttributesFile 0x6f7e4 0x6f7bc NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\PROFMAP.DLL stat_unicode c:/winnt/system32/profmap.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\PROFMAP.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f714,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f714 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f654,0,34) : LDR: Loading (STATIC) C:\WINNT\system32\PROFMAP.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f4e8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f4e8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f870,00100020,0006f840,0006f858,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\PROFMAP.DLL open_file root = (nil) name = \??\C:\WINNT\system32\PROFMAP.DLL open_unicode_file open file : c:/winnt/system32/profmap.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f8d8,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f8d8 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f8dc,00000000,00000000,00000000,0006f8d4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f8dc 0 00000000 (nil) 0x6f8d4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x690f0000 mapit read 4 sections, load at 690f0000 mapit .text 00001000 00000600 00006200 0000600c mapit .data 00008000 00006800 00000200 0000014c mapit .rsrc 00009000 00006a00 00000400 000003a8 mapit .reloc 0000a000 00006e00 00000600 000005f0 NtMapViewOfSection mapped at 0x690f0000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f68c,0,25) : LDR: PROFMAP.DLL bound to MSVCRT.dll 1011 (debug 6f68c,0,33) : LDR: PROFMAP.DLL has correct binding to MSVCRT.dll 1011 (debug 6f68c,0,24) : LDR: PROFMAP.DLL bound to ntdll.dll 1011 (debug 6f68c,0,32) : LDR: PROFMAP.DLL has correct binding to ntdll.dll 1011 (debug 6f68c,0,27) : LDR: PROFMAP.DLL bound to KERNEL32.dll 1011 (debug 6f68c,0,35) : LDR: PROFMAP.DLL has correct binding to KERNEL32.dll 1011 (debug 6f688,6f68c,47) : LDR: PROFMAP.DLL bound to ntdll.dll via forwarder(s) from KERNEL32.dll 1011 (debug 6f68c,47,32) : LDR: PROFMAP.DLL has correct binding to ntdll.dll 1011 (debug 6f68c,47,27) : LDR: PROFMAP.DLL bound to ADVAPI32.dll 1011 (debug 6f68c,47,35) : LDR: PROFMAP.DLL has correct binding to ADVAPI32.dll 1011 (debug 6f68c,47,25) : LDR: PROFMAP.DLL bound to USER32.dll 1011 (debug 6f68c,47,33) : LDR: PROFMAP.DLL has correct binding to USER32.dll 1011 (debug 6f68c,47,25) : LDR: PROFMAP.DLL bound to RPCRT4.dll 1011 (debug 6f68c,47,33) : LDR: PROFMAP.DLL has correct binding to RPCRT4.dll 1011 (debug 6f68c,47,27) : LDR: PROFMAP.DLL bound to NETAPI32.dll 1011: NtOpenSection(0006f7ec,0000000e,0006f7cc) ret=77f935ad nt_open_object object = NETAPI32.dll 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3a4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3a4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f768,0006f740) ret=77f8cb7a NtQueryAttributesFile 0x6f768 0x6f740 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\NETAPI32.dll stat_unicode c:/winnt/system32/netapi32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\NETAPI32.dll 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f698,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f698 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f5d8,0,35) : LDR: Loading (STATIC) C:\WINNT\system32\NETAPI32.dll 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f46c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f46c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f7f4,00100020,0006f7c4,0006f7dc,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\NETAPI32.dll open_file root = (nil) name = \??\C:\WINNT\system32\NETAPI32.dll open_unicode_file open file : c:/winnt/system32/netapi32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f85c,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f85c 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f860,00000000,00000000,00000000,0006f858,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f860 0 00000000 (nil) 0x6f858 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x75170000 mapit read 4 sections, load at 75170000 mapit .text 00001000 00000400 00046c00 00046ba6 mapit .data 00048000 00047000 00002600 00002644 mapit .rsrc 0004b000 00049600 00000400 000003d0 mapit .reloc 0004c000 00049a00 00002600 00002570 NtMapViewOfSection mapped at 0x75170000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f610,0,26) : LDR: NETAPI32.dll bound to MSVCRT.DLL 1011 (debug 6f610,0,34) : LDR: NETAPI32.dll has correct binding to MSVCRT.DLL 1011 (debug 6f610,0,25) : LDR: NETAPI32.dll bound to NTDLL.DLL 1011 (debug 6f610,0,33) : LDR: NETAPI32.dll has correct binding to NTDLL.DLL 1011 (debug 6f610,0,27) : LDR: NETAPI32.dll bound to SECUR32.DLL 1011 (debug 6f610,0,35) : LDR: NETAPI32.dll has correct binding to SECUR32.DLL 1011 (debug 6f610,0,28) : LDR: NETAPI32.dll bound to ADVAPI32.DLL 1011 (debug 6f610,0,36) : LDR: NETAPI32.dll has correct binding to ADVAPI32.DLL 1011 (debug 6f610,0,26) : LDR: NETAPI32.dll bound to NETRAP.DLL 1011: NtOpenSection(0006f770,0000000e,0006f750) ret=77f935ad nt_open_object object = NETRAP.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f328,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f328 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f6ec,0006f6c4) ret=77f8cb7a NtQueryAttributesFile 0x6f6ec 0x6f6c4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\NETRAP.DLL stat_unicode c:/winnt/system32/netrap.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\NETRAP.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f61c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f61c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f55c,0,33) : LDR: Loading (STATIC) C:\WINNT\system32\NETRAP.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3f0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3f0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f778,00100020,0006f748,0006f760,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\NETRAP.DLL open_file root = (nil) name = \??\C:\WINNT\system32\NETRAP.DLL open_unicode_file open file : c:/winnt/system32/netrap.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f7e0,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f7e0 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f7e4,00000000,00000000,00000000,0006f7dc,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f7e4 0 00000000 (nil) 0x6f7dc 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x751c0000 mapit read 4 sections, load at 751c0000 mapit .text 00001000 00000600 00001e00 00001cdf mapit .data 00003000 00002400 00000200 0000007c mapit .rsrc 00004000 00002600 00000400 000003d0 mapit .reloc 00005000 00002a00 00000200 0000014c NtMapViewOfSection mapped at 0x751c0000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f594,0,24) : LDR: NETRAP.DLL bound to MSVCRT.dll 1011 (debug 6f594,0,30) : LDR: NETRAP.DLL has stale binding to MSVCRT.dll 1011 (debug 6f594,0,2b) : LDR: Stale Bind MSVCRT.dll from NETRAP.DLL 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,00000004,0006f754) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 4 0x6f754 NtProtectVirtualMemory 0x751c1000 00000048 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,0006f77c,0006f754) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 456572 0x6f754 NtProtectVirtualMemory 0x751c1000 00000048 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,751c1000,00000048) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x751c1000 00000048 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f594,0,23) : LDR: NETRAP.DLL bound to ntdll.dll 1011 (debug 6f594,0,2f) : LDR: NETRAP.DLL has stale binding to ntdll.dll 1011 (debug 6f594,0,2a) : LDR: Stale Bind ntdll.dll from NETRAP.DLL 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,00000004,0006f754) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 4 0x6f754 NtProtectVirtualMemory 0x751c1000 00000048 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,0006f77c,0006f754) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 456572 0x6f754 NtProtectVirtualMemory 0x751c1000 00000048 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,751c1000,00000048) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x751c1000 00000048 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f594,0,26) : LDR: NETRAP.DLL bound to KERNEL32.dll 1011 (debug 6f594,0,32) : LDR: NETRAP.DLL has stale binding to KERNEL32.dll 1011 (debug 6f594,0,2d) : LDR: Stale Bind KERNEL32.dll from NETRAP.DLL 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,00000004,0006f754) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 4 0x6f754 NtProtectVirtualMemory 0x751c1000 00000048 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,0006f77c,0006f754) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 456572 0x6f754 NtProtectVirtualMemory 0x751c1000 00000048 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,751c1000,00000048) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x751c1000 00000048 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f610,0,32) : LDR: NETAPI32.dll has stale binding to NETRAP.DLL 1011 (debug 6f610,0,2d) : LDR: Stale Bind NETRAP.DLL from NETAPI32.dll 1011: NtProtectVirtualMemory(ffffffff,0006f808,0006f7cc,00000004,0006f7d0) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f808 0x6f7cc 4 0x6f7d0 NtProtectVirtualMemory 0x75171000 000005d4 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011: NtProtectVirtualMemory(ffffffff,0006f808,0006f7cc,751c02a5,0006f7d0) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f808 0x6f7cc 1964769957 0x6f7d0 NtProtectVirtualMemory 0x75171000 000005d4 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,75171000,000005d4) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x75171000 000005d4 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f610,0,26) : LDR: NETAPI32.dll bound to RPCRT4.DLL 1011 (debug 6f610,0,34) : LDR: NETAPI32.dll has correct binding to RPCRT4.DLL 1011 (debug 6f610,0,28) : LDR: NETAPI32.dll bound to KERNEL32.DLL 1011 (debug 6f610,0,36) : LDR: NETAPI32.dll has correct binding to KERNEL32.DLL 1011 (debug 6f60c,6f610,48) : LDR: NETAPI32.dll bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f610,48,33) : LDR: NETAPI32.dll has correct binding to NTDLL.DLL 1011 (debug 6f610,48,26) : LDR: NETAPI32.dll bound to SAMLIB.DLL 1011: NtOpenSection(0006f770,0000000e,0006f750) ret=77f935ad nt_open_object object = SAMLIB.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f328,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f328 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f6ec,0006f6c4) ret=77f8cb7a NtQueryAttributesFile 0x6f6ec 0x6f6c4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\SAMLIB.DLL stat_unicode c:/winnt/system32/samlib.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\SAMLIB.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f61c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f61c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f55c,0,33) : LDR: Loading (STATIC) C:\WINNT\system32\SAMLIB.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3f0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3f0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f778,00100020,0006f748,0006f760,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\SAMLIB.DLL open_file root = (nil) name = \??\C:\WINNT\system32\SAMLIB.DLL open_unicode_file open file : c:/winnt/system32/samlib.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f7e0,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f7e0 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f7e4,00000000,00000000,00000000,0006f7dc,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f7e4 0 00000000 (nil) 0x6f7dc 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x75150000 mapit read 4 sections, load at 75150000 mapit .text 00001000 00000400 00009000 00008fda mapit .data 0000a000 00009400 00002400 00002290 mapit .rsrc 0000d000 0000b800 00000400 000003c0 mapit .reloc 0000e000 0000bc00 00000600 00000544 NtMapViewOfSection mapped at 0x75150000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f594,0,23) : LDR: SAMLIB.DLL bound to NTDLL.DLL 1011 (debug 6f594,0,31) : LDR: SAMLIB.DLL has correct binding to NTDLL.DLL 1011 (debug 6f594,0,26) : LDR: SAMLIB.DLL bound to ADVAPI32.DLL 1011 (debug 6f594,0,34) : LDR: SAMLIB.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f594,0,24) : LDR: SAMLIB.DLL bound to RPCRT4.DLL 1011 (debug 6f594,0,32) : LDR: SAMLIB.DLL has correct binding to RPCRT4.DLL 1011 (debug 6f594,0,26) : LDR: SAMLIB.DLL bound to KERNEL32.DLL 1011 (debug 6f594,0,34) : LDR: SAMLIB.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f590,6f594,46) : LDR: SAMLIB.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f594,46,31) : LDR: SAMLIB.DLL has correct binding to NTDLL.DLL 1011 (debug 6f610,0,34) : LDR: NETAPI32.dll has correct binding to SAMLIB.DLL 1011 (debug 6f610,0,26) : LDR: NETAPI32.dll bound to WS2_32.DLL 1011: NtOpenSection(0006f770,0000000e,0006f750) ret=77f935ad nt_open_object object = WS2_32.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtAllocateVirtualMemory(ffffffff,0006f230,00000000,0006f250,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f328,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f328 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f6ec,0006f6c4) ret=77f8cb7a NtQueryAttributesFile 0x6f6ec 0x6f6c4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\WS2_32.DLL stat_unicode c:/winnt/system32/ws2_32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\WS2_32.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFreeVirtualMemory(ffffffff,0006f608,0006f60c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f608 0x6f60c 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f61c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f61c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f55c,70000,33) : LDR: Loading (STATIC) C:\WINNT\system32\WS2_32.DLL 1011: NtAllocateVirtualMemory(ffffffff,0006f2f8,00000000,0006f318,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3f0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3f0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f778,00100020,0006f748,0006f760,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\WS2_32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\WS2_32.DLL open_unicode_file open file : c:/winnt/system32/ws2_32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f7e0,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f7e0 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtFreeVirtualMemory(ffffffff,0006f6d8,0006f6dc,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f6d8 0x6f6dc 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtMapViewOfSection(00000018,ffffffff,0006f7e4,00000000,00000000,00000000,0006f7dc,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f7e4 0 00000000 (nil) 0x6f7dc 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x75030000 mapit read 4 sections, load at 75030000 mapit .text 00001000 00000400 0000f200 0000f00e mapit .data 00011000 0000f600 00000800 0000086c mapit .rsrc 00012000 0000fe00 00000400 000003e0 mapit .reloc 00013000 00010200 00000e00 00000d20 NtMapViewOfSection mapped at 0x75030000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f594,0,24) : LDR: WS2_32.DLL bound to MSVCRT.DLL 1011 (debug 6f594,0,32) : LDR: WS2_32.DLL has correct binding to MSVCRT.DLL 1011 (debug 6f594,0,26) : LDR: WS2_32.DLL bound to KERNEL32.DLL 1011 (debug 6f594,0,34) : LDR: WS2_32.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f590,6f594,46) : LDR: WS2_32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f594,46,31) : LDR: WS2_32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f594,46,26) : LDR: WS2_32.DLL bound to ADVAPI32.DLL 1011 (debug 6f594,46,34) : LDR: WS2_32.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f594,46,25) : LDR: WS2_32.DLL bound to WS2HELP.DLL 1011: NtOpenSection(0006f6f4,0000000e,0006f6d4) ret=77f935ad nt_open_object object = WS2HELP.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtAllocateVirtualMemory(ffffffff,0006f1b4,00000000,0006f1d4,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f2ac,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f2ac 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f670,0006f648) ret=77f8cb7a NtQueryAttributesFile 0x6f670 0x6f648 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\WS2HELP.DLL stat_unicode c:/winnt/system32/ws2help.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\WS2HELP.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFreeVirtualMemory(ffffffff,0006f58c,0006f590,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f58c 0x6f590 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f5a0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f5a0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f4e0,70000,34) : LDR: Loading (STATIC) C:\WINNT\system32\WS2HELP.DLL 1011: NtAllocateVirtualMemory(ffffffff,0006f27c,00000000,0006f29c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f374,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f374 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f6fc,00100020,0006f6cc,0006f6e4,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\WS2HELP.DLL open_file root = (nil) name = \??\C:\WINNT\system32\WS2HELP.DLL open_unicode_file open file : c:/winnt/system32/ws2help.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f764,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f764 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtFreeVirtualMemory(ffffffff,0006f65c,0006f660,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f65c 0x6f660 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtMapViewOfSection(00000018,ffffffff,0006f768,00000000,00000000,00000000,0006f760,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f768 0 00000000 (nil) 0x6f760 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x75020000 mapit read 4 sections, load at 75020000 mapit .text 00001000 00000400 00003600 00003578 mapit .data 00005000 00003a00 00000200 00000088 mapit .rsrc 00006000 00003c00 00000600 000004c8 mapit .reloc 00007000 00004200 00000400 000002c8 NtMapViewOfSection mapped at 0x75020000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f518,0,24) : LDR: WS2HELP.DLL bound to NTDLL.DLL 1011 (debug 6f518,0,30) : LDR: WS2HELP.DLL has stale binding to NTDLL.DLL 1011 (debug 6f518,0,2b) : LDR: Stale Bind NTDLL.DLL from WS2HELP.DLL 1011: NtProtectVirtualMemory(ffffffff,0006f710,0006f6d4,00000004,0006f6d8) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f710 0x6f6d4 4 0x6f6d8 NtProtectVirtualMemory 0x75021000 00000134 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011: NtProtectVirtualMemory(ffffffff,0006f710,0006f6d4,0006f700,0006f6d8) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f710 0x6f6d4 456448 0x6f6d8 NtProtectVirtualMemory 0x75021000 00000134 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,75021000,00000134) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x75021000 00000134 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f518,0,27) : LDR: WS2HELP.DLL bound to ADVAPI32.DLL 1011 (debug 6f518,0,33) : LDR: WS2HELP.DLL has stale binding to ADVAPI32.DLL 1011 (debug 6f518,0,2e) : LDR: Stale Bind ADVAPI32.DLL from WS2HELP.DLL 1011: NtProtectVirtualMemory(ffffffff,0006f710,0006f6d4,00000004,0006f6d8) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f710 0x6f6d4 4 0x6f6d8 NtProtectVirtualMemory 0x75021000 00000134 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011: NtProtectVirtualMemory(ffffffff,0006f710,0006f6d4,0006f700,0006f6d8) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f710 0x6f6d4 456448 0x6f6d8 NtProtectVirtualMemory 0x75021000 00000134 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,75021000,00000134) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x75021000 00000134 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f518,0,27) : LDR: WS2HELP.DLL bound to KERNEL32.DLL 1011 (debug 6f518,0,33) : LDR: WS2HELP.DLL has stale binding to KERNEL32.DLL 1011 (debug 6f514,6f518,47) : LDR: WS2HELP.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f518,47,30) : LDR: WS2HELP.DLL has stale binding to NTDLL.DLL 1011 (debug 6f518,47,2e) : LDR: Stale Bind KERNEL32.DLL from WS2HELP.DLL 1011: NtProtectVirtualMemory(ffffffff,0006f710,0006f6d4,00000004,0006f6d8) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f710 0x6f6d4 4 0x6f6d8 NtProtectVirtualMemory 0x75021000 00000134 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011 (debug 6f18c,4c,29) : LDR: LdrLoadDll, loading NTDLL.dll from 1011 (debug 6f374,0,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f370,6f374,20) : NAME - RtlDeleteCriticalSection 1011 (debug 6f18c,4c,29) : LDR: LdrLoadDll, loading NTDLL.dll from 1011 (debug 6f374,20,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f370,6f374,1f) : NAME - RtlLeaveCriticalSection 1011 (debug 6f18c,4c,29) : LDR: LdrLoadDll, loading NTDLL.dll from 1011 (debug 6f374,1f,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f370,6f374,1f) : NAME - RtlEnterCriticalSection 1011: NtProtectVirtualMemory(ffffffff,0006f710,0006f6d4,0006f700,0006f6d8) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f710 0x6f6d4 456448 0x6f6d8 NtProtectVirtualMemory 0x75021000 00000134 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,75021000,00000134) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x75021000 00000134 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f594,8395,31) : LDR: WS2_32.DLL has stale binding to WS2HELP.DLL 1011 (debug 6f594,8395,2c) : LDR: Stale Bind WS2HELP.DLL from WS2_32.DLL 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,00000004,0006f754) ret=77f822b5 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 4 0x6f754 NtProtectVirtualMemory 0x75031000 00000184 1011: NtProtectVirtualMemory retval=00000000 ret=77f822b5 1011: NtProtectVirtualMemory(ffffffff,0006f78c,0006f750,750202a7,0006f754) ret=77f82357 NtProtectVirtualMemory 0xffffffff 0x6f78c 0x6f750 1963066023 0x6f754 NtProtectVirtualMemory 0x75031000 00000184 1011: NtProtectVirtualMemory retval=00000000 ret=77f82357 1011: NtFlushInstructionCache(ffffffff,75031000,00000184) ret=77f82364 NtFlushInstructionCache 0xffffffff 0x75031000 00000184 1011: NtFlushInstructionCache retval=00000000 ret=77f82364 1011 (debug 6f610,6f301,34) : LDR: NETAPI32.dll has correct binding to WS2_32.DLL 1011 (debug 6f610,6f301,27) : LDR: NETAPI32.dll bound to WLDAP32.DLL 1011: NtOpenSection(0006f770,0000000e,0006f750) ret=77f935ad nt_open_object object = WLDAP32.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtAllocateVirtualMemory(ffffffff,0006f230,00000000,0006f250,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f328,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f328 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f6ec,0006f6c4) ret=77f8cb7a NtQueryAttributesFile 0x6f6ec 0x6f6c4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\WLDAP32.DLL stat_unicode c:/winnt/system32/wldap32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\WLDAP32.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFreeVirtualMemory(ffffffff,0006f608,0006f60c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f608 0x6f60c 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f61c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f61c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f55c,70000,34) : LDR: Loading (STATIC) C:\WINNT\system32\WLDAP32.DLL 1011: NtAllocateVirtualMemory(ffffffff,0006f2f8,00000000,0006f318,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3f0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3f0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f778,00100020,0006f748,0006f760,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\WLDAP32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\WLDAP32.DLL open_unicode_file open file : c:/winnt/system32/wldap32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f7e0,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f7e0 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtFreeVirtualMemory(ffffffff,0006f6d8,0006f6dc,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f6d8 0x6f6dc 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtMapViewOfSection(00000018,ffffffff,0006f7e4,00000000,00000000,00000000,0006f7dc,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f7e4 0 00000000 (nil) 0x6f7dc 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x77950000 mapit read 4 sections, load at 77950000 mapit .text 00001000 00000400 0001da00 0001d86c mapit .data 0001f000 0001de00 00007800 00007854 mapit .rsrc 00027000 00025600 00001000 00000e98 mapit .reloc 00028000 00026600 00001200 000010b0 NtMapViewOfSection mapped at 0x77950000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f594,0,25) : LDR: WLDAP32.DLL bound to MSVCRT.DLL 1011 (debug 6f594,0,33) : LDR: WLDAP32.DLL has correct binding to MSVCRT.DLL 1011 (debug 6f594,0,27) : LDR: WLDAP32.DLL bound to KERNEL32.DLL 1011 (debug 6f594,0,35) : LDR: WLDAP32.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f590,6f594,47) : LDR: WLDAP32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f594,47,32) : LDR: WLDAP32.DLL has correct binding to NTDLL.DLL 1011 (debug 6f594,47,27) : LDR: WLDAP32.DLL bound to ADVAPI32.DLL 1011 (debug 6f594,47,35) : LDR: WLDAP32.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f610,0,35) : LDR: NETAPI32.dll has correct binding to WLDAP32.DLL 1011 (debug 6f610,0,26) : LDR: NETAPI32.dll bound to DNSAPI.DLL 1011: NtOpenSection(0006f770,0000000e,0006f750) ret=77f935ad nt_open_object object = DNSAPI.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtAllocateVirtualMemory(ffffffff,0006f230,00000000,0006f250,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f328,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f328 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f6ec,0006f6c4) ret=77f8cb7a NtQueryAttributesFile 0x6f6ec 0x6f6c4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\DNSAPI.DLL stat_unicode c:/winnt/system32/dnsapi.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\DNSAPI.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFreeVirtualMemory(ffffffff,0006f608,0006f60c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f608 0x6f60c 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f61c,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f61c 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f55c,70000,33) : LDR: Loading (STATIC) C:\WINNT\system32\DNSAPI.DLL 1011: NtAllocateVirtualMemory(ffffffff,0006f2f8,00000000,0006f318,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3f0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3f0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f778,00100020,0006f748,0006f760,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\DNSAPI.DLL open_file root = (nil) name = \??\C:\WINNT\system32\DNSAPI.DLL open_unicode_file open file : c:/winnt/system32/dnsapi.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f7e0,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f7e0 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtFreeVirtualMemory(ffffffff,0006f6d8,0006f6dc,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f6d8 0x6f6dc 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtMapViewOfSection(00000018,ffffffff,0006f7e4,00000000,00000000,00000000,0006f7dc,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f7e4 0 00000000 (nil) 0x6f7dc 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x77980000 mapit read 4 sections, load at 77980000 mapit .text 00001000 00000400 0001e000 0001df3c mapit .data 0001f000 0001e400 00001200 00001298 mapit .rsrc 00021000 0001f600 00000400 000003b8 mapit .reloc 00022000 0001fa00 00001400 000013a0 NtMapViewOfSection mapped at 0x77980000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f594,0,24) : LDR: DNSAPI.DLL bound to MSVCRT.DLL 1011 (debug 6f594,0,32) : LDR: DNSAPI.DLL has correct binding to MSVCRT.DLL 1011 (debug 6f594,0,26) : LDR: DNSAPI.DLL bound to ADVAPI32.DLL 1011 (debug 6f594,0,34) : LDR: DNSAPI.DLL has correct binding to ADVAPI32.DLL 1011 (debug 6f594,0,26) : LDR: DNSAPI.DLL bound to KERNEL32.DLL 1011 (debug 6f594,0,34) : LDR: DNSAPI.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f590,6f594,46) : LDR: DNSAPI.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll 1011 (debug 6f594,46,31) : LDR: DNSAPI.DLL has correct binding to NTDLL.DLL 1011 (debug 6f594,46,25) : LDR: DNSAPI.DLL bound to WSOCK32.DLL 1011: NtOpenSection(0006f6f4,0000000e,0006f6d4) ret=77f935ad nt_open_object object = WSOCK32.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtAllocateVirtualMemory(ffffffff,0006f4c8,00000000,0006f4e8,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f2ac,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f2ac 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f670,0006f648) ret=77f8cb7a NtQueryAttributesFile 0x6f670 0x6f648 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\WSOCK32.DLL stat_unicode c:/winnt/system32/wsock32.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\WSOCK32.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f5a0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f5a0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtFreeVirtualMemory(ffffffff,0006f5fc,0006f600,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f5fc 0x6f600 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtAllocateVirtualMemory(ffffffff,0006f500,00000000,0006f520,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x73000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011 (debug 6f4e0,77fcbaef,34) : LDR: Loading (STATIC) C:\WINNT\system32\WSOCK32.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f374,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f374 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f6fc,00100020,0006f6cc,0006f6e4,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\WSOCK32.DLL open_file root = (nil) name = \??\C:\WINNT\system32\WSOCK32.DLL open_unicode_file open file : c:/winnt/system32/wsock32.dll process_alloc_user_handle handle = 00000014 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f764,0000000f,00000000,00000000,00000010,01000000,00000014) ret=77f8e946 NtCreateSection 0x6f764 0000000f (nil) (nil) 00000010 01000000 0x14 access_allowed fixme: no access check process_alloc_user_handle handle = 00000018 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000014) ret=77f8e951 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000018,ffffffff,0006f768,00000000,00000000,00000000,0006f760,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x18 0xffffffff 0x6f768 0 00000000 (nil) 0x6f760 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x75050000 mapit read 3 sections, load at 75050000 mapit .text 00001000 00000400 00002200 000020fc mapit .rsrc 00004000 00002600 00002c00 00002ad0 mapit .reloc 00007000 00005200 00000200 00000028 NtMapViewOfSection mapped at 0x75050000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000018) ret=77f870b4 NtClose 0x18 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f518,0,27) : LDR: WSOCK32.DLL bound to KERNEL32.DLL 1011 (debug 6f518,0,35) : LDR: WSOCK32.DLL has correct binding to KERNEL32.DLL 1011 (debug 6f518,0,25) : LDR: WSOCK32.DLL bound to WS2_32.DLL 1011 (debug 6f518,0,33) : LDR: WSOCK32.DLL has correct binding to WS2_32.DLL 1011 (debug 6f594,0,33) : LDR: DNSAPI.DLL has correct binding to WSOCK32.DLL 1011 (debug 6f590,6f594,46) : LDR: DNSAPI.DLL bound to ws2_32.DLL via forwarder(s) from WSOCK32.DLL 1011 (debug 6f594,46,32) : LDR: DNSAPI.DLL has correct binding to ws2_32.DLL 1011 (debug 6f594,46,24) : LDR: DNSAPI.DLL bound to RPCRT4.DLL 1011 (debug 6f594,46,32) : LDR: DNSAPI.DLL has correct binding to RPCRT4.DLL 1011 (debug 6f610,0,34) : LDR: NETAPI32.dll has correct binding to DNSAPI.DLL 1011 (debug 6f68c,0,35) : LDR: PROFMAP.DLL has correct binding to NETAPI32.dll 1011 (debug 6f708,20498,35) : LDR: winlogon.exe has correct binding to PROFMAP.DLL 1011 (debug 6f71c,78652e6e,1f) : LDR: Refcount MSVCRT.DLL (1) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.dll (1) 1011 (debug 6f71c,78652e6e,21) : LDR: Refcount ADVAPI32.DLL (1) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.DLL (2) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount RPCRT4.DLL (1) 1011 (debug 6f6ac,74636572,21) : LDR: Refcount KERNEL32.DLL (3) 1011 (debug 6f6ac,74636572,21) : LDR: Refcount ADVAPI32.DLL (2) 1011 (debug 6f71c,78652e6e,21) : LDR: Refcount KERNEL32.DLL (4) 1011 (debug 6f71c,78652e6e,1e) : LDR: Refcount GDI32.DLL (1) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.DLL (5) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount USER32.DLL (1) 1011 (debug 6f6ac,74636572,21) : LDR: Refcount KERNEL32.DLL (6) 1011 (debug 6f6ac,74636572,1e) : LDR: Refcount GDI32.DLL (2) 1011 (debug 6f71c,78652e6e,1f) : LDR: Refcount USER32.DLL (2) 1011 (debug 6f71c,78652e6e,1f) : LDR: Refcount RPCRT4.DLL (2) 1011 (debug 6f71c,78652e6e,20) : LDR: Refcount USERENV.DLL (1) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount MSVCRT.DLL (2) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.DLL (7) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount ADVAPI32.DLL (3) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount USER32.DLL (3) 1011 (debug 6f71c,78652e6e,20) : LDR: Refcount NDDEAPI.DLL (1) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount MSVCRT.DLL (3) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount USER32.DLL (4) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.DLL (8) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount RPCRT4.DLL (3) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount ADVAPI32.DLL (4) 1011 (debug 6f71c,78652e6e,1c) : LDR: Refcount SFC.DLL (1) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount MSVCRT.dll (4) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount USER32.dll (5) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.dll (9) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount RPCRT4.dll (4) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount ADVAPI32.dll (5) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount sfcfiles.dll (1) 1011 (debug 6f71c,78652e6e,20) : LDR: Refcount SECUR32.DLL (1) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.DLL (a) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount ADVAPI32.DLL (6) 1011 (debug 6f71c,78652e6e,20) : LDR: Refcount PROFMAP.DLL (1) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount MSVCRT.dll (5) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount KERNEL32.dll (b) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount ADVAPI32.dll (7) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount USER32.dll (6) 1011 (debug 6f6e4,77f91508,1f) : LDR: Refcount RPCRT4.dll (5) 1011 (debug 6f6e4,77f91508,21) : LDR: Refcount NETAPI32.dll (1) 1011 (debug 6f6ac,74636572,1f) : LDR: Refcount MSVCRT.DLL (6) 1011 (debug 6f6ac,74636572,20) : LDR: Refcount SECUR32.DLL (2) 1011 (debug 6f6ac,74636572,21) : LDR: Refcount ADVAPI32.DLL (8) 1011 (debug 6f6ac,74636572,1f) : LDR: Refcount NETRAP.DLL (1) 1011 (debug 6f674,10002a0,1f) : LDR: Refcount MSVCRT.dll (7) 1011 (debug 6f674,10002a0,21) : LDR: Refcount KERNEL32.dll (c) 1011 (debug 6f6ac,74636572,1f) : LDR: Refcount RPCRT4.DLL (6) 1011 (debug 6f6ac,74636572,21) : LDR: Refcount KERNEL32.DLL (d) 1011 (debug 6f6ac,74636572,1f) : LDR: Refcount SAMLIB.DLL (1) 1011 (debug 6f674,10002a0,21) : LDR: Refcount ADVAPI32.DLL (9) 1011 (debug 6f674,10002a0,1f) : LDR: Refcount RPCRT4.DLL (7) 1011 (debug 6f674,10002a0,21) : LDR: Refcount KERNEL32.DLL (e) 1011 (debug 6f6ac,74636572,1f) : LDR: Refcount WS2_32.DLL (1) 1011 (debug 6f674,10002a0,1f) : LDR: Refcount MSVCRT.DLL (8) 1011 (debug 6f674,10002a0,21) : LDR: Refcount KERNEL32.DLL (f) 1011 (debug 6f674,10002a0,21) : LDR: Refcount ADVAPI32.DLL (a) 1011 (debug 6f674,10002a0,20) : LDR: Refcount WS2HELP.DLL (1) 1011 (debug 6f63c,690f02a0,21) : LDR: Refcount ADVAPI32.DLL (b) 1011 (debug 6f63c,690f02a0,22) : LDR: Refcount KERNEL32.DLL (10) 1011 (debug 6f6ac,74636572,20) : LDR: Refcount WLDAP32.DLL (1) 1011 (debug 6f674,10002a0,1f) : LDR: Refcount MSVCRT.DLL (9) 1011 (debug 6f674,10002a0,22) : LDR: Refcount KERNEL32.DLL (11) 1011 (debug 6f674,10002a0,21) : LDR: Refcount ADVAPI32.DLL (c) 1011 (debug 6f6ac,74636572,1f) : LDR: Refcount DNSAPI.DLL (1) 1011 (debug 6f674,10002a0,1f) : LDR: Refcount MSVCRT.DLL (a) 1011 (debug 6f674,10002a0,21) : LDR: Refcount ADVAPI32.DLL (d) 1011 (debug 6f674,10002a0,22) : LDR: Refcount KERNEL32.DLL (12) 1011 (debug 6f674,10002a0,20) : LDR: Refcount WSOCK32.DLL (1) 1011 (debug 6f63c,690f02a0,22) : LDR: Refcount KERNEL32.DLL (13) 1011 (debug 6f63c,690f02a0,1f) : LDR: Refcount WS2_32.DLL (2) 1011 (debug 6f674,10002a0,1f) : LDR: Refcount ws2_32.DLL (3) 1011 (debug 6f674,10002a0,1f) : LDR: Refcount RPCRT4.DLL (8) 1011: NtOpenKey(0006f794,80000000,0006f770) ret=77f91379 NtOpenKey 0x6f794 80000000 0x6f770 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe open_parse_key remaining = Image File Execution Options\winlogon.exe NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77f91379 1011 (debug 6f6e8,21,14) : LDR: Real INIT LIST 1011 (debug 6f6e0,60014,3a) : C:\WINNT\system32\KERNEL32.dll init routine 7c4ece51 1011 (debug 6f6e0,60014,38) : C:\WINNT\system32\MSVCRT.DLL init routine 78001000 1011 (debug 6f6e0,60014,38) : C:\WINNT\system32\RPCRT4.DLL init routine 77d34884 1011 (debug 6f6e0,60014,3a) : C:\WINNT\system32\ADVAPI32.DLL init routine 7c2d17e4 1011 (debug 6f6e0,60014,38) : C:\WINNT\system32\USER32.DLL init routine 77e311c5 1011 (debug 6f6e0,60014,39) : C:\WINNT\system32\USERENV.DLL init routine 7c0f1506 1011 (debug 6f6e0,60014,39) : C:\WINNT\system32\NDDEAPI.DLL init routine 769a1084 1011 (debug 6f6e0,60014,3a) : C:\WINNT\system32\sfcfiles.dll init routine 68011080 1011 (debug 6f6e0,60014,35) : C:\WINNT\system32\SFC.DLL init routine 769867e5 1011 (debug 6f6e0,60014,39) : C:\WINNT\system32\SECUR32.DLL init routine 7c342b19 1011 (debug 6f6e0,60014,38) : C:\WINNT\system32\SAMLIB.DLL init routine 751510d4 1011 (debug 6f6e0,60014,39) : C:\WINNT\system32\WS2HELP.DLL init routine 750211ae 1011 (debug 6f6e0,60014,38) : C:\WINNT\system32\WS2_32.DLL init routine 75031c85 1011 (debug 6f6e0,60014,39) : C:\WINNT\system32\WLDAP32.DLL init routine 779510c0 1011 (debug 6f6e0,60014,38) : C:\WINNT\system32\DNSAPI.DLL init routine 77987ce8 1011 (debug 6f6e0,60014,3a) : C:\WINNT\system32\NETAPI32.dll init routine 751728d6 1011 (debug 6f6e0,60014,39) : C:\WINNT\system32\PROFMAP.DLL init routine 690f5ce0 1011 (debug 6f6e4,39,19) : LDR: KERNEL32.dll loaded. 1011 (debug 6f6e4,39,24) : - Calling init routine at 7c4ece51 1011: NtQuerySystemInformation(00000032,7c5417b8,00000004,00000000) ret=7c4e7f8f NtQuerySystemInformation 50 0x7c5417b8 4 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=7c4e7f8f 1011: NtQuerySystemInformation(00000000,77fcf600,0000002c,00000000) ret=77f8b8ed NtQuerySystemInformation 0 0x77fcf600 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=77f8b8ed 1011: NtCreateSection(0006f5b8,000f001f,00000000,0006f5a0,00000004,04000000,00000000) ret=77f8ba21 NtCreateSection 0x6f5b8 000f001f (nil) 0x6f5a0 00000004 04000000 (nil) process_alloc_user_handle handle = 00000014 1011: NtCreateSection retval=00000000 ret=77f8ba21 1011: NtSecureConnectPort(77fcf1d4,77fcf160,0006f594,0006f570,000729c8,0006f588,0006f5b0,0006f548,0006f5b4) ret=77f8baa1 NtSecureConnectPort 0x77fcf1d4 0x77fcf160 0x6f594 0x6f570 0x729c8 0x6f588 0x6f5b0 0x6f548 0x6f5b4 access_allowed fixme: no access check connect_port \Windows\ApiPort access_allowed fixme: no access check dump DataSize = 40 dump MessageSize = 64 dump MessageType = 10 (LPC_CONNECTION_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 264 dump SectionSize = 00010000 address 0x80c51ac 00 00 01 00 6e 00 20 00 4f 00 70 00 74 00 69 00 ....n. .O.p.t.i. 6f 00 6e 00 73 00 5c 00 77 00 69 00 6e 00 6c 00 o.n.s.\.w.i.n.l. 6f 00 67 00 6f 00 6e 00 o.g.o.n. 0a0d: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a0d: NtDuplicateObject(ffffffff,00000018,00000014,0054ff4c,00000000,00000000,00000006) ret=5ff9495a NtDuplicateObject 0xffffffff 0x18 0x14 0x54ff4c 00000000 00000000 00000006 NtDuplicateObject source process 0x80bd2d0 access_allowed fixme: no access check NtDuplicateObject target process 0x80c1c20 process_alloc_user_handle handle = 00000018 NtDuplicateObject new handle is 0x18 0a0d: NtDuplicateObject retval=00000000 ret=5ff9495a 0a0d: NtMapViewOfSection(0000001c,00000014,5ff988ec,00000000,00000000,00000000,0054fe8c,00000002,00400000,00000020) ret=5ff93808 NtMapViewOfSection 0x1c 0x14 0x5ff988ec 0 00000000 (nil) 0x54fe8c 2 00400000 00000020 access_allowed fixme: no access check access_allowed fixme: no access check NtMapViewOfSection requested specific address 0x7fe70000 mapit anonymous map NtMapViewOfSection mapped at 0x7fe70000 0a0d: NtMapViewOfSection retval=00000000 ret=5ff93808 0a0d: NtAcceptConnectPort(0054feb0,00000006,0054ff2c,00000001,00000000,0054fea0) ret=5ff949bb NtAcceptConnectPort 0x54feb0 6 0x54ff2c 1 (nil) 0x54fea0 NtAcceptConnectPort 00000108 00000108 mapit anonymous map mapit anonymous map accept_connect theirs=0x5d0000 ours=0x170000 process_alloc_user_handle handle = 00000094 0a0d: NtAcceptConnectPort retval=00000000 ret=5ff949bb 0a0d: NtCompleteConnectPort(00000094) ret=5ff949e5 NtCompleteConnectPort 0x94 access_allowed fixme: no access check 0a0d: NtCompleteConnectPort retval=00000000 ret=5ff949e5 process_alloc_user_handle handle = 0000001c connect_port ServerSharedMemory = 0x6f588 1011: NtSecureConnectPort retval=00000000 ret=77f8baa1 0a0d: NtReplyWaitReceivePort(00000070,0054ff08,00000000,0054ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x70 0x54ff08 (nil) 0x54ff2c access_allowed fixme: no access check reply_wait_receive 0x80c0948 (nil) (nil) 1011: NtClose(00000014) ret=77f8bab3 NtClose 0x14 1011: NtClose retval=00000000 ret=77f8bab3 1011: NtQueryObject(0000001c,00000004,0006f532,00000002,00000000) ret=77f8b949 NtQueryObject 0x1c 4 0x6f532 2 (nil) access_allowed fixme: no access check 1011: NtQueryObject retval=00000000 ret=77f8b949 1011: NtSetInformationObject(0000001c,00000004,0006f532,00000002) ret=77f8b965 NtSetInformationObject 0x1c 4 0x6f532 2 access_allowed fixme: no access check 1011: NtSetInformationObject retval=00000000 ret=77f8b965 1011: NtQuerySystemInformation(00000000,0006f48c,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x6f48c 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=77fcb540 1011: NtQueryVirtualMemory(ffffffff,00170000,00000000,0006f4d0,0000001c,00000000) ret=77fccbc8 NtQueryVirtualMemory 0xffffffff 0x170000 0 0x6f4d0 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77fccbc8 1011: NtQueryVirtualMemory(ffffffff,00180000,00000000,0006f4d0,0000001c,00000000) ret=77fcd26c NtQueryVirtualMemory 0xffffffff 0x180000 0 0x6f4d0 28 (nil) query no areas found! 1011: NtQueryVirtualMemory retval=c000000d ret=77fcd26c 1011: NtCreateEvent(00170618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x170618 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000014 1011: NtCreateEvent retval=00000000 ret=77f94ac1 1011: NtRequestWaitReplyPort(0000001c,0006f5d8,0006f5d8) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6f5d8 0x6f5d8 access_allowed fixme: no access check dump DataSize = 28 dump MessageSize = 52 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 265 dump SectionSize = 00000000 address 0x80c2ed4 88 06 5d 00 00 00 00 00 08 00 00 00 f8 ff ff ff ..]............. 01 00 00 00 9c 06 5d 00 04 00 00 00 ......]..... 0a0d: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a0d: NtQuerySystemInformation(00000000,0054fb28,0000002c,00000000) ret=77faf12b NtQuerySystemInformation 0 0x54fb28 44 (nil) 0a0d: NtQuerySystemInformation retval=00000000 ret=77faf12b 0a0d: NtAllocateVirtualMemory(ffffffff,0054fb5c,00000000,0054fb6c,00002000,00000004) ret=77faf1b0 NtAllocateVirtualMemory returns 0x5e0000 00040000 00000000 0a0d: NtAllocateVirtualMemory retval=00000000 ret=77faf1b0 0a0d: NtAllocateVirtualMemory(ffffffff,0054fb5c,00000000,0054fb70,00001000,00000004) ret=77faf1fa NtAllocateVirtualMemory returns 0x61d000 00003000 00000000 0a0d: NtAllocateVirtualMemory retval=00000000 ret=77faf1fa 0a0d: NtProtectVirtualMemory(ffffffff,0054fb5c,0054fb58,00000104,0054fb54) ret=77faf226 NtProtectVirtualMemory 0xffffffff 0x54fb5c 0x54fb58 260 0x54fb54 NtProtectVirtualMemory 0x61d000 00001000 0a0d: NtProtectVirtualMemory retval=00000000 ret=77faf226 0a0d: NtWriteVirtualMemory(ffffffff,0061fffc,0054fb6c,00000004,00000000) ret=77fb126d NtWriteVirtualMemory 0xffffffff 0x61fffc 0x54fb6c 00000004 (nil) NtWriteVirtualMemory 0xb5708ffc <- 0xb6729b6c 4 NtWriteVirtualMemory wrote 4 bytes 0a0d: NtWriteVirtualMemory retval=00000000 ret=77fb126d 0a0d: NtCreateThread(0054fe94,001f03ff,0054fe60,ffffffff,0054fe78,0054fb80,0054fe4c,00000001) ret=77faf6ee NtCreateThread 0x54fe94 001f03ff 0x54fe60 0xffffffff 0x54fe78 0x54fb80 0x54fe4c 1 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000098 0a0d: NtCreateThread retval=00000000 ret=77faf6ee 0a0d: NtResumeThread(00000098,00000000) ret=5ff93f30 NtResumeThread 0x98 (nil) access_allowed fixme: no access check 0a0d: NtResumeThread retval=00000000 ret=5ff93f30 0a12: NtTestAlert() ret=77f84bcb 0a12: NtTestAlert retval=00000000 ret=77f84bcb 0a0d: NtReplyWaitReceivePort(00000094,0054ff08,0054ff2c,0054ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x54ff08 0x54ff2c 0x54ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c2eb0 (nil) dump DataSize = 28 dump MessageSize = 52 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 000d dump MessageId = 265 dump SectionSize = 00000000 address 0x80c2ed4 88 39 17 00 00 00 00 00 00 00 00 00 f8 ff ff ff .9.............. 01 00 00 00 9c 06 5d 00 04 00 00 00 ......]..... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 0a12: NtContinue(0061fd28,00000001) ret=77f8855e NtContinue 0x61fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:5ff93f6d ss:esp 0020:0061fff8 ds 007b es 007b fs 003b gs 0000 0a12: NtContinue retval=00000000 ret=77f8855e 1011: NtFreeVirtualMemory(ffffffff,0006f514,0006f518,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f514 0x6f518 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0a12: NtReplyWaitReceivePort(00000070,0061ff08,00000000,0061ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x70 0x61ff08 (nil) 0x61ff2c access_allowed fixme: no access check reply_wait_receive 0x80c0948 (nil) (nil) 1011: NtRegisterThreadTerminatePort(0000001c) ret=77f84bd7 NtRegisterThreadTerminatePort 0x1c access_allowed fixme: no access check 1011: NtRegisterThreadTerminatePort retval=00000000 ret=77f84bd7 1011: NtQueryAttributesFile(0006f674,0006f64c) ret=77f8cb7a NtQueryAttributesFile 0x6f674 0x6f64c NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\winlogon.exe.Local stat_unicode c:/??/c:/winnt/system32/winlogon.exe.local -> -1 1011: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 1011: NtOpenSection(0006f678,00000004,0006f618) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionUnicode process_alloc_user_handle handle = 00000020 1011: NtOpenSection retval=00000000 ret=7c4ea47d 1011: NtMapViewOfSection(00000020,ffffffff,0006f67c,00000000,00000000,00000000,0006f600,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x20 0xffffffff 0x6f67c 0 00000000 (nil) 0x6f600 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x180000 1011: NtMapViewOfSection retval=00000000 ret=7c4f9861 1011: NtClose(00000020) ret=7c4f9832 NtClose 0x20 1011: NtClose retval=00000000 ret=7c4f9832 1011: NtQueryDefaultLocale(00000000,7c541418) ret=7c4e8131 NtQueryDefaultLocale 0 0x7c541418 1011: NtQueryDefaultLocale retval=00000000 ret=7c4e8131 1011: NtOpenSection(0006f66c,00000004,0006f630) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionLocale process_alloc_user_handle handle = 00000020 1011: NtOpenSection retval=00000000 ret=7c4ea47d 1011: NtMapViewOfSection(00000020,ffffffff,0006f670,00000000,00000000,00000000,0006f618,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x20 0xffffffff 0x6f670 0 00000000 (nil) 0x6f618 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x1a0000 1011: NtMapViewOfSection retval=00000000 ret=7c4f9861 1011: NtClose(00000020) ret=7c4f9832 NtClose 0x20 1011: NtClose retval=00000000 ret=7c4f9832 1011: NtOpenSection(0006f67c,00000005,0006f624) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionSortkey process_alloc_user_handle handle = 00000020 1011: NtOpenSection retval=00000000 ret=7c4ea47d 1011: NtMapViewOfSection(00000020,ffffffff,0006f678,00000000,00000000,00000000,0006f60c,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x20 0xffffffff 0x6f678 0 00000000 (nil) 0x6f60c 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x1d0000 1011: NtMapViewOfSection retval=00000000 ret=7c4f9861 1011: NtQuerySection(00000020,00000000,0006f660,00000010,00000000) ret=7c4e8534 NtQuerySection 0x20 0 0x6f660 16 (nil) access_allowed fixme: no access check 1011: NtQuerySection retval=00000000 ret=7c4e8534 1011: NtClose(00000020) ret=7c4e853f NtClose 0x20 1011: NtClose retval=00000000 ret=7c4e853f 1011: NtOpenSection(0006f678,00000004,0006f638) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionSortTbls process_alloc_user_handle handle = 00000020 1011: NtOpenSection retval=00000000 ret=7c4ea47d 1011: NtMapViewOfSection(00000020,ffffffff,0006f67c,00000000,00000000,00000000,0006f620,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x20 0xffffffff 0x6f67c 0 00000000 (nil) 0x6f620 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x220000 1011: NtMapViewOfSection retval=00000000 ret=7c4f9861 1011: NtClose(00000020) ret=7c4f9832 NtClose 0x20 1011: NtClose retval=00000000 ret=7c4f9832 1011: NtQueryVirtualMemory(ffffffff,7ffc0000,00000000,0006f654,0000001c,00000000) ret=7c4e8b9f NtQueryVirtualMemory 0xffffffff 0x7ffc0000 0 0x6f654 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=7c4e8b9f 1011: NtOpenSection(0006f614,00000004,0006f1c4) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionSortkey00000409 1011: NtOpenSection retval=c0000034 ret=7c4ea47d 1011: NtAllocateVirtualMemory(ffffffff,0006f3e4,00000000,0006f404,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x171000 00002000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtRequestWaitReplyPort(0000001c,0006f5e8,0006f5e8) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6f5e8 0x6f5e8 access_allowed fixme: no access check dump DataSize = 24 dump MessageSize = 48 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 266 dump SectionSize = 00000000 address 0x80c2ed4 88 06 5d 00 1a 00 01 00 00 00 00 00 00 00 00 00 ..]............. 9c 06 5d 00 70 18 00 00 ..].p... 0a0d: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a0d: NtAllocateVirtualMemory(ffffffff,0054fc94,00000000,0054fcb4,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x174000 00002000 00000000 0a0d: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a0d: NtFreeVirtualMemory(ffffffff,0054fdfc,0054fe00,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x54fdfc 0x54fe00 16384 NtFreeVirtualMemory returning 00000000 0a0d: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0a0d: NtReplyWaitReceivePort(00000094,0054ff08,0054ff2c,0054ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x54ff08 0x54ff2c 0x54ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c2eb0 (nil) dump DataSize = 24 dump MessageSize = 48 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 000d dump MessageId = 266 dump SectionSize = 00000000 address 0x80c2ed4 f0 39 17 00 1a 00 01 00 00 00 00 00 00 00 00 00 .9.............. 9c 06 5d 00 70 18 00 00 ..].p... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011: NtFreeVirtualMemory(ffffffff,0006f528,0006f52c,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f528 0x6f52c 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtRequestWaitReplyPort(0000001c,0006ed5c,0006ed5c) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6ed5c 0x6ed5c access_allowed fixme: no access check dump DataSize = 28 dump MessageSize = 52 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 267 dump SectionSize = 00000000 address 0x80c2ed4 88 06 5d 00 00 00 00 00 06 00 00 00 00 00 00 00 ..]............. 02 00 00 00 9c 06 5d 00 38 06 00 00 ......].8... 0a12: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a12: NtAllocateVirtualMemory(ffffffff,0061fc94,00000000,0061fcb4,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x174000 00001000 00000000 0a12: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 0a12: NtFreeVirtualMemory(ffffffff,0061fdfc,0061fe00,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x61fdfc 0x61fe00 16384 NtFreeVirtualMemory returning 00000000 0a12: NtFreeVirtualMemory retval=00000000 ret=77fcc191 0a12: NtReplyWaitReceivePort(00000094,0061ff08,0061ff2c,0061ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x61ff08 0x61ff2c 0x61ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c2eb0 (nil) dump DataSize = 28 dump MessageSize = 52 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 0012 dump MessageId = 267 dump SectionSize = 00000000 address 0x80c2ed4 f0 39 17 00 00 00 00 00 00 00 00 00 00 00 00 00 .9.............. 02 00 00 00 9c 06 5d 00 38 06 00 00 ......].8... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011 (debug 6f6e4,39,17) : LDR: MSVCRT.DLL loaded. 1011 (debug 6f6e4,39,24) : - Calling init routine at 78001000 1011: NtQuerySystemInformation(00000000,0006f768,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x6f768 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=77fcb540 1011: NtAllocateVirtualMemory(ffffffff,0006f730,00000000,0006f80c,00002000,00000004) ret=77fcb607 NtAllocateVirtualMemory returns 0x230000 00010000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcb607 1011: NtAllocateVirtualMemory(ffffffff,0006f7dc,00000000,0006f810,00001000,00000004) ret=77fcb640 NtAllocateVirtualMemory returns 0x230000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcb640 1011: NtCreateEvent(00230618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x230618 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000020 1011: NtCreateEvent retval=00000000 ret=77f94ac1 1011: NtAllocateVirtualMemory(ffffffff,0006f51c,00000000,0006f53c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x231000 00002000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtQueryVolumeInformationFile(00000000,0006f7c4,0006f7cc,00000008,00000004) ret=7c4f54a0 NtQueryVolumeInformationFile (nil) 0x6f7c4 0x6f7cc 8 4 1011: NtQueryVolumeInformationFile retval=c0000002 ret=7c4f54a0 1011: NtQueryVolumeInformationFile(00000000,0006f7c4,0006f7cc,00000008,00000004) ret=7c4f54a0 NtQueryVolumeInformationFile (nil) 0x6f7c4 0x6f7cc 8 4 1011: NtQueryVolumeInformationFile retval=c0000002 ret=7c4f54a0 1011: NtQueryVolumeInformationFile(00000000,0006f7c4,0006f7cc,00000008,00000004) ret=7c4f54a0 NtQueryVolumeInformationFile (nil) 0x6f7c4 0x6f7cc 8 4 1011: NtQueryVolumeInformationFile retval=c0000002 ret=7c4f54a0 1011: NtOpenSection(0006f218,00000004,0006f1d4) ret=7c4ea47d nt_open_object object = \NLS\NlsSectionCType process_alloc_user_handle handle = 00000024 1011: NtOpenSection retval=00000000 ret=7c4ea47d 1011: NtMapViewOfSection(00000024,ffffffff,0006f21c,00000000,00000000,00000000,0006f1bc,00000002,00000000,00000002) ret=7c4f9861 NtMapViewOfSection 0x24 0xffffffff 0x6f21c 0 00000000 (nil) 0x6f1bc 2 00000000 00000002 access_allowed fixme: no access check mapit anonymous map NtMapViewOfSection mapped at 0x240000 1011: NtMapViewOfSection retval=00000000 ret=7c4f9861 1011: NtClose(00000024) ret=7c4f9832 NtClose 0x24 1011: NtClose retval=00000000 ret=7c4f9832 1011: NtOpenProcessToken(ffffffff,00000008,0006efc4) ret=7c4ebce0 NtOpenProcessToken 0xffffffff 00000008 0x6efc4 process_alloc_user_handle handle = 00000024 1011: NtOpenProcessToken retval=00000000 ret=7c4ebce0 1011: NtQueryInformationToken(00000024,0000000a,0006ef88,00000038,0006efc0) ret=7c4ebcfb NtQueryInformationToken 0x24 10 0x6ef88 56 0x6efc0 access_allowed fixme: no access check NtQueryInformationToken TokenStatistics 1011: NtQueryInformationToken retval=00000000 ret=7c4ebcfb 1011: NtClose(00000024) ret=7c4ebd2d NtClose 0x24 1011: NtClose retval=00000000 ret=7c4ebd2d 1011: NtOpenThreadToken(fffffffe,00020008,00000001,0006e840) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x6e840 1011: NtOpenThreadToken retval=c000007c ret=77f961d7 1011: NtOpenProcessToken(ffffffff,00020008,0006e840) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x6e840 process_alloc_user_handle handle = 00000024 1011: NtOpenProcessToken retval=00000000 ret=77f961f6 1011: NtQueryInformationToken(00000024,00000001,0006e7e0,00000050,0006e838) ret=77f96212 NtQueryInformationToken 0x24 1 0x6e7e0 80 0x6e838 access_allowed fixme: no access check NtQueryInformationToken TokenUser 1011: NtQueryInformationToken retval=00000000 ret=77f96212 1011: NtClose(00000024) ret=77f9621c NtClose 0x24 1011: NtClose retval=00000000 ret=77f9621c 1011: NtOpenKey(0006ecc8,02000000,0006e85c) ret=77f83183 NtOpenKey 0x6ecc8 02000000 0x6e85c NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 1011: NtOpenKey retval=00000000 ret=77f83183 1011: NtOpenKey(0006eef8,00020019,0006eca4) ret=7c4eb095 NtOpenKey 0x6eef8 00020019 0x6eca4 NtOpenKey len 00000018 root 0x24 attr 00000040 Control Panel\International NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000028 1011: NtOpenKey retval=00000000 ret=7c4eb095 1011: NtClose(00000024) ret=7c4eb0a5 NtClose 0x24 1011: NtClose retval=00000000 ret=7c4eb0a5 1011: NtQueryValueKey(00000028,0006ecb0,00000001,0006ece0,00000214,0006ecc4) ret=7c4fbb2d NtQueryValueKey 0x28 0x6ecb0 1 0x6ece0 532 0x6ecc4 NtQueryValueKey Locale reg_query_value Locale 1011: NtQueryValueKey retval=00000000 ret=7c4fbb2d 1011: NtClose(00000028) ret=7c4f9126 NtClose 0x28 1011: NtClose retval=00000000 ret=7c4f9126 1011 (debug 6f308,100010,37) : LDR: LdrGetDllHandle, searching for KERNEL32.dll from 1011 (debug 6f510,6f790,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f50c,6f510,21) : NAME - IsProcessorFeaturePresent 1011: NtAllocateVirtualMemory(ffffffff,0006f5fc,00000000,0006f61c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x233000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011 (debug 6f6e4,230178,17) : LDR: RPCRT4.DLL loaded. 1011 (debug 6f6e4,230178,24) : - Calling init routine at 77d34884 1011: NtAllocateVirtualMemory(ffffffff,0006f6c0,00000000,0006f6e0,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x74000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtOpenKey(0006f7e0,00000001,0006f7ac) ret=7c4ec7d2 NtOpenKey 0x6f7e0 00000001 0x6f7ac NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 1011: NtOpenKey retval=00000000 ret=7c4ec7d2 1011: NtQueryValueKey(00000024,0006f7d4,00000002,0006f7c4,00000010,0006f7dc) ret=7c4ec7fa NtQueryValueKey 0x24 0x6f7d4 2 0x6f7c4 16 0x6f7dc NtQueryValueKey SafeDllSearchMode 1011: NtQueryValueKey retval=c0000034 ret=7c4ec7fa 1011: NtClose(00000024) ret=7c4ec80b NtClose 0x24 1011: NtClose retval=00000000 ret=7c4ec80b 1011 (debug 6f30c,37,89) : LDR: LdrLoadDll, loading kernel32.dll from \??\C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT 1011 (debug 6f58c,6c006c,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f588,6f58c,22) : NAME - InterlockedCompareExchange 1011 (debug 6f6e4,74260,19) : LDR: ADVAPI32.DLL loaded. 1011 (debug 6f6e4,74260,24) : - Calling init routine at 7c2d17e4 1011: NtOpenProcessToken(ffffffff,00000008,0006f678) ret=7c2d9356 NtOpenProcessToken 0xffffffff 00000008 0x6f678 process_alloc_user_handle handle = 00000024 1011: NtOpenProcessToken retval=00000000 ret=7c2d9356 1011: NtQueryInformationToken(00000024,0000000b,00000000,00000000,0006f5f8) ret=7c2d1d02 NtQueryInformationToken 0x24 11 (nil) 0 0x6f5f8 access_allowed fixme: no access check NtQueryInformationToken info class 11 1011: NtQueryInformationToken retval=c0000003 ret=7c2d1d02 1011: NtClose(00000024) ret=7c2d9375 NtClose 0x24 1011: NtClose retval=00000000 ret=7c2d9375 1011: NtOpenKey(0006f674,00020019,0006f65c) ret=7c2d943e NtOpenKey 0x6f674 00020019 0x6f65c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 1011: NtOpenKey retval=00000000 ret=7c2d943e 1011: NtQueryValueKey(00000024,0006f648,00000002,0006f5b8,00000090,0006f650) ret=7c2d946c NtQueryValueKey 0x24 0x6f648 2 0x6f5b8 144 0x6f650 NtQueryValueKey LeakTrack 1011: NtQueryValueKey retval=c0000034 ret=7c2d946c 1011: NtClose(00000024) ret=7c2d947d NtClose 0x24 1011: NtClose retval=00000000 ret=7c2d947d 1011: NtOpenKey(7c328070,02000000,0006f5e8) ret=7c2d92f4 NtOpenKey 0x7c328070 02000000 0x6f5e8 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\MACHINE NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000024 1011: NtOpenKey retval=00000000 ret=7c2d92f4 1011: NtOpenKey(0006f8a0,00020019,0006f5e0) ret=7c2d208a NtOpenKey 0x6f8a0 00020019 0x6f5e0 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\Diagnostics NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000028 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000028,0006f634,00000002,0006f564,00000090,0006f5fc) ret=7c2d2271 NtQueryValueKey 0x28 0x6f634 2 0x6f564 144 0x6f5fc NtQueryValueKey RunDiagnosticLoggingApplicationManagement 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtQueryValueKey(00000028,0006f634,00000002,0006f564,00000090,0006f5fc) ret=7c2d2271 NtQueryValueKey 0x28 0x6f634 2 0x6f564 144 0x6f5fc NtQueryValueKey AppMgmtDebugLevel reg_query_value AppMgmtDebugLevel 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtQueryValueKey(00000028,0006f634,00000002,0006f564,00000090,0006f5fc) ret=7c2d2271 NtQueryValueKey 0x28 0x6f634 2 0x6f564 144 0x6f5fc NtQueryValueKey AppMgmtDebugBreak reg_query_value AppMgmtDebugBreak 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000028) ret=7c2d1f22 NtClose 0x28 1011: NtClose retval=00000000 ret=7c2d1f22 1011 (debug 6f6e4,74260,17) : LDR: USER32.DLL loaded. 1011 (debug 6f6e4,74260,24) : - Calling init routine at 77e311c5 1011: NtQuerySystemInformation(00000000,0006f8a0,0000002c,00000000) ret=77e3125a NtQuerySystemInformation 0 0x6f8a0 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=77e3125a 1011: NtRequestWaitReplyPort(0000001c,0006f2a8,0006f2a8) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6f2a8 0x6f2a8 access_allowed fixme: no access check dump DataSize = 28 dump MessageSize = 52 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 268 dump SectionSize = 00000000 address 0x80c2ed4 88 06 5d 00 00 00 00 00 28 00 28 00 20 00 20 00 ..].....(.(. . . 03 00 00 00 9c 06 5d 00 04 01 00 00 ......]..... 0a0d: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a0d: NtUserSetInformationThread(fffffffe,0000000a,5ffe8464,00000004) ret=5ffb6e23 get_proc_address KiUserCallbackDispatcher do_user_callback continuing execution at 77fa15dc 0a0d: NtCallbackReturn(00000000,00000000,c0000001) ret=77f8cda4 NtCallbackReturn (nil) 0 c0000001 0a0d: NtCallbackReturn retval=00000000 ret=77f8cda4 eax 000011f5 ebx 0054ff5c ecx 00173560 edx 0054fe8c esi 0054ff2c edi 0054ff58 ebp 0054feb8 efl 00010246 cs:eip 0073:5ffb8337 ss:esp 007b:0054fe88 ds 007b es 007b fs 003b gs 0000 do_user_callback callback returned c0000001 NtUserSetInformationThread 0xfffffffe 0000000a 0x5ffe8464 00000004 0a0d: NtUserSetInformationThread retval=00000000 ret=5ffb6e23 0a0d: NtUserProcessConnect(00000014,00173a04,00000104) ret=5ffb6e06 access_allowed fixme: no access check NtUserProcessConnect 0x14 0x173a04 260 init_user_shared_memory user_shared_mem at 0xb6a7e000 mapit anonymous map NtUserProcessConnect user shared at 0x250000 0a0d: NtUserProcessConnect retval=00000000 ret=5ffb6e06 0a0d: NtReplyWaitReceivePort(00000094,0054ff08,0054ff2c,0054ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x54ff08 0x54ff2c 0x54ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c2eb0 (nil) dump DataSize = 28 dump MessageSize = 52 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 000d dump MessageId = 268 dump SectionSize = 00000000 address 0x80c2ed4 f0 39 17 00 00 00 00 00 00 00 00 00 20 00 20 00 .9.......... . . 03 00 00 00 9c 06 5d 00 04 01 00 00 ......]..... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011: NtOpenKey(0006f378,00020019,0006f340) ret=77e319e9 NtOpenKey 0x6f378 00020019 0x6f340 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000028 1011: NtOpenKey retval=00000000 ret=77e319e9 1011: NtQueryValueKey(00000028,0006f368,00000002,0006f328,00000018,0006f374) ret=77e59842 NtQueryValueKey 0x28 0x6f368 2 0x6f328 24 0x6f374 NtQueryValueKey EnableLogging reg_query_value EnableLogging 1011: NtQueryValueKey retval=00000000 ret=77e59842 1011: NtQueryValueKey(00000028,0006f358,00000002,0006f328,00000018,0006f374) ret=77e5986b NtQueryValueKey 0x28 0x6f358 2 0x6f328 24 0x6f374 NtQueryValueKey LogSeverity reg_query_value LogSeverity 1011: NtQueryValueKey retval=00000000 ret=77e5986b 1011: NtQueryValueKey(00000028,0006f368,00000002,0006f328,00000018,0006f374) ret=77e5989e NtQueryValueKey 0x28 0x6f368 2 0x6f328 24 0x6f374 NtQueryValueKey EnableDefaultReply reg_query_value EnableDefaultReply 1011: NtQueryValueKey retval=00000000 ret=77e5989e 1011: NtClose(00000028) ret=77e598b3 NtClose 0x28 1011: NtClose retval=00000000 ret=77e598b3 1011: NtOpenKey(0006f310,00020019,0006f2f8) ret=77e59929 NtOpenKey 0x6f310 00020019 0x6f2f8 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Services\EventLog\Application\Error Instrument\ NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000028 1011: NtOpenKey retval=00000000 ret=77e59929 1011: NtQueryValueKey(00000028,0006f2e4,00000002,0006f0d4,00000210,0006f2ec) ret=77e59959 NtQueryValueKey 0x28 0x6f2e4 2 0x6f0d4 528 0x6f2ec NtQueryValueKey EventMessageFile reg_query_value EventMessageFile 1011: NtQueryValueKey retval=00000000 ret=77e59959 1011: NtClose(00000028) ret=77e5997c NtClose 0x28 1011: NtClose retval=00000000 ret=77e5997c 1011: NtGdiInit() ret=77f42258 win32k_process_init mapit anonymous map get_proc_address KiUserCallbackDispatcher do_user_callback continuing execution at 77fa15dc 1011: NtGdiQueryFontAssocInfo(00000000) ret=77f42323 NtGdiQueryFontAssocInfo (nil) 1011: NtGdiQueryFontAssocInfo retval=00000000 ret=77f42323 1011: NtUserGetThreadState(00000011) ret=77e134bc 1011: NtUserGetThreadState retval=00000001 ret=77e134bc 1011: NtUserCallNoParam(00000012) ret=77e327c3 NtUserCallNoParam 18 1011: NtUserCallNoParam retval=00000000 ret=77e327c3 1011: NtGdiCreateCompatibleDC(00000000) ret=77f42006 NtGdiCreateCompatibleDC (nil) mapit anonymous map 1011: NtGdiCreateCompatibleDC retval=00010037 ret=77f42006 1011: NtGdiGetStockObject(00000000) ret=77f416cb NtGdiGetStockObject 0 1011: NtGdiGetStockObject retval=00900038 ret=77f416cb 1011: NtGdiGetStockObject(00000004) ret=77f416cb NtGdiGetStockObject 4 1011: NtGdiGetStockObject retval=00900039 ret=77f416cb 1011: NtGdiCreateBitmap(00000008,00000008,00000001,00000001,77e31fe8) ret=77f4216e NtGdiCreateBitmap (8x8) 1 1 0x77e31fe8 1011: NtGdiCreateBitmap retval=0005003a ret=77f4216e 1011: NtGdiCreateSolidBrush(00000000,00000000) ret=77f4209a NtGdiCreateSolidBrush 00000000 00000000 1011: NtGdiCreateSolidBrush retval=0010003b ret=77f4209a 1011: NtGdiGetStockObject(0000000d) ret=77f416cb NtGdiGetStockObject 13 1011: NtGdiGetStockObject retval=008a003c ret=77f416cb 1011: NtGdiCreateCompatibleDC(00000000) ret=77f42006 NtGdiCreateCompatibleDC (nil) mapit anonymous map 1011: NtGdiCreateCompatibleDC retval=0001003d ret=77f42006 1011: NtGdiSelectBitmap(0001003d,0005003a) ret=77f41be5 NtGdiSelectBitmap 0x1003d 0x5003a 1011: NtGdiSelectBitmap retval=0005003e ret=77f41be5 1011: NtGdiFlush() ret=77f415e5 NtGdiFlush 1011: NtGdiFlush retval=00000000 ret=77f415e5 1011: NtUserGetThreadDesktop(00000011,00000000) ret=77e32818 NtUserGetThreadDesktop 17 0 1011: NtUserGetThreadDesktop retval=00000de5 ret=77e32818 1011: NtOpenKey(0006f018,80000000,0006efc0) ret=77e31bf5 NtOpenKey 0x6f018 80000000 0x6efc0 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager\AppCompatibility\winlogon.exe open_parse_key remaining = AppCompatibility\winlogon.exe NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77e31bf5 1011: NtOpenKey(0006f234,00020019,0006f208) ret=77e31e93 NtOpenKey 0x6f234 00020019 0x6f208 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000028 1011: NtOpenKey retval=00000000 ret=77e31e93 1011: NtQueryValueKey(00000028,0006f220,00000002,0006f1c8,00000040,0006f230) ret=77e31ebe NtQueryValueKey 0x28 0x6f220 2 0x6f1c8 64 0x6f230 NtQueryValueKey AppInit_DLLs reg_query_value AppInit_DLLs 1011: NtQueryValueKey retval=00000000 ret=77e31ebe 1011: NtClose(00000028) ret=77e31f42 NtClose 0x28 1011: NtClose retval=00000000 ret=77e31f42 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e3029f,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = Button 1011: NtUserRegisterClassExWOW retval=0000c001 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e302a0,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = ComboBox 1011: NtUserRegisterClassExWOW retval=0000c002 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e302a1,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = ComboLBox 1011: NtUserRegisterClassExWOW retval=0000c003 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,000002a2,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = 1011: NtUserRegisterClassExWOW retval=0000c004 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e302a3,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = Edit 1011: NtUserRegisterClassExWOW retval=0000c005 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e302a4,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = ListBox 1011: NtUserRegisterClassExWOW retval=0000c006 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e302a5,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = MDIClient 1011: NtUserRegisterClassExWOW retval=0000c007 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e302a7,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = IME 1011: NtUserRegisterClassExWOW retval=0000c008 ret=77e32d81 1011: NtUserGetThreadState(00000011) ret=77e324af 1011: NtUserGetThreadState retval=00000001 ret=77e324af 1011: NtUserFindExistingCursorIcon(0006ef70,0006ef80,0006f1b8) ret=77e3261a NtUserFindExistingCursorIcon 0x6ef70 0x6ef80 0x6f1b8 NtUserFindExistingCursorIcon Library='USER32' NtUserFindExistingCursorIcon str2='' NtUserFindExistingCursorIcon index = 0 1011: NtUserFindExistingCursorIcon retval=00000000 ret=77e3261a 1011: NtUserRegisterClassExWOW(0006f18c,0006f1cc,0006f1dc,77e302a6,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = Static 1011: NtUserRegisterClassExWOW retval=0000c009 ret=77e32d81 1011: NtUserRegisterClassExWOW(0006f15c,0006f19c,0006f1ac,00000000,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = DDEMLMom 1011: NtUserRegisterClassExWOW retval=0000c00a ret=77e32d81 1011: NtUserRegisterClassExWOW(0006f15c,0006f19c,0006f1ac,00000000,00000082,00000000) ret=77e32b41 NtUserRegisterClassExWOW Name = DDEMLAnsiClient 1011: NtUserRegisterClassExWOW retval=0000c00b ret=77e32b41 1011: NtUserRegisterClassExWOW(0006f15c,0006f19c,0006f1ac,00000000,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = DDEMLUnicodeClient 1011: NtUserRegisterClassExWOW retval=0000c00c ret=77e32d81 1011: NtUserRegisterClassExWOW(0006f15c,0006f19c,0006f1ac,00000000,00000082,00000000) ret=77e32b41 NtUserRegisterClassExWOW Name = DDEMLAnsiServer 1011: NtUserRegisterClassExWOW retval=0000c00d ret=77e32b41 1011: NtUserRegisterClassExWOW(0006f15c,0006f19c,0006f1ac,00000000,00000080,00000000) ret=77e32d81 NtUserRegisterClassExWOW Name = DDEMLUnicodeServer 1011: NtUserRegisterClassExWOW retval=0000c00e ret=77e32d81 1011: NtCallbackReturn(00000000,00000000,00000000) ret=77f8cda4 NtCallbackReturn (nil) 0 00000000 1011: NtCallbackReturn retval=00000000 ret=77f8cda4 eax 000010d4 ebx 00000001 ecx 0006f964 edx 0006f370 esi 0006f8a0 edi 00000000 ebp 0006f374 efl 00010246 cs:eip 0073:77f42258 ss:esp 007b:0006f36c ds 007b es 007b fs 003b gs 0000 do_user_callback callback returned 00000000 NtGdiInit 1011: NtGdiInit retval=00000001 ret=77f42258 1011: NtUserGetThreadState(00000011) ret=77e134bc 1011: NtUserGetThreadState retval=00000001 ret=77e134bc 1011: NtGdiGetStockObject(00000012) ret=77f416cb NtGdiGetStockObject 18 1011: NtGdiGetStockObject retval=008a003f ret=77f416cb 1011: NtGdiGetStockObject(00000013) ret=77f416cb NtGdiGetStockObject 19 1011: NtGdiGetStockObject retval=008a0040 ret=77f416cb 1011 (debug 6f6e4,74260,18) : LDR: USERENV.DLL loaded. 1011 (debug 6f6e4,74260,24) : - Calling init routine at 7c0f1506 1011: NtOpenKey(0006ef3c,00020019,0006ee44) ret=7c2d208a NtOpenKey 0x6ef3c 00020019 0x6ee44 NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Control\ProductOptions NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000028 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000028,0006ee98,00000002,0006edc8,00000090,0006ee60) ret=7c2d2271 NtQueryValueKey 0x28 0x6ee98 2 0x6edc8 144 0x6ee60 NtQueryValueKey ProductType reg_query_value ProductType 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000028) ret=7c2d1f22 NtClose 0x28 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenDirectoryObject(7c540024,0002000f,0006eed8) ret=7c4ec6cf nt_open_object object = \BaseNamedObjects process_alloc_user_handle handle = 00000028 1011: NtOpenDirectoryObject retval=00000000 ret=7c4ec6cf 1011: NtOpenMutant(0006ef30,001f0001,0006ef10) ret=7c4fb05f NtOpenMutant 0x6ef30 001f0001 0x6ef10 nt_open_object object = Global\userenv: GUI mode setup running 1011: NtOpenMutant retval=c0000034 ret=7c4fb05f 1011: NtCreateEvent(0006ef2c,001f0003,0006ef0c,00000000,00000001) ret=7c4fb298 NtCreateEvent 0x6ef2c 001f0003 0x6ef0c 0 1 create name = Global\userenv: User Profile setup event process_alloc_user_handle handle = 0000002c 1011: NtCreateEvent retval=00000000 ret=7c4fb298 1011: NtQueryDefaultUILanguage(77fcf5cc) ret=77f8df54 1011: NtQueryDefaultUILanguage retval=00000000 ret=77f8df54 1011: NtQueryInstallUILanguage(77fcf5ce) ret=77f8df6e 1011: NtQueryInstallUILanguage retval=00000000 ret=77f8df6e 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtOpenThreadToken(fffffffe,00020008,00000001,0006eee4) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x6eee4 1011: NtOpenThreadToken retval=c000007c ret=77f961d7 1011: NtOpenProcessToken(ffffffff,00020008,0006eee4) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x6eee4 process_alloc_user_handle handle = 00000030 1011: NtOpenProcessToken retval=00000000 ret=77f961f6 1011: NtQueryInformationToken(00000030,00000001,0006ee84,00000050,0006eedc) ret=77f96212 NtQueryInformationToken 0x30 1 0x6ee84 80 0x6eedc access_allowed fixme: no access check NtQueryInformationToken TokenUser 1011: NtQueryInformationToken retval=00000000 ret=77f96212 1011: NtClose(00000030) ret=77f9621c NtClose 0x30 1011: NtClose retval=00000000 ret=77f9621c 1011: NtOpenKey(0006f6a4,00020019,0006ef00) ret=77f83183 NtOpenKey 0x6f6a4 00020019 0x6ef00 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000030 1011: NtOpenKey retval=00000000 ret=77f83183 1011: NtOpenKey(0006f6b0,00020019,0006eec8) ret=7c2d208a NtOpenKey 0x6f6b0 00020019 0x6eec8 NtOpenKey len 00000018 root 0x30 attr 00000040 Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000034 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000034,0006ef1c,00000002,0006ee4c,00000090,0006eee4) ret=7c2d2271 NtQueryValueKey 0x34 0x6ef1c 2 0x6ee4c 144 0x6eee4 NtQueryValueKey Personal reg_query_value Personal 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryValueKey(00000034,0006ef1c,00000002,0006ee4c,00000090,0006eee4) ret=7c2d2271 NtQueryValueKey 0x34 0x6ef1c 2 0x6ee4c 144 0x6eee4 NtQueryValueKey Local Settings reg_query_value Local Settings 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtQueryDefaultLocale(00000001,0006ee18) ret=77f869de NtQueryDefaultLocale 1 0x6ee18 1011: NtQueryDefaultLocale retval=00000000 ret=77f869de 1011: NtClose(00000034) ret=7c2d1f22 NtClose 0x34 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtClose(00000030) ret=7c2d1f22 NtClose 0x30 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f6b4,02000000,0006f1d4) ret=7c2d208a NtOpenKey 0x6f6b4 02000000 0x6f1d4 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\winlogon NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000030 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000030,0006f238,00000002,0006f168,00000090,0006f200) ret=7c2d2271 NtQueryValueKey 0x30 0x6f238 2 0x6f168 144 0x6f200 NtQueryValueKey UserEnvDebugLevel 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000030) ret=7c2d1f22 NtClose 0x30 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f6b4,02000000,0006f1d4) ret=7c2d208a NtOpenKey 0x6f6b4 02000000 0x6f1d4 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Policies\Microsoft\Windows\System NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000030 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000030,0006f238,00000002,0006f168,00000090,0006f200) ret=7c2d2271 NtQueryValueKey 0x30 0x6f238 2 0x6f168 144 0x6f200 NtQueryValueKey UserEnvDebugLevel 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000030) ret=7c2d1f22 NtClose 0x30 1011: NtClose retval=00000000 ret=7c2d1f22 1011 (debug 6f6e4,4e0049,18) : LDR: NDDEAPI.DLL loaded. 1011 (debug 6f6e4,4e0049,24) : - Calling init routine at 769a1084 1011 (debug 6f6e4,4e0049,19) : LDR: sfcfiles.dll loaded. 1011 (debug 6f6e4,4e0049,24) : - Calling init routine at 68011080 1011 (debug 6f6e4,4e0049,14) : LDR: SFC.DLL loaded. 1011 (debug 6f6e4,4e0049,24) : - Calling init routine at 769867e5 1011 (debug 6f6e4,73005c,18) : LDR: SECUR32.DLL loaded. 1011 (debug 6f6e4,73005c,24) : - Calling init routine at 7c342b19 1011 (debug 6f6e4,73005c,17) : LDR: SAMLIB.DLL loaded. 1011 (debug 6f6e4,73005c,24) : - Calling init routine at 751510d4 1011 (debug 6f6e4,73005c,18) : LDR: WS2HELP.DLL loaded. 1011 (debug 6f6e4,73005c,24) : - Calling init routine at 750211ae 1011 (debug 6f6e4,73005c,17) : LDR: WS2_32.DLL loaded. 1011 (debug 6f6e4,73005c,24) : - Calling init routine at 75031c85 1011: NtQuerySystemInformation(00000000,0006f834,0000002c,00000000) ret=7c4faacb NtQuerySystemInformation 0 0x6f834 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=7c4faacb 1011: NtQuerySystemInformation(00000001,0006f860,0000000c,00000000) ret=7c4faade NtQuerySystemInformation 1 0x6f860 12 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=7c4faade 1011: NtAllocateVirtualMemory(ffffffff,0006f62c,00000000,0006f64c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x75000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011 (debug 6f6e4,73005c,18) : LDR: WLDAP32.DLL loaded. 1011 (debug 6f6e4,73005c,24) : - Calling init routine at 779510c0 1011: NtQuerySystemInformation(00000000,0006f7fc,0000002c,00000000) ret=77fcb540 NtQuerySystemInformation 0 0x6f7fc 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=77fcb540 1011: NtAllocateVirtualMemory(ffffffff,0006f7c4,00000000,0006f8a0,00002000,00000004) ret=77fcb607 NtAllocateVirtualMemory returns 0x280000 00010000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcb607 1011: NtAllocateVirtualMemory(ffffffff,0006f870,00000000,0006f8a4,00001000,00000004) ret=77fcb640 NtAllocateVirtualMemory returns 0x280000 00004000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcb640 1011: NtCreateEvent(00280618,00100003,00000000,00000001,00000000) ret=77f94ac1 NtCreateEvent 0x280618 00100003 (nil) 1 0 process_alloc_user_handle handle = 00000030 1011: NtCreateEvent retval=00000000 ret=77f94ac1 1011: NtCreateEvent(0006f888,001f0003,00000000,00000001,00000000) ret=7c4fb298 NtCreateEvent 0x6f888 001f0003 (nil) 1 0 process_alloc_user_handle handle = 00000034 1011: NtCreateEvent retval=00000000 ret=7c4fb298 1011: NtOpenKey(0006f8b8,00020019,0006f82c) ret=7c2d208a NtOpenKey 0x6f8b8 00020019 0x6f82c NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\LDAP open_parse_key remaining = LDAP NtOpenKey open_key returned c0000034 1011: NtOpenKey retval=c0000034 ret=7c2d208a 1011 (debug 6f6e4,73005c,17) : LDR: DNSAPI.DLL loaded. 1011 (debug 6f6e4,73005c,24) : - Calling init routine at 77987ce8 1011: NtOpenKey(0006f8c0,00000001,0006f840) ret=7c2d208a NtOpenKey 0x6f8c0 00000001 0x6f840 NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\DNS NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f8c0,00000001,0006f824) ret=7c2d208a NtOpenKey 0x6f8c0 00000001 0x6f824 NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\Tcpip\Parameters NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,7ff70bf8,00000002,0006f788,00000090,0006f820) ret=7c2d2271 NtQueryValueKey 0x38 0x7ff70bf8 2 0x6f788 144 0x6f820 NtQueryValueKey DnsQueryTimeouts 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f8c0,00020019,0006f838) ret=7c2d208a NtOpenKey 0x6f8c0 00020019 0x6f838 NtOpenKey len 00000018 root 0x24 attr 00000040 System\Setup NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,7ff70bf8,00000002,0006f764,00000090,0006f7fc) ret=7c2d2271 NtQueryValueKey 0x38 0x7ff70bf8 2 0x6f764 144 0x6f7fc NtQueryValueKey SystemSetupInProgress 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f8c0,00020019,0006f834) ret=7c2d208a NtOpenKey 0x6f8c0 00020019 0x6f834 NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\Tcpip\Parameters NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006f850,00000002,0006f780,00000090,0006f818) ret=7c2d2271 NtQueryValueKey 0x38 0x6f850 2 0x6f780 144 0x6f818 NtQueryValueKey DnsTest 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtCreateKey(0006f8c0,00020019,0006f7e8,00000000,0006f878,00000000,0006f848) ret=7c2d2835 NtCreateKey 0x6f8c0 00020019 0x6f7e8 0 0x6f878 0 0x6f848 NtCreateKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\Tcpip\Parameters process_alloc_user_handle handle = 00000038 1011: NtCreateKey retval=00000000 ret=7c2d2835 1011: NtQueryValueKey(00000038,0006f84c,00000002,0006f77c,00000090,0006f814) ret=7c2d2271 NtQueryValueKey 0x38 0x6f84c 2 0x6f77c 144 0x6f814 NtQueryValueKey AllowUnqualifiedQuery reg_query_value AllowUnqualifiedQuery 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtQueryValueKey(00000038,0006f84c,00000002,0006f77c,00000090,0006f814) ret=7c2d2271 NtQueryValueKey 0x38 0x6f84c 2 0x6f77c 144 0x6f814 NtQueryValueKey AllowUnqualifiedQuery reg_query_value AllowUnqualifiedQuery 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtCreateKey(0006f8c0,00020019,0006f7e8,00000000,0006f878,00000000,0006f848) ret=7c2d2835 NtCreateKey 0x6f8c0 00020019 0x6f7e8 0 0x6f878 0 0x6f848 NtCreateKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\Tcpip\Parameters process_alloc_user_handle handle = 00000038 1011: NtCreateKey retval=00000000 ret=7c2d2835 1011: NtQueryValueKey(00000038,0006f84c,00000002,0006f77c,00000090,0006f814) ret=7c2d2271 NtQueryValueKey 0x38 0x6f84c 2 0x6f77c 144 0x6f814 NtQueryValueKey PrioritizeRecordData reg_query_value PrioritizeRecordData 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtQueryValueKey(00000038,0006f84c,00000002,0006f77c,00000090,0006f814) ret=7c2d2271 NtQueryValueKey 0x38 0x6f84c 2 0x6f77c 144 0x6f814 NtQueryValueKey PrioritizeRecordData reg_query_value PrioritizeRecordData 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f8c0,00020019,0006f838) ret=7c2d208a NtOpenKey 0x6f8c0 00020019 0x6f838 NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\Tcpip\Parameters NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006f854,00000002,0006f784,00000090,0006f81c) ret=7c2d2271 NtQueryValueKey 0x38 0x6f854 2 0x6f784 144 0x6f81c NtQueryValueKey UpdateSecurityLevel 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f8bc,00020019,0006f830) ret=7c2d208a NtOpenKey 0x6f8bc 00020019 0x6f830 NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\Tcpip\Parameters NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006f84c,00000002,0006f77c,00000090,0006f814) ret=7c2d2271 NtQueryValueKey 0x38 0x6f84c 2 0x6f77c 144 0x6f814 NtQueryValueKey RemoteDnsResolver 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006f8c0,00000001,0006f830) ret=7c2d208a NtOpenKey 0x6f8c0 00000001 0x6f830 NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\DnsCache\Parameters open_parse_key remaining = Parameters NtOpenKey open_key returned c0000034 1011: NtOpenKey retval=c0000034 ret=7c2d208a 1011 (debug 6f6e4,73005c,19) : LDR: NETAPI32.dll loaded. 1011 (debug 6f6e4,73005c,24) : - Calling init routine at 751728d6 1011: NtOpenKey(0006f86c,00020019,0006f830) ret=7c4fc532 NtOpenKey 0x6f86c 00020019 0x6f830 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c4fc532 1011: NtQueryValueKey(00000038,0006f850,00000001,0006f7b0,00000080,0006f85c) ret=7c4fc567 NtQueryValueKey 0x38 0x6f850 1 0x6f7b0 128 0x6f85c NtQueryValueKey ComputerName reg_query_value ComputerName 1011: NtQueryValueKey retval=00000000 ret=7c4fc567 1011: NtClose(00000038) ret=7c4fc5e3 NtClose 0x38 1011: NtClose retval=00000000 ret=7c4fc5e3 1011 (debug 6f6e4,0,18) : LDR: PROFMAP.DLL loaded. 1011 (debug 6f6e4,0,24) : - Calling init routine at 690f5ce0 1011: NtTestAlert() ret=77f84bcb 1011: NtTestAlert retval=00000000 ret=77f84bcb 1011: NtContinue(0006fd28,00000001) ret=77f8855e NtContinue 0x6fd28 1 eax 00000000 ebx 00000001 ecx 00000002 edx 00000003 esi 00000004 edi 00000005 ebp 00000000 efl 00000200 cs:eip 0018:010023f4 ss:esp 0020:0006fff8 ds 007b es 007b fs 003b gs 0000 1011: NtContinue retval=00000000 ret=77f8855e 1011: NtQuerySystemInformation(00000023,0006ff56,00000002,00000000) ret=01002574 NtQuerySystemInformation 35 0x6ff56 2 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=01002574 1011: NtSetInformationProcess(ffffffff,00000012,0006ff24,00000002) ret=7c500ae3 NtSetInformationProcess 0xffffffff 18 0x6ff24 2 NtSetInformationProcess set ProcessPriorityClass 1011: NtSetInformationProcess retval=00000000 ret=7c500ae3 1011: NtSetInformationThread(fffffffe,00000003,0006ff24,00000004) ret=7c4fb5bf NtSetInformationThread 0xfffffffe 3 0x6ff24 4 1011: NtSetInformationThread retval=00000000 ret=7c4fb5bf 1011: NtOpenKey(0006ff20,0002001f,0006fe0c) ret=7c2d208a NtOpenKey 0x6ff20 0002001f 0x6fe0c NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Services\Tcpip\Parameters NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006fe60,00000002,0006fd90,00000090,0006fe28) ret=7c2d2271 NtQueryValueKey 0x38 0x6fe60 2 0x6fd90 144 0x6fe28 NtQueryValueKey NV Hostname reg_query_value NV Hostname 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtSetValueKey(00000038,0006fe40,00000000,00000001,0006fe98,00000020) ret=7c2d2b0c NtSetValueKey 0x38 0x6fe40 0 1 0x6fe98 32 1011: NtSetValueKey retval=00000000 ret=7c2d2b0c 1011: NtQueryValueKey(00000038,0006fe60,00000002,0006fd90,00000090,0006fe28) ret=7c2d2271 NtQueryValueKey 0x38 0x6fe60 2 0x6fd90 144 0x6fe28 NtQueryValueKey NV Domain 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006ff20,0002001f,0006fe0c) ret=7c2d208a NtOpenKey 0x6ff20 0002001f 0x6fe0c NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Policies\Microsoft\System\DNSclient open_parse_key remaining = System\DNSclient NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=7c2d208a 1011: NtUserCallTwoParam(00000010,00000001,0000005b) ret=77e11f7a NtUserCallTwoParam 91 (00000001, 00000010) 1011: NtUserCallTwoParam retval=00000001 ret=77e11f7a 1011: NtRequestWaitReplyPort(0000001c,0006fc80,0006fc80) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6fc80 0x6fc80 access_allowed fixme: no access check dump DataSize = 20 dump MessageSize = 44 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 269 dump SectionSize = 00000000 address 0x80c595c 00 00 00 00 07 04 03 00 98 4b f8 77 28 fd 06 00 .........K.w(... 10 00 00 00 .... 0a12: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a12: NtReplyWaitReceivePort(00000094,0061ff08,0061ff2c,0061ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x61ff08 0x61ff2c 0x61ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c5938 (nil) dump DataSize = 20 dump MessageSize = 44 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 0012 dump MessageId = 269 dump SectionSize = 00000000 address 0x80c595c 00 00 00 00 07 04 03 00 00 00 00 00 28 fd 06 00 ............(... 10 00 00 00 .... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011: NtOpenKey(0006fccc,00020019,0006fc40) ret=7c2d208a NtOpenKey 0x6fccc 00020019 0x6fc40 NtOpenKey len 00000018 root 0x24 attr 00000040 SYSTEM\Setup NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006fc94,00000002,0006fbc4,00000090,0006fc5c) ret=7c2d2271 NtQueryValueKey 0x38 0x6fc94 2 0x6fbc4 144 0x6fc5c NtQueryValueKey SetupType 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006fccc,00020019,0006fc34) ret=7c2d208a NtOpenKey 0x6fccc 00020019 0x6fc34 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\Winlogon NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006fc88,00000002,0006fbb8,00000090,0006fc50) ret=7c2d2271 NtQueryValueKey 0x38 0x6fc88 2 0x6fbb8 144 0x6fc50 NtQueryValueKey VerboseStatus 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006fccc,00020019,0006fc34) ret=7c2d208a NtOpenKey 0x6fccc 00020019 0x6fc34 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows\CurrentVersion\Policies\System NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006fc88,00000002,0006fbb8,00000090,0006fc50) ret=7c2d2271 NtQueryValueKey 0x38 0x6fc88 2 0x6fbb8 144 0x6fc50 NtQueryValueKey VerboseStatus reg_query_value VerboseStatus 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006fcc4,00020019,0006fc8c) ret=7c4ef845 NtOpenKey 0x6fcc4 00020019 0x6fc8c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\ComputerName NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c4ef845 1011: NtOpenKey(0006fc64,00020019,0006fc4c) ret=7c4ef71e NtOpenKey 0x6fc64 00020019 0x6fc4c NtOpenKey len 00000018 root 0x38 attr 00000040 ActiveComputerName NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=7c4ef71e 1011: NtQueryValueKey(0000003c,0006fc38,00000001,0006fbcc,0000006c,0006fc40) ret=7c4ef750 NtQueryValueKey 0x3c 0x6fc38 1 0x6fbcc 108 0x6fc40 NtQueryValueKey ComputerName reg_query_value ComputerName 1011: NtQueryValueKey retval=00000000 ret=7c4ef750 1011: NtClose(0000003c) ret=7c4ef75c NtClose 0x3c 1011: NtClose retval=00000000 ret=7c4ef75c 1011: NtClose(00000038) ret=7c4ef8a2 NtClose 0x38 1011: NtClose retval=00000000 ret=7c4ef8a2 1011: NtQueryVirtualMemory(ffffffff,00010000,00000000,0006fc54,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x10000 0 0x6fc54 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 1011: NtOpenKey(0006f9b4,00020019,0006f514) ret=7c2d208a NtOpenKey 0x6f9b4 00020019 0x6f514 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\ProfileList NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006f568,00000002,0006f498,00000090,0006f530) ret=7c2d2271 NtQueryValueKey 0x38 0x6f568 2 0x6f498 144 0x6f530 NtQueryValueKey ProfilesDirectory reg_query_value ProfilesDirectory 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006fcc8,00020019,0006f954) ret=7c2d208a NtOpenKey 0x6fcc8 00020019 0x6f954 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\ProfileList NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006f9a8,00000002,0006f8d8,00000090,0006f970) ret=7c2d2271 NtQueryValueKey 0x38 0x6f9a8 2 0x6f8d8 144 0x6f970 NtQueryValueKey DefaultUserProfile reg_query_value DefaultUserProfile 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtQueryVirtualMemory(ffffffff,00010000,00000000,0006fc54,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x10000 0 0x6fc54 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 1011: NtOpenKey(0006f9b4,00020019,0006f514) ret=7c2d208a NtOpenKey 0x6f9b4 00020019 0x6f514 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\ProfileList NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006f568,00000002,0006f498,00000090,0006f530) ret=7c2d2271 NtQueryValueKey 0x38 0x6f568 2 0x6f498 144 0x6f530 NtQueryValueKey ProfilesDirectory reg_query_value ProfilesDirectory 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006fcc8,00020019,0006f954) ret=7c2d208a NtOpenKey 0x6fcc8 00020019 0x6f954 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\ProfileList NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000038,0006f9a8,00000002,0006f8d8,00000090,0006f970) ret=7c2d2271 NtQueryValueKey 0x38 0x6f9a8 2 0x6f8d8 144 0x6f970 NtQueryValueKey AllUsersProfile reg_query_value AllUsersProfile 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtQueryVirtualMemory(ffffffff,00010000,00000000,0006fc54,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x10000 0 0x6fc54 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f790,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f790 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006fb78,00010080,0006fb34,0006fb68,00000007,00204040) ret=7c4eda7e NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\temppf.sys open_file root = (nil) name = \??\C:\WINNT\system32\temppf.sys open_unicode_file open file : c:/winnt/system32/temppf.sys 1011: NtOpenFile retval=c000003a ret=7c4eda7e 1011: NtQuerySystemInformation(00000012,0006fedc,00000018,0006ff10) ret=01002c4a NtQuerySystemInformation 18 0x6fedc 24 0x6ff10 NtQuerySystemInformation SystemInformationClass = 18 not handled 1011: NtQuerySystemInformation retval=00000000 ret=01002c4a 1011: NtQuerySystemInformation(00000002,0006fb98,00000138,00000000) ret=01002c5f NtQuerySystemInformation 2 0x6fb98 312 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=01002c5f 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f7f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f7f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtCreatePagingFile(0006ff00,0006ff08,0006ff14,00000000) ret=01014f55 NtCreatePagingFile unimplemented - \??\C:\WINNT\system32\temppf.sys 20971520 20971520 00000000 1011: NtCreatePagingFile retval=00000000 ret=01014f55 1011: NtAllocateVirtualMemory(ffffffff,0006f610,00000000,0006f630,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x76000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f708,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f708 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006fb30,00110080,0006fb18,0006fad4,00000007,00204020) ret=7c4f0df0 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\temppf.sys open_file root = (nil) name = \??\C:\WINNT\system32\temppf.sys open_unicode_file open file : c:/winnt/system32/temppf.sys 1011: NtOpenFile retval=c000003a ret=7c4f0df0 1011: NtCreateKey(0006fa84,c0000000,0006fa54,00000000,00000000,00000000,00000000) ret=7c5116a1 NtCreateKey 0x6fa84 c0000000 0x6fa54 0 (nil) 0 (nil) NtCreateKey len 00000018 root (nil) attr 000000c0 \Registry\Machine\System\CurrentControlSet\Control\Session Manager process_alloc_user_handle handle = 00000038 1011: NtCreateKey retval=00000000 ret=7c5116a1 1011: NtQueryValueKey(00000038,0006fa78,00000002,00076108,00000400,0006fa80) ret=7c51170e NtQueryValueKey 0x38 0x6fa78 2 0x76108 1024 0x6fa80 NtQueryValueKey PendingFileRenameOperations2 1011: NtQueryValueKey retval=c0000034 ret=7c51170e 1011: NtClose(00000038) ret=7c51183c NtClose 0x38 1011: NtClose retval=00000000 ret=7c51183c 1011: NtCreateKey(0006fa84,c0000000,0006fa54,00000000,00000000,00000000,00000000) ret=7c5116a1 NtCreateKey 0x6fa84 c0000000 0x6fa54 0 (nil) 0 (nil) NtCreateKey len 00000018 root (nil) attr 000000c0 \Registry\Machine\System\CurrentControlSet\Control\Session Manager process_alloc_user_handle handle = 00000038 1011: NtCreateKey retval=00000000 ret=7c5116a1 1011: NtQueryValueKey(00000038,0006fa78,00000002,00076108,00000400,0006fa80) ret=7c51170e NtQueryValueKey 0x38 0x6fa78 2 0x76108 1024 0x6fa80 NtQueryValueKey PendingFileRenameOperations 1011: NtQueryValueKey retval=c0000034 ret=7c51170e 1011: NtSetValueKey(00000038,0006fa78,00000000,00000007,00076108,00000046) ret=7c5117f5 NtSetValueKey 0x38 0x6fa78 0 7 0x76108 70 1011: NtSetValueKey retval=00000000 ret=7c5117f5 1011: NtClose(00000038) ret=7c511800 NtClose 0x38 1011: NtClose retval=00000000 ret=7c511800 1011: NtFreeVirtualMemory(ffffffff,0006f9ec,0006f9f0,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f9ec 0x6f9f0 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtOpenKey(0006ff1c,00020006,0006fb0c) ret=7c2d208a NtOpenKey 0x6ff1c 00020006 0x6fb0c NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Control\Session Manager\Memory Management NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtSetValueKey(00000038,0006fb40,00000000,00000004,0006ff20,00000004) ret=7c2d2b0c NtSetValueKey 0x38 0x6fb40 0 4 0x6ff20 4 1011: NtSetValueKey retval=00000000 ret=7c2d2b0c 1011: NtClose(00000038) ret=7c2d1f22 NtClose 0x38 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtAllocateVirtualMemory(ffffffff,0006fcec,00000000,0006fd0c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x76000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtOpenThreadToken(fffffffe,00020008,00000001,0006f35c) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x6f35c 1011: NtOpenThreadToken retval=c000007c ret=77f961d7 1011: NtOpenProcessToken(ffffffff,00020008,0006f35c) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x6f35c process_alloc_user_handle handle = 00000038 1011: NtOpenProcessToken retval=00000000 ret=77f961f6 1011: NtQueryInformationToken(00000038,00000001,0006f2fc,00000050,0006f354) ret=77f96212 NtQueryInformationToken 0x38 1 0x6f2fc 80 0x6f354 access_allowed fixme: no access check NtQueryInformationToken TokenUser 1011: NtQueryInformationToken retval=00000000 ret=77f96212 1011: NtClose(00000038) ret=77f9621c NtClose 0x38 1011: NtClose retval=00000000 ret=77f9621c 1011: NtOpenKey(0006f40c,02000000,0006f378) ret=77f83183 NtOpenKey 0x6f40c 02000000 0x6f378 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=77f83183 1011: NtOpenKey(0006f410,000f003f,0006f3dc) ret=77e3eec0 NtOpenKey 0x6f410 000f003f 0x6f3dc NtOpenKey len 00000018 root 0x38 attr 00000040 Keyboard Layout\Preload NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=77e3eec0 1011: NtQueryValueKey(0000003c,0006f3f4,00000002,0006f3b8,00000024,0006f400) ret=77e3eeec NtQueryValueKey 0x3c 0x6f3f4 2 0x6f3b8 36 0x6f400 NtQueryValueKey 1 reg_query_value 1 1011: NtQueryValueKey retval=00000000 ret=77e3eeec 1011: NtClose(0000003c) ret=77e3ef1f NtClose 0x3c 1011: NtClose retval=00000000 ret=77e3ef1f 1011: NtClose(00000038) ret=77e3ef24 NtClose 0x38 1011: NtClose retval=00000000 ret=77e3ef24 1011: NtOpenKey(0006f400,00020019,0006f3c8) ret=77e3e761 NtOpenKey 0x6f400 00020019 0x6f3c8 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000038 1011: NtOpenKey retval=00000000 ret=77e3e761 1011: NtQueryValueKey(00000038,0006f3f4,00000002,0006f020,00000210,0006f3f0) ret=77e3e795 NtQueryValueKey 0x38 0x6f3f4 2 0x6f020 528 0x6f3f0 NtQueryValueKey Layout File reg_query_value Layout File 1011: NtQueryValueKey retval=00000000 ret=77e3e795 1011: NtQueryValueKey(00000038,0006f3f4,00000002,0006f394,00000014,0006f3f0) ret=77e3e7d4 NtQueryValueKey 0x38 0x6f3f4 2 0x6f394 20 0x6f3f0 NtQueryValueKey Attributes 1011: NtQueryValueKey retval=c0000034 ret=77e3e7d4 1011: NtClose(00000038) ret=77e3e806 NtClose 0x38 1011: NtClose retval=00000000 ret=77e3e806 1011: NtAllocateVirtualMemory(ffffffff,0006e978,00000000,0006e998,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011 (debug 6e684,0,86) : LDR: LdrLoadDll, loading KBDUS.DLL from \??\C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT 1011: NtOpenSection(0006e814,0000000e,0006e7f4) ret=77f935ad nt_open_object object = KBDUS.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtQueryAttributesFile(0006e790,0006e768) ret=77f8cb7a NtQueryAttributesFile 0x6e790 0x6e768 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\KBDUS.DLL stat_unicode c:/??/c:/winnt/system32/kbdus.dll -> -1 1011: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006e3cc,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6e3cc 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006e790,0006e768) ret=77f8cb7a NtQueryAttributesFile 0x6e790 0x6e768 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32KBDUS.DLL stat_unicode c:/winnt/system32kbdus.dll -> -1 1011: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006e3cc,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6e3cc 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006e790,0006e768) ret=77f8cb7a NtQueryAttributesFile 0x6e790 0x6e768 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\KBDUS.DLL stat_unicode c:/winnt/system32/kbdus.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\KBDUS.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006e6c0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6e6c0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6e600,0,33) : LDR: Loading (DYNAMIC) C:\WINNT\system32\KBDUS.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006e494,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6e494 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006e81c,00100020,0006e7ec,0006e804,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\KBDUS.DLL open_file root = (nil) name = \??\C:\WINNT\system32\KBDUS.DLL open_unicode_file open file : c:/winnt/system32/kbdus.dll process_alloc_user_handle handle = 00000038 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006e884,0000000f,00000000,00000000,00000010,01000000,00000038) ret=77f8e946 NtCreateSection 0x6e884 0000000f (nil) (nil) 00000010 01000000 0x38 access_allowed fixme: no access check process_alloc_user_handle handle = 0000003c 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(00000038) ret=77f8e951 NtClose 0x38 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(0000003c,ffffffff,0006e888,00000000,00000000,00000000,0006e880,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x3c 0xffffffff 0x6e888 0 00000000 (nil) 0x6e880 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x5ff60000 mapit read 3 sections, load at 5ff60000 mapit .data 00001000 00000600 00000c00 00000a9a mapit .rsrc 00002000 00001200 00000400 000003d0 mapit .reloc 00003000 00001600 00000200 000000c0 NtMapViewOfSection mapped at 0x5ff60000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(0000003c) ret=77f870b4 NtClose 0x3c 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6e618,0,14) : LDR: Real INIT LIST 1011: NtFreeVirtualMemory(ffffffff,0006eabc,0006eac0,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6eabc 0x6eac0 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011 (debug 6e8e4,727f0,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6e8e0,6e8e4,c) : ORDINAL - 5 1011 (debug 6e8e4,c,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6e8e0,6e8e4,c) : ORDINAL - 3 1011 (debug 6e8e4,c,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6e8e0,6e8e4,c) : ORDINAL - 1 1011 (debug 6e92c,0,11) : LDR: UNINIT LIST 1011 (debug 6e918,0,43) : (1) [KBDUS.DLL] C:\WINNT\system32\KBDUS.DLL (0) deinit 0 1011 (debug 6e928,31282020,1b) : LDR: Unmapping [KBDUS.DLL] 1011: NtUnmapViewOfSection(ffffffff,5ff60000) ret=77f91f50 NtUnmapViewOfSection 0xffffffff 0x5ff60000 1011: NtUnmapViewOfSection retval=00000000 ret=77f91f50 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006e7e0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6e7e0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtCreateFile(0006ebe8,80100080,0006eb84,0006ebbc,00000000,00000000,00000001,00000001,00000060,00000000,00000000) ret=7c4ec506 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\KBDUS.DLL open_file root = (nil) name = \??\C:\WINNT\system32\KBDUS.DLL open_unicode_file open file : c:/winnt/system32/kbdus.dll process_alloc_user_handle handle = 00000038 1011: NtCreateFile retval=00000000 ret=7c4ec506 1011: NtOpenDirectoryObject(0006fed4,00000004,0006feb0) ret=77e1208f nt_open_object object = \Windows\WindowStations process_alloc_user_handle handle = 0000003c 1011: NtOpenDirectoryObject retval=00000000 ret=77e1208f 1011: NtUserCreateWindowStation(0006feb0,02000000,00000038,00001608,0006fe94,04090409) ret=77e120dc NtUserCreateWindowStation 0x6feb0 02000000 0x38 00001608 0x6fe94 04090409 NtUserCreateWindowStation name = WinSta0 1011: NtUserCreateWindowStation retval=f00d2000 ret=77e120dc 1011: NtClose(0000003c) ret=77e120ed NtClose 0x3c 1011: NtClose retval=00000000 ret=77e120ed 1011: NtClose(00000038) ret=77e120fb NtClose 0x38 1011: NtClose retval=00000000 ret=77e120fb 1011: NtUserSetProcessWindowStation(f00d2000) ret=01002f54 NtUserSetProcessWindowStation 1011: NtUserSetProcessWindowStation retval=00000001 ret=01002f54 1011: NtAllocateVirtualMemory(ffffffff,0006f994,00000000,0006f9b4,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f7a4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f7a4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0007712c,80100000,0006fb48,0006fb68,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\win.ini open_file root = (nil) name = \??\C:\WINNT\win.ini open_unicode_file open file : c:/winnt/win.ini process_alloc_user_handle handle = 00000038 1011: NtOpenFile retval=00000000 ret=7c4f4094 1011: NtLockFile(00000038,00000000,00000000,00000000,0006fb68,0006fb78,0006fb70,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 1011: NtLockFile retval=00000000 ret=7c4f40d4 1011: NtQueryInformationFile(00000038,0006fb68,00077178,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x38 0x6fb68 0x77178 24 5 access_allowed fixme: no access check 1011: NtQueryInformationFile retval=00000000 ret=7c4f4101 1011: NtAllocateVirtualMemory(ffffffff,00077138,00000000,00077140,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x290000 00101000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 1011: NtAllocateVirtualMemory(ffffffff,00077138,00000000,0007713c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x290000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 1011: NtReadFile(00000038,00000000,00000000,00000000,0006fb68,00290000,0000000b,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x38 (nil) (nil) (nil) 0x6fb68 0x290000 11 (nil) 0x7c5416a8 access_allowed fixme: no access check 1011: NtReadFile retval=00000000 ret=7c4f418a 1011: NtFreeVirtualMemory(ffffffff,00077138,00077140,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x77138 0x77140 32768 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 1011: NtUnlockFile(00000038,0006fb6c,0006fb7c,0006fb74,00000011) ret=7c4f9a35 NtUnlockFile just returns success... 1011: NtUnlockFile retval=00000000 ret=7c4f9a35 1011: NtClose(00000038) ret=7c4f9a3e NtClose 0x38 1011: NtClose retval=00000000 ret=7c4f9a3e 1011: NtFreeVirtualMemory(ffffffff,0006fb20,0006fb24,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6fb20 0x6fb24 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtSetSecurityObject(f00d2000,00000004,00076f58) ret=77e3f0fa NtSetSecurityObject 0xf00d2000 00000004 0x76f58 1011: NtSetSecurityObject retval=00000000 ret=77e3f0fa 1011: NtUserGetProcessWindowStation() ret=77e32efe NtUserGetProcessWindowStation 1011: NtUserGetProcessWindowStation retval=f00d2000 ret=77e32efe 1011: NtUserCreateDesktop(0006fea8,00000000,00000000,00000000,02000000) ret=77e12455 NtUserCreateDesktop NtUserCreateDesktop name = Winlogon 1011: NtUserCreateDesktop retval=f00d2001 ret=77e12455 1011: NtUserGetProcessWindowStation() ret=77e32efe NtUserGetProcessWindowStation 1011: NtUserGetProcessWindowStation retval=f00d2000 ret=77e32efe 1011: NtUserCreateDesktop(0006fea8,00000000,00000000,00000000,02000000) ret=77e12455 NtUserCreateDesktop NtUserCreateDesktop name = Default 1011: NtUserCreateDesktop retval=f00d2001 ret=77e12455 1011: NtSetSecurityObject(f00d2001,00000004,00076de8) ret=77e3f0fa NtSetSecurityObject 0xf00d2001 00000004 0x76de8 1011: NtSetSecurityObject retval=00000000 ret=77e3f0fa 1011: NtAllocateVirtualMemory(ffffffff,0006f960,00000000,0006f980,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f770,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f770 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0007712c,80100000,0006fb14,0006fb34,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\win.ini open_file root = (nil) name = \??\C:\WINNT\win.ini open_unicode_file open file : c:/winnt/win.ini process_alloc_user_handle handle = 00000038 1011: NtOpenFile retval=00000000 ret=7c4f4094 1011: NtLockFile(00000038,00000000,00000000,00000000,0006fb34,0006fb44,0006fb3c,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 1011: NtLockFile retval=00000000 ret=7c4f40d4 1011: NtQueryInformationFile(00000038,0006fb34,00077178,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x38 0x6fb34 0x77178 24 5 access_allowed fixme: no access check 1011: NtQueryInformationFile retval=00000000 ret=7c4f4101 1011: NtAllocateVirtualMemory(ffffffff,00077138,00000000,00077140,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x290000 00101000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 1011: NtAllocateVirtualMemory(ffffffff,00077138,00000000,0007713c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x290000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 1011: NtReadFile(00000038,00000000,00000000,00000000,0006fb34,00290000,0000000b,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x38 (nil) (nil) (nil) 0x6fb34 0x290000 11 (nil) 0x7c5416a8 access_allowed fixme: no access check 1011: NtReadFile retval=00000000 ret=7c4f418a 1011: NtFreeVirtualMemory(ffffffff,00077138,00077140,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x77138 0x77140 32768 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 1011: NtUnlockFile(00000038,0006fb38,0006fb48,0006fb40,00000011) ret=7c4f9a35 NtUnlockFile just returns success... 1011: NtUnlockFile retval=00000000 ret=7c4f9a35 1011: NtClose(00000038) ret=7c4f9a3e NtClose 0x38 1011: NtClose retval=00000000 ret=7c4f9a3e 1011: NtFreeVirtualMemory(ffffffff,0006faec,0006faf0,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6faec 0x6faf0 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtSetSecurityObject(f00d2001,00000004,00076de8) ret=77e3f0fa NtSetSecurityObject 0xf00d2001 00000004 0x76de8 1011: NtSetSecurityObject retval=00000000 ret=77e3f0fa 1011: NtOpenKey(0006ff4c,00020019,0006feac) ret=7c2d208a NtOpenKey 0x6ff4c 00020019 0x6feac NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Control\SafeBoot\Option open_parse_key remaining = SafeBoot\Option NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=7c2d208a 1011: NtUserSetThreadDesktop(f00d2001) ret=01002612 NtUserSetThreadDesktop 1011: NtUserSetThreadDesktop retval=00000001 ret=01002612 1011: NtQueryInformationToken(00000000,00000001,0006fe6c,00000080,0006fef8) ret=010035ec NtQueryInformationToken (nil) 1 0x6fe6c 128 0x6fef8 1011: NtQueryInformationToken retval=c0000008 ret=010035ec 1011: NtAllocateVirtualMemory(ffffffff,0006f944,00000000,0006f964,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f754,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f754 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0007712c,80100000,0006faf8,0006fb18,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\win.ini open_file root = (nil) name = \??\C:\WINNT\win.ini open_unicode_file open file : c:/winnt/win.ini process_alloc_user_handle handle = 00000038 1011: NtOpenFile retval=00000000 ret=7c4f4094 1011: NtLockFile(00000038,00000000,00000000,00000000,0006fb18,0006fb28,0006fb20,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 1011: NtLockFile retval=00000000 ret=7c4f40d4 1011: NtQueryInformationFile(00000038,0006fb18,00077178,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x38 0x6fb18 0x77178 24 5 access_allowed fixme: no access check 1011: NtQueryInformationFile retval=00000000 ret=7c4f4101 1011: NtAllocateVirtualMemory(ffffffff,00077138,00000000,00077140,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x290000 00101000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 1011: NtAllocateVirtualMemory(ffffffff,00077138,00000000,0007713c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x290000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 1011: NtReadFile(00000038,00000000,00000000,00000000,0006fb18,00290000,0000000b,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x38 (nil) (nil) (nil) 0x6fb18 0x290000 11 (nil) 0x7c5416a8 access_allowed fixme: no access check 1011: NtReadFile retval=00000000 ret=7c4f418a 1011: NtFreeVirtualMemory(ffffffff,00077138,00077140,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x77138 0x77140 32768 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 1011: NtUnlockFile(00000038,0006fb1c,0006fb2c,0006fb24,00000011) ret=7c4f9a35 NtUnlockFile just returns success... 1011: NtUnlockFile retval=00000000 ret=7c4f9a35 1011: NtClose(00000038) ret=7c4f9a3e NtClose 0x38 1011: NtClose retval=00000000 ret=7c4f9a3e 1011: NtFreeVirtualMemory(ffffffff,0006fad0,0006fad4,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6fad0 0x6fad4 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtSetSecurityObject(f00d2001,00000004,00076de8) ret=77e3f0fa NtSetSecurityObject 0xf00d2001 00000004 0x76de8 1011: NtSetSecurityObject retval=00000000 ret=77e3f0fa 1011: NtDuplicateObject(ffffffff,fffffffe,ffffffff,0006feb4,00000080,00000000,00000004) ret=0100182b NtDuplicateObject 0xffffffff 0xfffffffe 0xffffffff 0x6feb4 00000080 00000000 00000004 NtDuplicateObject source process 0x80c1c20 NtDuplicateObject target process 0x80c1c20 process_alloc_user_handle handle = 00000038 NtDuplicateObject new handle is 0x38 1011: NtDuplicateObject retval=00000000 ret=0100182b 1011: NtOpenThreadToken(fffffffe,00020008,00000001,0006fe78) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x6fe78 1011: NtOpenThreadToken retval=c000007c ret=77f961d7 1011: NtOpenProcessToken(ffffffff,00020008,0006fe78) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x6fe78 process_alloc_user_handle handle = 0000003c 1011: NtOpenProcessToken retval=00000000 ret=77f961f6 1011: NtQueryInformationToken(0000003c,00000001,0006fe18,00000050,0006fe70) ret=77f96212 NtQueryInformationToken 0x3c 1 0x6fe18 80 0x6fe70 access_allowed fixme: no access check NtQueryInformationToken TokenUser 1011: NtQueryInformationToken retval=00000000 ret=77f96212 1011: NtClose(0000003c) ret=77f9621c NtClose 0x3c 1011: NtClose retval=00000000 ret=77f9621c 1011: NtOpenKey(0006feac,80000000,0006fe94) ret=7c4fdb96 NtOpenKey 0x6feac 80000000 0x6fe94 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=7c4fdb96 1011: NtClose(0000003c) ret=7c4fdba9 NtClose 0x3c 1011: NtClose retval=00000000 ret=7c4fdba9 1011: NtSetInformationThread(00000038,00000005,0006fea8,00000004) ret=010018e0 NtSetInformationThread 0x38 5 0x6fea8 4 access_allowed fixme: no access check 1011: NtSetInformationThread retval=c0000008 ret=010018e0 1011: NtClose(00000038) ret=010018eb NtClose 0x38 1011: NtClose retval=00000000 ret=010018eb 1011: NtDuplicateObject(ffffffff,fffffffe,ffffffff,0006fec8,00000080,00000000,00000004) ret=0100182b NtDuplicateObject 0xffffffff 0xfffffffe 0xffffffff 0x6fec8 00000080 00000000 00000004 NtDuplicateObject source process 0x80c1c20 NtDuplicateObject target process 0x80c1c20 process_alloc_user_handle handle = 00000038 NtDuplicateObject new handle is 0x38 1011: NtDuplicateObject retval=00000000 ret=0100182b 1011: NtUserSetImeHotKey(00000000,00000000,00000000,00000000,00000003) ret=77e3e9cb NtUserSetImeHotKey 1011: NtUserSetImeHotKey retval=00000001 ret=77e3e9cb 1011: NtOpenThreadToken(fffffffe,00020008,00000001,0006fdb4) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x6fdb4 1011: NtOpenThreadToken retval=c000007c ret=77f961d7 1011: NtOpenProcessToken(ffffffff,00020008,0006fdb4) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x6fdb4 process_alloc_user_handle handle = 0000003c 1011: NtOpenProcessToken retval=00000000 ret=77f961f6 1011: NtQueryInformationToken(0000003c,00000001,0006fd54,00000050,0006fdac) ret=77f96212 NtQueryInformationToken 0x3c 1 0x6fd54 80 0x6fdac access_allowed fixme: no access check NtQueryInformationToken TokenUser 1011: NtQueryInformationToken retval=00000000 ret=77f96212 1011: NtClose(0000003c) ret=77f9621c NtClose 0x3c 1011: NtClose retval=00000000 ret=77f9621c 1011: NtOpenKey(0006fe68,02000000,0006fdd0) ret=77f83183 NtOpenKey 0x6fe68 02000000 0x6fdd0 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=77f83183 1011: NtOpenKey(0006fe6c,00020019,0006fe44) ret=77e3ea4c NtOpenKey 0x6fe6c 00020019 0x6fe44 NtOpenKey len 00000018 root 0x3c attr 00000040 Control Panel\Input Method\Hot Keys open_parse_key remaining = Input Method\Hot Keys NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77e3ea4c 1011: NtClose(0000003c) ret=77e4b854 NtClose 0x3c 1011: NtClose retval=00000000 ret=77e4b854 1011: NtAllocateVirtualMemory(ffffffff,0006fb18,00000000,0006fb38,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f928,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f928 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(00077224,80100000,0006fccc,0006fcec,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\keyboardlayout.ini open_file root = (nil) name = \??\C:\WINNT\keyboardlayout.ini open_unicode_file open file : c:/winnt/keyboardlayout.ini 1011: NtOpenFile retval=c000003a ret=7c4f4094 1011: NtClose(00000000) ret=7c4fca51 NtClose (nil) 1011: NtClose retval=c0000008 ret=7c4fca51 1011: NtFreeVirtualMemory(ffffffff,0006fca4,0006fca8,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6fca4 0x6fca8 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtOpenThreadToken(fffffffe,00020008,00000001,0006fdd8) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x6fdd8 1011: NtOpenThreadToken retval=c000007c ret=77f961d7 1011: NtOpenProcessToken(ffffffff,00020008,0006fdd8) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x6fdd8 process_alloc_user_handle handle = 0000003c 1011: NtOpenProcessToken retval=00000000 ret=77f961f6 1011: NtQueryInformationToken(0000003c,00000001,0006fd78,00000050,0006fdd0) ret=77f96212 NtQueryInformationToken 0x3c 1 0x6fd78 80 0x6fdd0 access_allowed fixme: no access check NtQueryInformationToken TokenUser 1011: NtQueryInformationToken retval=00000000 ret=77f96212 1011: NtClose(0000003c) ret=77f9621c NtClose 0x3c 1011: NtClose retval=00000000 ret=77f9621c 1011: NtOpenKey(0006fe88,02000000,0006fdf4) ret=77f83183 NtOpenKey 0x6fe88 02000000 0x6fdf4 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=77f83183 1011: NtOpenKey(0006fe8c,000f003f,0006fe58) ret=77e3eec0 NtOpenKey 0x6fe8c 000f003f 0x6fe58 NtOpenKey len 00000018 root 0x3c attr 00000040 Keyboard Layout\Preload NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000040 1011: NtOpenKey retval=00000000 ret=77e3eec0 1011: NtQueryValueKey(00000040,0006fe70,00000002,0006fe34,00000024,0006fe7c) ret=77e3eeec NtQueryValueKey 0x40 0x6fe70 2 0x6fe34 36 0x6fe7c NtQueryValueKey 1 reg_query_value 1 1011: NtQueryValueKey retval=00000000 ret=77e3eeec 1011: NtClose(00000040) ret=77e3ef1f NtClose 0x40 1011: NtClose retval=00000000 ret=77e3ef1f 1011: NtClose(0000003c) ret=77e3ef24 NtClose 0x3c 1011: NtClose retval=00000000 ret=77e3ef24 1011: NtAllocateVirtualMemory(ffffffff,0006f320,00000000,0006f340,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f130,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f130 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0007723c,80100000,0006f4d4,0006f4f4,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\keyboardlayout.ini open_file root = (nil) name = \??\C:\WINNT\keyboardlayout.ini open_unicode_file open file : c:/winnt/keyboardlayout.ini 1011: NtOpenFile retval=c000003a ret=7c4f4094 1011: NtClose(00000000) ret=7c4fca51 NtClose (nil) 1011: NtClose retval=c0000008 ret=7c4fca51 1011: NtFreeVirtualMemory(ffffffff,0006f4ac,0006f4b0,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f4ac 0x6f4b0 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtAllocateVirtualMemory(ffffffff,0006f334,00000000,0006f354,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f144,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f144 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtCreateFile(00077214,c0100000,0006f4e8,0006f508,00000000,00000080,00000007,00000003,00000060,00000000,00000000) ret=7c4e6130 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\win.ini open_file root = (nil) name = \??\C:\WINNT\win.ini open_unicode_file open file : c:/winnt/win.ini process_alloc_user_handle handle = 0000003c 1011: NtCreateFile retval=00000000 ret=7c4e6130 1011: NtLockFile(0000003c,00000000,00000000,00000000,0006f508,0006f518,0006f510,00000001,00000000,00000001) ret=7c4f40d4 NtLockFile just returns success... 1011: NtLockFile retval=00000000 ret=7c4f40d4 1011: NtQueryInformationFile(0000003c,0006f508,00077260,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x3c 0x6f508 0x77260 24 5 access_allowed fixme: no access check 1011: NtQueryInformationFile retval=00000000 ret=7c4f4101 1011: NtAllocateVirtualMemory(ffffffff,00077220,00000000,00077228,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x290000 00101000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 1011: NtAllocateVirtualMemory(ffffffff,00077220,00000000,00077224,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x290000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 1011: NtReadFile(0000003c,00000000,00000000,00000000,0006f508,00290000,0000000b,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x3c (nil) (nil) (nil) 0x6f508 0x290000 11 (nil) 0x7c5416a8 access_allowed fixme: no access check 1011: NtReadFile retval=00000000 ret=7c4f418a 1011: NtFreeVirtualMemory(ffffffff,00077220,00077228,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x77220 0x77228 32768 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 1011: NtUnlockFile(0000003c,0006f50c,0006f51c,0006f514,00000011) ret=7c4f9a35 NtUnlockFile just returns success... 1011: NtUnlockFile retval=00000000 ret=7c4f9a35 1011: NtClose(0000003c) ret=7c4f9a3e NtClose 0x3c 1011: NtClose retval=00000000 ret=7c4f9a3e 1011: NtFreeVirtualMemory(ffffffff,0006f4c0,0006f4c4,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f4c0 0x6f4c4 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtOpenKey(0006fe44,00020019,0006fe0c) ret=77e3e761 NtOpenKey 0x6fe44 00020019 0x6fe0c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=77e3e761 1011: NtQueryValueKey(0000003c,0006fe38,00000002,0006fa64,00000210,0006fe34) ret=77e3e795 NtQueryValueKey 0x3c 0x6fe38 2 0x6fa64 528 0x6fe34 NtQueryValueKey Layout File reg_query_value Layout File 1011: NtQueryValueKey retval=00000000 ret=77e3e795 1011: NtQueryValueKey(0000003c,0006fe38,00000002,0006fdd8,00000014,0006fe34) ret=77e3e7d4 NtQueryValueKey 0x3c 0x6fe38 2 0x6fdd8 20 0x6fe34 NtQueryValueKey Attributes 1011: NtQueryValueKey retval=c0000034 ret=77e3e7d4 1011: NtClose(0000003c) ret=77e3e806 NtClose 0x3c 1011: NtClose retval=00000000 ret=77e3e806 1011: NtAllocateVirtualMemory(ffffffff,0006f3bc,00000000,0006f3dc,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011 (debug 6f0c8,6f2d8,86) : LDR: LdrLoadDll, loading KBDUS.DLL from \??\C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT 1011: NtOpenSection(0006f258,0000000e,0006f238) ret=77f935ad nt_open_object object = KBDUS.DLL 1011: NtOpenSection retval=c0000034 ret=77f935ad 1011: NtQueryAttributesFile(0006f1d4,0006f1ac) ret=77f8cb7a NtQueryAttributesFile 0x6f1d4 0x6f1ac NtQueryAttributesFile root (nil) attr 00000040 \??\C:\??\C:\WINNT\system32\KBDUS.DLL stat_unicode c:/??/c:/winnt/system32/kbdus.dll -> -1 1011: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006ee10,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6ee10 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f1d4,0006f1ac) ret=77f8cb7a NtQueryAttributesFile 0x6f1d4 0x6f1ac NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32KBDUS.DLL stat_unicode c:/winnt/system32kbdus.dll -> -1 1011: NtQueryAttributesFile retval=c000003a ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006ee10,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6ee10 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f1d4,0006f1ac) ret=77f8cb7a NtQueryAttributesFile 0x6f1d4 0x6f1ac NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\KBDUS.DLL stat_unicode c:/winnt/system32/kbdus.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\KBDUS.DLL 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f104,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f104 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011 (debug 6f044,0,33) : LDR: Loading (DYNAMIC) C:\WINNT\system32\KBDUS.DLL 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006eed8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6eed8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006f260,00100020,0006f230,0006f248,00000005,00000060) ret=77f8e927 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\KBDUS.DLL open_file root = (nil) name = \??\C:\WINNT\system32\KBDUS.DLL open_unicode_file open file : c:/winnt/system32/kbdus.dll process_alloc_user_handle handle = 0000003c 1011: NtOpenFile retval=00000000 ret=77f8e927 1011: NtCreateSection(0006f2c8,0000000f,00000000,00000000,00000010,01000000,0000003c) ret=77f8e946 NtCreateSection 0x6f2c8 0000000f (nil) (nil) 00000010 01000000 0x3c access_allowed fixme: no access check process_alloc_user_handle handle = 00000040 1011: NtCreateSection retval=00000000 ret=77f8e946 1011: NtClose(0000003c) ret=77f8e951 NtClose 0x3c 1011: NtClose retval=00000000 ret=77f8e951 1011: NtMapViewOfSection(00000040,ffffffff,0006f2cc,00000000,00000000,00000000,0006f2c4,00000001,00000000,00000004) ret=77f86ff9 NtMapViewOfSection 0x40 0xffffffff 0x6f2cc 0 00000000 (nil) 0x6f2c4 1 00000000 00000004 access_allowed fixme: no access check mapit image at 0x5ff60000 mapit read 3 sections, load at 5ff60000 mapit .data 00001000 00000600 00000c00 00000a9a mapit .rsrc 00002000 00001200 00000400 000003d0 mapit .reloc 00003000 00001600 00000200 000000c0 NtMapViewOfSection mapped at 0x5ff60000 1011: NtMapViewOfSection retval=00000000 ret=77f86ff9 1011: NtClose(00000040) ret=77f870b4 NtClose 0x40 1011: NtClose retval=00000000 ret=77f870b4 1011 (debug 6f05c,0,14) : LDR: Real INIT LIST 1011 (debug 6f328,727f0,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f324,6f328,c) : ORDINAL - 5 1011 (debug 6f328,c,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f324,6f328,c) : ORDINAL - 3 1011 (debug 6f328,c,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f324,6f328,c) : ORDINAL - 1 1011 (debug 6f370,70640,11) : LDR: UNINIT LIST 1011 (debug 6f35c,0,43) : (1) [KBDUS.DLL] C:\WINNT\system32\KBDUS.DLL (0) deinit 0 1011 (debug 6f36c,31282020,1b) : LDR: Unmapping [KBDUS.DLL] 1011: NtUnmapViewOfSection(ffffffff,5ff60000) ret=77f91f50 NtUnmapViewOfSection 0xffffffff 0x5ff60000 1011: NtUnmapViewOfSection retval=00000000 ret=77f91f50 1011: NtFreeVirtualMemory(ffffffff,0006f4e4,0006f4e8,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f4e4 0x6f4e8 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtAllocateVirtualMemory(ffffffff,0006f12c,00000000,0006f14c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f224,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f224 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtCreateFile(0006f62c,80100080,0006f5c8,0006f600,00000000,00000000,00000001,00000001,00000060,00000000,00000000) ret=7c4ec506 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\KBDUS.DLL open_file root = (nil) name = \??\C:\WINNT\system32\KBDUS.DLL open_unicode_file open file : c:/winnt/system32/kbdus.dll process_alloc_user_handle handle = 0000003c 1011: NtCreateFile retval=00000000 ret=7c4ec506 1011: NtFreeVirtualMemory(ffffffff,0006f50c,0006f510,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f50c 0x6f510 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtUserLoadKeyboardLayoutEx(0000003c,00001608,00000000,0006fe34,04090409,40000003) ret=77e3eca7 NtUserLoadKeyboardLayoutEx 1011: NtUserLoadKeyboardLayoutEx retval=00000001 ret=77e3eca7 1011: NtClose(0000003c) ret=77e3ec61 NtClose 0x3c 1011: NtClose retval=00000000 ret=77e3ec61 1011: NtUserSetImeHotKey(00000000,00000000,00000000,00000000,00000003) ret=77e3e9cb NtUserSetImeHotKey 1011: NtUserSetImeHotKey retval=00000001 ret=77e3e9cb 1011: NtOpenThreadToken(fffffffe,00020008,00000001,0006fd7c) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x6fd7c 1011: NtOpenThreadToken retval=c000007c ret=77f961d7 1011: NtOpenProcessToken(ffffffff,00020008,0006fd7c) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x6fd7c process_alloc_user_handle handle = 0000003c 1011: NtOpenProcessToken retval=00000000 ret=77f961f6 1011: NtQueryInformationToken(0000003c,00000001,0006fd1c,00000050,0006fd74) ret=77f96212 NtQueryInformationToken 0x3c 1 0x6fd1c 80 0x6fd74 access_allowed fixme: no access check NtQueryInformationToken TokenUser 1011: NtQueryInformationToken retval=00000000 ret=77f96212 1011: NtClose(0000003c) ret=77f9621c NtClose 0x3c 1011: NtClose retval=00000000 ret=77f9621c 1011: NtOpenKey(0006fe30,02000000,0006fd98) ret=77f83183 NtOpenKey 0x6fe30 02000000 0x6fd98 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=77f83183 1011: NtOpenKey(0006fe34,00020019,0006fe0c) ret=77e3ea4c NtOpenKey 0x6fe34 00020019 0x6fe0c NtOpenKey len 00000018 root 0x3c attr 00000040 Control Panel\Input Method\Hot Keys open_parse_key remaining = Input Method\Hot Keys NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77e3ea4c 1011: NtClose(0000003c) ret=77e4b854 NtClose 0x3c 1011: NtClose retval=00000000 ret=77e4b854 1011: NtUserGetKeyboardLayoutList(00000000,00000000) ret=77e3e8f0 NtUserGetKeyboardLayoutList 00000000, 00000000 1011: NtUserGetKeyboardLayoutList retval=00000000 ret=77e3e8f0 1011: NtAllocateVirtualMemory(ffffffff,0006fb48,00000000,0006fb68,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f958,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f958 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(00077224,80100000,0006fcfc,0006fd1c,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\keyboardlayout.ini open_file root = (nil) name = \??\C:\WINNT\keyboardlayout.ini open_unicode_file open file : c:/winnt/keyboardlayout.ini 1011: NtOpenFile retval=c000003a ret=7c4f4094 1011: NtClose(00000000) ret=7c4fca51 NtClose (nil) 1011: NtClose retval=c0000008 ret=7c4fca51 1011: NtFreeVirtualMemory(ffffffff,0006fcd4,0006fcd8,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6fcd4 0x6fcd8 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtUserUpdatePerUserSystemParameters(00000000,00000000) ret=77e3f15c NtUserUpdatePerUserSystemParameters 1011: NtUserUpdatePerUserSystemParameters retval=00000001 ret=77e3f15c 1011: NtUserSystemParametersInfo(00000014,ffffffff,00000000,00000000) ret=77e3383e NtUserSystemParametersInfo 1011: NtUserSystemParametersInfo retval=00000001 ret=77e3383e 1011: NtSetInformationThread(00000038,00000005,0006febc,00000004) ret=010018e0 NtSetInformationThread 0x38 5 0x6febc 4 access_allowed fixme: no access check 1011: NtSetInformationThread retval=c0000008 ret=010018e0 1011: NtClose(00000038) ret=010018eb NtClose 0x38 1011: NtClose retval=00000000 ret=010018eb 1011: NtUserSetWindowStationUser(f00d2000,0006ff08,00000000,00000000) ret=77e3f315 NtUserSetWindowStationUser 1011: NtUserSetWindowStationUser retval=00000001 ret=77e3f315 1011: NtRequestWaitReplyPort(0000001c,0006fe98,0006fe98) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6fe98 0x6fe98 access_allowed fixme: no access check dump DataSize = 20 dump MessageSize = 44 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 270 dump SectionSize = 00000000 address 0x80c595c 00 00 00 00 02 04 03 00 01 00 00 00 c0 6b 07 00 .............k.. 00 00 00 00 .... 0a0d: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a0d: NtImpersonateThread(fffffffe,00000090,5ff98050) ret=5ff954c8 NtImpersonateThread access_allowed fixme: no access check 0a0d: NtImpersonateThread retval=00000000 ret=5ff954c8 0a0d: NtQueryDefaultLocale(00000000,7fef106c) ret=5ffa76d4 NtQueryDefaultLocale 0 0x7fef106c 0a0d: NtQueryDefaultLocale retval=00000000 ret=5ffa76d4 0a0d: NtOpenThreadToken(fffffffe,00020008,00000001,0054fe54) ret=77f961d7 NtOpenThreadToken 0xfffffffe 00020008 1 0x54fe54 0a0d: NtOpenThreadToken retval=c000007c ret=77f961d7 0a0d: NtOpenProcessToken(ffffffff,00020008,0054fe54) ret=77f961f6 NtOpenProcessToken 0xffffffff 00020008 0x54fe54 process_alloc_user_handle handle = 0000009c 0a0d: NtOpenProcessToken retval=00000000 ret=77f961f6 0a0d: NtQueryInformationToken(0000009c,00000001,0054fdf4,00000050,0054fe4c) ret=77f96212 NtQueryInformationToken 0x9c 1 0x54fdf4 80 0x54fe4c access_allowed fixme: no access check NtQueryInformationToken TokenUser 0a0d: NtQueryInformationToken retval=00000000 ret=77f96212 0a0d: NtClose(0000009c) ret=77f9621c NtClose 0x9c 0a0d: NtClose retval=00000000 ret=77f9621c 0a0d: NtOpenKey(0054feac,02000000,0054fe70) ret=77f83183 NtOpenKey 0x54feac 02000000 0x54fe70 NtOpenKey len 00000018 root (nil) attr 00000040 \REGISTRY\USER\S-1-5-18 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000009c 0a0d: NtOpenKey retval=00000000 ret=77f83183 0a0d: NtOpenKey(0054feb0,00020019,0054fe70) ret=5ffb95b3 NtOpenKey 0x54feb0 00020019 0x54fe70 NtOpenKey len 00000018 root 0x9c attr 00000040 Control Panel\Desktop open_parse_key remaining = Desktop NtOpenKey open_key returned c0000034 0a0d: NtOpenKey retval=c0000034 ret=5ffb95b3 0a0d: NtClose(0000009c) ret=5ffbf2ca NtClose 0x9c 0a0d: NtClose retval=00000000 ret=5ffbf2ca 0a0d: NtOpenKey(0054feb0,00020019,0054fe70) ret=5ffb95b3 NtOpenKey 0x54feb0 00020019 0x54fe70 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000009c 0a0d: NtOpenKey retval=00000000 ret=5ffb95b3 0a0d: NtQueryDefaultLocale(00000001,0054fd58) ret=77f869de NtQueryDefaultLocale 1 0x54fd58 0a0d: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0d: NtQueryValueKey(0000009c,0054fe80,00000002,0054fe48,00000038,0054fe88) ret=5ffbf35e NtQueryValueKey 0x9c 0x54fe80 2 0x54fe48 56 0x54fe88 NtQueryValueKey WaitToKillServiceTimeout 0a0d: NtQueryValueKey retval=c0000034 ret=5ffbf35e 0a0d: NtQueryDefaultLocale(00000001,0054fd58) ret=77f869de NtQueryDefaultLocale 1 0x54fd58 0a0d: NtQueryDefaultLocale retval=00000000 ret=77f869de 0a0d: NtQueryValueKey(0000009c,0054fe80,00000002,0054fe48,00000038,0054fe88) ret=5ffbf35e NtQueryValueKey 0x9c 0x54fe80 2 0x54fe48 56 0x54fe88 NtQueryValueKey ProcessTerminateTimeout 0a0d: NtQueryValueKey retval=c0000034 ret=5ffbf35e 0a0d: NtClose(0000009c) ret=5ffbf314 NtClose 0x9c 0a0d: NtClose retval=00000000 ret=5ffbf314 0a0d: NtSetInformationThread(fffffffe,00000005,0054feb0,00000004) ret=5ff9551a NtSetInformationThread 0xfffffffe 5 0x54feb0 4 0a0d: NtSetInformationThread retval=c0000008 ret=5ff9551a 0a0d: NtUserSystemParametersInfo(00000068,00000000,5ffe85ac,00000000) ret=77e3383e NtUserSystemParametersInfo 0a0d: NtUserSystemParametersInfo retval=00000001 ret=77e3383e 0a0d: NtUserGetThreadState(00000011) ret=77e15bd2 0a0d: NtUserGetThreadState retval=00000001 ret=77e15bd2 0a0d: NtUserGetThreadState(00000011) ret=77e15bd2 0a0d: NtUserGetThreadState retval=00000001 ret=77e15bd2 0a0d: NtUserGetThreadState(00000011) ret=77e15bd2 0a0d: NtUserGetThreadState retval=00000001 ret=77e15bd2 0a0d: NtUserGetThreadState(00000011) ret=77e15bd2 0a0d: NtUserGetThreadState retval=00000001 ret=77e15bd2 0a0d: NtUserGetThreadState(00000011) ret=77e15bd2 0a0d: NtUserGetThreadState retval=00000001 ret=77e15bd2 0a0d: NtUserGetThreadState(00000011) ret=77e4b061 0a0d: NtUserGetThreadState retval=00000001 ret=77e4b061 0a0d: NtUserGetCaretBlinkTime() ret=77e15d44 NtUserGetCaretBlinkTime 0a0d: NtUserGetCaretBlinkTime retval=00000064 ret=77e15d44 0a0d: NtReplyWaitReceivePort(00000094,0054ff08,0054ff2c,0054ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x54ff08 0x54ff2c 0x54ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c5938 (nil) dump DataSize = 20 dump MessageSize = 44 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 000d dump MessageId = 270 dump SectionSize = 00000000 address 0x80c595c 00 00 00 00 02 04 03 00 00 00 00 00 c0 6b 07 00 .............k.. 00 00 00 00 .... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011: NtCreateEvent(0006ff20,001f0003,0006ff08,00000001,00000000) ret=010038c0 NtCreateEvent 0x6ff20 001f0003 0x6ff08 1 0 create name = \Security\NetworkProviderLoad process_alloc_user_handle handle = 00000038 1011: NtCreateEvent retval=00000000 ret=010038c0 1011: NtOpenKey(0006ff1c,00020019,0006fc74) ret=7c2d208a NtOpenKey 0x6ff1c 00020019 0x6fc74 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtAllocateVirtualMemory(ffffffff,0006f84c,00000000,0006f86c,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011 (debug 6f558,77f95523,96) : LDR: LdrLoadDll, loading C:\WINNT\system32\sfc.dll from \??\C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f070,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f070 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f434,0006f40c) ret=77f8cb7a NtQueryAttributesFile 0x6f434 0x6f40c NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\sfc.dll stat_unicode c:/winnt/system32/sfc.dll -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\sfc.dll 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f364,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f364 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtFreeVirtualMemory(ffffffff,0006f990,0006f994,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6f990 0x6f994 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011 (debug 6f7b8,76e01,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f7b4,6f7b8,18) : NAME - SfcWLEventLogoff 1011 (debug 6f7b8,18,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f7b4,6f7b8,17) : NAME - SfcWLEventLogon 1011: NtEnumerateKey(0000003c,00000000,00000000,0006fb64,00000120,0006fca4) ret=7c2d3d82 1011: NtEnumerateKey retval=8000001a ret=7c2d3d82 1011: NtClose(0000003c) ret=7c2d1f22 NtClose 0x3c 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtUserSetThreadDesktop(f00d2001) ret=01002662 NtUserSetThreadDesktop 1011: NtUserSetThreadDesktop retval=00000001 ret=01002662 1011: NtOpenKey(0006ff20,00020019,0006fe8c) ret=7c2d208a NtOpenKey 0x6ff20 00020019 0x6fe8c NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Control\Lsa NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000003c 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(0000003c,0006fee0,00000002,0006fe10,00000090,0006fea8) ret=7c2d2271 NtQueryValueKey 0x3c 0x6fee0 2 0x6fe10 144 0x6fea8 NtQueryValueKey SecureBoot reg_query_value SecureBoot 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtOpenKey(01022220,00020019,0006fe7c) ret=7c2d208a NtOpenKey 0x1022220 00020019 0x6fe7c NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Control\Lsa NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000040 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtOpenKey(0006feec,00020019,0006fe3c) ret=7c2d208a NtOpenKey 0x6feec 00020019 0x6fe3c NtOpenKey len 00000018 root 0x40 attr 00000040 JD NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000044 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryKey(00000044,00000002,0006fd38,000000b0,0006fc70) ret=7c2d46a8 query full information query class = cf845301 query keycls = cf845301 1011: NtQueryKey retval=00000000 ret=7c2d46a8 1011: NtQuerySecurityObject(00000044,00000007,0006fde8,00000000,0006fe6c) ret=7c2d4574 NtQuerySecurityObject 00000007 = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4574 1011: NtQuerySecurityObject(00000044,0000000f,0006fde8,00000000,0006fe20) ret=7c2d4592 NtQuerySecurityObject 0000000f = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION SACL_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4592 1011: NtClose(00000044) ret=7c2d1f22 NtClose 0x44 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006feec,00020019,0006fe3c) ret=7c2d208a NtOpenKey 0x6feec 00020019 0x6fe3c NtOpenKey len 00000018 root 0x40 attr 00000040 Skew1 NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000044 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryKey(00000044,00000002,0006fd38,000000b0,0006fc70) ret=7c2d46a8 query full information query class = cf845301 query keycls = cf845301 1011: NtQueryKey retval=00000000 ret=7c2d46a8 1011: NtQuerySecurityObject(00000044,00000007,0006fde8,00000000,0006fe6c) ret=7c2d4574 NtQuerySecurityObject 00000007 = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4574 1011: NtQuerySecurityObject(00000044,0000000f,0006fde8,00000000,0006fe20) ret=7c2d4592 NtQuerySecurityObject 0000000f = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION SACL_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4592 1011: NtClose(00000044) ret=7c2d1f22 NtClose 0x44 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006feec,00020019,0006fe3c) ret=7c2d208a NtOpenKey 0x6feec 00020019 0x6fe3c NtOpenKey len 00000018 root 0x40 attr 00000040 GBG NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000044 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryKey(00000044,00000002,0006fd38,000000b0,0006fc70) ret=7c2d46a8 query full information query class = cf845301 query keycls = cf845301 1011: NtQueryKey retval=00000000 ret=7c2d46a8 1011: NtQuerySecurityObject(00000044,00000007,0006fde8,00000000,0006fe6c) ret=7c2d4574 NtQuerySecurityObject 00000007 = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4574 1011: NtQuerySecurityObject(00000044,0000000f,0006fde8,00000000,0006fe20) ret=7c2d4592 NtQuerySecurityObject 0000000f = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION SACL_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4592 1011: NtClose(00000044) ret=7c2d1f22 NtClose 0x44 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006feec,00020019,0006fe3c) ret=7c2d208a NtOpenKey 0x6feec 00020019 0x6fe3c NtOpenKey len 00000018 root 0x40 attr 00000040 Data NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000044 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryKey(00000044,00000002,0006fd38,000000b0,0006fc70) ret=7c2d46a8 query full information query class = cf845301 query keycls = cf845301 1011: NtQueryKey retval=00000000 ret=7c2d46a8 1011: NtQuerySecurityObject(00000044,00000007,0006fde8,00000000,0006fe6c) ret=7c2d4574 NtQuerySecurityObject 00000007 = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4574 1011: NtQuerySecurityObject(00000044,0000000f,0006fde8,00000000,0006fe20) ret=7c2d4592 NtQuerySecurityObject 0000000f = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION SACL_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4592 1011: NtClose(00000044) ret=7c2d1f22 NtClose 0x44 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtAllocateVirtualMemory(ffffffff,0006fae0,00000000,0006faf4,00002000,00000004) ret=7c4eba6f NtAllocateVirtualMemory returns 0x290000 00040000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4eba6f 1011: NtAllocateVirtualMemory(ffffffff,0006fae0,00000000,0006faf0,00001000,00000004) ret=7c4ebac0 NtAllocateVirtualMemory returns 0x2cd000 00003000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4ebac0 1011: NtProtectVirtualMemory(ffffffff,0006fae0,0006fadc,00000104,0006fad8) ret=7c4ebaf3 NtProtectVirtualMemory 0xffffffff 0x6fae0 0x6fadc 260 0x6fad8 NtProtectVirtualMemory 0x2cd000 00001000 1011: NtProtectVirtualMemory retval=00000000 ret=7c4ebaf3 1011: NtCreateThread(0006fea0,001f03ff,00000000,ffffffff,0006fea8,0006fb0c,0006fe6c,00000001) ret=7c4f344c NtCreateThread 0x6fea0 001f03ff (nil) 0xffffffff 0x6fea8 0x6fb0c 0x6fe6c 1 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000044 1011: NtCreateThread retval=00000000 ret=7c4f344c 1011: NtRequestWaitReplyPort(0000001c,0006fdd8,0006fdd8) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6fdd8 0x6fdd8 access_allowed fixme: no access check dump DataSize = 28 dump MessageSize = 52 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 271 dump SectionSize = 00000000 address 0x80c6124 00 00 00 00 01 00 01 00 f8 0b f7 7f 60 fe 06 00 ............`... 44 00 00 00 10 00 00 00 13 00 00 00 D........... 0a12: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a12: NtDuplicateObject(00000014,00000044,ffffffff,0061feb4,00000000,00000000,00000002) ret=5ffa44e6 NtDuplicateObject 0x14 0x44 0xffffffff 0x61feb4 00000000 00000000 00000002 access_allowed fixme: no access check NtDuplicateObject source process 0x80c1c20 access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 0000009c NtDuplicateObject new handle is 0x9c 0a12: NtDuplicateObject retval=00000000 ret=5ffa44e6 0a12: NtQueryInformationThread(0000009c,00000001,0061fe68,00000020,00000000) ret=5ff9505a NtQueryInformationThread 0x9c 1 0x61fe68 32 (nil) access_allowed fixme: no access check 0a12: NtQueryInformationThread retval=00000000 ret=5ff9505a 0a12: NtReplyWaitReceivePort(00000094,0061ff08,0061ff2c,0061ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x61ff08 0x61ff2c 0x61ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c6100 (nil) dump DataSize = 28 dump MessageSize = 52 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 0012 dump MessageId = 271 dump SectionSize = 00000000 address 0x80c6124 00 00 00 00 01 00 01 00 00 00 00 00 60 fe 06 00 ............`... 44 00 00 00 10 00 00 00 13 00 00 00 D........... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011: NtResumeThread(00000044,0006fe68) ret=7c4f34c7 NtResumeThread 0x44 0x6fe68 access_allowed fixme: no access check 1011: NtResumeThread retval=00000000 ret=7c4f34c7 1013: NtTestAlert() ret=77f84bcb 1013: NtTestAlert retval=00000000 ret=77f84bcb 1011: NtClose(0000003c) ret=7c2d1f22 NtClose 0x3c 1011: NtClose retval=00000000 ret=7c2d1f22 1013: NtContinue(002cfd2c,00000001) ret=77f8855e NtContinue 0x2cfd2c 1 eax 01004368 ebx 00000000 ecx 77fcbaef edx 000001bf esi 00070000 edi 00000000 ebp 00077208 efl 00003000 cs:eip 0018:7c4e9824 ss:esp 0020:002cfffc ds 007b es 007b fs 003b gs 0000 1013: NtContinue retval=00000000 ret=77f8855e 1011: NtCreateTimer(77fd0398,001f0003,00000000,00000000) ret=77f97903 NtCreateTimer 0x77fd0398 001f0003 (nil) 0 process_alloc_user_handle handle = 0000003c 1011: NtCreateTimer retval=00000000 ret=77f97903 1013: NtCreatePort(002cffa8,002cff7c,00000004,00000040,00000040) ret=010043b8 NtCreatePort 0x2cffa8 0x2cff7c 4 64 0x40 NtCreatePort root = (nil) port = \Security\WxApiPort process_alloc_user_handle handle = 00000048 1013: NtCreatePort retval=00000000 ret=010043b8 1011: NtAllocateVirtualMemory(ffffffff,0006fa48,00000000,0006fa5c,00002000,00000004) ret=7c4eba6f NtAllocateVirtualMemory returns 0x2d0000 00040000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4eba6f 1013: NtReplyWaitReceivePort(00000048,002cffa0,00000000,002cff3c) ret=01004417 NtReplyWaitReceivePort 0x48 0x2cffa0 (nil) 0x2cff3c access_allowed fixme: no access check reply_wait_receive 0x80c6770 (nil) (nil) 1011: NtAllocateVirtualMemory(ffffffff,0006fa48,00000000,0006fa58,00001000,00000004) ret=7c4ebac0 NtAllocateVirtualMemory returns 0x30d000 00003000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4ebac0 1011: NtProtectVirtualMemory(ffffffff,0006fa48,0006fa44,00000104,0006fa40) ret=7c4ebaf3 NtProtectVirtualMemory 0xffffffff 0x6fa48 0x6fa44 260 0x6fa40 NtProtectVirtualMemory 0x30d000 00001000 1011: NtProtectVirtualMemory retval=00000000 ret=7c4ebaf3 1011: NtCreateThread(0006fe08,001f03ff,00000000,ffffffff,0006fe10,0006fa74,0006fdd4,00000001) ret=7c4f344c NtCreateThread 0x6fe08 001f03ff (nil) 0xffffffff 0x6fe10 0x6fa74 0x6fdd4 1 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 0000004c 1011: NtCreateThread retval=00000000 ret=7c4f344c 1011: NtRequestWaitReplyPort(0000001c,0006fd40,0006fd40) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6fd40 0x6fd40 access_allowed fixme: no access check dump DataSize = 28 dump MessageSize = 52 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 272 dump SectionSize = 00000000 address 0x80c6c44 00 00 00 00 01 00 01 00 00 00 00 00 63 00 66 00 ............c.f. 4c 00 00 00 10 00 00 00 14 00 00 00 L........... 0a0d: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a0d: NtDuplicateObject(00000014,0000004c,ffffffff,0054feb4,00000000,00000000,00000002) ret=5ffa44e6 NtDuplicateObject 0x14 0x4c 0xffffffff 0x54feb4 00000000 00000000 00000002 access_allowed fixme: no access check NtDuplicateObject source process 0x80c1c20 access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 000000a0 NtDuplicateObject new handle is 0xa0 0a0d: NtDuplicateObject retval=00000000 ret=5ffa44e6 0a0d: NtQueryInformationThread(000000a0,00000001,0054fe68,00000020,00000000) ret=5ff9505a NtQueryInformationThread 0xa0 1 0x54fe68 32 (nil) access_allowed fixme: no access check 0a0d: NtQueryInformationThread retval=00000000 ret=5ff9505a 0a0d: NtReplyWaitReceivePort(00000094,0054ff08,0054ff2c,0054ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x54ff08 0x54ff2c 0x54ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c6c20 (nil) dump DataSize = 28 dump MessageSize = 52 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 000d dump MessageId = 272 dump SectionSize = 00000000 address 0x80c6c44 00 00 00 00 01 00 01 00 00 00 00 00 63 00 66 00 ............c.f. 4c 00 00 00 10 00 00 00 14 00 00 00 L........... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011: NtResumeThread(0000004c,0006fdd0) ret=7c4f34c7 NtResumeThread 0x4c 0x6fdd0 access_allowed fixme: no access check 1011: NtResumeThread retval=00000000 ret=7c4f34c7 1014: NtTestAlert() ret=77f84bcb 1014: NtTestAlert retval=00000000 ret=77f84bcb 1011: NtDelayExecution(00000000,0006fe58) ret=7c502b46 NtDelayExecution timeout = fffffffffffe7960 1014: NtContinue(0030fd2c,00000001) ret=77f8855e NtContinue 0x30fd2c 1 eax 77f85c00 ebx 0006fe60 ecx 0006fb10 edx 00000200 esi 0000006c edi 006c0064 ebp 00070000 efl 00003000 cs:eip 0018:7c4e9824 ss:esp 0020:0030fffc ds 007b es 007b fs 003b gs 0000 1014: NtContinue retval=00000000 ret=77f8855e 1014: NtCancelTimer(0000003c,00000000) ret=77f88c80 access_allowed fixme: no access check 1014: NtCancelTimer retval=00000000 ret=77f88c80 1014: NtSetTimer(0000003c,0030ff90,77f8ab3b,00000000,00000000,00000000,00000000) ret=77f88d1d NtSetTimer due = 8000000000000000 access_allowed fixme: no access check 1014: NtSetTimer retval=00000000 ret=77f88d1d 1014: NtDelayExecution(00000001,0030ffac) ret=77f85c42 NtDelayExecution timeout = 8000000000000000 1011: NtDelayExecution retval=00000000 ret=7c502b46 1011: NtQueueApcThread(0000004c,77f8ff45,00076fa0,00000000,00000000) ret=77f8ff3f NtQueueApcThread 0x4c 0x77f8ff45 0x76fa0 (nil) (nil) access_allowed fixme: no access check 1011: NtQueueApcThread retval=00000000 ret=77f8ff3f get_proc_address KiUserApcDispatcher 1014: NtDelayExecution retval=000000c0 ret=77f85c42 1011: NtQueryVirtualMemory(ffffffff,00010000,00000000,0006fea8,0000001c,00000000) ret=77f97a63 NtQueryVirtualMemory 0xffffffff 0x10000 0 0x6fea8 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f97a63 1014: NtQueryTimer(0000003c,00000000,0030fc94,00000010,0030fcac) ret=77f9179d access_allowed fixme: no access check 1014: NtQueryTimer retval=00000000 ret=77f9179d 1011: NtAllocateVirtualMemory(ffffffff,0006fe9c,00000000,0006feb4,00001000,00000004) ret=77f97a85 NtAllocateVirtualMemory returns 0x310000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77f97a85 1014: NtCancelTimer(0000003c,00000000) ret=77f88c80 access_allowed fixme: no access check 1014: NtCancelTimer retval=00000000 ret=77f88c80 1011: NtOpenKey(0006fed8,00000001,0006fc0c) ret=7c2d208a NtOpenKey 0x6fed8 00000001 0x6fc0c NtOpenKey len 00000018 root 0x24 attr 00000040 System\CurrentControlSet\Control\Session Manager\Environment NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000050 1011: NtOpenKey retval=00000000 ret=7c2d208a 1014: NtSetTimer(0000003c,0030fc94,77f8ab3b,00000000,00000000,00000000,00000000) ret=77f88d1d NtSetTimer due = fffffffffa0a1f00 access_allowed fixme: no access check 1014: NtSetTimer retval=00000000 ret=77f88d1d 1011: NtQueryKey(00000050,00000002,0006fb14,000000b0,0006fa4c) ret=7c2d46a8 query full information query class = (null us) query keycls = (null us) 1011: NtQueryKey retval=00000000 ret=7c2d46a8 1014: NtContinue(0030fcd4,00000001) ret=77f8855e NtContinue 0x30fcd4 1 eax 000000c0 ebx 0006fe60 ecx 0006fe60 edx 0030ffa4 esi 0000006c edi 006c0064 ebp 0030ffb4 efl 00010246 cs:eip 0073:77f8915e ss:esp 007b:0030ffa0 ds 007b es 007b fs 003b gs 0000 1014: NtContinue retval=00000000 ret=77f8855e 1011: NtQuerySecurityObject(00000050,00000007,0006fbc4,00000000,0006fc3c) ret=7c2d4574 NtQuerySecurityObject 00000007 = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4574 1014: NtDelayExecution(00000001,0030ffac) ret=77f85c42 NtDelayExecution timeout = 8000000000000000 1011: NtQuerySecurityObject(00000050,0000000f,0006fbc4,00000000,0006fbfc) ret=7c2d4592 NtQuerySecurityObject 0000000f = OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION SACL_SECURITY_INFORMATION DACL_SECURITY_INFORMATION 1011: NtQuerySecurityObject retval=c0000023 ret=7c2d4592 1011: NtAllocateVirtualMemory(ffffffff,0006fa60,00000000,0006fa80,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtEnumerateValueKey(00000050,00000000,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 0 1 0x6fb3c 216 0x6fc14 reg_query_value ComSpec 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000001,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 1 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_ARCHITECTURE 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000002,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 2 1 0x6fb3c 216 0x6fc14 reg_query_value Path 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000003,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 3 1 0x6fb3c 216 0x6fc14 reg_query_value TEMP 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000004,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 4 1 0x6fb3c 216 0x6fc14 reg_query_value TMP 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000005,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 5 1 0x6fb3c 216 0x6fc14 reg_query_value windir 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000006,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 6 1 0x6fb3c 216 0x6fc14 reg_query_value OS 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000007,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 7 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_ARCHITECTURE 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000008,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 8 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_LEVEL 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000009,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 9 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_IDENTIFIER 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,0000000a,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 10 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_REVISION 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,0000000b,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 11 1 0x6fb3c 216 0x6fc14 reg_query_value NUMBER_OF_PROCESSORS 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000000,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 0 1 0x6fb3c 216 0x6fc14 reg_query_value ComSpec 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000001,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 1 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_ARCHITECTURE 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000002,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 2 1 0x6fb3c 216 0x6fc14 reg_query_value Path 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000003,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 3 1 0x6fb3c 216 0x6fc14 reg_query_value TEMP 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtQueryInformationProcess(ffffffff,0000000c,0006f15c,00000004,00000000) ret=7c4fab92 NtQueryInformationProcess 0xffffffff 12 0x6f15c 4 (nil) 1011: NtQueryInformationProcess retval=00000000 ret=7c4fab92 1011: NtSetInformationProcess(ffffffff,0000000c,0006f16c,00000004) ret=7c4fabd5 NtSetInformationProcess 0xffffffff 12 0x6f16c 4 NtSetInformationProcess set ProcessDefaultHardErrorMode 1011: NtSetInformationProcess retval=00000000 ret=7c4fabd5 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006ed78,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6ed78 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f144,0006f11c) ret=7c4fb633 NtQueryAttributesFile 0x6f144 0x6f11c NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\TEMP stat_unicode c:/winnt/temp -> 0 NtQueryAttributesFile found \??\C:\WINNT\TEMP 1011: NtQueryAttributesFile retval=00000000 ret=7c4fb633 1011: NtQueryInformationProcess(ffffffff,0000000c,0006f15c,00000004,00000000) ret=7c4fab92 NtQueryInformationProcess 0xffffffff 12 0x6f15c 4 (nil) 1011: NtQueryInformationProcess retval=00000000 ret=7c4fab92 1011: NtSetInformationProcess(ffffffff,0000000c,0006f16c,00000004) ret=7c4fabd5 NtSetInformationProcess 0xffffffff 12 0x6f16c 4 NtSetInformationProcess set ProcessDefaultHardErrorMode 1011: NtSetInformationProcess retval=00000000 ret=7c4fabd5 1011: NtEnumerateValueKey(00000050,00000004,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 4 1 0x6fb3c 216 0x6fc14 reg_query_value TMP 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtQueryInformationProcess(ffffffff,0000000c,0006f15c,00000004,00000000) ret=7c4fab92 NtQueryInformationProcess 0xffffffff 12 0x6f15c 4 (nil) 1011: NtQueryInformationProcess retval=00000000 ret=7c4fab92 1011: NtSetInformationProcess(ffffffff,0000000c,0006f16c,00000004) ret=7c4fabd5 NtSetInformationProcess 0xffffffff 12 0x6f16c 4 NtSetInformationProcess set ProcessDefaultHardErrorMode 1011: NtSetInformationProcess retval=00000000 ret=7c4fabd5 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006ed78,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6ed78 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f144,0006f11c) ret=7c4fb633 NtQueryAttributesFile 0x6f144 0x6f11c NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\TEMP stat_unicode c:/winnt/temp -> 0 NtQueryAttributesFile found \??\C:\WINNT\TEMP 1011: NtQueryAttributesFile retval=00000000 ret=7c4fb633 1011: NtQueryInformationProcess(ffffffff,0000000c,0006f15c,00000004,00000000) ret=7c4fab92 NtQueryInformationProcess 0xffffffff 12 0x6f15c 4 (nil) 1011: NtQueryInformationProcess retval=00000000 ret=7c4fab92 1011: NtSetInformationProcess(ffffffff,0000000c,0006f16c,00000004) ret=7c4fabd5 NtSetInformationProcess 0xffffffff 12 0x6f16c 4 NtSetInformationProcess set ProcessDefaultHardErrorMode 1011: NtSetInformationProcess retval=00000000 ret=7c4fabd5 1011: NtEnumerateValueKey(00000050,00000005,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 5 1 0x6fb3c 216 0x6fc14 reg_query_value windir 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000006,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 6 1 0x6fb3c 216 0x6fc14 reg_query_value OS 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000007,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 7 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_ARCHITECTURE 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000008,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 8 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_LEVEL 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,00000009,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 9 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_IDENTIFIER 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,0000000a,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 10 1 0x6fb3c 216 0x6fc14 reg_query_value PROCESSOR_REVISION 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtEnumerateValueKey(00000050,0000000b,00000001,0006fb3c,000000d8,0006fc14) ret=7c2d4cc1 NtEnumerateValueKey 0x50 11 1 0x6fb3c 216 0x6fc14 reg_query_value NUMBER_OF_PROCESSORS 1011: NtEnumerateValueKey retval=00000000 ret=7c2d4cc1 1011: NtClose(00000050) ret=7c2d1f22 NtClose 0x50 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtFreeVirtualMemory(ffffffff,0006fb9c,0006fba0,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6fb9c 0x6fba0 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtOpenKey(0006ee90,00020019,0006ee58) ret=7c4ef845 NtOpenKey 0x6ee90 00020019 0x6ee58 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\ComputerName NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000050 1011: NtOpenKey retval=00000000 ret=7c4ef845 1011: NtOpenKey(0006ee30,00020019,0006ee18) ret=7c4ef71e NtOpenKey 0x6ee30 00020019 0x6ee18 NtOpenKey len 00000018 root 0x50 attr 00000040 ActiveComputerName NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000054 1011: NtOpenKey retval=00000000 ret=7c4ef71e 1011: NtQueryValueKey(00000054,0006ee04,00000001,0006ed98,0000006c,0006ee0c) ret=7c4ef750 NtQueryValueKey 0x54 0x6ee04 1 0x6ed98 108 0x6ee0c NtQueryValueKey ComputerName reg_query_value ComputerName 1011: NtQueryValueKey retval=00000000 ret=7c4ef750 1011: NtClose(00000054) ret=7c4ef75c NtClose 0x54 1011: NtClose retval=00000000 ret=7c4ef75c 1011: NtClose(00000050) ret=7c4ef8a2 NtClose 0x50 1011: NtClose retval=00000000 ret=7c4ef8a2 1011: NtAllocateVirtualMemory(ffffffff,0006e440,00000000,0006e460,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFreeVirtualMemory(ffffffff,0006e57c,0006e580,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6e57c 0x6e580 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtOpenKey(0006fee0,00020019,0006ee24) ret=7c2d208a NtOpenKey 0x6fee0 00020019 0x6ee24 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows\CurrentVersion NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000050 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000050,0006ee78,00000002,0006eda8,00000090,0006ee40) ret=7c2d2271 NtQueryValueKey 0x50 0x6ee78 2 0x6eda8 144 0x6ee40 NtQueryValueKey ProgramFilesDir reg_query_value ProgramFilesDir 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtAllocateVirtualMemory(ffffffff,0006e440,00000000,0006e460,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFreeVirtualMemory(ffffffff,0006e57c,0006e580,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6e57c 0x6e580 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtQueryVirtualMemory(ffffffff,00310000,00000000,0006e60c,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x310000 0 0x6e60c 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 1011: NtQueryVirtualMemory(ffffffff,00010000,00000000,0006ee20,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x10000 0 0x6ee20 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 1011: NtQueryValueKey(00000050,0006ee78,00000002,0006eda8,00000090,0006ee40) ret=7c2d2271 NtQueryValueKey 0x50 0x6ee78 2 0x6eda8 144 0x6ee40 NtQueryValueKey CommonFilesDir reg_query_value CommonFilesDir 1011: NtQueryValueKey retval=00000000 ret=7c2d2271 1011: NtAllocateVirtualMemory(ffffffff,0006e440,00000000,0006e460,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtFreeVirtualMemory(ffffffff,0006e57c,0006e580,00004000) ret=77fcc191 NtFreeVirtualMemory 0xffffffff 0x6e57c 0x6e580 16384 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77fcc191 1011: NtQueryVirtualMemory(ffffffff,00310000,00000000,0006e60c,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x310000 0 0x6e60c 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 1011: NtQueryVirtualMemory(ffffffff,00010000,00000000,0006ee20,0000001c,00000000) ret=77f8e1d0 NtQueryVirtualMemory 0xffffffff 0x10000 0 0x6ee20 28 (nil) 1011: NtQueryVirtualMemory retval=00000000 ret=77f8e1d0 1011: NtClose(00000050) ret=7c2d1f22 NtClose 0x50 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtAllocateVirtualMemory(ffffffff,0006fc94,00000000,0006fcb4,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x77000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtQuerySystemInformation(00000000,0006fde8,0000002c,00000000) ret=7c4faacb NtQuerySystemInformation 0 0x6fde8 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=7c4faacb 1011: NtQuerySystemInformation(00000001,0006fe14,0000000c,00000000) ret=7c4faade NtQuerySystemInformation 1 0x6fe14 12 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=7c4faade 1011: NtOpenKey(0006fe0c,00020019,0006fd74) ret=7c2d208a NtOpenKey 0x6fe0c 00020019 0x6fd74 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Rpc\RobustMode open_parse_key remaining = RobustMode NtOpenKey open_key returned c0000034 1011: NtOpenKey retval=c0000034 ret=7c2d208a 1011: NtOpenKey(0006fe18,00020019,0006fab0) ret=7c2d208a NtOpenKey 0x6fe18 00020019 0x6fab0 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Rpc NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000050 1011: NtOpenKey retval=00000000 ret=7c2d208a 1011: NtQueryValueKey(00000050,7ff70bf8,00000002,0006fa14,00000090,0006faac) ret=7c2d2271 NtQueryValueKey 0x50 0x7ff70bf8 2 0x6fa14 144 0x6faac NtQueryValueKey MaxRpcSize 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000050) ret=7c2d1f22 NtClose 0x50 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtOpenKey(0006fe18,00020019,0006fab0) ret=7c2d208a NtOpenKey 0x6fe18 00020019 0x6fab0 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\RpcThreadPoolThrottle open_parse_key remaining = Image File Execution Options\winlogon.exe\RpcThreadPoolThrottle NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=7c2d208a 1011: NtCreateEvent(0006fdb8,001f0003,00000000,00000001,00000000) ret=7c4fb298 NtCreateEvent 0x6fdb8 001f0003 (nil) 1 0 process_alloc_user_handle handle = 00000050 1011: NtCreateEvent retval=00000000 ret=7c4fb298 1011: NtCreateEvent(0006fda4,001f0003,00000000,00000001,00000000) ret=7c4fb298 NtCreateEvent 0x6fda4 001f0003 (nil) 1 0 process_alloc_user_handle handle = 00000054 1011: NtCreateEvent retval=00000000 ret=7c4fb298 1011: NtQuerySystemTime(0006fe10) ret=77d45221 1011: NtQuerySystemTime retval=00000000 ret=77d45221 1011: NtCreateEvent(0006fdcc,001f0003,00000000,00000000,00000000) ret=7c4fb298 NtCreateEvent 0x6fdcc 001f0003 (nil) 0 0 process_alloc_user_handle handle = 00000058 1011: NtCreateEvent retval=00000000 ret=7c4fb298 1011 (debug 6f8ac,70178,87) : LDR: LdrLoadDll, loading rpcrt4.dll from \??\C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT 1011: NtOpenKey(0006fd84,00020019,0006fd4c) ret=7c4ef845 NtOpenKey 0x6fd84 00020019 0x6fd4c NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\ComputerName NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 0000005c 1011: NtOpenKey retval=00000000 ret=7c4ef845 1011: NtOpenKey(0006fd24,00020019,0006fd0c) ret=7c4ef71e NtOpenKey 0x6fd24 00020019 0x6fd0c NtOpenKey len 00000018 root 0x5c attr 00000040 ActiveComputerName NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000060 1011: NtOpenKey retval=00000000 ret=7c4ef71e 1011: NtQueryValueKey(00000060,0006fcf8,00000001,0006fc8c,0000006c,0006fd00) ret=7c4ef750 NtQueryValueKey 0x60 0x6fcf8 1 0x6fc8c 108 0x6fd00 NtQueryValueKey ComputerName reg_query_value ComputerName 1011: NtQueryValueKey retval=00000000 ret=7c4ef750 1011: NtClose(00000060) ret=7c4ef75c NtClose 0x60 1011: NtClose retval=00000000 ret=7c4ef75c 1011: NtClose(0000005c) ret=7c4ef8a2 NtClose 0x5c 1011: NtClose retval=00000000 ret=7c4ef8a2 1011: NtCreateIoCompletion(0006fd8c,001f0003,00000000,00000000) ret=7c4f0346 NtCreateIoCompletion 0x6fd8c 001f0003 (nil) 0 process_alloc_user_handle handle = 0000005c 1011: NtCreateIoCompletion retval=00000000 ret=7c4f0346 1011: NtQuerySystemInformation(00000000,0006fd5c,0000002c,00000000) ret=77d45d20 NtQuerySystemInformation 0 0x6fd5c 44 (nil) 1011: NtQuerySystemInformation retval=00000000 ret=77d45d20 1011: NtDuplicateObject(ffffffff,0000005c,ffffffff,0006fdb4,00000000,00000000,00000002) ret=7c4ee9e1 NtDuplicateObject 0xffffffff 0x5c 0xffffffff 0x6fdb4 00000000 00000000 00000002 NtDuplicateObject source process 0x80c1c20 NtDuplicateObject target process 0x80c1c20 process_alloc_user_handle handle = 00000060 NtDuplicateObject new handle is 0x60 1011: NtDuplicateObject retval=00000000 ret=7c4ee9e1 1011: NtOpenProcessToken(ffffffff,00020008,0006fd88) ret=7c2d1c12 NtOpenProcessToken 0xffffffff 00020008 0x6fd88 process_alloc_user_handle handle = 00000064 1011: NtOpenProcessToken retval=00000000 ret=7c2d1c12 1011: NtQueryInformationToken(00000064,00000004,0006fc5c,00000048,0006fd84) ret=7c2d1beb NtQueryInformationToken 0x64 4 0x6fc5c 72 0x6fd84 access_allowed fixme: no access check NtQueryInformationToken TokenOwner 1011: NtQueryInformationToken retval=00000000 ret=7c2d1beb 1011: NtClose(00000064) ret=7c4e91aa NtClose 0x64 1011: NtClose retval=00000000 ret=7c4e91aa 1011: NtAllocateVirtualMemory(ffffffff,0006fbbc,00000000,0006fbdc,00001000,00000004) ret=77fcce74 NtAllocateVirtualMemory returns 0x78000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77fcce74 1011: NtCreateNamedPipeFile(0006fd78,c0100000,0006fd08,0006fd40,00000003,00000003,00000000,00000001,00000001,00000000,ffffffff,00000800,00000800,0006fd48) ret=7c50296b NtCreateNamedPipeFile name = \??\PIPE\InitShutdown process_alloc_user_handle handle = 00000064 NtCreateNamedPipeFile new handle is 0x64 1011: NtCreateNamedPipeFile retval=00000000 ret=7c50296b 1011: NtSetInformationFile(00000064,0006fd78,0006fd80,00000008,0000001e) ret=7c4e9a0d access_allowed fixme: no access check 1011: NtSetInformationFile retval=00000000 ret=7c4e9a0d 1011: NtCreateNamedPipeFile(0006fd78,c0100000,0006fd08,0006fd40,00000003,00000003,00000000,00000001,00000001,00000000,ffffffff,00000800,00000800,0006fd48) ret=7c50296b NtCreateNamedPipeFile name = \??\PIPE\InitShutdown process_alloc_user_handle handle = 00000068 NtCreateNamedPipeFile new handle is 0x68 1011: NtCreateNamedPipeFile retval=00000000 ret=7c50296b 1011: NtSetInformationFile(00000068,0006fd78,0006fd80,00000008,0000001e) ret=7c4e9a0d access_allowed fixme: no access check 1011: NtSetInformationFile retval=00000000 ret=7c4e9a0d 1011: NtCreateEvent(0006fd6c,001f0003,00000000,00000000,00000000) ret=7c4fb298 NtCreateEvent 0x6fd6c 001f0003 (nil) 0 0 process_alloc_user_handle handle = 0000006c 1011: NtCreateEvent retval=00000000 ret=7c4fb298 1011: NtOpenThreadToken(fffffffe,0000000c,00000001,0006fdb4) ret=7c2d1ba5 NtOpenThreadToken 0xfffffffe 0000000c 1 0x6fdb4 1011: NtOpenThreadToken retval=c000007c ret=7c2d1ba5 1011: NtAllocateVirtualMemory(ffffffff,0006f974,00000000,0006f988,00002000,00000004) ret=7c4eba6f NtAllocateVirtualMemory returns 0x320000 00040000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4eba6f 1011: NtAllocateVirtualMemory(ffffffff,0006f974,00000000,0006f984,00001000,00000004) ret=7c4ebac0 NtAllocateVirtualMemory returns 0x35d000 00003000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4ebac0 1011: NtProtectVirtualMemory(ffffffff,0006f974,0006f970,00000104,0006f96c) ret=7c4ebaf3 NtProtectVirtualMemory 0xffffffff 0x6f974 0x6f970 260 0x6f96c NtProtectVirtualMemory 0x35d000 00001000 1011: NtProtectVirtualMemory retval=00000000 ret=7c4ebaf3 1011: NtCreateThread(0006fd34,001f03ff,00000000,ffffffff,0006fd3c,0006f9a0,0006fd00,00000001) ret=7c4f344c NtCreateThread 0x6fd34 001f03ff (nil) 0xffffffff 0x6fd3c 0x6f9a0 0x6fd00 1 mapit anonymous map get_proc_address LdrInitializeThunk get_proc_address KiUserApcDispatcher create LdrInitializeThunk = 0x77f84af2 pKiUserApcDispatcher = 0x77fa15cc process_alloc_user_handle handle = 00000070 1011: NtCreateThread retval=00000000 ret=7c4f344c 1011: NtRequestWaitReplyPort(0000001c,0006fc6c,0006fc6c) ret=77f891d2 NtRequestWaitReplyPort 0x1c 0x6fc6c 0x6fc6c access_allowed fixme: no access check dump DataSize = 28 dump MessageSize = 52 dump MessageType = 1 (LPC_REQUEST) dump Offset = 0 dump ClientId = 0010, 0011 dump MessageId = 273 dump SectionSize = 00000000 address 0x80c7394 00 00 00 00 01 00 01 00 40 06 07 00 78 01 07 00 ........@...x... 70 00 00 00 10 00 00 00 15 00 00 00 p........... 0a12: NtReplyWaitReceivePort retval=00000000 ret=5ff9404d 0a12: NtDuplicateObject(00000014,00000070,ffffffff,0061feb4,00000000,00000000,00000002) ret=5ffa44e6 NtDuplicateObject 0x14 0x70 0xffffffff 0x61feb4 00000000 00000000 00000002 access_allowed fixme: no access check NtDuplicateObject source process 0x80c1c20 access_allowed fixme: no access check NtDuplicateObject target process 0x80bd2d0 process_alloc_user_handle handle = 000000a4 NtDuplicateObject new handle is 0xa4 0a12: NtDuplicateObject retval=00000000 ret=5ffa44e6 0a12: NtQueryInformationThread(000000a4,00000001,0061fe68,00000020,00000000) ret=5ff9505a NtQueryInformationThread 0xa4 1 0x61fe68 32 (nil) access_allowed fixme: no access check 0a12: NtQueryInformationThread retval=00000000 ret=5ff9505a 0a12: NtReplyWaitReceivePort(00000094,0061ff08,0061ff2c,0061ff2c) ret=5ff9404d NtReplyWaitReceivePort 0x94 0x61ff08 0x61ff2c 0x61ff2c access_allowed fixme: no access check reply_wait_receive 0x80c5288 0x80c7370 (nil) dump DataSize = 28 dump MessageSize = 52 dump MessageType = 2 (LPC_REPLY) dump Offset = 0 dump ClientId = 000a, 0012 dump MessageId = 273 dump SectionSize = 00000000 address 0x80c7394 00 00 00 00 01 00 01 00 00 00 00 00 78 01 07 00 ............x... 70 00 00 00 10 00 00 00 15 00 00 00 p........... 1011: NtRequestWaitReplyPort retval=00000000 ret=77f891d2 1011: NtResumeThread(00000070,0006fcfc) ret=7c4f34c7 NtResumeThread 0x70 0x6fcfc access_allowed fixme: no access check 1011: NtResumeThread retval=00000000 ret=7c4f34c7 1015: NtTestAlert() ret=77f84bcb 1015: NtTestAlert retval=00000000 ret=77f84bcb 1011: NtSetIoCompletion(0000005c,00000010,00000000,00000000,00000000) ret=7c4e1b69 NtSetIoCompletion 0x5c 00000010 00000000 00000000 00000000 1011: NtSetIoCompletion retval=00000000 ret=7c4e1b69 1015: NtContinue(0035fd2c,00000001) ret=77f8855e NtContinue 0x35fd2c 1 eax 77d3dcf3 ebx 00078068 ecx 77f91b34 edx 77f91b5c esi 77f8c277 edi 0006fa82 ebp 00077e90 efl 00003000 cs:eip 0018:7c4e9824 ss:esp 0020:0035fffc ds 007b es 007b fs 003b gs 0000 1015: NtContinue retval=00000000 ret=77f8855e 1011: NtClearEvent(00000058) ret=7c4ebf4b NtClearEvent 0x58 1011: NtClearEvent retval=00000000 ret=7c4ebf4b 1015: NtFsControlFile(00000064,00000000,00000000,00077ecc,00077ecc,00110008,00000000,00000000,00000000,00000000) ret=7c4e9a7a NtFsControlFile 0x64 (nil) (nil) 0x77ecc 0x77ecc 00110008 (nil) 0 (nil) 0 1015: NtFsControlFile retval=c0000002 ret=7c4e9a7a 1011: NtOpenKey(0006ff14,00020019,0006fe74) ret=7c2d208a NtOpenKey 0x6ff14 00020019 0x6fe74 NtOpenKey len 00000018 root 0x24 attr 00000040 Software\Microsoft\Windows NT\CurrentVersion\Winlogon NtOpenKey open_key returned 00000000 process_alloc_user_handle handle = 00000074 1011: NtOpenKey retval=00000000 ret=7c2d208a 1015: NtRemoveIoCompletion(0000005c,0035ff0c,0035fefc,0035fedc,0035fed4) ret=7c4efea1 NtRemoveIoCompletion 0x5c 0x35ff0c 0x35fefc 0x35fedc 0x35fed4 1011: NtQueryValueKey(00000074,0006fec8,00000002,0006fdf8,00000090,0006fe90) ret=7c2d2271 NtQueryValueKey 0x74 0x6fec8 2 0x6fdf8 144 0x6fe90 NtQueryValueKey DontWatchSysProcs 1011: NtQueryValueKey retval=c0000034 ret=7c2d2271 1011: NtClose(00000074) ret=7c2d1f22 NtClose 0x74 1011: NtClose retval=00000000 ret=7c2d1f22 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f9c0,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f9c0 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0007858c,80100000,0006fd64,0006fd84,00000007,00000060) ret=7c4f4094 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\win.ini open_file root = (nil) name = \??\C:\WINNT\win.ini open_unicode_file open file : c:/winnt/win.ini process_alloc_user_handle handle = 00000074 1011: NtOpenFile retval=00000000 ret=7c4f4094 1011: NtLockFile(00000074,00000000,00000000,00000000,0006fd84,0006fd94,0006fd8c,00000001,00000000,00000000) ret=7c4f40d4 NtLockFile just returns success... 1011: NtLockFile retval=00000000 ret=7c4f40d4 1011: NtQueryInformationFile(00000074,0006fd84,000785d8,00000018,00000005) ret=7c4f4101 NtQueryInformationFile 0x74 0x6fd84 0x785d8 24 5 access_allowed fixme: no access check 1011: NtQueryInformationFile retval=00000000 ret=7c4f4101 1011: NtAllocateVirtualMemory(ffffffff,00078598,00000000,000785a0,00002000,00000004) ret=7c4f414c NtAllocateVirtualMemory returns 0x360000 00101000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f414c 1011: NtAllocateVirtualMemory(ffffffff,00078598,00000000,0007859c,00001000,00000004) ret=7c4f4168 NtAllocateVirtualMemory returns 0x360000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4f4168 1011: NtReadFile(00000074,00000000,00000000,00000000,0006fd84,00360000,0000000b,00000000,7c5416a8) ret=7c4f418a NtReadFile 0x74 (nil) (nil) (nil) 0x6fd84 0x360000 11 (nil) 0x7c5416a8 access_allowed fixme: no access check 1011: NtReadFile retval=00000000 ret=7c4f418a 1011: NtFreeVirtualMemory(ffffffff,00078598,000785a0,00008000) ret=7c4f99f7 NtFreeVirtualMemory 0xffffffff 0x78598 0x785a0 32768 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=7c4f99f7 1011: NtUnlockFile(00000074,0006fd88,0006fd98,0006fd90,00000011) ret=7c4f9a35 NtUnlockFile just returns success... 1011: NtUnlockFile retval=00000000 ret=7c4f9a35 1011: NtClose(00000074) ret=7c4f9a3e NtClose 0x74 1011: NtClose retval=00000000 ret=7c4f9a3e 1011: NtQueryInformationJobObject(00000000,00000004,0006f848,00000004,00000000) ret=7c4f1cdb NtQueryInformationJobObject 1011: NtQueryInformationJobObject retval=c0000022 ret=7c4f1cdb 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f2f8,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f2f8 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f6bc,0006f694) ret=77f8cb7a NtQueryAttributesFile 0x6f6bc 0x6f694 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\services.exe stat_unicode c:/winnt/system32/services.exe -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\services.exe 1011: NtQueryAttributesFile retval=00000000 ret=77f8cb7a 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f5f4,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f5f4 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f340,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f340 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtQueryAttributesFile(0006f70c,0006f6e4) ret=7c4fb633 NtQueryAttributesFile 0x6f70c 0x6f6e4 NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\services.exe stat_unicode c:/winnt/system32/services.exe -> 0 NtQueryAttributesFile found \??\C:\WINNT\system32\services.exe 1011: NtQueryAttributesFile retval=00000000 ret=7c4fb633 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f3ac,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f3ac 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtOpenFile(0006fc94,00100020,0006fd48,0006fbd4,00000005,00000060) ret=7c4f1e34 NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\services.exe open_file root = (nil) name = \??\C:\WINNT\system32\services.exe open_unicode_file open file : c:/winnt/system32/services.exe process_alloc_user_handle handle = 00000074 1011: NtOpenFile retval=00000000 ret=7c4f1e34 1011: NtCreateSection(0006fd14,000f001f,00000000,00000000,00000010,01000000,00000074) ret=7c4f1e80 NtCreateSection 0x6fd14 000f001f (nil) (nil) 00000010 01000000 0x74 access_allowed fixme: no access check process_alloc_user_handle handle = 00000078 1011: NtCreateSection retval=00000000 ret=7c4f1e80 1011: NtClose(00000074) ret=7c4f1e96 NtClose 0x74 1011: NtClose retval=00000000 ret=7c4f1e96 1011: NtOpenKey(0006f72c,00000001,0006f704) ret=7c4ea01f NtOpenKey 0x6f72c 00000001 0x6f704 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls open_parse_key remaining = AppCertDlls NtOpenKey open_key returned c0000034 1011: NtOpenKey retval=c0000034 ret=7c4ea01f 1011: NtQuerySection(00000078,00000001,0006fca8,00000030,00000000) ret=7c4f1ee8 NtQuerySection 0x78 1 0x6fca8 48 (nil) access_allowed fixme: no access check 1011: NtQuerySection retval=00000000 ret=7c4f1ee8 1011: NtOpenKey(0006f714,80000000,0006f6f0) ret=77f91379 NtOpenKey 0x6f714 80000000 0x6f6f0 NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe open_parse_key remaining = Image File Execution Options\services.exe NtOpenKey open_key returned c000003a 1011: NtOpenKey retval=c000003a ret=77f91379 1011 (debug 6f1a4,5c0032,89) : LDR: LdrLoadDll, loading advapi32.dll from \??\C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT 1011 (debug 6f424,6c006c,1f) : LDR: LdrGetProcedureAddress by 1011 (debug 6f420,6f424,21) : NAME - CreateProcessAsUserSecure 1011: NtQuerySystemInformation(00000037,0006fcf8,00000004,00000000) ret=7c4f1ff2 NtQuerySystemInformation 55 0x6fcf8 4 (nil) NtQuerySystemInformation SystemInformationClass = 55 not handled 1011: NtQuerySystemInformation retval=00000000 ret=7c4f1ff2 1011: NtCreateProcess(0006fc90,001f0fff,00000000,ffffffff,00000000,00000078,00000000,00000000) ret=7c4f2062 NtCreateProcess 0x6fc90 001f0fff (nil) 0xffffffff 0 0x78 (nil) (nil) access_allowed fixme: no access check mapit image at 0x1000000 mapit read 3 sections, load at 01000000 mapit .text 00001000 00000400 00014c00 00014a7a mapit .data 00016000 00015000 00000600 000007d0 mapit .rsrc 00017000 00015600 00000600 00000578 mapit image at 0x77f80000 mapit read 6 sections, load at 77f80000 mapit .text 00001000 00000400 00044a00 000448f9 mapit ECODE 00046000 00044e00 00004400 00004371 mapit PAGE 0004b000 00049200 00003e00 00003dfd mapit .data 0004f000 0004d000 00002200 00002a54 mapit .rsrc 00052000 0004f200 00026e00 00026d18 mapit .reloc 00079000 00076000 00002000 00001f40 mapit anonymous map mapit anonymous map process_alloc_user_handle handle = 00000074 1011: NtCreateProcess retval=00000000 ret=7c4f2062 1011: NtClose(00000078) ret=7c4f2088 NtClose 0x78 1011: NtClose retval=00000000 ret=7c4f2088 1011: NtQueryInformationProcess(00000074,00000000,0006fbe4,00000018,00000000) ret=7c4f20d3 NtQueryInformationProcess 0x74 0 0x6fbe4 24 (nil) access_allowed fixme: no access check 1011: NtQueryInformationProcess retval=00000000 ret=7c4f20d3 1011: NtFsControlFile(00000000,00000000,00000000,00000000,0006f340,00090028,00000000,00000000,00000000,00000000) ret=77f86dbb NtFsControlFile (nil) (nil) (nil) (nil) 0x6f340 00090028 (nil) 0 (nil) 0 NtFsControlFile FSCTL_IS_VOLUME_MOUNTED 1011: NtFsControlFile retval=c0000008 ret=77f86dbb 1011: NtAllocateVirtualMemory(ffffffff,0006f414,00000000,0006f40c,00001000,00000004) ret=77f83e1d NtAllocateVirtualMemory returns 0x360000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=77f83e1d 1011: NtAllocateVirtualMemory(00000074,00360048,00000000,0006f4c0,00001000,00000004) ret=7c4e6b3a access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x10000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4e6b3a 1011: NtWriteVirtualMemory(00000074,00010000,00310000,00000444,00000000) ret=7c4e6b60 NtWriteVirtualMemory 0x74 0x10000 0x310000 00000444 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb5180000 <- 0xb54d8000 1092 NtWriteVirtualMemory wrote 1092 bytes 1011: NtWriteVirtualMemory retval=00000000 ret=7c4e6b60 1011: NtAllocateVirtualMemory(00000074,0006f6f0,00000000,0006f4c0,00001000,00000004) ret=7c4e6cdd access_allowed fixme: no access check NtAllocateVirtualMemory returns 0x20000 00001000 00000000 1011: NtAllocateVirtualMemory retval=00000000 ret=7c4e6cdd 1011: NtWriteVirtualMemory(00000074,00020000,00360000,00000650,00000000) ret=7c4e6d36 NtWriteVirtualMemory 0x74 0x20000 0x360000 00000650 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb517f000 <- 0xb5181000 1616 NtWriteVirtualMemory wrote 1616 bytes 1011: NtWriteVirtualMemory retval=00000000 ret=7c4e6d36 1011: NtWriteVirtualMemory(00000074,7ffd0010,0006f6f0,00000004,00000000) ret=7c4e6d56 NtWriteVirtualMemory 0x74 0x7ffd0010 0x6f6f0 00000004 (nil) access_allowed fixme: no access check NtWriteVirtualMemory 0xb51ca010 <- 0xb63006f0 4 NtWriteVirtualMemory wrote 4 bytes 1011: NtWriteVirtualMemory retval=00000000 ret=7c4e6d56 1011: NtFreeVirtualMemory(ffffffff,0006f458,0006f44c,00008000) ret=77f83cc7 NtFreeVirtualMemory 0xffffffff 0x6f458 0x6f44c 32768 NtFreeVirtualMemory returning 00000000 1011: NtFreeVirtualMemory retval=00000000 ret=77f83cc7 1011: NtAllo