c: not present
Windows XP ISO found
0+0 records in
0+0 records out
0 bytes (0 B) copied, 2.5702e-05 seconds, 0.0 kB/s
0+0 records in
0+0 records out
0 bytes (0 B) copied, 2.654e-05 seconds, 0.0 kB/s
0+0 records in
0+0 records out
0 bytes (0 B) copied, 2.5143e-05 seconds, 0.0 kB/s
0+0 records in
0+0 records out
0 bytes (0 B) copied, 2.4864e-05 seconds, 0.0 kB/s
0+0 records in
0+0 records out
0 bytes (0 B) copied, 2.5981e-05 seconds, 0.0 kB/s
Extracting ADVAPI32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/advapi32.dll

All done, no errors.
Copying    autochk.exe
Extracting BASESRV.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/basesrv.dll

All done, no errors.
Extracting C_1252.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/c_1252.nls

All done, no errors.
Extracting C_850.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/c_850.nls

All done, no errors.
Extracting C_437.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/c_437.nls

All done, no errors.
Extracting CGA80WOA.FO_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/cga80woa.fon

All done, no errors.
Extracting CGA40WOA.FO_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/cga40woa.fon

All done, no errors.
Extracting CSRSRV.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/csrsrv.dll

All done, no errors.
Extracting CSRSS.EX_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/csrss.exe

All done, no errors.
Extracting CMD.EX_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/cmd.exe

All done, no errors.
Extracting COMCTL32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/comctl32.dll

All done, no errors.
Extracting CRYPT32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/crypt32.dll

All done, no errors.
Extracting CRYPTDLL.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/cryptdll.dll

All done, no errors.
Extracting CTYPE.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/ctype.nls

All done, no errors.
Extracting DIGEST.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/digest.dll

All done, no errors.
Extracting DNSAPI.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/dnsapi.dll

All done, no errors.
Extracting DOSAPP.FO_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/dosapp.fon

All done, no errors.
Extracting EGA80WOA.FO_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/ega80woa.fon

All done, no errors.
Extracting EGA40WOA.FO_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/ega40woa.fon

All done, no errors.
Extracting GDI32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/gdi32.dll

All done, no errors.
Extracting IMM32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/imm32.dll

All done, no errors.
Copying    kbdus.dll
Extracting KERNEL32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/kernel32.dll

All done, no errors.
Extracting KERBEROS.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/kerberos.dll

All done, no errors.
Extracting L_INTL.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/l_intl.nls

All done, no errors.
Extracting LOCALE.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/locale.nls

All done, no errors.
Extracting LSASRV.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/lsasrv.dll

All done, no errors.
Extracting LSASS.EX_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/lsass.exe

All done, no errors.
Extracting MSVCIRT.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/msvcirt.dll

All done, no errors.
Extracting MSVCRT40.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/msvcrt40.dll

All done, no errors.
Extracting NDDEAPI.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/nddeapi.dll

All done, no errors.
Extracting NETAPI32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/netapi32.dll

All done, no errors.
Extracting NETRAP.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/netrap.dll

All done, no errors.
Copying    ntdll.dll
Extracting NTDSAPI.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/ntdsapi.dll

All done, no errors.
Extracting PROFMAP.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/profmap.dll

All done, no errors.
Extracting RPCRT4.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/rpcrt4.dll

All done, no errors.
Extracting SAMLIB.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/samlib.dll

All done, no errors.
Extracting SAMSRV.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/samsrv.dll

All done, no errors.
Extracting SAVEDUMP.EX_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/savedump.exe

All done, no errors.
Extracting SCESRV.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/scesrv.dll

All done, no errors.
Extracting SECUR32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/secur32.dll

All done, no errors.
Extracting SERVICES.EX_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/services.exe

All done, no errors.
Extracting SFC.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/sfc.dll

All done, no errors.
Extracting SFCFILES.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/sfcfiles.dll

All done, no errors.
Extracting SHELL32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/shell32.dll

All done, no errors.
Extracting SHLWAPI.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/shlwapi.dll

All done, no errors.
Extracting SMSS.EX_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/smss.exe

All done, no errors.
Extracting SORTKEY.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/sortkey.nls

All done, no errors.
Extracting SORTTBLS.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/sorttbls.nls

All done, no errors.
Extracting UMPNPMGR.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/umpnpmgr.dll

All done, no errors.
Extracting USER32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/user32.dll

All done, no errors.
Extracting USERENV.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/userenv.dll

All done, no errors.
Extracting UNICODE.NL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/unicode.nls

All done, no errors.
Extracting WINSRV.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/winsrv.dll

All done, no errors.
Extracting WINLOGON.EX_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/winlogon.exe

All done, no errors.
Extracting WINSTA.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/winsta.dll

All done, no errors.
Extracting WLDAP32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/wldap32.dll

All done, no errors.
Extracting WS2_32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/ws2_32.dll

All done, no errors.
Extracting WS2HELP.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/ws2help.dll

All done, no errors.
Extracting WSOCK32.DL_
Extracting cabinet: .11941.temp.cab
  extracting drive/winnt/system32/wsock32.dll

All done, no errors.
init_skas using skas3
open_file root = (nil) name = \??\c:\winnt\system32\ntdll.dll
open_unicode_file open file : c:/winnt/system32/ntdll.dll
get_proc_address KiIntSystemCall
init_ntdll KiIntSystemCall = 0000e500
open_file root = (nil) name = \??\c:\winnt\system32\smss.exe
open_unicode_file open file : c:/winnt/system32/smss.exe
mapit image at 0x48580000
mapit read 4 sections, load at 48580000
mapit .text    00001000 00000400 0000ac00 0000abde
mapit .data    0000c000 0000b000 00000400 00000948
mapit .rsrc    0000d000 0000b400 00000600 00000460
mapit .reloc   0000e000 0000ba00 00000c00 00000bc6
mapit image at 0x7c900000
mapit read 4 sections, load at 7c900000
mapit .text    00001000 00000400 0007a000 00079fb6
mapit .data    0007b000 0007a400 00003200 00004a00
mapit .rsrc    00080000 0007d600 0002c000 0002be68
mapit .reloc   000ac000 000a9600 00003000 00002e84
mapit anonymous map
mapit anonymous map
create_initial_process entry point = 4858a4c8
mapit anonymous map
get_proc_address LdrInitializeThunk
get_proc_address KiUserApcDispatcher
create LdrInitializeThunk = 0x7c901166 pKiUserApcDispatcher = 0x7c90e430
NtCreatePort 0xb7b20fd8 0xb7b20f90 256 256 (nil)
NtCreatePort root = (nil) port = \SeRmCommandPort
process_alloc_user_handle handle = 00000004
NtListenPort 0x4 0xb7b20e90
access_allowed fixme: no access check
0304: NtOpenKey(7ff7fc6c,80000000,7ff7f948) ret=7c90e506
NtOpenKey 0x7ff7fc6c 80000000 0x7ff7f948
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe
open_parse_key remaining = Image File Execution Options\smss.exe
NtOpenKey open_key returned c000003a
0304: NtOpenKey retval=c000003a ret=7c90e506
0304: NtOpenKeyedEvent(7ff7fb0c,02000000,7ff7fae4) ret=7c90e506
nt_open_object object = \KernelObjects\CritSecOutOfMemoryEvent
process_alloc_user_handle handle = 00000004
0304: NtOpenKeyedEvent retval=00000000 ret=7c90e506
0304: NtQuerySystemInformation(00000000,7ff7fa48,0000002c,00000000) ret=7c90e506
NtQuerySystemInformation 0 0x7ff7fa48 44 (nil)
0304: NtQuerySystemInformation retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fae0,00000000,7ff7fb0c,00002000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x30000 00100000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fadc,00000000,7ff7fb10,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x30000 00001000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7f7cc,00000000,7ff7f7ec,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x31000 00002000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtQuerySystemInformation(00000000,7ff7fa48,0000002c,00000000) ret=7c90e506
NtQuerySystemInformation 0 0x7ff7fa48 44 (nil)
0304: NtQuerySystemInformation retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fae0,00000000,7ff7fb0c,00002000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x130000 00010000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fadc,00000000,7ff7fb10,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x130000 00006000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtOpenDirectoryObject(7c97c304,00000003,7ff7fb94) ret=7c90e506
nt_open_object object = \KnownDlls
0304: NtOpenDirectoryObject retval=c0000034 ret=7c90e506
0304: NtQueryDebugFilterState(00000057,00000003) ret=7c90e506
NtQueryDebugFilterState 00000057 00000003
0304: NtQueryDebugFilterState retval=00000000 ret=7c90e506
0304: NtQueryDebugFilterState(00000057,00000003) ret=7c90e506
NtQueryDebugFilterState 00000057 00000003
0304: NtQueryDebugFilterState retval=00000000 ret=7c90e506
0304: NtQueryAttributesFile(7ff7fabc,7ff7fa94) ret=7c90e506
NtQueryAttributesFile 0x7ff7fabc 0x7ff7fa94
NtQueryAttributesFile root (nil) attr 00000040 \??\c:\winnt\system32\smss.exe.Local
stat_unicode c:/winnt/system32/smss.exe.local -> -1
0304: NtQueryAttributesFile retval=c000003a ret=7c90e506
0304: NtSetInformationProcess(ffffffff,00000022,7ff7fc20,00000004) ret=7c90e506
NtSetInformationProcess 0xffffffff 34 0x7ff7fc20 4
0304: NtSetInformationProcess retval=c0000003 ret=7c90e506
0304: NtQueryInformationPort(ffffffff,00000025,7ff7fa8c,00000030,00000000) ret=7c90e506
syscall NtQueryInformationPort (9a) not implemented
0304: NtQueryInformationPort retval=c0000002 ret=7c90e506
0304: NtTestAlert() ret=7c90e506
0304: NtTestAlert retval=00000000 ret=7c90e506
0304: NtContinue(7ff7fd28,00000001) ret=7c90e506
NtContinue 0x7ff7fd28 1
eax 00000000 ebx 00000000 ecx 00000000 edx 00000000
esi 00000000 edi 00000000 ebp 00000000 efl 00000296
cs:eip 0073:4858a4c8 ss:esp 007b:7ff7fff8
ds 007b es 007b fs 003b gs 0000
0304: NtContinue retval=00000000 ret=7c90e506
0304: NtSetInformationProcess(ffffffff,00000005,7ff7ff84,00000004) ret=7c90e506
NtSetInformationProcess 0xffffffff 5 0x7ff7ff84 4
0304: NtSetInformationProcess retval=00000000 ret=7c90e506
0304: NtSetInformationProcess(ffffffff,0000000c,7ff7ff0c,00000004) ret=7c90e506
NtSetInformationProcess 0xffffffff 12 0x7ff7ff0c 4
NtSetInformationProcess set ProcessDefaultHardErrorMode
0304: NtSetInformationProcess retval=00000000 ret=7c90e506
0304: NtCreatePort(7ff7ff14,7ff7fee4,000000f4,00000130,00002200) ret=7c90e506
NtCreatePort 0x7ff7ff14 0x7ff7fee4 244 304 0x2200
NtCreatePort root = (nil) port = \SmApiPort
process_alloc_user_handle handle = 00000008
0304: NtCreatePort retval=00000000 ret=7c90e506
0304: NtQuerySystemInformation(00000000,7ff7fb14,0000002c,00000000) ret=7c90e506
NtQuerySystemInformation 0 0x7ff7fb14 44 (nil)
0304: NtQuerySystemInformation retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fb48,00000000,7ff7fb58,00002000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x140000 00040000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fb48,00000000,7ff7fb5c,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x17c000 00004000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtProtectVirtualMemory(ffffffff,7ff7fb48,7ff7fb44,00000104,7ff7fb40) ret=7c90e506
NtProtectVirtualMemory 0xffffffff 0x7ff7fb48 0x7ff7fb44 260 0x7ff7fb40
NtProtectVirtualMemory 0x17c000 00001000
0304: NtProtectVirtualMemory retval=00000000 ret=7c90e506
0304: NtWriteVirtualMemory(ffffffff,0017fffc,7ff7fb5c,00000004,00000000) ret=7c90e506
NtWriteVirtualMemory 0xffffffff 0x17fffc 0x7ff7fb5c 00000004 (nil)
NtWriteVirtualMemory 0xb75b6ffc <- 0xb77d8b5c 4
NtWriteVirtualMemory wrote 4 bytes
0304: NtWriteVirtualMemory retval=00000000 ret=7c90e506
0304: NtCreateThread(7ff7fbbc,001f03ff,7ff7fb88,ffffffff,7ff7fba0,7ff7fbc0,7ff7fb74,00000000) ret=7c90e506
NtCreateThread 0x7ff7fbbc 001f03ff 0x7ff7fb88 0xffffffff 0x7ff7fba0 0x7ff7fbc0 0x7ff7fb74 0
mapit anonymous map
get_proc_address LdrInitializeThunk
get_proc_address KiUserApcDispatcher
create LdrInitializeThunk = 0x7c901166 pKiUserApcDispatcher = 0x7c90e430
process_alloc_user_handle handle = 0000000c
0304: NtCreateThread retval=00000000 ret=7c90e506
0305: NtTestAlert() ret=7c90e506
0305: NtTestAlert retval=00000000 ret=7c90e506
0304: NtClose(0000000c) ret=7c90e506
NtClose 0xc
0304: NtClose retval=00000000 ret=7c90e506
0305: NtContinue(0017fd28,00000001) ret=7c90e506
NtContinue 0x17fd28 1
eax 00000000 ebx 00000001 ecx 00000002 edx 00000003
esi 00000004 edi 00000005 ebp 00000000 efl 00000200
cs:eip 0018:485893b2 ss:esp 0020:0017fff8
ds 007b es 007b fs 003b gs 0000
0305: NtContinue retval=00000000 ret=7c90e506
0304: NtQuerySystemInformation(00000000,7ff7fb14,0000002c,00000000) ret=7c90e506
NtQuerySystemInformation 0 0x7ff7fb14 44 (nil)
0304: NtQuerySystemInformation retval=00000000 ret=7c90e506
0305: NtQueryInformationPort(ffffffff,00000000,0017fe74,00000018,00000000) ret=7c90e506
syscall NtQueryInformationPort (9a) not implemented
0305: NtQueryInformationPort retval=c0000002 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fb48,00000000,7ff7fb58,00002000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x180000 00040000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0305: NtReplyWaitReceivePort(00000008,0017fe9c,00000000,0017fea8) ret=7c90e506
NtReplyWaitReceivePort 0x8 0x17fe9c (nil) 0x17fea8
access_allowed fixme: no access check
reply_wait_receive 0x80b3310 (nil) (nil)
0304: NtAllocateVirtualMemory(ffffffff,7ff7fb48,00000000,7ff7fb5c,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x1bc000 00004000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtProtectVirtualMemory(ffffffff,7ff7fb48,7ff7fb44,00000104,7ff7fb40) ret=7c90e506
NtProtectVirtualMemory 0xffffffff 0x7ff7fb48 0x7ff7fb44 260 0x7ff7fb40
NtProtectVirtualMemory 0x1bc000 00001000
0304: NtProtectVirtualMemory retval=00000000 ret=7c90e506
0304: NtWriteVirtualMemory(ffffffff,001bfffc,7ff7fb5c,00000004,00000000) ret=7c90e506
NtWriteVirtualMemory 0xffffffff 0x1bfffc 0x7ff7fb5c 00000004 (nil)
NtWriteVirtualMemory 0xb7564ffc <- 0xb77d8b5c 4
NtWriteVirtualMemory wrote 4 bytes
0304: NtWriteVirtualMemory retval=00000000 ret=7c90e506
0304: NtCreateThread(7ff7fbbc,001f03ff,7ff7fb88,ffffffff,7ff7fba0,7ff7fbc0,7ff7fb74,00000000) ret=7c90e506
NtCreateThread 0x7ff7fbbc 001f03ff 0x7ff7fb88 0xffffffff 0x7ff7fba0 0x7ff7fbc0 0x7ff7fb74 0
mapit anonymous map
get_proc_address LdrInitializeThunk
get_proc_address KiUserApcDispatcher
create LdrInitializeThunk = 0x7c901166 pKiUserApcDispatcher = 0x7c90e430
process_alloc_user_handle handle = 0000000c
0304: NtCreateThread retval=00000000 ret=7c90e506
0306: NtTestAlert() ret=7c90e506
0306: NtTestAlert retval=00000000 ret=7c90e506
0304: NtClose(0000000c) ret=7c90e506
NtClose 0xc
0304: NtClose retval=00000000 ret=7c90e506
0306: NtContinue(001bfd28,00000001) ret=7c90e506
NtContinue 0x1bfd28 1
eax 00000000 ebx 00000001 ecx 00000002 edx 00000003
esi 00000004 edi 00000005 ebp 00000000 efl 00000200
cs:eip 0018:485893b2 ss:esp 0020:001bfff8
ds 007b es 007b fs 003b gs 0000
0306: NtContinue retval=00000000 ret=7c90e506
0304: NtCreateEvent(7ff7ff10,001f0003,7ff7fee4,00000000,00000000) ret=7c90e506
NtCreateEvent 0x7ff7ff10 001f0003 0x7ff7fee4 0 0
create name = \Device\VolumesSafeForWriteAccess
process_alloc_user_handle handle = 0000000c
0304: NtCreateEvent retval=00000000 ret=7c90e506
0306: NtQueryInformationPort(ffffffff,00000000,001bfe74,00000018,00000000) ret=7c90e506
syscall NtQueryInformationPort (9a) not implemented
0306: NtQueryInformationPort retval=c0000002 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7fe14,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7fe14 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0306: NtReplyWaitReceivePort(00000008,001bfe9c,00000000,001bfea8) ret=7c90e506
NtReplyWaitReceivePort 0x8 0x1bfe9c (nil) 0x1bfea8
access_allowed fixme: no access check
reply_wait_receive 0x80b3310 (nil) (nil)
0304: NtAllocateVirtualMemory(ffffffff,7ff7fe34,00000000,7ff7fe20,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x1c0000 00001000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7feb0,000f003f,7ff7fe6c) ret=7c90e506
NtOpenKey 0x7ff7feb0 000f003f 0x7ff7fe6c
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\MiniNT
open_parse_key remaining = MiniNT
NtOpenKey open_key returned c0000034
0304: NtOpenKey retval=c0000034 ret=7c90e506
0304: NtOpenKey(7ff7feb0,000f003f,7ff7fe6c) ret=7c90e506
NtOpenKey 0x7ff7feb0 000f003f 0x7ff7fe6c
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager\Environment
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000010
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtDeleteValueKey(00000010,7ff7fe8c) ret=7c90e506
NtDeleteValueKey 0x10 0x7ff7fe8c
delete_value deleting SAFEBOOT_OPTION
0304: NtDeleteValueKey retval=00000000 ret=7c90e506
0304: NtClose(00000010) ret=7c90e506
NtClose 0x10
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fe34,82000000,7ff7fba8) ret=7c90e506
NtOpenKey 0x7ff7fe34 82000000 0x7ff7fba8
NtOpenKey len 00000018 root (nil) attr 00000240 \Registry\Machine\System\CurrentControlSet\Control\Session Manager
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000010
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fde4,00000000,7ff7fe40,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x1d0000 00001000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey ProtectionMode
reg_query_value ProtectionMode
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey AllowProtectedRenames
reg_query_value AllowProtectedRenames
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtDeleteValueKey(00000010,7ff7fe28) ret=7c90e506
NtDeleteValueKey 0x10 0x7ff7fe28
delete_value deleting AllowProtectedRenames
0304: NtDeleteValueKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey ObjectDirectories
reg_query_value ObjectDirectories
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtCreateDirectoryObject(7ff7fd90,000f000f,7ff7fd60) ret=7c90e506
NtCreateDirectoryObject 0x7ff7fd90 000f000f 0x7ff7fd60
create name = \Windows
process_alloc_user_handle handle = 00000014
0304: NtCreateDirectoryObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateDirectoryObject(7ff7fd90,000f000f,7ff7fd60) ret=7c90e506
NtCreateDirectoryObject 0x7ff7fd90 000f000f 0x7ff7fd60
create name = \RpcControl
process_alloc_user_handle handle = 00000014
0304: NtCreateDirectoryObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateDirectoryObject(7ff7fd90,000f000f,7ff7fd60) ret=7c90e506
NtCreateDirectoryObject 0x7ff7fd90 000f000f 0x7ff7fd60
create name = \RpcControl
process_alloc_user_handle handle = 00000014
0304: NtCreateDirectoryObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey BootExecute
reg_query_value BootExecute
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey SetupExecute
0304: NtQueryValueKey retval=c0000034 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey PendingFileRenameOperations
0304: NtQueryValueKey retval=c0000034 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey PendingFileRenameOperations2
0304: NtQueryValueKey retval=c0000034 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey ExcludeFromKnownDlls
reg_query_value ExcludeFromKnownDlls
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fe38,02000000,7ff7fe08) ret=7c90e506
NtOpenKey 0x7ff7fe38 02000000 0x7ff7fe08
NtOpenKey len 00000018 root 0x10 attr 00000240 Memory Management
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000014
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000014,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x14 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey PagingFiles
reg_query_value PagingFiles
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fe38,02000000,7ff7fe08) ret=7c90e506
NtOpenKey 0x7ff7fe38 02000000 0x7ff7fe08
NtOpenKey len 00000018 root 0x10 attr 00000240 DOS Devices
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000014
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000000,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 0 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value AUX
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000001,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 1 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value MAILSLOT
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000002,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 2 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value NUL
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000003,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 3 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PIPE
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000004,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 4 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PRN
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000005,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 5 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value UNC
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000006,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 6 1 0x1d0000 4094 0x7ff7fe3c
0304: NtEnumerateValueKey retval=8000001a ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fe38,02000000,7ff7fe08) ret=7c90e506
NtOpenKey 0x7ff7fe38 02000000 0x7ff7fe08
NtOpenKey len 00000018 root 0x10 attr 00000240 KnownDlls
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000014
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000000,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 0 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value advapi32
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000001,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 1 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value gdi32
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000002,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 2 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value DllDirectory
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000003,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 3 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value kernel32
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000004,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 4 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value user32
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000005,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 5 1 0x1d0000 4094 0x7ff7fe3c
0304: NtEnumerateValueKey retval=8000001a ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fe38,02000000,7ff7fe08) ret=7c90e506
NtOpenKey 0x7ff7fe38 02000000 0x7ff7fe08
NtOpenKey len 00000018 root 0x10 attr 00000240 Environment
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000014
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000000,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 0 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value ComSpec
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000001,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 1 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value NUMBER_OF_PROCESSORS
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000002,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 2 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value OS
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000003,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 3 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_ARCHITECTURE
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000004,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 4 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_ARCHITECTURE
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000005,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 5 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_IDENTIFIER
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000006,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 6 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_LEVEL
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000007,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 7 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_REVISION
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000008,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 8 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Path
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000009,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 9 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value TEMP
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,0000000a,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 10 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value TMP
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,0000000b,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 11 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value windir
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,001c0000,00000000,7ff7fce4,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x1c0000 0 0x7ff7fce4 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,0000000c,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 12 1 0x1d0000 4094 0x7ff7fe3c
0304: NtEnumerateValueKey retval=8000001a ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fe38,02000000,7ff7fe08) ret=7c90e506
NtOpenKey 0x7ff7fe38 02000000 0x7ff7fe08
NtOpenKey len 00000018 root 0x10 attr 00000240 Environment
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000014
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000000,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 0 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value ComSpec
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000001,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 1 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value NUMBER_OF_PROCESSORS
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000002,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 2 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value OS
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000003,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 3 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_ARCHITECTURE
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000004,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 4 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_ARCHITECTURE
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000005,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 5 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_IDENTIFIER
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000006,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 6 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_LEVEL
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000007,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 7 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value PROCESSOR_REVISION
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000008,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 8 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Path
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000009,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 9 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value TEMP
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,0000000a,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 10 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value TMP
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,0000000b,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 11 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value windir
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,0000000c,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 12 1 0x1d0000 4094 0x7ff7fe3c
0304: NtEnumerateValueKey retval=8000001a ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fe38,02000000,7ff7fe08) ret=7c90e506
NtOpenKey 0x7ff7fe38 02000000 0x7ff7fe08
NtOpenKey len 00000018 root 0x10 attr 00000240 SubSystems
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000014
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000000,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 0 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Debug
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000001,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 1 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Kmode
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000002,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 2 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Optional
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000003,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 3 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Os2
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000004,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 4 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Posix
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000005,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 5 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Required
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000006,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 6 1 0x1d0000 4094 0x7ff7fe3c
reg_query_value Windows
0304: NtEnumerateValueKey retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fadc,00000000,7ff7fafc,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x33000 00001000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtEnumerateValueKey(00000014,00000007,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtEnumerateValueKey 0x14 7 1 0x1d0000 4094 0x7ff7fe3c
0304: NtEnumerateValueKey retval=8000001a ret=7c90e506
0304: NtQueryValueKey(00000014,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x14 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey Required
reg_query_value Required
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000014,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x14 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey Optional
reg_query_value Optional
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000014,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x14 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey Kmode
reg_query_value Kmode
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000010,7ff7fe28,00000001,001d0000,00000ffe,7ff7fe3c) ret=7c90e506
NtQueryValueKey 0x10 0x7ff7fe28 1 0x1d0000 4094 0x7ff7fe3c
NtQueryValueKey Execute
0304: NtQueryValueKey retval=c0000034 ret=7c90e506
0304: NtClose(00000010) ret=7c90e506
NtClose 0x10
0304: NtClose retval=00000000 ret=7c90e506
0304: NtFreeVirtualMemory(ffffffff,7ff7fdf4,7ff7fdf8,00008000) ret=7c90e506
NtFreeVirtualMemory 0xffffffff 0x7ff7fdf4 0x7ff7fdf8 32768
NtFreeVirtualMemory returning 00000000
0304: NtFreeVirtualMemory retval=00000000 ret=7c90e506
0304: NtOpenDirectoryObject(4858c930,000f000f,7ff7fe2c) ret=7c90e506
nt_open_object object = \??
process_alloc_user_handle handle = 00000010
0304: NtOpenDirectoryObject retval=00000000 ret=7c90e506
0304: NtCreateSymbolicLinkObject(7ff7fe54,000f0001,7ff7fe2c,000326d0) ret=7c90e506
NtCreateSymbolicLinkObject AUX -> \DosDevices\COM1
process_alloc_user_handle handle = 00000014
0304: NtCreateSymbolicLinkObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateSymbolicLinkObject(7ff7fe54,000f0001,7ff7fe2c,00032750) ret=7c90e506
NtCreateSymbolicLinkObject MAILSLOT -> \Device\MailSlot
process_alloc_user_handle handle = 00000014
0304: NtCreateSymbolicLinkObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateSymbolicLinkObject(7ff7fe54,000f0001,7ff7fe2c,000327d8) ret=7c90e506
NtCreateSymbolicLinkObject NUL -> \Device\Null
process_alloc_user_handle handle = 00000014
0304: NtCreateSymbolicLinkObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateSymbolicLinkObject(7ff7fe54,000f0001,7ff7fe2c,00032830) ret=7c90e506
NtCreateSymbolicLinkObject PIPE -> \Device\NamedPipe
process_alloc_user_handle handle = 00000014
0304: NtCreateSymbolicLinkObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateSymbolicLinkObject(7ff7fe54,000f0001,7ff7fe2c,000328b0) ret=7c90e506
NtCreateSymbolicLinkObject PRN -> \DosDevices\LPT1
process_alloc_user_handle handle = 00000014
0304: NtCreateSymbolicLinkObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateSymbolicLinkObject(7ff7fe54,000f0001,7ff7fe2c,00032930) ret=7c90e506
NtCreateSymbolicLinkObject UNC -> \Device\Mup
process_alloc_user_handle handle = 00000014
0304: NtCreateSymbolicLinkObject retval=00000000 ret=7c90e506
0304: NtClose(00000014) ret=7c90e506
NtClose 0x14
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateDirectoryObject(4858c8d8,000f000f,7ff7fe6c) ret=7c90e506
NtCreateDirectoryObject 0x4858c8d8 000f000f 0x7ff7fe6c
create name = \Sessions
process_alloc_user_handle handle = 00000014
0304: NtCreateDirectoryObject retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7f954,00000000,7ff7f974,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x34000 00002000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtQueryAttributesFile(7ff7fb38,7ff7fb10) ret=7c90e506
NtQueryAttributesFile 0x7ff7fb38 0x7ff7fb10
NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\native.exe
stat_unicode c:/winnt/system32/native.exe -> -1
0304: NtQueryAttributesFile retval=c000003a ret=7c90e506
0304: NtQueryAttributesFile(7ff7fb38,7ff7fb10) ret=7c90e506
NtQueryAttributesFile 0x7ff7fb38 0x7ff7fb10
NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\native.exe
stat_unicode c:/winnt/native.exe -> -1
0304: NtQueryAttributesFile retval=c000003a ret=7c90e506
0304: NtQueryAttributesFile(7ff7fb38,7ff7fb10) ret=7c90e506
NtQueryAttributesFile 0x7ff7fb38 0x7ff7fb10
NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\native.exe
stat_unicode c:/winnt/system32/native.exe -> -1
0304: NtQueryAttributesFile retval=c000003a ret=7c90e506
0304: NtQueryAttributesFile(7ff7fb38,7ff7fb10) ret=7c90e506
NtQueryAttributesFile 0x7ff7fb38 0x7ff7fb10
NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\native.exe
stat_unicode c:/winnt/system32/native.exe -> -1
0304: NtQueryAttributesFile retval=c000003a ret=7c90e506
0304: NtQueryAttributesFile(7ff7fb38,7ff7fb10) ret=7c90e506
NtQueryAttributesFile 0x7ff7fb38 0x7ff7fb10
NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\native.exe
stat_unicode c:/winnt/native.exe -> -1
0304: NtQueryAttributesFile retval=c000003a ret=7c90e506
0304: NtOpenProcessToken(ffffffff,00000028,7ff7fd58) ret=7c90e506
NtOpenProcessToken 0xffffffff 00000028 0x7ff7fd58
process_alloc_user_handle handle = 00000018
0304: NtOpenProcessToken retval=00000000 ret=7c90e506
0304: NtAdjustPrivilegesToken(00000018,00000000,7ff7fd6c,00000010,7ff7fd5c,7ff7fd50) ret=7c90e506
NtAdjustPrivilegesToken 0x18 0 0x7ff7fd6c 16 0x7ff7fd5c 0x7ff7fd50
access_allowed fixme: no access check
NtAdjustPrivilegesToken old privs 16 bytes
dump 00000013 00000000 00000000
NtAdjustPrivilegesToken new privs
dump 00000012 00000000 00000002
0304: NtAdjustPrivilegesToken retval=00000000 ret=7c90e506
0304: NtClose(00000018) ret=7c90e506
NtClose 0x18
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7f95c,00020019,7ff7f92c) ret=7c90e506
NtOpenKey 0x7ff7f95c 00020019 0x7ff7f92c
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager\SFC
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000018
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000018,7ff7f918,00000002,7ff7f968,00000210,7ff7f920) ret=7c90e506
NtQueryValueKey 0x18 0x7ff7f918 2 0x7ff7f968 528 0x7ff7f920
NtQueryValueKey ProgramFilesDir
reg_query_value ProgramFilesDir
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7f870,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7f870 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000018,7ff7f918,00000002,7ff7f968,00000210,7ff7f920) ret=7c90e506
NtQueryValueKey 0x18 0x7ff7f918 2 0x7ff7f968 528 0x7ff7f920
NtQueryValueKey CommonFilesDir
reg_query_value CommonFilesDir
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7f870,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7f870 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtClose(00000018) ret=7c90e506
NtClose 0x18
0304: NtClose retval=00000000 ret=7c90e506
0304: NtQueryVirtualMemory(ffffffff,00020000,00000000,7ff7f870,0000001c,00000000) ret=7c90e506
NtQueryVirtualMemory 0xffffffff 0x20000 0 0x7ff7f870 28 (nil)
0304: NtQueryVirtualMemory retval=00000000 ret=7c90e506
0304: NtOpenProcessToken(ffffffff,00000028,7ff7fd58) ret=7c90e506
NtOpenProcessToken 0xffffffff 00000028 0x7ff7fd58
process_alloc_user_handle handle = 00000018
0304: NtOpenProcessToken retval=00000000 ret=7c90e506
0304: NtAdjustPrivilegesToken(00000018,00000000,7ff7fd6c,00000010,7ff7fd5c,7ff7fd50) ret=7c90e506
NtAdjustPrivilegesToken 0x18 0 0x7ff7fd6c 16 0x7ff7fd5c 0x7ff7fd50
access_allowed fixme: no access check
NtAdjustPrivilegesToken old privs 16 bytes
dump 00000013 00000000 00000000
NtAdjustPrivilegesToken new privs
dump 00000012 00000000 00000000
0304: NtAdjustPrivilegesToken retval=00000000 ret=7c90e506
0304: NtClose(00000018) ret=7c90e506
NtClose 0x18
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateDirectoryObject(7ff7fe2c,000f000f,7ff7fde8) ret=7c90e506
NtCreateDirectoryObject 0x7ff7fe2c 000f000f 0x7ff7fde8
create name = \KnownDlls
process_alloc_user_handle handle = 00000018
0304: NtCreateDirectoryObject retval=00000000 ret=7c90e506
0304: NtOpenFile(7ff7fe28,00100001,7ff7fde8,7ff7fe00,00000003,00000021) ret=7c90e506
NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32
open_file root = (nil) name = \??\C:\WINNT\system32
open_unicode_dir open name : c:/winnt/system32
open_unicode_dir r = 37
open_file fd = 37
process_alloc_user_handle handle = 0000001c
0304: NtOpenFile retval=00000000 ret=7c90e506
0304: NtCreateSymbolicLinkObject(7ff7fe1c,000f0001,7ff7fde8,4858c8e0) ret=7c90e506
NtCreateSymbolicLinkObject KnownDllPath -> C:\WINNT\system32
process_alloc_user_handle handle = 00000020
0304: NtCreateSymbolicLinkObject retval=00000000 ret=7c90e506
0304: NtOpenFile(7ff7fe30,00100020,7ff7fde8,7ff7fe00,00000005,00000060) ret=7c90e506
NtCreateFile root 0x1c attr 00000040 advapi32.dll
open_file root = 0x1c name = advapi32.dll
0304: NtOpenFile retval=c000003a ret=7c90e506
0304: NtOpenFile(7ff7fe30,00100020,7ff7fde8,7ff7fe00,00000005,00000060) ret=7c90e506
NtCreateFile root 0x1c attr 00000040 gdi32.dll
open_file root = 0x1c name = gdi32.dll
0304: NtOpenFile retval=c000003a ret=7c90e506
0304: NtOpenFile(7ff7fe30,00100020,7ff7fde8,7ff7fe00,00000005,00000060) ret=7c90e506
NtCreateFile root 0x1c attr 00000040 kernel32.dll
open_file root = 0x1c name = kernel32.dll
0304: NtOpenFile retval=c000003a ret=7c90e506
0304: NtOpenFile(7ff7fe30,00100020,7ff7fde8,7ff7fe00,00000005,00000060) ret=7c90e506
NtCreateFile root 0x1c attr 00000040 user32.dll
open_file root = 0x1c name = user32.dll
0304: NtOpenFile retval=c000003a ret=7c90e506
0304: NtQueryDebugFilterState(00000001,00000003) ret=7c90e506
NtQueryDebugFilterState 00000001 00000003
0304: NtQueryDebugFilterState retval=00000000 ret=7c90e506
0304: NtQueryDebugFilterState(00000001,00000003) ret=7c90e506
NtQueryDebugFilterState 00000001 00000003
0304: NtQueryDebugFilterState retval=00000000 ret=7c90e506
0304: NtQueryInformationPort(ffffffff,00000017,7ff7fda0,00000024,00000000) ret=7c90e506
syscall NtQueryInformationPort (9a) not implemented
0304: NtQueryInformationPort retval=c0000002 ret=7c90e506
0304: NtQueryDebugFilterState(00000001,00000003) ret=7c90e506
NtQueryDebugFilterState 00000001 00000003
0304: NtQueryDebugFilterState retval=00000000 ret=7c90e506
0304: NtQueryDebugFilterState(00000001,00000003) ret=7c90e506
NtQueryDebugFilterState 00000001 00000003
0304: NtQueryDebugFilterState retval=00000000 ret=7c90e506
0304: NtInitializeRegistry(00000000) ret=7c90e506
NtInitializeRegistry 0
0304: NtInitializeRegistry retval=00000000 ret=7c90e506
0304: NtQuerySystemInformation(00000000,7ff7f9e8,0000002c,00000000) ret=7c90e506
NtQuerySystemInformation 0 0x7ff7f9e8 44 (nil)
0304: NtQuerySystemInformation retval=00000000 ret=7c90e506
0304: NtQuerySystemInformation(00000001,7ff7fa38,0000000c,00000000) ret=7c90e506
NtQuerySystemInformation 1 0x7ff7fa38 12 (nil)
0304: NtQuerySystemInformation retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fa48,000f003f,7ff7fa20) ret=7c90e506
NtOpenKey 0x7ff7fa48 000f003f 0x7ff7fa20
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Session Manager\Environment
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000024
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtSetValueKey(00000024,7ff7fa4c,00000000,00000001,48582428,00000016) ret=7c90e506
NtSetValueKey 0x24 0x7ff7fa4c 0 1 0x48582428 22
delete_value deleting OS
0304: NtSetValueKey retval=00000000 ret=7c90e506
0304: NtSetValueKey(00000024,7ff7fa4c,00000000,00000001,485823a4,00000008) ret=7c90e506
NtSetValueKey 0x24 0x7ff7fa4c 0 1 0x485823a4 8
delete_value deleting PROCESSOR_ARCHITECTURE
0304: NtSetValueKey retval=00000000 ret=7c90e506
0304: NtSetValueKey(00000024,7ff7fa4c,00000000,00000001,7ff7fc54,00000004) ret=7c90e506
NtSetValueKey 0x24 0x7ff7fa4c 0 1 0x7ff7fc54 4
delete_value deleting PROCESSOR_LEVEL
0304: NtSetValueKey retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fa44,00020019,7ff7fa20) ret=7c90e506
NtOpenKey 0x7ff7fa44 00020019 0x7ff7fa20
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\Hardware\Description\System\CentralProcessor\0
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000028
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000028,7ff7fa4c,00000002,7ff7fc54,00000200,7ff7fa14) ret=7c90e506
NtQueryValueKey 0x28 0x7ff7fa4c 2 0x7ff7fc54 512 0x7ff7fa14
NtQueryValueKey Identifier
reg_query_value Identifier
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000028,7ff7fa4c,00000002,7ff7fa54,00000200,7ff7fa14) ret=7c90e506
NtQueryValueKey 0x28 0x7ff7fa4c 2 0x7ff7fa54 512 0x7ff7fa14
NtQueryValueKey VendorIdentifier
reg_query_value VendorIdentifier
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtClose(00000028) ret=7c90e506
NtClose 0x28
0304: NtClose retval=00000000 ret=7c90e506
0304: NtSetValueKey(00000024,7ff7fa4c,00000000,00000001,7ff7fc60,0000005c) ret=7c90e506
NtSetValueKey 0x24 0x7ff7fa4c 0 1 0x7ff7fc60 92
delete_value deleting PROCESSOR_IDENTIFIER
0304: NtSetValueKey retval=00000000 ret=7c90e506
0304: NtSetValueKey(00000024,7ff7fa4c,00000000,00000001,7ff7fc54,0000000a) ret=7c90e506
NtSetValueKey 0x24 0x7ff7fa4c 0 1 0x7ff7fc54 10
delete_value deleting PROCESSOR_REVISION
0304: NtSetValueKey retval=00000000 ret=7c90e506
0304: NtSetValueKey(00000024,7ff7fa4c,00000000,00000001,7ff7fc54,00000004) ret=7c90e506
NtSetValueKey 0x24 0x7ff7fa4c 0 1 0x7ff7fc54 4
delete_value deleting NUMBER_OF_PROCESSORS
0304: NtSetValueKey retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7fa44,000f003f,7ff7fa20) ret=7c90e506
NtOpenKey 0x7ff7fa44 000f003f 0x7ff7fa20
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\CurrentControlSet\Control\Safeboot\Option
open_parse_key remaining = Safeboot\Option
NtOpenKey open_key returned c000003a
0304: NtOpenKey retval=c000003a ret=7c90e506
0304: NtClose(00000024) ret=7c90e506
NtClose 0x24
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenKey(7ff7f7d8,00020019,7ff7f7b0) ret=7c90e506
NtOpenKey 0x7ff7f7d8 00020019 0x7ff7f7b0
NtOpenKey len 00000018 root (nil) attr 00000040 \Registry\Machine\System\Setup
NtOpenKey open_key returned 00000000
process_alloc_user_handle handle = 00000024
0304: NtOpenKey retval=00000000 ret=7c90e506
0304: NtQueryValueKey(00000024,7ff7f7d0,00000002,7ff7f7e0,00000210,7ff7f79c) ret=7c90e506
NtQueryValueKey 0x24 0x7ff7f7d0 2 0x7ff7f7e0 528 0x7ff7f79c
NtQueryValueKey SystemPartition
reg_query_value SystemPartition
0304: NtQueryValueKey retval=00000000 ret=7c90e506
0304: NtClose(00000024) ret=7c90e506
NtClose 0x24
0304: NtClose retval=00000000 ret=7c90e506
0304: NtQueryDirectoryObject(00000010,7ff7fbf0,0000022a,00000001,00000001,7ff7f7a0,00000000) ret=7c90e506
NtQueryDirectoryObject 0x10 0x7ff7fbf0 554 1 1 0x7ff7f7a0 (nil)
NtQueryDirectoryObject fixme
0304: NtQueryDirectoryObject retval=8000001a ret=7c90e506
0304: NtOpenProcessToken(ffffffff,00000028,00033638) ret=7c90e506
NtOpenProcessToken 0xffffffff 00000028 0x33638
process_alloc_user_handle handle = 00000024
0304: NtOpenProcessToken retval=00000000 ret=7c90e506
0304: NtAdjustPrivilegesToken(00000024,00000000,00033a44,00000400,00033644,7ff7fe14) ret=7c90e506
NtAdjustPrivilegesToken 0x24 0 0x33a44 1024 0x33644 0x7ff7fe14
access_allowed fixme: no access check
NtAdjustPrivilegesToken old privs 16 bytes
dump 00000013 00000000 00000000
NtAdjustPrivilegesToken new privs
dump 0000000a 00000000 00000002
0304: NtAdjustPrivilegesToken retval=00000000 ret=7c90e506
0304: NtSetSystemInformation(0000002f,7ff7feac,00000004) ret=7c90e506
NtSetSystemInformation 47 0x7ff7feac 4
0304: NtSetSystemInformation retval=00000000 ret=7c90e506
0304: NtSetSystemInformation(00000026,7ff7fe34,00000008) ret=7c90e506
NtSetSystemInformation 38 0x7ff7fe34 8
0304: NtSetSystemInformation retval=00000000 ret=7c90e506
0304: NtAdjustPrivilegesToken(00000024,00000000,00033644,00000000,00000000,00000000) ret=7c90e506
NtAdjustPrivilegesToken 0x24 0 0x33644 0 (nil) (nil)
access_allowed fixme: no access check
NtAdjustPrivilegesToken new privs
dump 00000013 00000000 00000000
0304: NtAdjustPrivilegesToken retval=00000000 ret=7c90e506
0304: NtClose(00000024) ret=7c90e506
NtClose 0x24
0304: NtClose retval=00000000 ret=7c90e506
0304: NtQueryAttributesFile(7ff7fb08,7ff7fae0) ret=7c90e506
NtQueryAttributesFile 0x7ff7fb08 0x7ff7fae0
NtQueryAttributesFile root (nil) attr 00000040 \??\C:\WINNT\system32\csrss.exe
stat_unicode c:/winnt/system32/csrss.exe -> 0
NtQueryAttributesFile found \??\C:\WINNT\system32\csrss.exe
0304: NtQueryAttributesFile retval=00000000 ret=7c90e506
0304: NtFreeVirtualMemory(ffffffff,7ff7fab0,7ff7fab4,00004000) ret=7c90e506
NtFreeVirtualMemory 0xffffffff 0x7ff7fab0 0x7ff7fab4 16384
NtFreeVirtualMemory returning 00000000
0304: NtFreeVirtualMemory retval=00000000 ret=7c90e506
0304: NtCreateEvent(00032a58,001f0003,00000000,00000000,00000000) ret=7c90e506
NtCreateEvent 0x32a58 001f0003 (nil) 0 0
process_alloc_user_handle handle = 00000024
0304: NtCreateEvent retval=00000000 ret=7c90e506
0304: NtAllocateVirtualMemory(ffffffff,7ff7fa88,00000000,7ff7fa70,00001000,00000004) ret=7c90e506
NtAllocateVirtualMemory returns  0x1d0000 00001000  00000000
0304: NtAllocateVirtualMemory retval=00000000 ret=7c90e506
0304: NtOpenFile(7ff7fa1c,00100020,7ff7f9ec,7ff7fa04,00000005,00000040) ret=7c90e506
NtCreateFile root (nil) attr 00000040 \??\C:\WINNT\system32\csrss.exe
open_file root = (nil) name = \??\C:\WINNT\system32\csrss.exe
open_unicode_file open file : c:/winnt/system32/csrss.exe
process_alloc_user_handle handle = 00000028
0304: NtOpenFile retval=00000000 ret=7c90e506
0304: NtCreateSection(7ff7fa7c,000f001f,00000000,00000000,00000010,01000000,00000028) ret=7c90e506
NtCreateSection 0x7ff7fa7c 000f001f (nil) (nil) 00000010 01000000 0x28
access_allowed fixme: no access check
process_alloc_user_handle handle = 0000002c
0304: NtCreateSection retval=00000000 ret=7c90e506
0304: NtClose(00000028) ret=7c90e506
NtClose 0x28
0304: NtClose retval=00000000 ret=7c90e506
0304: NtCreateProcess(7ff7fd70,001f0fff,7ff7fa48,ffffffff,00000000,0000002c,00000000,00000000) ret=7c90e506
NtCreateProcess 0x7ff7fd70 001f0fff 0x7ff7fa48 0xffffffff 0 0x2c (nil) (nil)
access_allowed fixme: no access check
mapit image at 0x4a680000
mapit read 4 sections, load at 4a680000
mapit .text    00001000 00000400 00000c00 00000aa0
mapit .data    00002000 00001000 00000200 0000006c
mapit .rsrc    00003000 00001200 00000400 000003f0
mapit .reloc   00004000 00001600 00000200 00000094
mapit image at 0x7c900000
mapit read 4 sections, load at 7c900000
mapit .text    00001000 00000400 0007a000 00079fb6
mapit .data    0007b000 0007a400 00003200 00004a00
mapit .rsrc    00080000 0007d600 0002c000 0002be68
mapit .reloc   000ac000 000a9600 00003000 00002e84
mapit anonymous map
mapit anonymous map
process_alloc_user_handle handle = 00000028
0304: NtCreateProcess retval=00000000 ret=7c90e506
0304: NtQuerySection(0000002c,00000001,7ff7fd80,00000030,00000000) ret=7c90e506
NtQuerySection 0x2c 1 0x7ff7fd80 48 (nil)
access_allowed fixme: no access check
0304: NtQuerySection retval=00000000 ret=7c90e506
0304: NtQueryInformationPort(00000028,00000000,7ff7fa30,00000018,00000000) ret=7c90e506
syscall NtQueryInformationPort (9a) not implemented
0304: NtQueryInformationPort retval=c0000002 ret=7c90e506
0304: NtClose(00000028) ret=7c90e506
NtClose 0x28
0304: NtClose retval=00000000 ret=7c90e506
0304: NtClose(0000002c) ret=7c90e506
NtClose 0x2c
0304: NtClose retval=00000000 ret=7c90e506
0304: NtFreeVirtualMemory(ffffffff,7ff7facc,7ff7fac0,00008000) ret=7c90e506
NtFreeVirtualMemory 0xffffffff 0x7ff7facc 0x7ff7fac0 32768
NtFreeVirtualMemory returning 00000000
0304: NtFreeVirtualMemory retval=00000000 ret=7c90e506
0304: NtSetBoostPriority() ret=7c90e506
syscall NtSetBoostPriority (db) not implemented
0304: NtSetBoostPriority retval=c0000002 ret=7c90e506
0304: NtClose(00000024) ret=7c90e506
NtClose 0x24
0304: NtClose retval=00000000 ret=7c90e506
0304: NtSetBoostPriority() ret=7c90e506
syscall NtSetBoostPriority (db) not implemented
0304: NtSetBoostPriority retval=c0000002 ret=7c90e506
0304: NtClose(0000000c) ret=7c90e506
NtClose 0xc
0304: NtClose retval=00000000 ret=7c90e506
0304: NtOpenThreadToken(fffffffe,00000028,00000000,7ff7fed0) ret=7c90e506
NtOpenThreadToken 0xfffffffe 00000028 0 0x7ff7fed0
0304: NtOpenThreadToken retval=c000007c ret=7c90e506
0304: NtOpenProcessToken(ffffffff,00000028,7ff7fed0) ret=7c90e506
NtOpenProcessToken 0xffffffff 00000028 0x7ff7fed0
process_alloc_user_handle handle = 0000000c
0304: NtOpenProcessToken retval=00000000 ret=7c90e506
0304: NtAdjustPrivilegesToken(0000000c,00000000,7ff7fee4,00000010,7ff7fed4,7ff7fec8) ret=7c90e506
NtAdjustPrivilegesToken 0xc 0 0x7ff7fee4 16 0x7ff7fed4 0x7ff7fec8
access_allowed fixme: no access check
NtAdjustPrivilegesToken old privs 16 bytes
dump 00000013 00000000 00000000
NtAdjustPrivilegesToken new privs
dump 00000013 00000000 00000002
0304: NtAdjustPrivilegesToken retval=00000000 ret=7c90e506
0304: NtClose(0000000c) ret=7c90e506
NtClose 0xc
0304: NtClose retval=00000000 ret=7c90e506
0304: NtRaiseHardError(c000021a,00000004,00000001,7ff7ff4c,00000006,7ff7ff14) ret=7c90e506
NtRaiseHardError c000021a 4 1 0x7ff7ff4c 6 0x7ff7ff14
NtRaiseHardError hard error:
NtRaiseHardError arg[0]: Session Manager Initialization
NtRaiseHardError arg[1]: c0000002
NtRaiseHardError arg[2]: 00000000
NtRaiseHardError arg[3]: 00000000
Stopped
--