98
Malicious
The predictive confidence of maliciousness for this sample is 98%.
17e826fa0f6297f80b459948ab12efbdefc06f3cb999184a5cb1eddcf7b7d550
2.2 MB
2020-05-09 09:36:55
First seen 10 days ago
Windows PE32 Executable

Classification

Ransomware: Low
Trojan: Low
Virus: High
Banker: Medium
Bot: Low
Rat: Low
Adware: Low
Infostealer: Low
Worm: Low
Spyware: Low

Indicators

SecondWrite Indicators
Forced Code Execution
Automatic Sequence Detection
Program Level Indicators
Anti-Analysis
  • Attempts to repeatedly call a single API many times in order to delay analysis time
Anti-Av
  • Stops Windows services
Anti-Sandbox
  • Checks whether any human activity is being performed by constantly checking whether the foreground window changed
  • A process attempted to delay the analysis task.
Anti-Vm
  • Queries for the computername
  • Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
  • Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
  • Checks adapter addresses which can be used to detect virtual network interfaces
  • Detects VMWare through the in instruction feature
Av-Tools
  • One or more AV tool detects this sample as malicious: Virus:Win32/Floxif.H
Banker
  • Creates known Dyreza Banking Trojan files, registry keys and/or mutexes
Browser
  • Tries to locate where the browsers are installed
Dropper
  • Drops a binary and executes it
Generic
  • This executable is signed
  • This executable has a PDB path
  • One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
  • Creates executable files on the filesystem
  • Reads data out of its own binary image
  • Sniffs keystrokes
Http
  • Performs some HTTP requests
  • HTTP traffic contains suspicious features which may be indicative of malware related traffic
Network
  • Performs some DNS requests
  • Sample contacts servers at uncommon ports
Packer
  • Allocates read-write-execute memory (usually to unpack itself)
Persistence
  • Creates an Alternate Data Stream (ADS)
Pos
  • Creates known Dexter registry keys and/or mutexes
Program-Level-Features
  • Contains obfuscated control-flow to defeat static analysis.
Static
  • Anomalous binary characteristics
  • Strings possibly contain hardcoded URLs
Stealth
  • Sample has an unverified signature from a known company
  • Loads a driver
  • Deletes its original binary from disk

Yara


Yara Pattern Name Description
IsPE32 No Description Available
HasOverlay Overlay Check
HasDigitalSignature DigitalSignature Check
HasDebugData DebugData Check
HasRichSignature Rich Signature Check
Str_Win32_Winsock2_Library Match Winsock 2 API library declaration
Base64Encode Base64 encoding detected
DebuggerCheck__QueryInfo No Description Available
DebuggerHiding__Thread No Description Available
DebuggerException__SetConsoleCtrl No Description Available
anti_dbg Checks if being debugged
network_tcp_socket Communications over RAW socket
network_dns Communications use DNS
escalate_priv Escalade priviledges
screenshot Take screenshot
keylogger Run a keylogger
win_registry Affect system registries
win_token Affect system token
win_files_operation Affect private profile
Big_Numbers0 Looks for big numbers 20:sized

Static Analysis


Version Infos

LegalCopyright: Copyright © 1996-2018 Mark Russinovich
InternalName: Process Monitor
FileVersion: 3.50
CompanyName: Sysinternals - www.sysinternals.com
ProductName: Sysinternals Procmon
ProductVersion: 3.50
FileDescription: Process Monitor
OriginalFilename: Process Monitor
Translation: 0x0409 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0008ec87 0x0008ee00 6.50814717074
.rdata 0x00090000 0x0002bb18 0x0002bc00 4.4160836666
.data 0x000bc000 0x0000977c 0x00001a00 3.78600950005
.rsrc 0x000c6000 0x00146c08 0x00146e00 6.10668067406
.reloc 0x0020d000 0x0000900c 0x00009200 6.6928738831

Resources

Name Offset Size Language Sub-language File type
BINRES 0x000ea368 0x00121a88 LANG_ENGLISH SUBLANG_ENGLISH_US None
BINRES 0x000ea368 0x00121a88 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_CURSOR 0x000d8310 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_CURSOR 0x000d8310 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_BITMAP 0x000c78e0 0x00000b68 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ICON 0x000cf988 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MENU 0x000d04a8 0x0000007a LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MENU 0x000d04a8 0x0000007a LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MENU 0x000d04a8 0x0000007a LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MENU 0x000d04a8 0x0000007a LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_DIALOG 0x000d5020 0x00000f86 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0020c3a0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0020c3a0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0020c3a0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0020c3a0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0020c3a0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0020c3a0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_STRING 0x0020c3a0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_ACCELERATOR 0x000c7800 0x000000e0 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_CURSOR 0x000d82f8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_CURSOR 0x000d82f8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_GROUP_ICON 0x000cf220 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_VERSION 0x000d0658 0x00000330 LANG_ENGLISH SUBLANG_ENGLISH_US None
RT_MANIFEST 0x0020c3e0 0x00000824 LANG_ENGLISH SUBLANG_ENGLISH_US None

Imports

  • accept
  • bind
  • closesocket
  • connect
  • gethostbyaddr
  • gethostbyname
  • getservbyname
  • getservbyport
  • getsockname
  • htonl
  • htons
  • inet_addr
  • inet_ntoa
  • listen
  • ntohs
  • recv
  • send
  • socket
  • WSAGetLastError
  • WSASetLastError
  • WSAStartup
  • GetFileVersionInfoSizeW
  • GetFileVersionInfoW
  • VerQueryValueW
  • None
  • CreateStatusWindowW
  • ImageList_Add
  • ImageList_Create
  • ImageList_Destroy
  • ImageList_DrawEx
  • ImageList_GetIcon
  • ImageList_GetIconSize
  • ImageList_ReplaceIcon
  • ImageList_SetBkColor
  • ImageList_SetOverlayImage
  • InitCommonControlsEx
  • FilterConnectCommunicationPort
  • FilterGetMessage
  • FilterReplyMessage
  • FilterSendMessage
  • CloseHandle
  • CompareStringW
  • CreateEventW
  • CreateFileMappingW
  • CreateFileW
  • CreateProcessW
  • CreateSemaphoreW
  • CreateThread
  • DecodePointer
  • DeleteCriticalSection
  • DeleteFileW
  • EncodePointer
  • EnterCriticalSection
  • EnumResourceNamesW
  • ExitProcess
  • ExitThread
  • ExpandEnvironmentStringsA
  • ExpandEnvironmentStringsW
  • FileTimeToLocalFileTime
  • FileTimeToSystemTime
  • FindClose
  • FindFirstFileW
  • FindNextFileW
  • FindResourceW
  • FlushFileBuffers
  • FormatMessageW
  • FreeEnvironmentStringsW
  • FreeLibrary
  • GetACP
  • GetCommandLineW
  • GetComputerNameA
  • GetComputerNameW
  • GetConsoleCP
  • GetConsoleMode
  • GetCPInfo
  • GetCurrentDirectoryW
  • GetCurrentProcess
  • GetCurrentProcessId
  • GetCurrentThread
  • GetCurrentThreadId
  • GetDateFormatW
  • GetEnvironmentStringsW
  • GetEnvironmentVariableW
  • GetFileAttributesExW
  • GetFileAttributesW
  • GetFileSize
  • GetFileType
  • GetFullPathNameW
  • GetLastError
  • GetLocaleInfoW
  • GetModuleFileNameW
  • GetModuleHandleExW
  • GetModuleHandleW
  • GetNumberFormatW
  • GetOEMCP
  • GetProcAddress
  • GetProcessHeap
  • GetStartupInfoW
  • GetStdHandle
  • GetStringTypeW
  • GetSystemDirectoryA
  • GetSystemDirectoryW
  • GetSystemInfo
  • GetSystemTimeAsFileTime
  • GetThreadContext
  • GetTickCount
  • GetTimeFormatW
  • GetVersion
  • GetVersionExW
  • GlobalAddAtomW
  • GlobalAlloc
  • GlobalLock
  • GlobalMemoryStatusEx
  • GlobalUnlock
  • HeapAlloc
  • HeapCreate
  • HeapDestroy
  • HeapFree
  • HeapReAlloc
  • HeapSize
  • InitializeCriticalSection
  • InitializeCriticalSectionAndSpinCount
  • InterlockedDecrement
  • InterlockedIncrement
  • IsDebuggerPresent
  • IsProcessorFeaturePresent
  • IsValidCodePage
  • LCMapStringW
  • LeaveCriticalSection
  • LoadLibraryA
  • LoadLibraryExW
  • LoadLibraryW
  • LoadResource
  • LocalAlloc
  • LocalFileTimeToFileTime
  • LocalFree
  • LockResource
  • lstrlenA
  • MapViewOfFile
  • MulDiv
  • MultiByteToWideChar
  • OpenProcess
  • OpenThread
  • OutputDebugStringW
  • QueryPerformanceCounter
  • QueryPerformanceFrequency
  • RaiseException
  • ReadConsoleInputA
  • ReadConsoleW
  • ReadFile
  • ReleaseSemaphore
  • ResetEvent
  • RtlUnwind
  • SetConsoleCtrlHandler
  • SetConsoleMode
  • SetCurrentDirectoryW
  • SetEndOfFile
  • SetEnvironmentVariableW
  • SetEvent
  • SetFileAttributesW
  • SetFilePointer
  • SetFilePointerEx
  • SetLastError
  • SetProcessShutdownParameters
  • SetStdHandle
  • SetThreadPriority
  • SetUnhandledExceptionFilter
  • SizeofResource
  • Sleep
  • SystemTimeToFileTime
  • TerminateProcess
  • TlsAlloc
  • TlsFree
  • TlsGetValue
  • TlsSetValue
  • TryEnterCriticalSection
  • UnhandledExceptionFilter
  • UnmapViewOfFile
  • VirtualAlloc
  • VirtualFree
  • WaitForMultipleObjects
  • WaitForSingleObject
  • WideCharToMultiByte
  • WriteConsoleW
  • WriteFile
  • BeginDeferWindowPos
  • BeginPaint
  • CallWindowProcW
  • CheckDlgButton
  • CheckMenuItem
  • CheckRadioButton
  • ChildWindowFromPoint
  • ClientToScreen
  • CloseClipboard
  • CopyImage
  • CreateDialogParamW
  • CreateIconFromResourceEx
  • CreatePopupMenu
  • CreateWindowExW
  • DeferWindowPos
  • DefWindowProcW
  • DeleteMenu
  • DestroyIcon
  • DestroyMenu
  • DestroyWindow
  • DialogBoxIndirectParamW
  • DialogBoxParamW
  • DispatchMessageW
  • DrawFrameControl
  • DrawIconEx
  • DrawTextW
  • EmptyClipboard
  • EnableMenuItem
  • EnableWindow
  • EndDeferWindowPos
  • EndDialog
  • EndPaint
  • EnumChildWindows
  • EqualRect
  • FillRect
  • FindWindowExW
  • FindWindowW
  • FlashWindowEx
  • FrameRect
  • GetActiveWindow
  • GetAncestor
  • GetCapture
  • GetClassLongW
  • GetClassNameW
  • GetClientRect
  • GetCursor
  • GetCursorPos
  • GetDC
  • GetDesktopWindow
  • GetDlgItem
  • GetDlgItemInt
  • GetDlgItemTextW
  • GetFocus
  • GetIconInfo
  • GetKeyState
  • GetMenu
  • GetMenuItemCount
  • GetMenuItemInfoW
  • GetMessageW
  • GetMonitorInfoW
  • GetParent
  • GetPropW
  • GetScrollInfo
  • GetSubMenu
  • GetSysColor
  • GetSysColorBrush
  • GetSystemMetrics
  • GetUpdateRect
  • GetUpdateRgn
  • GetWindow
  • GetWindowDC
  • GetWindowLongW
  • GetWindowPlacement
  • GetWindowRect
  • GetWindowTextW
  • GetWindowThreadProcessId
  • InflateRect
  • InsertMenuItemW
  • InsertMenuW
  • IntersectRect
  • InvalidateRect
  • IsDialogMessageW
  • IsDlgButtonChecked
  • IsIconic
  • IsWindowEnabled
  • IsWindowVisible
  • IsZoomed
  • KillTimer
  • LoadAcceleratorsW
  • LoadBitmapW
  • LoadCursorW
  • LoadIconW
  • LoadImageW
  • LoadMenuW
  • LoadStringW
  • MapWindowPoints
  • MessageBeep
  • MessageBoxW
  • MonitorFromPoint
  • MoveWindow
  • OffsetRect
  • OpenClipboard
  • PostMessageW
  • PostQuitMessage
  • PtInRect
  • RegisterClassExW
  • RegisterClassW
  • RegisterWindowMessageW
  • ReleaseCapture
  • ReleaseDC
  • ScreenToClient
  • ScrollWindowEx
  • SendMessageW
  • SetActiveWindow
  • SetCapture
  • SetClassLongW
  • SetClipboardData
  • SetCursor
  • SetDlgItemInt
  • SetDlgItemTextW
  • SetFocus
  • SetForegroundWindow
  • SetMenuDefaultItem
  • SetMenuInfo
  • SetPropW
  • SetScrollInfo
  • SetTimer
  • SetWindowLongW
  • SetWindowPlacement
  • SetWindowPos
  • SetWindowTextA
  • SetWindowTextW
  • ShowWindow
  • TrackPopupMenu
  • TranslateAcceleratorW
  • TranslateMessage
  • UnionRect
  • UpdateWindow
  • ValidateRect
  • WaitForInputIdle
  • WindowFromPoint
  • BitBlt
  • CreateBitmap
  • CreateCompatibleBitmap
  • CreateCompatibleDC
  • CreateFontIndirectW
  • CreateFontW
  • CreatePen
  • CreateRectRgn
  • CreateRectRgnIndirect
  • CreateSolidBrush
  • DeleteDC
  • DeleteObject
  • EndDoc
  • EndPage
  • GdiFlush
  • GetBitmapBits
  • GetBkColor
  • GetBkMode
  • GetDeviceCaps
  • GetObjectW
  • GetPixel
  • GetStockObject
  • GetTextMetricsW
  • LineTo
  • MoveToEx
  • Polygon
  • Polyline
  • Rectangle
  • RectInRegion
  • RestoreDC
  • SaveDC
  • SelectClipRgn
  • SelectObject
  • SetBkColor
  • SetBkMode
  • SetMapMode
  • SetPixel
  • SetROP2
  • SetTextColor
  • StartDocW
  • StartPage
  • ChooseColorW
  • ChooseFontW
  • FindTextW
  • GetOpenFileNameW
  • GetSaveFileNameW
  • PrintDlgW
  • AdjustTokenPrivileges
  • AllocateAndInitializeSid
  • ConvertSidToStringSidW
  • ConvertStringSidToSidW
  • EqualSid
  • FreeSid
  • GetLengthSid
  • GetTokenInformation
  • LookupAccountSidW
  • LookupPrivilegeValueW
  • MapGenericMask
  • OpenProcessToken
  • RegCloseKey
  • RegCreateKeyExW
  • RegCreateKeyW
  • RegDeleteKeyW
  • RegDeleteValueW
  • RegEnumKeyW
  • RegEnumValueW
  • RegOpenKeyExA
  • RegOpenKeyExW
  • RegOpenKeyW
  • RegQueryValueExA
  • RegQueryValueExW
  • RegSetValueExW
  • RegSetValueW
  • CommandLineToArgvW
  • DragQueryFileW
  • SHBrowseForFolderW
  • SHChangeNotify
  • ShellExecuteExW
  • SHGetFileInfoW
  • SHGetMalloc
  • SHGetPathFromIDListW
  • SHGetSpecialFolderLocation
  • CoCreateInstance
  • CoInitialize
  • CoSetProxyBlanket
  • CreateBindCtx
  • OleInitialize
  • RegisterDragDrop
  • ReleaseStgMedium
  • SafeArrayAccessData
  • SafeArrayDestroy
  • SafeArrayGetElement
  • SafeArrayGetLBound
  • SafeArrayGetUBound
  • SafeArrayUnaccessData
  • SysAllocString
  • SysAllocStringByteLen
  • SysAllocStringLen
  • SysFreeString
  • SysStringLen
  • VariantChangeType
  • VariantClear
  • VariantCopy
  • VariantInit
  • VariantTimeToSystemTime
  • SHAutoComplete

Strings

  • !This program cannot be run in DOS mode.
  • list<T> too long
  • IsThemeActive
  • OpenThemeData
  • DrawThemeBackground
  • CloseThemeData
  • CommandLineToArgvW
  • Accept Eula (Y/N)?
  • HlinkSimpleNavigateToString
  • vector<T> too long
  • map/set<T> too long
  • RtlNtStatusToDosError
  • NtLoadDriver
  • DllGetVersion
  • GetNativeSystemInfo
  • P?ZwSetInformationThread
  • NtQueryVirtualMemory
  • RtlInitUnicodeString
  • NtOpenSymbolicLinkObject
  • NtQuerySymbolicLinkObject
  • NtClose
  • StartTraceW
  • ControlTraceW
  • OpenTraceW
  • ProcessTrace
  • EnableThemeDialogTexture
  • InitializeSRWLock
  • AcquireSRWLockExclusive
  • AcquireSRWLockShared
  • ReleaseSRWLockExclusive
  • ReleaseSRWLockShared
  • SetDllDirectoryW
  • IsWow64Process
  • Process32First
  • Process32Next
  • Thread32First
  • Thread32Next
  • NtSuspendThread
  • NtResumeThread
  • NtQuerySystemInformation
  • getaddrinfo
  • getnameinfo
  • freeaddrinfo
  • \ws2_32
  • \wship6
  • SymInitialize
  • EnumerateLoadedModules64
  • SymRegisterCallback64
  • SymGetModuleInfo64
  • SymCleanup
  • SymFromAddrW
  • SymGetSymFromName
  • SymSetOptions
  • SymSetHomeDirectoryW
  • SymLoadModuleExW
  • SymLoadModule64
  • SymUnloadModule64
  • StackWalk64
  • SymGetLineFromAddrW64
  • SymGetLinePrevW64
  • SymGetSourceFileTokenW
  • SymGetSourceFileW
  • SymGetModuleBase64
  • SymFunctionTableAccess64
  • SymSrvGetFileIndexesW
  • SymFindFileInPathW
  • SymSetSearchPathW
  • Module32FirstW
  • Module32NextW
  • CreateToolhelp32Snapshot
  • HungWindowFromGhostWindow
  • hhctrl.ocx
  • CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
  • bad allocation
  • generic
  • unknown error
  • iostream
  • iostream stream error
  • system
  • string too long
  • invalid string position
  • permission denied
  • file exists
  • no such device
  • filename too long
  • device or resource busy
  • io error
  • directory not empty
  • invalid argument
  • no space on device
  • no such file or directory
  • function not supported
  • no lock available
  • not enough memory
  • resource unavailable try again
  • cross device link
  • operation canceled
  • too many files open
  • permission_denied
  • address_in_use
  • address_not_available
  • address_family_not_supported
  • connection_already_in_progress
  • bad_file_descriptor
  • connection_aborted
  • connection_refused
  • connection_reset
  • destination_address_required
  • bad_address
  • host_unreachable
  • operation_in_progress
  • interrupted
  • invalid_argument
  • already_connected
  • too_many_files_open
  • message_size
  • filename_too_long
  • network_down
  • network_reset
  • network_unreachable
  • no_buffer_space
  • no_protocol_option
  • not_connected
  • not_a_socket
  • operation_not_supported
  • protocol_not_supported
  • wrong_protocol_type
  • timed_out
  • operation_would_block
  • address family not supported
  • address in use
  • address not available
  • already connected
  • argument list too long
  • argument out of domain
  • bad address
  • bad file descriptor
  • bad message
  • broken pipe
  • connection aborted
  • connection already in progress
  • connection refused
  • connection reset
  • destination address required
  • executable format error
  • file too large
  • host unreachable
  • identifier removed
  • illegal byte sequence
  • inappropriate io control operation
  • invalid seek
  • is a directory
  • message size
  • network down
  • network reset
  • network unreachable
  • no buffer space
  • no child process
  • no link
  • no message available
  • no message
  • no protocol option
  • no stream resources
  • no such device or address
  • no such process
  • not a directory
  • not a socket
  • not a stream
  • not connected
  • not supported
  • operation in progress
  • operation not permitted
  • operation not supported
  • operation would block
  • owner dead
  • protocol error
  • protocol not supported
  • read only file system
  • resource deadlock would occur
  • result out of range
  • state not recoverable
  • stream timeout
  • text file busy
  • timed out
  • too many files open in system
  • too many links
  • too many symbolic link levels
  • value too large
  • wrong protocol type
  • CorExitProcess
  • RoInitialize
  • RoUninitialize
  • Access violation - no RTTI data!
  • Bad dynamic_cast!
  • Unknown exception
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • January
  • February
  • August
  • September
  • October
  • November
  • December
  • MM/dd/yy
  • dddd, MMMM dd, yyyy
  • HH:mm:ss
  •  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
  • bad exception
  • FlsAlloc
  • FlsFree
  • FlsGetValue
  • FlsSetValue
  • InitializeCriticalSectionEx
  • CreateEventExW
  • CreateSemaphoreExW
  • SetThreadStackGuarantee
  • CreateThreadpoolTimer
  • SetThreadpoolTimer
  • WaitForThreadpoolTimerCallbacks
  • CloseThreadpoolTimer
  • CreateThreadpoolWait
  • SetThreadpoolWait
  • CloseThreadpoolWait
  • FlushProcessWriteBuffers
  • FreeLibraryWhenCallbackReturns
  • GetCurrentProcessorNumber
  • GetLogicalProcessorInformation
  • CreateSymbolicLinkW
  • SetDefaultDllDirectories
  • EnumSystemLocalesEx
  • CompareStringEx
  • GetDateFormatEx
  • GetLocaleInfoEx
  • GetTimeFormatEx
  • GetUserDefaultLocaleName
  • IsValidLocaleName
  • LCMapStringEx
  • GetCurrentPackageId
  • GetTickCount64
  • GetFileInformationByHandleExW
  • SetFileInformationByHandleW
  • (null)
  • `h````
  • xpxxxx
  • _hypot
  • _nextafter
  •  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
  •  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
  • `h`hhh
  • xppwpp
  • __based(
  • __cdecl
  • __pascal
  • __stdcall
  • __thiscall
  • __fastcall
  • __vectorcall
  • __clrcall
  • __eabi
  • __ptr64
  • __restrict
  • __unaligned
  • restrict(
  • delete
  • operator
  • `vftable'
  • `vbtable'
  • `vcall'
  • `typeof'
  • `local static guard'
  • `string'
  • `vbase destructor'
  • `vector deleting destructor'
  • `default constructor closure'
  • `scalar deleting destructor'
  • `vector constructor iterator'
  • `vector destructor iterator'
  • `vector vbase constructor iterator'
  • `virtual displacement map'
  • `eh vector constructor iterator'
  • `eh vector destructor iterator'
  • `eh vector vbase constructor iterator'
  • `copy constructor closure'
  • `udt returning'
  • `local vftable'
  • `local vftable constructor closure'
  • new[]
  • delete[]
  • `omni callsig'
  • `placement delete closure'
  • `placement delete[] closure'
  • `managed vector constructor iterator'
  • `managed vector destructor iterator'
  • `eh vector copy constructor iterator'
  • `eh vector vbase copy constructor iterator'
  • `dynamic initializer for '
  • `dynamic atexit destructor for '
  • `vector copy constructor iterator'
  • `vector vbase copy constructor iterator'
  • `managed vector copy constructor iterator'
  • `local static thread guard'
  • Type Descriptor'
  • Base Class Descriptor at (
  • Base Class Array'
  • Class Hierarchy Descriptor'
  • Complete Object Locator'
  • MessageBoxW
  • GetActiveWindow
  • GetLastActivePopup
  • GetUserObjectInformationW
  • GetProcessWindowStation
  • CreateFile2
  • 1#SNAN
  • 1#QNAN
  • C:\Builds\13810\Tools\Procmon_master\bin\Win32\Release\Procmon.pdb
  • WS2_32.dll
  • GetFileVersionInfoSizeW
  • GetFileVersionInfoW
  • VerQueryValueW
  • VERSION.dll
  • InitCommonControlsEx
  • ImageList_Destroy
  • ImageList_DrawEx
  • ImageList_Create
  • ImageList_ReplaceIcon
  • ImageList_SetBkColor
  • ImageList_Add
  • ImageList_SetOverlayImage
  • ImageList_GetIcon
  • ImageList_GetIconSize
  • CreateStatusWindowW
  • COMCTL32.dll
  • FilterConnectCommunicationPort
  • FilterSendMessage
  • FilterGetMessage
  • FilterReplyMessage
  • FLTLIB.DLL
  • InterlockedIncrement
  • InterlockedDecrement
  • FreeLibrary
  • GetProcAddress
  • MulDiv
  • GetTickCount
  • LoadLibraryW
  • GetModuleHandleW
  • GlobalAddAtomW
  • LocalAlloc
  • LocalFree
  • GetFileType
  • GetStdHandle
  • GetCommandLineW
  • GetModuleFileNameW
  • CreateThread
  • EnterCriticalSection
  • LeaveCriticalSection
  • WaitForSingleObject
  • CloseHandle
  • GetSystemTimeAsFileTime
  • InitializeCriticalSection
  • DeleteCriticalSection
  • VirtualAlloc
  • LockResource
  • GetCurrentProcess
  • GetLastError
  • SetLastError
  • LoadResource
  • SizeofResource
  • ExpandEnvironmentStringsW
  • FindResourceW
  • GetSystemDirectoryW
  • GetCurrentDirectoryW
  • SetFileAttributesW
  • DeleteFileW
  • GlobalMemoryStatusEx
  • VirtualFree
  • GetSystemInfo
  • GetFullPathNameW
  • GetFileAttributesW
  • GetVersionExW
  • LoadLibraryExW
  • EnumResourceNamesW
  • OpenProcess
  • CreateProcessW
  • SetCurrentDirectoryW
  • GlobalAlloc
  • GlobalLock
  • GlobalUnlock
  • CompareStringW
  • GetLocaleInfoW
  • TryEnterCriticalSection
  • GetFileSize
  • SetEndOfFile
  • SetFilePointer
  • MapViewOfFile
  • UnmapViewOfFile
  • CreateFileMappingW
  • CreateFileW
  • GetVersion
  • WriteFile
  • ReadFile
  • SystemTimeToFileTime
  • FileTimeToLocalFileTime
  • LocalFileTimeToFileTime
  • FileTimeToSystemTime
  • FormatMessageW
  • GetTimeFormatW
  • GetDateFormatW
  • GetNumberFormatW
  • HeapCreate
  • HeapDestroy
  • HeapAlloc
  • HeapFree
  • HeapSize
  • ExitProcess
  • GetCurrentThread
  • SetThreadPriority
  • SetEvent
  • ResetEvent
  • ReleaseSemaphore
  • WaitForMultipleObjects
  • CreateEventW
  • CreateSemaphoreW
  • GetComputerNameA
  • QueryPerformanceCounter
  • QueryPerformanceFrequency
  • SetProcessShutdownParameters
  • GetFileAttributesExW
  • GetComputerNameW
  • SetConsoleCtrlHandler
  • GetCurrentProcessId
  • OpenThread
  • GetThreadContext
  • LoadLibraryA
  • GetSystemDirectoryA
  • FindClose
  • FindFirstFileW
  • FindNextFileW
  • DecodePointer
  • HeapReAlloc
  • GetProcessHeap
  • RaiseException
  • InitializeCriticalSectionAndSpinCount
  • GetEnvironmentVariableW
  • SetEnvironmentVariableW
  • ExpandEnvironmentStringsA
  • KERNEL32.dll
  • SendMessageW
  • DefWindowProcW
  • CallWindowProcW
  • RegisterClassExW
  • CreateWindowExW
  • ShowWindow
  • SetWindowPos
  • SetFocus
  • GetFocus
  • GetKeyState
  • GetCapture
  • SetCapture
  • ReleaseCapture
  • SetTimer
  • GetSystemMetrics
  • DrawTextW
  • UpdateWindow
  • ReleaseDC
  • BeginPaint
  • EndPaint
  • GetUpdateRect
  • GetUpdateRgn
  • InvalidateRect
  • ValidateRect
  • ScrollWindowEx
  • SetPropW
  • GetPropW
  • GetClientRect
  • GetWindowRect
  • SetCursor
  • GetCursorPos
  • MapWindowPoints
  • GetSysColor
  • GetSysColorBrush
  • FillRect
  • InflateRect
  • IntersectRect
  • OffsetRect
  • GetWindowLongW
  • SetWindowLongW
  • GetClassLongW
  • GetParent
  • LoadCursorW
  • SetScrollInfo
  • GetScrollInfo
  • DialogBoxIndirectParamW
  • EndDialog
  • GetDlgItem
  • SetWindowTextW
  • MoveWindow
  • SetDlgItemTextW
  • GetWindowTextW
  • ChildWindowFromPoint
  • DialogBoxParamW
  • EnableWindow
  • GetDesktopWindow
  • GetAncestor
  • MessageBoxW
  • LoadStringW
  • PostMessageW
  • DestroyWindow
  • CheckDlgButton
  • IsDlgButtonChecked
  • GetCursor
  • FrameRect
  • SetClassLongW
  • LoadIconW
  • DestroyIcon
  • DrawIconEx
  • GetIconInfo
  • MonitorFromPoint
  • GetMonitorInfoW
  • PtInRect
  • CreateIconFromResourceEx
  • WaitForInputIdle
  • IsIconic
  • SetForegroundWindow
  • FindWindowW
  • FindWindowExW
  • GetWindowThreadProcessId
  • OpenClipboard
  • CloseClipboard
  • SetClipboardData
  • EmptyClipboard
  • ClientToScreen
  • LoadImageW
  • GetActiveWindow
  • GetWindow
  • RegisterWindowMessageW
  • DrawFrameControl
  • GetMessageW
  • TranslateMessage
  • DispatchMessageW
  • PostQuitMessage
  • RegisterClassW
  • FlashWindowEx
  • GetWindowPlacement
  • SetWindowPlacement
  • BeginDeferWindowPos
  • DeferWindowPos
  • EndDeferWindowPos
  • IsWindowVisible
  • IsZoomed
  • CreateDialogParamW
  • SetDlgItemInt
  • GetDlgItemInt
  • GetDlgItemTextW
  • CheckRadioButton
  • KillTimer
  • IsWindowEnabled
  • LoadAcceleratorsW
  • TranslateAcceleratorW
  • LoadMenuW
  • GetMenu
  • CreatePopupMenu
  • DestroyMenu
  • CheckMenuItem
  • EnableMenuItem
  • GetSubMenu
  • GetMenuItemCount
  • InsertMenuW
  • DeleteMenu
  • TrackPopupMenu
  • SetMenuInfo
  • InsertMenuItemW
  • GetMenuItemInfoW
  • SetMenuDefaultItem
  • SetActiveWindow
  • SetWindowTextA
  • MessageBeep
  • ScreenToClient
  • UnionRect
  • EqualRect
  • EnumChildWindows
  • GetClassNameW
  • LoadBitmapW
  • CopyImage
  • IsDialogMessageW
  • GetWindowDC
  • WindowFromPoint
  • USER32.dll
  • BitBlt
  • CreateCompatibleBitmap
  • CreateCompatibleDC
  • CreatePen
  • CreateRectRgn
  • CreateRectRgnIndirect
  • CreateSolidBrush
  • DeleteDC
  • DeleteObject
  • GetBkColor
  • GetBkMode
  • GetDeviceCaps
  • GetStockObject
  • RectInRegion
  • SelectClipRgn
  • SelectObject
  • SetBkColor
  • SetBkMode
  • SetTextColor
  • GetTextMetricsW
  • Polyline
  • SetMapMode
  • StartDocW
  • EndDoc
  • StartPage
  • EndPage
  • CreateFontIndirectW
  • GetObjectW
  • GetBitmapBits
  • LineTo
  • MoveToEx
  • Polygon
  • CreateBitmap
  • CreateFontW
  • GetPixel
  • SetPixel
  • GdiFlush
  • Rectangle
  • RestoreDC
  • SaveDC
  • SetROP2
  • GDI32.dll
  • PrintDlgW
  • GetSaveFileNameW
  • GetOpenFileNameW
  • ChooseColorW
  • FindTextW
  • ChooseFontW
  • COMDLG32.dll
  • RegQueryValueExW
  • RegSetValueExW
  • RegCloseKey
  • RegCreateKeyW
  • RegOpenKeyW
  • RegOpenKeyExW
  • OpenProcessToken
  • AdjustTokenPrivileges
  • LookupPrivilegeValueW
  • RegDeleteKeyW
  • RegDeleteValueW
  • GetTokenInformation
  • EqualSid
  • AllocateAndInitializeSid
  • FreeSid
  • GetLengthSid
  • MapGenericMask
  • LookupAccountSidW
  • RegCreateKeyExW
  • RegEnumKeyW
  • RegSetValueW
  • ConvertSidToStringSidW
  • ConvertStringSidToSidW
  • RegEnumValueW
  • RegQueryValueExA
  • RegOpenKeyExA
  • ADVAPI32.dll
  • ShellExecuteExW
  • SHGetFileInfoW
  • SHGetMalloc
  • SHGetSpecialFolderLocation
  • SHBrowseForFolderW
  • SHChangeNotify
  • DragQueryFileW
  • CommandLineToArgvW
  • SHGetPathFromIDListW
  • SHELL32.dll
  • CoInitialize
  • CoSetProxyBlanket
  • CoCreateInstance
  • CreateBindCtx
  • OleInitialize
  • RegisterDragDrop
  • ReleaseStgMedium
  • ole32.dll
  • OLEAUT32.dll
  • SHAutoComplete
  • SHLWAPI.dll
  • lstrlenA
  • MultiByteToWideChar
  • WideCharToMultiByte
  • IsDebuggerPresent
  • OutputDebugStringW
  • RtlUnwind
  • EncodePointer
  • GetModuleHandleExW
  • GetConsoleMode
  • ReadConsoleInputA
  • SetConsoleMode
  • IsProcessorFeaturePresent
  • ExitThread
  • GetCurrentThreadId
  • IsValidCodePage
  • GetACP
  • GetOEMCP
  • GetCPInfo
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • TerminateProcess
  • TlsAlloc
  • TlsGetValue
  • TlsSetValue
  • TlsFree
  • GetStartupInfoW
  • GetConsoleCP
  • GetStringTypeW
  • GetEnvironmentStringsW
  • FreeEnvironmentStringsW
  • LCMapStringW
  • SetFilePointerEx
  • WriteConsoleW
  • SetStdHandle
  • FlushFileBuffers
  • ReadConsoleW
  • abcdefghijklmnopqrstuvwxyz
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • abcdefghijklmnopqrstuvwxyz
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • .?AVCThemedWindow@@
  • .?AVCTreeList@@
  • .?AVCTreeListData@@
  • .?AVCListViewData@@
  • .?AVCViewRef@@
  • .?AVCEventRef@@
  • .?AUIUnknown@@
  • .?AVCCallTreeData@@
  • .?AUIDropTarget@@
  • .?AVCResizer@@
  • .?AVCDropTarget@@
  • .?AUPAS_ROW_CACHE@@
  • .?AVCFileSummary@@
  • .?AVCProcessTreeData@@
  • .?AV_com_error@@
  • .?AVbad_alloc@std@@
  • .?AVexception@std@@
  • .?AVlogic_error@std@@
  • .?AVlength_error@std@@
  • .?AVout_of_range@std@@
  • .?AVerror_category@std@@
  • .?AV_Generic_error_category@std@@
  • .?AV_Iostream_error_category@std@@
  • .?AV_System_error_category@std@@
  • .?AVtype_info@@
  • .?AV__non_rtti_object@std@@
  • .?AVbad_typeid@std@@
  • .?AVbad_cast@std@@
  • .?AVbad_exception@std@@
  • !This program cannot be run in DOS mode.
  • h.rdata
  • H.data
  • B.reloc
  • System
  • C:\Builds\13810\Tools\Procmon_master\bin\Win32\Release\ProcMonDriver.pdb
  • ExAcquireFastMutex
  • ExReleaseFastMutex
  • KeGetCurrentIrql
  • KfAcquireSpinLock
  • KfReleaseSpinLock
  • KeQueryPerformanceCounter
  • HAL.dll
  • RtlInitUnicodeString
  • RtlAnsiStringToUnicodeString
  • RtlCompareUnicodeString
  • RtlCopyUnicodeString
  • RtlAppendUnicodeStringToString
  • RtlFreeUnicodeString
  • KeInitializeDpc
  • KeInitializeEvent
  • KeSetEvent
  • KeInitializeTimer
  • KeSetTimer
  • KeWaitForSingleObject
  • ExFreePoolWithTag
  • ExQueueWorkItem
  • ObfDereferenceObject
  • ZwCreateFile
  • ZwSetInformationFile
  • ZwWriteFile
  • ZwClose
  • ZwOpenKey
  • ZwFlushKey
  • ZwQueryValueKey
  • ZwSetValueKey
  • PsGetCurrentProcessId
  • IoSetThreadHardErrorMode
  • ZwQuerySystemInformation
  • memcpy
  • KeClearEvent
  • IofCompleteRequest
  • IoCreateNotificationEvent
  • IoCreateSymbolicLink
  • IoDeleteDevice
  • IoDeleteSymbolicLink
  • memmove
  • KeDelayExecutionThread
  • MmProbeAndLockProcessPages
  • MmUnlockPages
  • MmMapLockedPagesSpecifyCache
  • IoAllocateMdl
  • IoFreeMdl
  • IoGetCurrentProcess
  • IoGetTopLevelIrp
  • IoSetTopLevelIrp
  • RtlLengthSid
  • IoThreadToProcess
  • FsRtlIsPagingFile
  • KeCancelTimer
  • KeQuerySystemTime
  • InterlockedPopEntrySList
  • InterlockedPushEntrySList
  • ExInitializeNPagedLookasideList
  • PsCreateSystemThread
  • RtlWalkFrameChain
  • PsGetCurrentThreadId
  • _alldiv
  • _alldvrm
  • _allmul
  • strncmp
  • strncpy
  • KeGetCurrentThread
  • KeInitializeTimerEx
  • KeSetTimerEx
  • KeWaitForMultipleObjects
  • MmGetSystemRoutineAddress
  • ObReferenceObjectByHandle
  • PsSetCreateProcessNotifyRoutine
  • PsSetCreateThreadNotifyRoutine
  • PsRemoveCreateThreadNotifyRoutine
  • PsSetLoadImageNotifyRoutine
  • PsRemoveLoadImageNotifyRoutine
  • ZwOpenProcess
  • KeStackAttachProcess
  • KeUnstackDetachProcess
  • PsReferencePrimaryToken
  • PsReferenceImpersonationToken
  • PsLookupThreadByThreadId
  • ObOpenObjectByPointer
  • ZwWaitForSingleObject
  • ZwQueryInformationToken
  • ZwOpenThread
  • ZwQueryInformationProcess
  • ZwOpenProcessToken
  • KeInsertQueueApc
  • KeInitializeApc
  • memset
  • ExAllocatePoolWithTag
  • PsGetVersion
  • KeInitializeMutex
  • KeReleaseMutex
  • ExAllocatePool
  • ExInitializePagedLookasideList
  • ProbeForRead
  • ProbeForWrite
  • ExGetPreviousMode
  • MmBuildMdlForNonPagedPool
  • MmUnmapLockedPages
  • MmCreateMdl
  • ZwCreateKey
  • ZwDeleteKey
  • ZwDeleteValueKey
  • ZwEnumerateKey
  • ZwEnumerateValueKey
  • ZwQueryKey
  • ObQueryNameString
  • ZwLoadKey
  • ZwUnloadKey
  • KeServiceDescriptorTable
  • ntoskrnl.exe
  • ZwSetSecurityObject
  • IoDeviceObjectType
  • IoCreateDevice
  • RtlUnwind
  • RtlGetDaclSecurityDescriptor
  • RtlGetSaclSecurityDescriptor
  • RtlGetGroupSecurityDescriptor
  • RtlGetOwnerSecurityDescriptor
  • _snwprintf
  • RtlLengthSecurityDescriptor
  • SeCaptureSecurityDescriptor
  • SeExports
  • IoIsWdmVersionAvailable
  • _wcsnicmp
  • RtlAddAccessAllowedAce
  • wcschr
  • RtlAbsoluteToSelfRelativeSD
  • RtlSetDaclSecurityDescriptor
  • RtlCreateSecurityDescriptor
  • FltGetVolumeName
  • FltGetDiskDeviceObject
  • FltEnumerateVolumes
  • FltObjectDereference
  • FltRegisterFilter
  • FltUnregisterFilter
  • FltStartFiltering
  • FltGetFileNameInformation
  • FltReleaseFileNameInformation
  • FltGetDestinationFileNameInformation
  • FltAttachVolume
  • FltDetachVolume
  • FltCreateFile
  • FltClose
  • FltCreateCommunicationPort
  • FltCloseCommunicationPort
  • FltCloseClientPort
  • FltSendMessage
  • FltBuildDefaultSecurityDescriptor
  • FltFreeSecurityDescriptor
  • FltGetFileNameInformationUnsafe
  • FLTMGR.SYS
  • KeTickCount
  • KeBugCheckEx
  • !This program cannot be run in DOS mode.
  • ~Rich[
  • `.rdata
  • @.data
  • .pdata
  • @.rsrc
  • @.reloc
  • `A_A^_^]
  • 9D$0tP
  • l$ VWAVH
  • H0H91t1
  • EPHcEXH
  • L$ UWATAUAVH
  • A^A]A\_]
  • @VWAVH
  • @USVWATAUAVAWH
  • IcA Mc
  • A_A^A]A\_^[]
  • 4444444
  • 4444444
  • 4444 444!4"4#4$%4444444444&'4444(4)4*4444+444444,4-4444..444444444//44440144404444444423
  • UWATAVAWH
  • A_A^A\_]
  • UWATAVAWH
  • A_A^A\_]
  • @UVWAVAWH
  • 0A_A^_^]
  • UAVAWH
  • @VWAVH
  • @UVATAUH
  • A]A\^]
  • ;K }=H
  • ;K }=H
  • @UVWATAUAVAWH
  • t*HcD$0L
  • A_A^A]A\_^]
  • @UVWATAUAVAWH
  • A_A^A]A\_^]
  • @UVWATAUAVAWH
  • A_A^A]A\_^]
  • UVWATAUAVAWH
  • U(+U H
  • C0H+C(
  • M +M0Hc
  • M8+M0Lc
  • A_A^A]A\_^]
  • YH9X s
  • T$XA9AHs
  • AXH9CX
  • UVWATAUAVAWH
  • A_A^A]A\_^]
  • 9rPt<H
  • @USVWATAUAVAWH
  • A_A^A]A\_^[]
  • UWATAVAWH
  • A_A^A\_]
  • @USVATH
  • D9|$@}
  • D9|$H}
  • D9t$D}
  • D9t$L}
  • N0H91t
  • C0+C(D
  • nG +C
  • C0+C(D
  • nG(+C
  • C4+C,D
  • nG$+C$
  • W,+W$A
  • nG,+C$
  • T$,D+G4
  • UVWAVAWH
  • PA_A^_^]
  • UATAUAVAWH
  • A_A^A]A\]
  • @UVWAVAWH
  • A_A^_^]
  • @USVWAVH
  • A^_^[]
  • k VWAVH
  • D$,+D$$f
  • UAVAWH
  • UWATAVAWH
  • A_A^A\_]
  • @UVWAVAWH
  • D$xHc[
  • A_A^_^]
  • @SUVWAVAWH
  • T$8+L$4+T$0;V
  • LV ;N$
  • hA_A^_^][
  • WAVAWH
  • |$ AVH
  • @SUVWATAVAWH
  • A_A^A\_^][
  • WAVAWH
  • 0A_A^_
  • WAVAWH
  • A_A^_
  • UUUUUUU
  • l$ WAVAWH
  • A_A^_
  • UUUUUUU
  • @VWAVH
  • UUUUUUU
  • @VWAVH
  • D$@L;D$Hu
  • D$@L;D$Hu
  • WAVAWH
  • A_A^_
  • D$@L;D$Hu
  • D$@L;D$Hu
  • D$@L;D$Hu
  • D$@L;D$Hu
  • WAVAWH
  • 0A_A^_
  • D$@L;D$Hu
  • WAVAWH
  • 0A_A^_
  • D$@L;D$Hu
  • WAVAWH
  • 0A_A^_
  • |$ AVH
  • D$@L;D$Hu
  • WAVAWH
  • 0A_A^_
  • UUUUUUU
  • @USVWATAWH
  • D8d$hu%M
  • D9d$tupH
  • A_A\_^[]
  • D8d$et
  • D8d$gt]M
  • D8d$ktEA
  • D8d$rt
  • D8d$it1H
  • D8d$mt
  • D8d$qt
  • D8d$et
  • u.D8d$nu'L
  • t8D8%r
  • 3D8d$pu,D8%R
  • H9H s*
  • ATAVAWH
  • GXH+GPH
  • A_A^A\
  • @SVWATAUAVAWH
  • A_A^A]A\_^[
  • @UWATAVAWH
  • A(H;C(
  • K@D9I,wsH+Q8L
  • L+A0D+I,H
  • A_A^A\_]
  • UAVAWH
  • VWATAVAWH
  • A_A^A\_^
  • TUUUUUU
  • WATAUAVAWH
  • @A_A^A]A\_
  • UWATAVAWH
  • A_A^A\_]
  • @SUVWAVH
  • `A^_^][
  • t$@@8u
  • @UVWAVAWH
  • A_A^_^]
  • @SUVWATAVAWH
  • `A_A^A\_^][H
  • @SUVWATAVAWH
  • H;]0t*H
  • PA_A^A\_^][
  • D$@L;D$Hu
  • D$@L;D$Hu
  • WAVAWH
  • A_A^_
  • UVWATAUAVAWH
  • @A_A^A]A\_^]
  • @VWATAUAWH
  • `A_A]A\_^
  • @SUVWATAUAVAWH
  • A_A^A]A\_^][
  • |$ AVH
  • |$ ATAVAWH
  • \$@uDf
  • A_A^A\
  • |$ AVH
  • WAVAWH
  • PA_A^_
  • WAVAWH
  • \$ VWAVH
  • l$ VWATAVAWH
  • A_A^A\_^
  • WAVAWH
  • 0A_A^_
  • @UATAUAVAWH
  • A_A^A]A\]
  • SVWATAUAVAWH
  • @A_A^A]A\_^[
  • @UVWATAUAVAWH
  • effffff
  • effffff
  • A_A^A]A\_^]
  • |$ AVH
  • UVWATAUAVAWH
  • D9x0u<
  • A_A^A]A\_^]
  • @UVWATAUAVAWH
  • A_A^A]A\_^]
  • |$ AVH
  • UVWATAUAVAWH
  • PA_A^A]A\_^]
  • WAVAWH
  • PA_A^_
  • {(PML_u@
  • UWATAVAWH
  • A_A^A\_]
  • @UVWAVAWH
  • pA_A^_^]
  • USVWATAVAWH
  • {(PML_t
  • A_A^A\_^[]
  • SUVWATAUAVAWH
  • A_A^A]A\_^][
  • USVWATAUAVAWH
  • 4/x&Mc
  • t$0fff
  • A_A^A]A\_^[]
  • effffff
  • LLLLLLLLL
  • LLLLLLLLLLLLL
  • LLLLLLLLLL
  •  !"#$%LLLLLLLLLL&LLLLLLLLLLL'LLLLLLLLLLLLLLLL()LLLLLLLLLLLLLLLLLLLLLLLL*L+L,-LLLL.LL/LLLLL0123L456789LLLL:;L<=LL>L?@LLLLLLLALLLLLLLBLLLCDLELLLLLLFLLLLLLLLLLLLGHIJLLLLLLLLKf
  • WAVAWH
  • A_A^_
  • |$ AVH
  • 2333333
  • WATAUAVAWH
  • L;0u:H
  • @A_A^A]A\_
  • @WATAUAVAWH
  • @A_A^A]A\_
  • @VWAVH
  • @SUVWATAUAVAWH
  • A_A^A]A\_^][
  • @USVWATAUAVAWH
  • A_A^A]A\_^[]
  • WAVAWH
  • A_A^_
  • WATAUAVAWH
  • A_A^A]A\_
  • @UVWATAUAVAWH
  • A_A^A]A\_^]
  • @USVWAVAWH
  • XA_A^_^[]
  • @VWAVH
  • @SVWAVH
  • L$@HcQ<H
  • @USVWATAUAVAWH
  • hA_A^A]A\_^[]
  • effffff
  • USVWATAUAVAWH
  • A_A^A]A\_^[]
  • @VWATAVAWH
  • @A_A^A\_^
  • @UWAVH
  • H;9tjH
  • t$ ATAVAWH
  • 0A_A^A\
  • L$8+T$4D+L$0E3
  • C,9D$0u
  • e A^_]
  • SVWAVH
  • 8A^_^[
  • fA;8utI
  • fA;0t)fA98t
  • @8l$8t
  • L$ USWH
  • WAVAWH
  • 0A_A^_
  • UAVAWH
  • VWATAVAWH
  • A_A^A\_^
  • x ATAVAWH
  • A_A^A\
  • ATAVAWH
  • A_A^A\
  • D8t$8t
  • fffffff
  • WATAUAVAWH
  • @A_A^A]A\_
  • t5f9t$(u
  • WAVAWH
  • fD9>u"
  • 0A_A^_
  • WATAUAVAWH
  • A_A^A]A\_
  • WAVAWH
  • 0A_A^_
  • SVWAVH
  • 8A^_^[
  • l$ VWAVH
  • 9\$ ~>L
  • H SVWH
  • t$ WAVAWH
  • 0A_A^_
  • UVWATAUAVAWH
  • D$`HcK
  • H;D$xu
  • A_A^A]A\_^]
  • WATAUAVAWH
  • A_A^A]A\_
  • SUVWATAUAVAWH
  • H9D$(u^L
  • L$0D;t$ s
  • HA_A^A]A\_^][
  • WATAUAVAWH
  • A_A^A]A\_
  • VWATAVAWH
  • A_A^A\_^
  • l$ VWATAVAWH
  • T$&@8t$&t9@8r
  • A81t@@8r
  • A_A^A\_^
  • UVWATAUAVAWH
  • 9D$LupE
  • A_A^A]A\_^]
  • UVWATAUAVAWH
  • 9D$XumE
  • A_A^A]A\_^]
  • WAVAWH
  • A_A^_
  • VWATAVAWH
  • A_A^A\_^
  • UVWATAUAVAWH
  • A_A^A]A\_^]
  • D8eoupH
  • UVWATAUAVAWH
  • pA_A^A]A\_^]
  • WATAUAVAWH
  • A_A^A]A\_
  • AUAVAWH
  • 0A_A^A]
  • @SVWATAUAVAWH
  • L!|$@L!
  • D$HHcH
  • A_A^A]A\_^[
  • SVWATAUAVAWH
  • 0A_A^A]A\_^[
  • WATAVH
  • @A^A\_
  • WATAUAVAWH
  • A_A^A]A\_
  • WAVAWH
  • A_A^_
  • t$ WAVAWH
  • LcA<E3
  • t$ WATAUAVAWH
  • D!l$h3
  • 0A_A^A]A\_
  • UVWATAUAVAWH
  • D$DD9T$X
  • |$h+t$D+
  • A_A^A]A\_^]
  • |$ ATAVAWH
  • A_A^A\
  • USVWAVH
  • A^_^[]
  • WATAUAVAWH
  • gfffffffH
  • D8L$Ht
  • A_A^A]A\_
  • x AUAVAWH
  • A_A^A]
  • @SUVWH
  • @SUVWH
  • @SUVWAVH
  • A^_^][
  • t$ WATAUAVAWH
  • 0A_A^A]A\_
  • AUAVAWH
  • 0A_A^A]
  • VWATAVAWH
  • A_A^A\_^
  • \$ UVWATAUAVAWH
  • D9l$dtXH
  • HcD$PH;
  • HcD$PH;
  • A_A^A]A\_^]
  • ` AUAVAWH
  • t$8Hc0I
  • \$0D9=
  • A_A^A]
  • @UATAUAVAWH
  • !t$(H!t$ I
  • A_A^A]A\]
  • UVWATAUAVAWH
  • T$hfE;"
  • t$HfD;
  • T$hfA;
  • T$hfD;
  • T$Du}E
  • |$@9L$Xt
  • D9\$Xt
  • D8\$4uiM
  • t$HfD;
  • \$`9D$Xt
  • D8\$Lt
  • D8l$5t
  • fD9#u1
  • \$pD9M
  • A_A^A]A\_^]
  • UVWATAUAVAWH
  • A_A^A]A\_^]
  • UVWATAUAVAWH
  • @A_A^A]A\_^]
  • UAVAWH
  • Hct$PH
  • seHcD$XH
  • fD9!u:A
  • fD93tSH
  • CfD93u
  • H3E H3E
  • @UATAUAVAWH
  • A_A^A]A\]
  • VWATAVAWH
  • A_A^A\_^
  • D82u&H
  • D8t$Ht
  • UVWATAUAVAWH
  • D$DD9T$X
  • |$h+t$D+
  • A_A^A]A\_^]
  • WAVAWH
  • A_A^_
  • @SUVWATAVAWH
  • tcH95a
  • PA_A^A\_^][
  • @USVWH
  • UVWATAUAVAWH
  • A_A^A]A\_^]
  • ` AUAVAWH
  • 0A_A^A]
  • l$ VWAUAVAWH
  • L$(fA;
  • u$HcG$H;
  • t5f9(t
  • A_A^A]_^
  • \$ UVWATAUAVAWH
  • A_A^A]A\_^]
  • |$ UATAUAVAWH
  • A_A^A]A\]
  • |$ UATAUAVAWH
  • A_A^A]A\]
  • UVWATAUAVAWH
  • A_A^A]A\_^]
  • UVWATAUAVAWH
  • A_A^A]A\_^]
  • x AUAVAWH
  • A_A^A]
  • WATAUAVAWH
  • A_A^A]A\_
  • USVWATAUAVAWH
  • 8UXt$@
  • XA_A^A]A\_^[]
  • WATAVH
  • ] H;]`t6H
  • H(H9J(u
  • list<T> too long
  • IsThemeActive
  • OpenThemeData
  • DrawThemeBackground
  • CloseThemeData
  • CommandLineToArgvW
  • Accept Eula (Y/N)?
  • HlinkSimpleNavigateToString
  • vector<T> too long
  • map/set<T> too long
  • RtlNtStatusToDosError
  • NtLoadDriver
  • DllGetVersion
  • GetNativeSystemInfo
  • ZwSetInformationThread
  • NtQueryVirtualMemory
  • RtlInitUnicodeString
  • NtOpenSymbolicLinkObject
  • NtQuerySymbolicLinkObject
  • NtClose
  • StartTraceW
  • ControlTraceW
  • OpenTraceW
  • ProcessTrace
  • EnableThemeDialogTexture
  • InitializeSRWLock
  • AcquireSRWLockExclusive
  • AcquireSRWLockShared
  • ReleaseSRWLockExclusive
  • ReleaseSRWLockShared
  • SetDllDirectoryW
  • Process32First
  • Process32Next
  • Thread32First
  • Thread32Next
  • NtSuspendThread
  • NtResumeThread
  • NtQuerySystemInformation
  • getaddrinfo
  • getnameinfo
  • freeaddrinfo
  • \ws2_32
  • \wship6
  • SymInitialize
  • EnumerateLoadedModules64
  • SymRegisterCallback64
  • SymGetModuleInfo64
  • SymCleanup
  • SymFromAddrW
  • SymGetSymFromName
  • SymSetOptions
  • SymSetHomeDirectoryW
  • SymLoadModuleExW
  • SymLoadModule64
  • SymUnloadModule64
  • StackWalk64
  • SymGetLineFromAddrW64
  • SymGetLinePrevW64
  • SymGetSourceFileTokenW
  • SymGetSourceFileW
  • SymGetModuleBase64
  • SymFunctionTableAccess64
  • SymSrvGetFileIndexesW
  • SymFindFileInPathW
  • SymSetSearchPathW
  • Module32FirstW
  • Module32NextW
  • CreateToolhelp32Snapshot
  • HungWindowFromGhostWindow
  • hhctrl.ocx
  • CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
  • bad allocation
  • generic
  • unknown error
  • iostream
  • iostream stream error
  • system
  • string too long
  • invalid string position
  • permission denied
  • file exists
  • no such device
  • filename too long
  • device or resource busy
  • io error
  • directory not empty
  • invalid argument
  • no space on device
  • no such file or directory
  • function not supported
  • no lock available
  • not enough memory
  • resource unavailable try again
  • cross device link
  • operation canceled
  • too many files open
  • permission_denied
  • address_in_use
  • address_not_available
  • address_family_not_supported
  • connection_already_in_progress
  • bad_file_descriptor
  • connection_aborted
  • connection_refused
  • connection_reset
  • destination_address_required
  • bad_address
  • host_unreachable
  • operation_in_progress
  • interrupted
  • invalid_argument
  • already_connected
  • too_many_files_open
  • message_size
  • filename_too_long
  • network_down
  • network_reset
  • network_unreachable
  • no_buffer_space
  • no_protocol_option
  • not_connected
  • not_a_socket
  • operation_not_supported
  • protocol_not_supported
  • wrong_protocol_type
  • timed_out
  • operation_would_block
  • address family not supported
  • address in use
  • address not available
  • already connected
  • argument list too long
  • argument out of domain
  • bad address
  • bad file descriptor
  • bad message
  • broken pipe
  • connection aborted
  • connection already in progress
  • connection refused
  • connection reset
  • destination address required
  • executable format error
  • file too large
  • host unreachable
  • identifier removed
  • illegal byte sequence
  • inappropriate io control operation
  • invalid seek
  • is a directory
  • message size
  • network down
  • network reset
  • network unreachable
  • no buffer space
  • no child process
  • no link
  • no message available
  • no message
  • no protocol option
  • no stream resources
  • no such device or address
  • no such process
  • not a directory
  • not a socket
  • not a stream
  • not connected
  • not supported
  • operation in progress
  • operation not permitted
  • operation not supported
  • operation would block
  • owner dead
  • protocol error
  • protocol not supported
  • read only file system
  • resource deadlock would occur
  • result out of range
  • state not recoverable
  • stream timeout
  • text file busy
  • timed out
  • too many files open in system
  • too many links
  • too many symbolic link levels
  • value too large
  • wrong protocol type
  • CorExitProcess
  • RoInitialize
  • RoUninitialize
  • Access violation - no RTTI data!
  • Bad dynamic_cast!
  • _hypot
  • Unknown exception
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • January
  • February
  • August
  • September
  • October
  • November
  • December
  • MM/dd/yy
  • dddd, MMMM dd, yyyy
  • HH:mm:ss
  • bad exception
  • FlsAlloc
  • FlsFree
  • FlsGetValue
  • FlsSetValue
  • InitializeCriticalSectionEx
  • CreateEventExW
  • CreateSemaphoreExW
  • SetThreadStackGuarantee
  • CreateThreadpoolTimer
  • SetThreadpoolTimer
  • WaitForThreadpoolTimerCallbacks
  • CloseThreadpoolTimer
  • CreateThreadpoolWait
  • SetThreadpoolWait
  • CloseThreadpoolWait
  • FlushProcessWriteBuffers
  • FreeLibraryWhenCallbackReturns
  • GetCurrentProcessorNumber
  • GetLogicalProcessorInformation
  • CreateSymbolicLinkW
  • SetDefaultDllDirectories
  • EnumSystemLocalesEx
  • CompareStringEx
  • GetDateFormatEx
  • GetLocaleInfoEx
  • GetTimeFormatEx
  • GetUserDefaultLocaleName
  • IsValidLocaleName
  • LCMapStringEx
  • GetCurrentPackageId
  • GetTickCount64
  • GetFileInformationByHandleExW
  • SetFileInformationByHandleW
  • (null)
  • __based(
  • __cdecl
  • __pascal
  • __stdcall
  • __thiscall
  • __fastcall
  • __vectorcall
  • __clrcall
  • __eabi
  • __ptr64
  • __restrict
  • __unaligned
  • restrict(
  • delete
  • operator
  • `vftable'
  • `vbtable'
  • `vcall'
  • `typeof'
  • `local static guard'
  • `string'
  • `vbase destructor'
  • `vector deleting destructor'
  • `default constructor closure'
  • `scalar deleting destructor'
  • `vector constructor iterator'
  • `vector destructor iterator'
  • `vector vbase constructor iterator'
  • `virtual displacement map'
  • `eh vector constructor iterator'
  • `eh vector destructor iterator'
  • `eh vector vbase constructor iterator'
  • `copy constructor closure'
  • `udt returning'
  • `local vftable'
  • `local vftable constructor closure'
  • new[]
  • delete[]
  • `omni callsig'
  • `placement delete closure'
  • `placement delete[] closure'
  • `managed vector constructor iterator'
  • `managed vector destructor iterator'
  • `eh vector copy constructor iterator'
  • `eh vector vbase copy constructor iterator'
  • `dynamic initializer for '
  • `dynamic atexit destructor for '
  • `vector copy constructor iterator'
  • `vector vbase copy constructor iterator'
  • `managed vector copy constructor iterator'
  • `local static thread guard'
  • Type Descriptor'
  • Base Class Descriptor at (
  • Base Class Array'
  • Class Hierarchy Descriptor'
  • Complete Object Locator'
  • MessageBoxW
  • GetActiveWindow
  • GetLastActivePopup
  • GetUserObjectInformationW
  • GetProcessWindowStation
  • _nextafter
  • CreateFile2
  • 1#SNAN
  • 1#QNAN
  • C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\Procmon.pdb
  • WS2_32.dll
  • GetFileVersionInfoSizeW
  • GetFileVersionInfoW
  • VerQueryValueW
  • VERSION.dll
  • InitCommonControlsEx
  • ImageList_Destroy
  • ImageList_DrawEx
  • ImageList_Create
  • ImageList_ReplaceIcon
  • ImageList_SetBkColor
  • ImageList_Add
  • ImageList_SetOverlayImage
  • ImageList_GetIcon
  • ImageList_GetIconSize
  • CreateStatusWindowW
  • COMCTL32.dll
  • FilterConnectCommunicationPort
  • FilterSendMessage
  • FilterGetMessage
  • FilterReplyMessage
  • FLTLIB.DLL
  • FreeLibrary
  • GetProcAddress
  • MulDiv
  • GetTickCount
  • LoadLibraryW
  • GetModuleHandleW
  • GlobalAddAtomW
  • LocalAlloc
  • LocalFree
  • GetFileType
  • GetStdHandle
  • GetCommandLineW
  • GetModuleFileNameW
  • CreateThread
  • EnterCriticalSection
  • LeaveCriticalSection
  • WaitForSingleObject
  • CloseHandle
  • GetSystemTimeAsFileTime
  • InitializeCriticalSection
  • DeleteCriticalSection
  • VirtualAlloc
  • LockResource
  • GetCurrentProcess
  • GetLastError
  • SetLastError
  • LoadResource
  • SizeofResource
  • ExpandEnvironmentStringsW
  • FindResourceW
  • GetSystemDirectoryW
  • GetCurrentDirectoryW
  • SetFileAttributesW
  • DeleteFileW
  • GlobalMemoryStatusEx
  • VirtualFree
  • GetSystemInfo
  • GetFullPathNameW
  • GetFileAttributesW
  • GetVersionExW
  • LoadLibraryExW
  • EnumResourceNamesW
  • OpenProcess
  • CreateProcessW
  • SetCurrentDirectoryW
  • GlobalAlloc
  • GlobalLock
  • GlobalUnlock
  • CompareStringW
  • GetLocaleInfoW
  • TryEnterCriticalSection
  • GetFileSize
  • SetEndOfFile
  • SetFilePointer
  • MapViewOfFile
  • UnmapViewOfFile
  • CreateFileMappingW
  • CreateFileW
  • GetVersion
  • WriteFile
  • ReadFile
  • SystemTimeToFileTime
  • FileTimeToLocalFileTime
  • LocalFileTimeToFileTime
  • FileTimeToSystemTime
  • FormatMessageW
  • GetTimeFormatW
  • GetDateFormatW
  • GetNumberFormatW
  • HeapCreate
  • HeapDestroy
  • HeapAlloc
  • HeapFree
  • HeapSize
  • ExitProcess
  • GetCurrentThread
  • SetThreadPriority
  • SetEvent
  • ResetEvent
  • ReleaseSemaphore
  • WaitForMultipleObjects
  • CreateEventW
  • CreateSemaphoreW
  • GetComputerNameA
  • QueryPerformanceCounter
  • QueryPerformanceFrequency
  • SetProcessShutdownParameters
  • GetFileAttributesExW
  • GetComputerNameW
  • SetConsoleCtrlHandler
  • GetCurrentProcessId
  • OpenThread
  • GetThreadContext
  • LoadLibraryA
  • GetSystemDirectoryA
  • FindClose
  • FindFirstFileW
  • FindNextFileW
  • DecodePointer
  • HeapReAlloc
  • GetProcessHeap
  • RaiseException
  • InitializeCriticalSectionAndSpinCount
  • GetEnvironmentVariableW
  • SetEnvironmentVariableW
  • IsWow64Process
  • ExpandEnvironmentStringsA
  • KERNEL32.dll
  • SendMessageW
  • DefWindowProcW
  • CallWindowProcW
  • RegisterClassExW
  • CreateWindowExW
  • ShowWindow
  • SetWindowPos
  • SetFocus
  • GetFocus
  • GetKeyState
  • GetCapture
  • SetCapture
  • ReleaseCapture
  • SetTimer
  • GetSystemMetrics
  • DrawTextW
  • UpdateWindow
  • ReleaseDC
  • BeginPaint
  • EndPaint
  • GetUpdateRect
  • GetUpdateRgn
  • InvalidateRect
  • ValidateRect
  • ScrollWindowEx
  • SetPropW
  • GetPropW
  • GetClientRect
  • GetWindowRect
  • SetCursor
  • GetCursorPos
  • MapWindowPoints
  • GetSysColor
  • GetSysColorBrush
  • FillRect
  • InflateRect
  • IntersectRect
  • OffsetRect
  • GetWindowLongPtrW
  • SetWindowLongPtrW
  • GetClassLongPtrW
  • GetParent
  • LoadCursorW
  • SetScrollInfo
  • GetScrollInfo
  • DialogBoxIndirectParamW
  • EndDialog
  • GetDlgItem
  • SetWindowTextW
  • MoveWindow
  • SetDlgItemTextW
  • GetWindowTextW
  • ChildWindowFromPoint
  • GetWindowLongW
  • DialogBoxParamW
  • EnableWindow
  • SetWindowLongW
  • GetDesktopWindow
  • GetAncestor
  • MessageBoxW
  • LoadStringW
  • PostMessageW
  • DestroyWindow
  • CheckDlgButton
  • IsDlgButtonChecked
  • GetCursor
  • FrameRect
  • SetClassLongPtrW
  • LoadIconW
  • DestroyIcon
  • DrawIconEx
  • GetIconInfo
  • MonitorFromPoint
  • GetMonitorInfoW
  • PtInRect
  • CreateIconFromResourceEx
  • WaitForInputIdle
  • IsIconic
  • SetForegroundWindow
  • FindWindowW
  • FindWindowExW
  • GetWindowThreadProcessId
  • OpenClipboard
  • CloseClipboard
  • SetClipboardData
  • EmptyClipboard
  • ClientToScreen
  • LoadImageW
  • GetActiveWindow
  • GetWindow
  • RegisterWindowMessageW
  • DrawFrameControl
  • GetMessageW
  • TranslateMessage
  • DispatchMessageW
  • PostQuitMessage
  • RegisterClassW
  • FlashWindowEx
  • GetWindowPlacement
  • SetWindowPlacement
  • BeginDeferWindowPos
  • DeferWindowPos
  • EndDeferWindowPos
  • IsWindowVisible
  • IsZoomed
  • CreateDialogParamW
  • SetDlgItemInt
  • GetDlgItemInt
  • GetDlgItemTextW
  • CheckRadioButton
  • KillTimer
  • IsWindowEnabled
  • LoadAcceleratorsW
  • TranslateAcceleratorW
  • LoadMenuW
  • GetMenu
  • CreatePopupMenu
  • DestroyMenu
  • CheckMenuItem
  • EnableMenuItem
  • GetSubMenu
  • GetMenuItemCount
  • InsertMenuW
  • DeleteMenu
  • TrackPopupMenu
  • SetMenuInfo
  • InsertMenuItemW
  • GetMenuItemInfoW
  • SetMenuDefaultItem
  • SetActiveWindow
  • SetWindowTextA
  • MessageBeep
  • ScreenToClient
  • UnionRect
  • EqualRect
  • EnumChildWindows
  • GetClassNameW
  • LoadBitmapW
  • CopyImage
  • IsDialogMessageW
  • GetWindowDC
  • WindowFromPoint
  • USER32.dll
  • BitBlt
  • CreateCompatibleBitmap
  • CreateCompatibleDC
  • CreatePen
  • CreateRectRgn
  • CreateRectRgnIndirect
  • CreateSolidBrush
  • DeleteDC
  • DeleteObject
  • GetBkColor
  • GetBkMode
  • GetDeviceCaps
  • GetStockObject
  • RectInRegion
  • SelectClipRgn
  • SelectObject
  • SetBkColor
  • SetBkMode
  • SetTextColor
  • GetTextMetricsW
  • Polyline
  • SetMapMode
  • StartDocW
  • EndDoc
  • StartPage
  • EndPage
  • CreateFontIndirectW
  • GetObjectW
  • GetBitmapBits
  • LineTo
  • MoveToEx
  • Polygon
  • CreateBitmap
  • CreateFontW
  • GetPixel
  • SetPixel
  • GdiFlush
  • Rectangle
  • RestoreDC
  • SaveDC
  • SetROP2
  • GDI32.dll
  • PrintDlgW
  • GetSaveFileNameW
  • GetOpenFileNameW
  • ChooseColorW
  • FindTextW
  • ChooseFontW
  • COMDLG32.dll
  • RegQueryValueExW
  • RegSetValueExW
  • RegCloseKey
  • RegCreateKeyW
  • RegOpenKeyW
  • RegOpenKeyExW
  • OpenProcessToken
  • AdjustTokenPrivileges
  • LookupPrivilegeValueW
  • RegDeleteKeyW
  • RegDeleteValueW
  • GetTokenInformation
  • EqualSid
  • AllocateAndInitializeSid
  • FreeSid
  • GetLengthSid
  • MapGenericMask
  • LookupAccountSidW
  • RegCreateKeyExW
  • RegEnumKeyW
  • RegSetValueW
  • ConvertSidToStringSidW
  • ConvertStringSidToSidW
  • RegEnumValueW
  • RegOpenKeyExA
  • RegQueryValueExA
  • ADVAPI32.dll
  • ShellExecuteExW
  • SHGetFileInfoW
  • SHGetMalloc
  • SHGetSpecialFolderLocation
  • SHBrowseForFolderW
  • SHChangeNotify
  • DragQueryFileW
  • CommandLineToArgvW
  • SHGetPathFromIDListW
  • SHELL32.dll
  • CoInitialize
  • CoSetProxyBlanket
  • CoCreateInstance
  • CreateBindCtx
  • OleInitialize
  • RegisterDragDrop
  • ReleaseStgMedium
  • ole32.dll
  • OLEAUT32.dll
  • SHAutoComplete
  • SHLWAPI.dll
  • lstrlenA
  • MultiByteToWideChar
  • WideCharToMultiByte
  • IsDebuggerPresent
  • OutputDebugStringW
  • RtlPcToFileHeader
  • RtlLookupFunctionEntry
  • RtlUnwindEx
  • EncodePointer
  • GetModuleHandleExW
  • GetConsoleMode
  • ReadConsoleInputA
  • SetConsoleMode
  • IsProcessorFeaturePresent
  • ExitThread
  • GetCurrentThreadId
  • IsValidCodePage
  • GetACP
  • GetOEMCP
  • GetCPInfo
  • RtlCaptureContext
  • RtlVirtualUnwind
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • TerminateProcess
  • TlsAlloc
  • TlsGetValue
  • TlsSetValue
  • TlsFree
  • GetStartupInfoW
  • GetConsoleCP
  • GetStringTypeW
  • GetEnvironmentStringsW
  • FreeEnvironmentStringsW
  • LCMapStringW
  • SetFilePointerEx
  • WriteConsoleW
  • SetStdHandle
  • FlushFileBuffers
  • ReadConsoleW
  • abcdefghijklmnopqrstuvwxyz
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • abcdefghijklmnopqrstuvwxyz
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • .?AVCThemedWindow@@
  • .?AVCTreeList@@
  • .?AVCTreeListData@@
  • .?AVCListViewData@@
  • .?AVCViewRef@@
  • .?AVCEventRef@@
  • .?AUIUnknown@@
  • .?AVCCallTreeData@@
  • .?AUIDropTarget@@
  • .?AVCResizer@@
  • .?AVCDropTarget@@
  • .?AUPAS_ROW_CACHE@@
  • .?AVCFileSummary@@
  • .?AVCProcessTreeData@@
  • .?AV_com_error@@
  • .?AVbad_alloc@std@@
  • .?AVexception@std@@
  • .?AVlogic_error@std@@
  • .?AVlength_error@std@@
  • .?AVout_of_range@std@@
  • .?AVerror_category@std@@
  • .?AV_Generic_error_category@std@@
  • .?AV_Iostream_error_category@std@@
  • .?AV_System_error_category@std@@
  • .?AVtype_info@@
  • .?AV__non_rtti_object@std@@
  • .?AVbad_typeid@std@@
  • .?AVbad_cast@std@@
  • .?AVbad_exception@std@@
  • """"""
  • """"""
  • !This program cannot be run in DOS mode.
  • h.rdata
  • H.data
  • .pdata
  • B.reloc
  • System
  • C:\Builds\13810\Tools\Procmon_master\bin\x64\Release\ProcMonDriver.pdb
  • KeQueryPerformanceCounter
  • HAL.dll
  • RtlInitUnicodeString
  • RtlAnsiStringToUnicodeString
  • RtlCompareUnicodeString
  • RtlCopyUnicodeString
  • RtlAppendUnicodeStringToString
  • RtlFreeUnicodeString
  • KeInitializeDpc
  • KeInitializeEvent
  • KeSetEvent
  • KeInitializeTimer
  • KeSetTimer
  • KeWaitForSingleObject
  • ExFreePoolWithTag
  • ExAcquireFastMutex
  • ExReleaseFastMutex
  • ExQueueWorkItem
  • ObfDereferenceObject
  • ZwCreateFile
  • ZwSetInformationFile
  • ZwWriteFile
  • ZwClose
  • ZwOpenKey
  • ZwFlushKey
  • ZwQueryValueKey
  • ZwSetValueKey
  • PsGetCurrentProcessId
  • IoSetThreadHardErrorMode
  • ZwQuerySystemInformation
  • KeClearEvent
  • IofCompleteRequest
  • IoCreateNotificationEvent
  • IoCreateSymbolicLink
  • IoDeleteDevice
  • IoDeleteSymbolicLink
  • KeDelayExecutionThread
  • KeAcquireSpinLockRaiseToDpc
  • KeReleaseSpinLock
  • MmProbeAndLockProcessPages
  • MmUnlockPages
  • MmMapLockedPagesSpecifyCache
  • IoAllocateMdl
  • IoFreeMdl
  • IoGetCurrentProcess
  • IoGetTopLevelIrp
  • IoSetTopLevelIrp
  • RtlLengthSid
  • IoThreadToProcess
  • FsRtlIsPagingFile
  • __C_specific_handler
  • KeCancelTimer
  • ExQueryDepthSList
  • ExpInterlockedPopEntrySList
  • ExpInterlockedPushEntrySList
  • ExInitializeNPagedLookasideList
  • PsCreateSystemThread
  • IoGetStackLimits
  • RtlWalkFrameChain
  • PsGetCurrentThreadId
  • strncmp
  • strncpy
  • KeInitializeTimerEx
  • KeSetTimerEx
  • KeWaitForMultipleObjects
  • MmGetSystemRoutineAddress
  • ObReferenceObjectByHandle
  • PsSetCreateProcessNotifyRoutine
  • PsSetCreateThreadNotifyRoutine
  • PsRemoveCreateThreadNotifyRoutine
  • PsSetLoadImageNotifyRoutine
  • PsRemoveLoadImageNotifyRoutine
  • ZwOpenProcess
  • KeStackAttachProcess
  • KeUnstackDetachProcess
  • PsReferencePrimaryToken
  • PsReferenceImpersonationToken
  • PsLookupThreadByThreadId
  • ObOpenObjectByPointer
  • ZwWaitForSingleObject
  • ZwQueryInformationToken
  • ZwOpenThread
  • ZwQueryInformationProcess
  • ZwOpenProcessToken
  • KeInsertQueueApc
  • KeInitializeApc
  • ExAllocatePoolWithTag
  • PsGetVersion
  • KeInitializeMutex
  • KeReleaseMutex
  • ExInitializePagedLookasideList
  • ProbeForRead
  • ProbeForWrite
  • ExGetPreviousMode
  • MmUnmapLockedPages
  • ObQueryNameString
  • ntoskrnl.exe
  • IoCreateDevice
  • ZwSetSecurityObject
  • IoDeviceObjectType
  • _snwprintf
  • RtlLengthSecurityDescriptor
  • SeCaptureSecurityDescriptor
  • RtlCreateSecurityDescriptor
  • RtlSetDaclSecurityDescriptor
  • RtlAbsoluteToSelfRelativeSD
  • IoIsWdmVersionAvailable
  • SeExports
  • wcschr
  • _wcsnicmp
  • RtlAddAccessAllowedAce
  • RtlGetSaclSecurityDescriptor
  • RtlGetDaclSecurityDescriptor
  • RtlGetGroupSecurityDescriptor
  • RtlGetOwnerSecurityDescriptor
  • ZwCreateKey
  • FltGetVolumeName
  • FltGetDiskDeviceObject
  • FltEnumerateVolumes
  • FltObjectDereference
  • FltRegisterFilter
  • FltUnregisterFilter
  • FltStartFiltering
  • FltGetFileNameInformation
  • FltReleaseFileNameInformation
  • FltGetDestinationFileNameInformation
  • FltAttachVolume
  • FltDetachVolume
  • FltCreateFile
  • FltClose
  • FltCreateCommunicationPort
  • FltCloseCommunicationPort
  • FltCloseClientPort
  • FltSendMessage
  • FltBuildDefaultSecurityDescriptor
  • FltFreeSecurityDescriptor
  • FltGetFileNameInformationUnsafe
  • FLTMGR.SYS
  • KeBugCheckEx
  • <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  • <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="Procmon" version="2.0.0.0" type="win32"></assemblyIdentity><description>Process Monitor</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application><ms_compatibility:compatibility xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" xmlns="urn:schemas-microsoft-com:compatibility.v1"><ms_compatibility:application xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1"><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" 
Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></ms_compatibility:supportedOS></ms_compatibility:application></ms_compatibility:compatibility></assembly>
  • <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  • <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="Procmon" version="2.0.0.0" type="win32"></assemblyIdentity><description>Process Monitor</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application><ms_compatibility:compatibility xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" xmlns="urn:schemas-microsoft-com:compatibility.v1"><ms_compatibility:application xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1"><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></ms_compatibility:supportedOS><ms_compatibility:supportedOS xmlns:ms_compatibility="urn:schemas-microsoft-com:compatibility.v1" 
Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></ms_compatibility:supportedOS></ms_compatibility:application></ms_compatibility:compatibility></assembly>
  • 7 7(7,74787@7D7L7P7X7\7d7h7p7t7|7
  • 8 8$8(8084888<8@8H8L8T8X8`8d8l8p8t8x8|8
  • 9 9$9,90949<9@9D9\9`9d9|9
  • ;4=<=D=
  • T2\2d2l2t2|2
  • 2D;H;P;T;\;`;h;l;t;x;
  • $0,040<0D0L0T0\0d0l0t0|0
  • 1$1,141<1D1L1<9D9L9T9\9d9l9t9|9
  • :$:,:4:<:D:L:T:d;l;t;|;
  • X1`1h1p1x1
  • 2$2<2D2L2T2\2d2l2t2|2
  • 8$8,8D:H:
  • 0888@8H8P8X8`8h8p8x8
  • 9 9(90989@9H9P9X9`9h9p9x9
  • > >(>0>8>@>H>P>X>`>h>p>x>
  • 4 4x4|4
  • 4<7@7D7H7L7P7T7X7
  • :P;\;h;t;
  • 3(3D3X3t3
  • 6 6,686D6P6
  • 8(848@8L8 9,989D9P9\9h9t9
  • :(:4:T:X:`:d:l:p:
  • > >,>8>D>P>\>h>t>
  • : :$:(:,:0:4:8:<:@:D:`:d:h:l:p:t:x:
  • ;$;,;4;<;D;L;T;\;d;l;t;|;
  • <$<,<4<<<D<L<T<\<d<l<t<|<
  • =$=,=4=<=L=T=\=d=l=t=|=
  • >$>,>4><>D>L>T>\>d>l>t>|>
  • ?$?,?4?<?D?L?T?\?d?l?t?|?
  • <p=t=x=
  • 5$5,545<5D5L5T5\5d5l5
  • :$:,:4:<:D:L:T:\:d:l:t:|:
  • ;$;,;4;<;D;L;T;\;d;l;t;|;
  • <$<,<4<<<D<L<T<\<d<l<t<|<
  • =$=,=4=<=D=L=T=\=d=l=t=|=
  • >$>,>4><>D>L>T>\>d>l>t>|>
  • ?$?,?4?<?D?L?T?\?d?l?t?|?
  • 0$0,040<0D0L0T0\0d0l0t0|0
  • 1 1(10181@1H1P1X1`1h1p1x1
  • 2 2(20282@2H2P2X2`2h2p2x2
  • 3 3(30383@3H3P3X3`3h3p3x3
  • 4 4(40484@4H4P4X4`4h4p4x4
  • 5 5(50585@5H5P5X5`5h5p5x5
  • 6 6(60686@6H6P6X6`6h6p6x6
  • 7 7(70787@7H7P7X7`7h7p7x7
  • ; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
  • 4 4044484@4X4\4t4
  • 5,50585P5`5d5t5x5|5
  • 6,60646<6T6d6h6x6|6
  • 7$7<7L7P7`7d7h7p7
  • 8,80848<8T8d8h8x8|8
  • 9 9(9@9P9T9d9h9p9
  • :$:4:8:H:L:P:T:\:t:
  • ;,;0;@;D;H;P;h;x;|;
  • 3(3H3T3t3|3
  • 4,484X4d4
  • 5(5H5P5\5
  • 6 6(606<6\6d6p6
  • 7(707P7X7`7|7
  • 8(848T8\8h8
  • 9$9H9h9p9x9
  • :$:,:4:<:D:L:T:\:d:l:x:
  • ; ;(;0;8;@;H;P;X;`;h;p;x;
  • < <H<l<x<
  • = =(=4=T=\=d=p=
  • > >@>H>P>\>|>
  • ?<?H?h?t?
  • 0(0P0t0
  • 101T1`1h1
  • 20282@2H2P2X2`2h2t2
  • 3$3,343<3D3L3T3\3d3p3
  • 4 4(40484@4H4P4\4|4
  • 5 5@5H5T5t5|5
  • 686\6h6p6
  • 7 7@7d7p7x7
  • 8$808X8|8
  • 9$9,9H9P9h9t9
  • :,:@:H:d:l:
  • ; ;(;0;8;@;H;P;\;|;
  • < <(<0<8<D<d<l<t<|<
  • =<=D=L=T=\=h=
  • >$>,>4>@>`>h>p>x>
  • ?8?@?H?P?X?`?h?p?x?
  • 0$0,040<0H0l0
  • 1 1@1L1l1x1
  • 2(202P2t2
  • 3 3(303H3l3x3
  • 4(404P4t4
  • 5$5,5@5H5h5|5
  • 6 6D6P6X6x6
  • 787L7\7d7x7
  • 8$8,8@8H8h8|8
  • 989L9\9p9x9
  • :(:0:P:d:t:
  • ; ;(;0;8;@;H;P;X;`;l;
  • <8<D<h<
  • =$=0=P=X=d=
  • > >(>0>8>@>H>P>X>`>h>p>x>
  • ? ?(?0?8?@?H?P?X?`?h?p?x?
  • 0@0`0h0p0x0
  • 1 1(141T1\1h1
  • 2@2`2h2p2x2
  • 3(343X3x3
  • 4 4(40484@4H4P4X4`4h4p4x4
  • 50585@5L5l5t5|5
  • 6<6H6P6p6
  • 7(7H7P7X7`7h7p7x7
  • 848@8`8l8
  • 949<9D9L9T9\9d9l9x9
  • :<:D:L:T:\:d:l:t:|:
  • ;0;P;X;`;h;p;x;
  • <$<H<h<p<x<
  • =$=,=4=<=D=P=p=|=
  • >$>,>4><>H>h>p>x>
  • ?4?X?d?l?
  • 0<0P0`0t0|0
  • 1 1(10181@1H1P1X1`1h1p1x1
  • 2$2D2P2p2|2
  • 3$3,343@3`3l3
  • 484D4L4d4l4t4
  • 5 5,5P5p5x5
  • 6$6,646<6D6P6t6
  • 7$7D7L7T7\7d7l7t7|7
  • 8@8`8h8p8x8
  • 989@9L9l9t9
  • :$:L:p:|:
  • : ;,;4;T;h;x;
  • ;$<H<T<\<|<
  • =,=P=\=d=
  • >$>,>4><>D>L>X>|>
  • ? ?(?0?8?D?h?
  • 0 0(00080@0L0l0t0|0
  • 10181@1H1P1X1`1l1
  • 2 2(20282@2H2P2X2`2h2p2x2
  • 3$3,343<3D3L3T3\3d3l3t3
  • 4$4,444<4H4h4p4x4
  • 5$5,545<5D5L5T5\5d5l5t5|5
  • 6 6(60686@6H6P6\6
  • 7(747T7\7d7p7
  • 8 8(80888@8H8P8X8`8h8p8x8
  • 9 9(90989@9H9P9X9`9h9p9x9
  • :$:,:8:X:`:h:p:x:
  • ; ;(;0;8;@;H;P;X;`;h;p;x;
  • <8<X<`<h<p<x<
  • =$=,=4=<=D=L=X=|=
  • >,>4><>D>L>T>\>d>p>
  • ? ?(?4?T?\?d?l?t?|?
  • 0$0,040<0D0L0T0`0
  • 1(1H1P1X1`1h1p1x1
  • 2 2,2L2T2\2d2l2t2|2
  • 3$3,343<3D3L3T3\3d3l3t3|3
  • 3 4,444T4x4
  • 5(545<5\5p5
  • 686D6L6l6
  • 7@7L7T7t7
  • 8,8@8P8X8l8t8
  • 9$9L9p9|9
  • : :(:0:8:@:H:P:X:`:h:p:x:
  • ; ;(;0;8;@;L;l;t;|;
  • <0<8<D<d<p<
  • =$=D=P=p=x=
  • >0><>d>
  • ?(?8?L?T?t?
  • 0,080X0`0l0
  • 1 1(10181@1H1P1X1`1h1p1x1
  • 2 2(202<2`2
  • 3 3(30383@3L3l3t3|3
  • 4(444T4`4
  • 5(545X5x5
  • 6,6P6\6d6|6
  • 7 7(707<7`7
  • 8$8,848<8H8h8p8x8
  • 9 9(90989@9H9P9X9`9h9p9x9
  • :,:4:<:D:P:t:
  • ;$;0;8;X;|;
  • <<<P<`<t<|<
  • =,=4=T=h=x=
  • > >(>@>H>P>X>l>|>
  • ?0?8?L?T?h?p?x?
  • 0 0@0`0
  • 1 1<1@1`1
  • 2$282@2H2P2T2\2p2
  • 383D3`3|3
  • 4,404@4d4p4x4
  • 5 5<5@5`5
  • 6(6D6H6h6
  • 0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
  • 1(1,1\1`1d1h1l1p1t1x1|1
  • 9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9l9p9t9x9|9
  • :D:T:d:t:
  • :$<(<,<0<4<8<<<@<D<H<P<X<
  • ?$?,?4?<?D?L?T?\?d?l?t?|?
  • h0p0t0x0|0
  • 5(5D5`5x5
  • 6 6<6X6x6
  • 7,7P7|7
  • {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
  • EventTrace
  • Header
  • Unknown
  • root\wmi
  • format
  • StringTermination
  • pointer
  • extension
  • NullTerminated
  • Counted
  • ReverseCounted
  • NotCounted
  • IPAddr
  • IPAddrV6
  • IPAddrV4
  • WmiTime
  • __CLASS
  • WmiDataId
  • EventType
  • EventTypeName
  • DisplayName
  • EventVersion
  • uxtheme.dll
  • @not implemented
  • @treeview
  • TreeListWindowClass
  • TreeListProperty
  • tooltips_class32
  • SysHeader32
  • ScrollBar
  • Static
  • SPLITTER_CURSOR
  • SYSINTERNALS SOFTWARE LICENSE TERMS
  • These license terms are an agreement between Sysinternals(a wholly owned subsidiary of Microsoft Corporation) and you.Please read them.They apply to the software you are downloading from technet.microsoft.com / sysinternals, which includes the media on which you received it, if any.The terms also apply to any Sysinternals
  • * updates,
  • *supplements,
  • *Internet - based services,
  • *and support services
  • for this software, unless other terms accompany those items.If so, those terms apply.
  • BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE.
  • If you comply with these license terms, you have the rights below.
  • INSTALLATION AND USER RIGHTS
  • You may install and use any number of copies of the software on your devices.
  • SCOPE OF LICENSE
  • The software is licensed, not sold.This agreement only gives you some rights to use the software.Sysinternals reserves all other rights.Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement.In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways.You may not
  • * work around any technical limitations in the software;
  • *reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
  • *make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
  • *publish the software for others to copy;
  • *rent, lease or lend the software;
  • *transfer the software or this agreement to any third party; or
  • * use the software for commercial software hosting services.
  • SENSITIVE INFORMATION
  • Please be aware that, similar to other debug tools that capture
  • process state
  • information, files saved by Sysinternals tools may include personally identifiable or other sensitive information(such as usernames, passwords, paths to files accessed, and paths to registry accessed).By using this software, you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through your use of the software.
  • DOCUMENTATION
  • Any person that has valid access to your computer or internal network may copy and use the documentation for your internal, reference purposes.
  • EXPORT RESTRICTIONS
  • The software is subject to United States export laws and regulations.You must comply with all domestic and international export laws and regulations that apply to the software.These laws include restrictions on destinations, end users and end use.For additional information, see www.microsoft.com / exporting .
  • SUPPORT SERVICES
  • Because this software is "as is, " we may not provide support services for it.
  • ENTIRE AGREEMENT
  • This agreement, and the terms for supplements, updates, Internet - based services and support services that you use, are the entire agreement for the software and support services.
  • APPLICABLE LAW
  • United States.If you acquired the software in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles.The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
  • Outside the United States.If you acquired the software in any other country, the laws of that country apply.
  • LEGAL EFFECT
  • This agreement describes certain legal rights.You may have other rights under the laws of your country.You may also have rights with respect to the party from whom you acquired the software.This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
  • DISCLAIMER OF WARRANTY
  • The software is licensed "as - is." You bear the risk of using it.Sysinternals gives no express warranties, guarantees or conditions.You may have additional consumer rights under your local laws which this agreement cannot change.To the extent permitted under your local laws, sysinternals excludes the implied warranties of merchantability, fitness for a particular purpose and non - infringement.
  • LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES
  • You can recover from sysinternals and its suppliers only direct damages up to U.S.$5.00.You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
  • This limitation applies to
  • * anything related to the software, services, content(including code) on third party Internet sites, or third party programs; and
  • * claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
  • It also applies even if Sysinternals knew or should have known about the possibility of the damages.The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
  • Please note : As this software is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
  • Remarque : Ce logiciel
  • tant distribu
  • au Qu
  • bec, Canada, certaines des clauses dans ce contrat sont fournies ci - dessous en fran
  • EXON
  • RATION DE GARANTIE.Le logiciel vis
  • par une licence est offert
  • tel quel
  • .Toute utilisation de ce logiciel est
  • votre seule risque et p
  • ril.Sysinternals n'accorde aucune autre garantie expresse. Vous pouvez b
  • ficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualit
  • marchande, d'ad
  • quation
  • un usage particulier et d'absence de contrefa
  • on sont exclues.
  • LIMITATION DES DOMMAGES - INT
  • TS ET EXCLUSION DE RESPONSABILIT
  • POUR LES DOMMAGES.Vous pouvez obtenir de Sysinternals et de ses fournisseurs une indemnisation en cas de dommages directs uniquement
  • hauteur de 5, 00 $ US.Vous ne pouvez pr
  • tendre
  • aucune indemnisation pour les autres dommages, y compris les dommages sp
  • ciaux, indirects ou accessoires et pertes de b
  • fices.
  • Cette limitation concerne :
  • tout ce qui est reli
  • au logiciel, aux services ou au contenu(y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et
  • clamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit
  • stricte, de n
  • gligence ou d'une autre faute dans la limite autoris
  • e par la loi en vigueur.
  • Elle s'applique
  • galement, m
  • me si Sysinternals connaissait ou devrait conna
  • tre l'
  • ventualit
  • d'un tel dommage. Si votre pays n'autorise pas l'exclusion ou la limitation de responsabilit
  • pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l'exclusion ci - dessus ne s'appliquera pas
  • votre
  • EFFET JURIDIQUE.Le pr
  • sent contrat d
  • crit certains droits juridiques.Vous pourriez avoir d'autres droits pr
  • vus par les lois de votre pays. Le pr
  • sent contrat ne modifie pas les droits que vous conf
  • rent les lois de votre pays si celles-ci ne le permettent pas.
  • Sysinternals License
  • %s License Agreement
  • Software\Sysinternals\%s
  • Riched32.dll
  • License Agreement
  • MS Shell Dlg
  • You can also use the /accepteula command-line switch to accept the EULA.
  • &Agree
  • &Decline
  • &Print
  • RICHEDIT
  • EulaAccepted
  • Shell32.dll
  • /accepteula
  • -accepteula
  • Software\Microsoft\windows nt\currentversion
  • ProductName
  • iotuap
  • Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels
  • NanoServer
  • This is the first run of this program. You must accept EULA to continue.
  • Use -accepteula to accept EULA.
  • Software\Sysinternals
  • gURLMON.DLL
  • HyperlinkClass
  • http://www.sysinternals.com
  • FileVersion
  • LegalCopyright
  • @Display index %d moved from snapshot %d:%d to %d
  • PROGRESS
  • %d%% - %d:%02d remaining (%s)
  • Searching for Bookmarks
  • %9.5f%%
  • ntdll.dll
  • BINRES
  • %SYSTEMROOT%\Procmon.Pmb
  • SupportedFeatures
  • Instances
  • Process Monitor 24 Instance
  • DefaultInstance
  • 385200
  • Altitude
  • PROCMON24.SYS
  • %s\Drivers\%s
  • RCDRIVERNT
  • %%TEMP%%\%s
  • \ProcessMonitor24Port
  • SeLoadDriverPrivilege
  • System\CurrentControlSet\Services\PROCMON24
  • ErrorControl
  • \??\%s
  • ImagePath
  • \Registry\Machine\System\CurrentControlSet\Services\PROCMON24
  • System\CurrentControlSet\Services\PROCMON24\Enum
  • System\CurrentControlSet\Services\PROCMON24\Security
  • System\CurrentControlSet\Services\PROCMON24\Parameters
  • Parameters
  • Security
  • \Drivers\PROCMON24.SYS
  • Unable to write
  • Make sure that you have permission to
  • write to the %%SystemRoot%%\System32\Drivers directory.
  • Process Monitor
  • BOOTLOG_OPTIONS
  • Process Monitor is configured to log activity during the next boot.
  • FSFilter Activity Monitor
  • DeleteFlag
  • System32\Drivers\
  • ThreadProfiling
  • RuntimeSeconds
  • Error configuring boot logging
  • Completion
  • Process
  • Registry
  • File System
  • Profiling
  • Network
  • Process Defined
  • Process Create
  • Process Exit
  • Thread Create
  • Thread Exit
  • Load Image
  • Thread Profile
  • Process Start
  • Process Statistics
  • System Statistics
  • Thread Profiling
  • Process Profiling
  • Debug Output Profiling
  • RegOpenKey
  • RegCreateKey
  • RegCloseKey
  • RegQueryKey
  • RegSetValue
  • RegQueryValue
  • RegEnumValue
  • RegEnumKey
  • RegSetInfoKey
  • RegDeleteKey
  • RegDeleteValue
  • RegFlushKey
  • RegLoadKey
  • RegUnloadKey
  • RegRenameKey
  • RegQueryMultipleValueKey
  • RegSetKeySecurity
  • RegQueryKeySecurity
  • UDP Unknown
  • TCP Unknown
  • UDP Other
  • TCP Other
  • UDP Send
  • TCP Send
  • UDP Receive
  • TCP Receive
  • UDP Accept
  • TCP Accept
  • UDP Connect
  • TCP Connect
  • UDP Disconnect
  • TCP Disconnect
  • UDP Reconnect
  • TCP Reconnect
  • UDP Retransmit
  • TCP Retransmit
  • UDP TCPCopy
  • TCP TCPCopy
  • Read Metadata
  • Write Metadata
  • Command line
  • Parent PID
  • Current directory
  • Environment
  • Image Base
  • Image Size
  • Commit Peak
  • System Calls
  • Context Switches
  • Thread ID
  • Exit Status
  • %.07f seconds
  • User Time
  • Kernel Time
  • Private Bytes
  • Peak Private Bytes
  • Working Set
  • Peak Working Set
  • Thread %u
  • Output
  • Length
  • is not
  • less than
  • more than
  • begins with
  • ends with
  • contains
  • excludes
  • IRP_MJ_
  • FASTIO_
  • Procmon.exe
  • Procexp.exe
  • Autoruns.exe
  • System
  • pagefile.sys
  • $MftMirr
  • $LogFile
  • $Volume
  • $AttrDef
  • $Bitmap
  • $BadClus
  • $Secure
  • $UpCase
  • $Extend
  • FAST IO
  • Include
  • Exclude
  • Okay to overwrite event log '
  • An error occurred opening the snapshot
  • Applying Event Filter
  • Operation cancelled: The listview data may be incomplete
  • Process Monitor can open at most
  • backing files
  • <pagefile>
  • ProcessIndex
  • address
  • location
  • process
  • ProcessId
  • ParentProcessId
  • ParentProcessIndex
  • AuthenticationId
  • CreateTime
  • FinishTime
  • IsVirtualized
  • Is64bit
  • Integrity
  • ProcessName
  • CommandLine
  • CompanyName
  • Version
  • Description
  • modulelist
  • module
  • Timestamp
  • BaseAddress
  • Company
  • Process Monitor - Exporting event data
  • wt, ccs=UTF-8
  • <?xml version="1.0" encoding="UTF-8"?>
  • procmon
  • processlist
  • eventlist
  • ISUCCESS
  • Counting occurrences of values
  • Scanning process information
  • Scanning file information
  • Scanning Registry information
  • Scanning Network information
  • <unknown>
  • Scanning event stack information
  • Scanning events
  • Searching
  • SysListView32
  • QueryControlInformationVolume
  • QueryFullSizeInformationVolume
  • QueryObjectIdInformationVolume
  • IRP_MJ_SET_VOLUME_INFORMATION
  • FASTIO_SET_VOLUME_INFORMATION
  • SetControlInformationVolume
  • SetLabelInformationVolume
  • SetObjectIdInformationVolume
  • IRP_MJ_QUERY_INFORMATION
  • FASTIO_QUERY_INFORMATION
  • QueryAllInformationFile
  • QueryAttributeTagFile
  • QueryBasicInformationFile
  • QueryCompressionInformationFile
  • QueryEaInformationFile
  • QueryFileInternalInformationFile
  • QueryMoveClusterInformationFile
  • QueryNetworkOpenInformationFile
  • QueryPositionInformationFile
  • QueryStandardInformationFile
  • QueryStreamInformationFile
  • QueryNameInformationFile
  • IRP_MN_QUERY_INFORMATION
  • QueryShortNameInformationFile
  • QueryNormalizedNameInformationFile
  • QueryNetworkPhysicalNameInformationFile
  • QueryIdBothDirectory
  • QueryValidDataLength
  • QueryIoPiorityHint
  • QueryLinks
  • QueryId
  • QueryEndOfFile
  • QueryAttributeTag
  • QueryIdGlobalTxDirectoryInformation
  • QueryIsRemoteDeviceInformation
  • QueryAttributeCacheInformation,
  • QueryNumaNodeInformation
  • QueryStandardLinkInformation
  • QueryRemoteProtocolInformation
  • QueryRenameInformationBypassAccessCheck
  • QueryLinkInformationBypassAccessCheck
  • QueryVolumeNameInformation
  • QueryIdInformation
  • QueryIdExtdDirectoryInformation
  • QueryHardLinkFullIdInformation
  • QueryIdExtdBothDirectoryInformation
  • QueryDesiredStorageClassInformation
  • QueryStatInformation
  • QueryMemoryPartitionInformation
  • IRP_MJ_SET_INFORMATION
  • FASTIO_SET_INFORMATION
  • SetAllocationInformationFile
  • SetBasicInformationFile
  • SetDispositionInformationFile
  • SetEndOfFileInformationFile
  • SetLinkInformationFile
  • SetPositionInformationFile
  • SetRenameInformationFile
  • SetValidDataLengthInformationFile
  • SetFileStreamInformation
  • SetPipeInformation
  • SetShortNameInformation
  • SetDispositionInformationEx
  • SetReplaceCompletionInformation
  • SetRenameInformationEx
  • SetRenameInformationExBypassAccessCheck
  • IRP_MJ_DIRECTORY_CONTROL
  • FASTIO_DIRECTORY_CONTROL
  • QueryDirectory
  • NotifyChangeDirectory
  • IRP_MJ_PNP
  • StartDevice
  • QueryRemoveDevice
  • RemoveDevice
  • CancelRemoveDevice
  • StopDevice
  • QueryStopDevice
  • CancelStopDevice
  • QueryDeviceRelations
  • QueryInterface
  • QueryCapabilities
  • QueryResources
  • QueryResourceRequirements
  • QueryDeviceText
  • FilterResourceRequirements
  • ReadConfig
  • WriteConfig
  • SetLock
  • QueryPnpDeviceState
  • QueryBusInformation
  • DeviceUsageNotification
  • SurpriseRemoval
  • QueryLegacyBusInformation
  • IRP_MJ_VOLUME_DISMOUNT
  • VolumeDismount
  • IRP_MJ_VOLUME_MOUNT
  • VolumeMount
  • FASTIO_MDL_WRITE_COMPLETE
  • FASTIO_PREPARE_MDL_WRITE
  • FASTIO_MDL_READ_COMPLETE
  • FASTIO_MDL_READ
  • FASTIO_NETWORK_QUERY_OPEN
  • QueryOpen
  • FASTIO_CHECK_IF_POSSIBLE
  • IRP_MJ_12
  • IRP_MJ_11
  • IRP_MJ_10
  • IRP_MJ_9
  • IRP_MJ_8
  • FASTIO_NOTIFY_STREAM_FO_CREATION
  • FASTIO_RELEASE_FOR_CC_FLUSH
  • FASTIO_ACQUIRE_FOR_CC_FLUSH
  • FASTIO_RELEASE_FOR_MOD_WRITE
  • FASTIO_ACQUIRE_FOR_MOD_WRITE
  • FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION
  • FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
  • CreateFileMapping
  • IRP_MJ_CREATE
  • CreateFile
  • IRP_MJ_CREATE_NAMED_PIPE
  • CreatePipe
  • IRP_MJ_CLOSE
  • QueryInformationFile
  • SetInformationFile
  • IRP_MJ_QUERY_EA
  • QueryEAFile
  • IRP_MJ_SET_EA
  • SetEAFile
  • IRP_MJ_FLUSH_BUFFERS
  • FlushBuffersFile
  • QueryVolumeInformation
  • SetVolumeInformation
  • DirectoryControl
  • IRP_MJ_FILE_SYSTEM_CONTROL
  • FileSystemControl
  • IRP_MJ_DEVICE_CONTROL
  • DeviceIoControl
  • IRP_MJ_INTERNAL_DEVICE_CONTROL
  • InternalDeviceIoControl
  • IRP_MJ_SHUTDOWN
  • Shutdown
  • LockUnlockFile
  • IRP_MJ_CLEANUP
  • CloseFile
  • IRP_MJ_CREATE_MAILSLOT
  • CreateMailSlot
  • IRP_MJ_QUERY_SECURITY
  • QuerySecurityFile
  • IRP_MJ_SET_SECURITY
  • SetSecurityFile
  • IRP_MJ_POWER
  • IRP_MJ_SYSTEM_CONTROL
  • SystemControl
  • IRP_MJ_DEVICE_CHANGE
  • DeviceChange
  • IRP_MJ_QUERY_QUOTA
  • QueryFileQuota
  • IRP_MJ_SET_QUOTA
  • SetFileQuota
  • IRP_MJ_PNP
  • PlugAndPlay
  • IRP_MJ_MAXIMUM_FUNCTION
  • IRP_MJ_LOCK_CONTROL
  • FASTIO_LOCK
  • LockFile
  • FASTIO_UNLOCK_SINGLE
  • UnlockFileSingle
  • FASTIO_UNLOCK_ALL
  • UnlockFileAll
  • FASTIO_UNLOCK_ALL_BY_KEY
  • UnlockFileByKey
  • IRP_MJ_READ
  • FASTIO_READ
  • ReadFile
  • IRP_MJ_WRITE
  • FASTIO_WRITE
  • WriteFile
  • IRP_MJ_QUERY_VOLUME_INFORMATION
  • FASTIO_QUERY_VOLUME_INFORMATION
  • QueryInformationVolume
  • QueryLabelInformationVolume
  • QuerySizeInformationVolume
  • QueryDeviceInformationVolume
  • QueryAttributeInformationVolume
  • Delete
  • <Unknown>
  • Attributes
  • ReparseTag
  • CreationTime
  • LastAccessTime
  • LastWriteTime
  • ChangeTime
  • FileAttributes
  • IndexNumber
  • Position
  • AllocationSize
  • ValidDataLength
  • Access
  • EndOfFile
  • NumberOfLinks
  • DeletePending
  • Directory
  • EaSize
  • IFILE_DISPOSITION_DELETE
  • FILE_DISPOSITION_POSIX_SEMANTICS
  • FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK
  • FILE_DISPOSITION_ON_CLOSE
  • Category
  • FILE_DISPOSITION_DO_NOT_DELETE
  • IFILE_RENAME_REPLACE_IF_EXISTS
  • FILE_RENAME_POSIX_SEMANTICS
  • FILE_RENAME_SUPPRESS_PIN_STATE_INHERITANCE
  • FileName
  • ReplaceIfExists
  • AlignmentRequirement
  • VolumeCreationTime
  • %04X-%04X
  • VolumeSerialNumber
  • SupportsObjects
  • VolumeLabel
  • TotalAllocationUnits
  • AvailableAllocationUnits
  • SectorsPerAllocationUnit
  • BytesPerSector
  • DeviceType
  • Characteristics
  • FileSystemAttributes
  • MaximumComponentNameLength
  • FileSystemName
  • FreeSpaceStartFiltering
  • FreeSpaceThreshold
  • FreeSpaceStopFiltering
  • DefaultQuotaThreshold
  • DefaultQuotaLimit
  • FileSystemControlFlags
  • CallerAvailableAllocationUnits
  • ActualAvailableAllocationUnits
  • ObjectId
  • Filter
  • ShortName
  • IFILE_NOTIFY_CHANGE_FILE_NAME
  • FILE_NOTIFY_CHANGE_DIR_NAME
  • FILE_NOTIFY_CHANGE_NAME
  • FILE_NOTIFY_CHANGE_ATTRIBUTES
  • FILE_NOTIFY_CHANGE_SIZE
  • FILE_NOTIFY_CHANGE_LAST_WRITE
  • FILE_NOTIFY_CHANGE_LAST_ACCESS
  • FILE_NOTIFY_CHANGE_CREATION
  • FILE_NOTIFY_CHANGE_EA
  • FILE_NOTIFY_CHANGE_SECURITY
  • FILE_NOTIFY_CHANGE_STREAM_NAME
  • FILE_NOTIFY_CHANGE_STREAM_SIZE
  • FILE_NOTIFY_CHANGE_STREAM_WRITE
  • <Unknown :
  • UnlockSingle
  • UnlockAll
  • UnlockAllByKey
  • Lock Type
  • Exclusive
  • Offset
  • Fail Immediately
  • I/O Flags
  • Priority
  • Desired Access
  • Disposition
  • Options
  • ShareMode
  • Impersonating
  • OpenResult
  • Information
  • Operation
  • CD-ROM
  • Device Type
  • Control
  • WriteLength
  • ReadLength
  • SyncTypeOther
  • SyncTypeCreateSection
  • Unknown:
  • SyncType
  • PAGE_READONLY
  • PAGE_READWRITE
  • PAGE_WRITECOPY
  • PAGE_EXECUTE
  • PAGE_EXECUTE_READ
  • PAGE_EXECUTE_READWRITE
  • PAGE_EXECUTE_WRITECOPY
  • |PAGE_NOCACHE
  • PageProtection
  • EndingOffset
  • Minor ID
  • IRP Flags
  • GraphWindowClass
  • GraphProperty
  • Time:
  • The full name of the selected key or value is not available.
  • \HKEY_LOCAL_MACHINE
  • \HKEY_CURRENT_USER
  • \HKEY_CURRENT_CONFIG
  • \HKEY_CLASSES_ROOT
  • \HKEY_USERS
  • RegEdit_RegEdit
  • regedit.exe
  • Process Monitor was unable to launch Regedit.
  • SysTreeView32
  • The full name of the selected directory or file is not available.
  • explorer /select,
  • Explorer could not open
  • ICON_MYCOMPUTER
  • ICON_CLOSEDFOLDER
  • ICON_OPENFOLDER
  • comctl32.dll
  • Text File (*.CSV)
  • Export Listview
  • Unable to open file for writing
  • SeShutdownPrivilege
  • SeChangeNotifyPrivilege
  • SeUndockPrivilege
  • SeIncreaseWorkingSetPrivilege
  • SeTimeZonePrivilege
  • IAll Access
  • Read/Write
  • Execute
  • Query Value
  • Set Value
  • Create Sub Key
  • Enumerate Sub Keys
  • Notify
  • Create Link
  • WOW64_Res
  • WOW64_32Key
  • WOW64_64Key
  • Generic Read/Write/Execute
  • Generic Read/Write
  • Generic Read/Execute
  • Generic Write/Execute
  • Generic Read
  • Generic Write
  • Generic Execute
  • Read Data/List Directory
  • Write Data/Add File
  • Append Data/Add Subdirectory/Create Pipe Instance
  • Read EA
  • Write EA
  • Execute/Traverse
  • Delete Child
  • Read Attributes
  • Write Attributes
  • Read Control
  • Write DAC
  • Write Owner
  • Synchronize
  • Access System Security
  • Maximum Allowed
  • kernel32.dll
  • \fltlib.dll
  • %s%07d
  • %02u:%02u:%02u.%07u
  • %02u:%02u:%02u
  • 0x%I64x
  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
  • Windows 8
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10
  • Windows Server 2016
  • Windows %d.%d
  • (build %d.%d)
  • %08x:%08x
  • 64-bit
  • 32-bit
  • %x:%x:%x:%x:%x:%x:%x:%x
  • %d.%d.%d.%d
  • DACL Protected
  • SACL Protected
  • DACL Unprotected
  • SACL Unprotected
  • Attribute
  • Process Trust Label
  • Backup
  • IWrite Through
  • Sequential Access
  • No Buffering
  • Synchronous IO Alert
  • Synchronous IO Non-Alert
  • Non-Directory File
  • Create Tree Connection
  • Complete If Oplocked
  • No EA Knowledge
  • Open for Recovery
  • Random Access
  • Delete On Close
  • Open By ID
  • Open For Backup
  • No Compression
  • Reserve OpFilter
  • Open Reparse Point
  • Open No Recall
  • Open For Free Space Query
  • Open Requiring Oplock
  • Disallow Exclusive
  • FSCTL_REQUEST_OPLOCK_LEVEL_1
  • FSCTL_REQUEST_OPLOCK_LEVEL_2
  • FSCTL_REQUEST_BATCH_OPLOCK
  • FSCTL_OPLOCK_BREAK_ACKNOWLEDGE
  • FSCTL_OPBATCH_ACK_CLOSE_PENDING
  • FSCTL_OPLOCK_BREAK_NOTIFY
  • FSCTL_LOCK_VOLUME
  • FSCTL_UNLOCK_VOLUME
  • FSCTL_DISMOUNT_VOLUME
  • FSCTL_IS_VOLUME_MOUNTED
  • FSCTL_IS_PATHNAME_VALID
  • FSCTL_MARK_VOLUME_DIRTY
  • FSCTL_QUERY_RETRIEVAL_POINTERS
  • FSCTL_QUERY_DEPENDENT_VOLUME
  • FSCTL_GET_COMPRESSION
  • FSCTL_SET_COMPRESSION
  • FSCTL_OPLOCK_BREAK_ACK_NO_2
  • FSCTL_QUERY_FAT_BPB
  • FSCTL_REQUEST_FILTER_OPLOCK
  • FSCTL_FILESYSTEM_GET_STATISTICS
  • FSCTL_GET_NTFS_VOLUME_DATA
  • FSCTL_GET_NTFS_FILE_RECORD
  • FSCTL_GET_VOLUME_BITMAP
  • FSCTL_GET_RETRIEVAL_POINTERS
  • FSCTL_MOVE_FILE
  • FSCTL_IS_VOLUME_DIRTY
  • FSCTL_ALLOW_EXTENDED_DASD_IO
  • FSCTL_READ_PROPERTY_DATA
  • FSCTL_WRITE_PROPERTY_DATA
  • FSCTL_FIND_FILES_BY_SID
  • FSCTL_DUMP_PROPERTY_DATA
  • FSCTL_SET_OBJECT_ID
  • FSCTL_GET_OBJECT_ID
  • FSCTL_DELETE_OBJECT_ID
  • FSCTL_SET_REPARSE_POINT
  • FSCTL_GET_REPARSE_POINT
  • FSCTL_DELETE_REPARSE_POINT
  • FSCTL_ENUM_USN_DATA
  • FSCTL_SECURITY_ID_CHECK
  • FSCTL_READ_USN_JOURNAL
  • FSCTL_SET_OBJECT_ID_EXTENDED
  • FSCTL_CREATE_OR_GET_OBJECT_ID
  • FSCTL_SET_SPARSE
  • FSCTL_SET_ZERO_DATA
  • FSCTL_QUERY_ALLOCATED_RANGES
  • FSCTL_ENABLE_UPGRADE
  • FSCTL_SET_ENCRYPTION
  • FSCTL_ENCRYPTION_FSCTL_IO
  • FSCTL_WRITE_RAW_ENCRYPTED
  • FSCTL_READ_RAW_ENCRYPTED
  • FSCTL_CREATE_USN_JOURNAL
  • FSCTL_READ_FILE_USN_DATA
  • FSCTL_WRITE_USN_CLOSE_RECORD
  • FSCTL_EXTEND_VOLUME
  • FSCTL_QUERY_USN_JOURNAL
  • FSCTL_DELETE_USN_JOURNAL
  • FSCTL_MARK_HANDLE
  • FSCTL_SIS_COPYFILE
  • FSCTL_SIS_LINK_FILES
  • FSCTL_HSM_MSG
  • IOCTL_SHADOW_END_REINT
  • IOCTL_GETSHADOW
  • FSCTL_TXFS_LIST_TRANSACTIONS
  • FSCTL_FILE_PREFETCH
  • CSC_FSCTL_OPERATION_QUERY_HANDLE
  • FSCTL_PIPE_DISCONNECT
  • FSCTL_PIPE_ASSIGN_EVENT
  • FSCTL_PIPE_QUERY_EVENT
  • FSCTL_PIPE_LISTEN
  • FSCTL_PIPE_IMPERSONATE
  • FSCTL_PIPE_WAIT
  • FSCTL_QUERY_CLIENT_PROCESS
  • FSCTL_PIPE_SET_CLIENT_PROCESS
  • FSCTL_PIPE_PEEK
  • FSCTL_PIPE_INTERNAL_READ
  • FSCTL_PIPE_INTERNAL_WRITE
  • FSCTL_PIPE_TRANSCEIVE
  • FSCTL_PIPE_INTERNAL_TRANSCEIVE
  • FSCTL_MAILSLOT_PEEK
  • FSCTL_NETWORK_GET_CONNECTION_INFO
  • FSCTL_NETWORK_ENUMERATE_CONNECTIONS
  • FSCTL_NETWORK_DELETE_CONNECTION
  • FSCTL_NETWORK_SET_CONFIGURATION_INFO
  • FSCTL_NETWORK_GET_CONFIGURATION_INFO
  • FSCTL_NETWORK_GET_STATISTICS
  • FSCTL_NETWORK_SET_DOMAIN_NAME
  • FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT
  • IOCTL_MOUNTDEV_QUERY_DEVICE_NAME
  • IOCTL_MOUNTDEV_QUERY_UNIQUE_ID
  • IOCTL_MOUNTDEV_UNIQUE_ID_CHANGE_NOTIFY
  • IOCTL_MOUNTDEV_QUERY_SUGGESTED_LINK_NAME
  • IOCTL_MOUNTDEV_LINK_CREATED
  • IOCTL_MOUNTDEV_LINK_DELETED
  • IOCTL_DISK_GET_DRIVE_GEOMETRY
  • IOCTL_DISK_GET_PARTITION_INFO
  • IOCTL_DISK_SET_PARTITION_INFO
  • IOCTL_DISK_GET_DRIVE_LAYOUT
  • IOCTL_DISK_SET_DRIVE_LAYOUT
  • IOCTL_DISK_VERIFY
  • IOCTL_DISK_FORMAT_TRACKS
  • IOCTL_DISK_REASSIGN_BLOCKS
  • IOCTL_DISK_PERFORMANCE
  • IOCTL_DISK_IS_WRITABLE
  • IOCTL_DISK_LOGGING
  • IOCTL_DISK_FORMAT_TRACKS_EX
  • IOCTL_DISK_HISTOGRAM_STRUCTURE
  • IOCTL_DISK_HISTOGRAM_DATA
  • IOCTL_DISK_HISTOGRAM_RESET
  • IOCTL_DISK_REQUEST_STRUCTURE
  • IOCTL_DISK_REQUEST_DATA
  • IOCTL_DISK_PERFORMANCE_OFF
  • SMART_GET_VERSION
  • SMART_SEND_DRIVE_COMMAND
  • SMART_RCV_DRIVE_DATA
  • IOCTL_DISK_GET_PARTITION_INFO_EX
  • IOCTL_DISK_SET_PARTITION_INFO_EX
  • IOCTL_DISK_GET_DRIVE_LAYOUT_EX
  • IOCTL_DISK_SET_DRIVE_LAYOUT_EX
  • IOCTL_DISK_CREATE_DISK
  • IOCTL_DISK_GET_LENGTH_INFO
  • IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
  • IOCTL_DISK_REASSIGN_BLOCKS_EX
  • IOCTL_DISK_UPDATE_DRIVE_SIZE
  • IOCTL_DISK_GROW_PARTITION
  • IOCTL_DISK_GET_CACHE_INFORMATION
  • IOCTL_DISK_SET_CACHE_INFORMATION
  • IOCTL_DISK_UPDATE_PROPERTIES
  • IOCTL_DISK_CHECK_VERIFY
  • IOCTL_DISK_MEDIA_REMOVAL
  • IOCTL_DISK_EJECT_MEDIA
  • IOCTL_DISK_LOAD_MEDIA
  • IOCTL_DISK_RESERVE
  • IOCTL_DISK_RELEASE
  • IOCTL_DISK_FIND_NEW_DEVICES
  • IOCTL_DISK_GET_MEDIA_TYPES
  • IOCTL_DISK_QUERY_DEVICE_STATE
  • IOCTL_DISK_QUERY_DISK_SIGNATURE
  • IOCTL_DISK_GET_CLUSTER_INFO
  • IOCTL_DISK_SET_CLUSTER_INFO
  • IOCTL_DISK_GET_DISK_ATTRIBUTES
  • IOCTL_DISK_SET_DISK_ATTRIBUTES
  • IOCTL_STORAGE_CHECK_VERIFY
  • IOCTL_STORAGE_CHECK_VERIFY2
  • IOCTL_STORAGE_MEDIA_REMOVAL
  • IOCTL_STORAGE_EJECT_MEDIA
  • IOCTL_STORAGE_LOAD_MEDIA
  • IOCTL_STORAGE_LOAD_MEDIA2
  • IOCTL_STORAGE_RESERVE
  • IOCTL_STORAGE_RELEASE
  • IOCTL_STORAGE_FIND_NEW_DEVICES
  • IOCTL_STORAGE_EJECTION_CONTROL
  • IOCTL_STORAGE_MCN_CONTROL
  • IOCTL_STORAGE_GET_MEDIA_TYPES
  • IOCTL_STORAGE_GET_MEDIA_TYPES_EX
  • IOCTL_STORAGE_GET_MEDIA_SERIAL_NUMBER
  • IOCTL_STORAGE_GET_HOTPLUG_INFO
  • IOCTL_STORAGE_SET_HOTPLUG_INFO
  • IOCTL_STORAGE_RESET_BUS
  • IOCTL_STORAGE_RESET_DEVICE
  • IOCTL_STORAGE_BREAK_RESERVATION
  • IOCTL_STORAGE_PERSISTENT_RESERVE_IN
  • IOCTL_STORAGE_PERSISTENT_RESERVE_OUT
  • IOCTL_STORAGE_GET_DEVICE_NUMBER
  • IOCTL_STORAGE_PREDICT_FAILURE
  • IOCTL_STORAGE_READ_CAPACITY
  • IOCTL_STORAGE_QUERY_PROPERTY
  • IOCTL_STORAGE_QUERY_DEPENDENT_DISK
  • IOCTL_VOLUME_GET_GPT_ATTRIBUTES
  • IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS
  • IOCTL_SCSI_PASS_THROUGH
  • IOCTL_SCSI_PASS_THROUGH_DIRECT
  • IOCTL_SCSI_GET_ADDRESS
  • IOCTL_SCSI_GET_DUMP_POINTERS
  • IOCTL_SCSI_FREE_DUMP_POINTERS
  • IOCTL_CDROM_GET_CONFIGURATION
  • IOCTL_CDROM_CHECK_VERIFY
  • IOCTL_CDROM_MEDIA_REMOVAL
  • IOCTL_CDROM_EJECT_MEDIA
  • IOCTL_CDROM_LOAD_MEDIA
  • FSCTL_LMR_START
  • FSCTL_LMR_STOP
  • FSCTL_LMR_BIND_TO_TRANSPORT
  • FSCTL_LMR_UNBIND_FROM_TRANSPORT
  • FSCTL_LMR_ENUMERATE_TRANSPORTS
  • FSCTL_LMR_GET_HINT_SIZE
  • FSCTL_LMR_FORCE_DISCONNECT
  • FSCTL_LMR_TRANSACT
  • FSCTL_LMR_ENUMERATE_PRINT_INFO
  • FSCTL_LMR_START_SMBTRACE
  • FSCTL_LMR_END_SMBTRACE
  • FSCTL_LMR_START_RBR
  • FSCTL_LMR_SET_SERVER_GUID
  • FSCTL_LMR_QUERY_TARGET_INFO
  • FSCTL_LMR_QUERY_DEBUG_INFO
  • IOCTL_LMR_LWIO_PREIO
  • IOCTL_LMR_LWIO_POSTIO
  • IOCTL_LMR_DISABLE_LOCAL_BUFFERING
  • IOCTL_LMR_QUERY_REMOTE_SERVER_NAME
  • IOCTL_SMBMRX_START
  • IOCTL_SMBMRX_STOP
  • IOCTL_SMBMRX_GETSTATE
  • IOCTL_SMBMRX_ADDCONN
  • IOCTL_SMBMRX_DELCONN
  • IOCTL_UMRX_RELEASE_THREADS
  • IOCTL_UMRX_GET_REQUEST
  • IOCTL_UMRX_RESPONSE_AND_REQUEST
  • IOCTL_UMRX_RESPONSE
  • IOCTL_UMRX_GET_LOCK_OWNER
  • IOCTL_UMRX_PREPARE_QUEUE
  • FSCTL_DFS_TRANSLATE_PATH
  • FSCTL_DFS_GET_REFERRALS
  • FSCTL_DFS_REPORT_INCONSISTENCY
  • FSCTL_DFS_IS_SHARE_IN_DFS
  • FSCTL_DFS_IS_ROOT
  • FSCTL_DFS_GET_VERSION
  • IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES
  • IOCTL_VOLSNAP_RELEASE_WRITES
  • IOCTL_VOLSNAP_PREPARE_FOR_SNAPSHOT
  • IOCTL_VOLSNAP_ABORT_PREPARED_SNAPSHOT
  • IOCTL_VOLSNAP_COMMIT_SNAPSHOT
  • IOCTL_VOLSNAP_END_COMMIT_SNAPSHOT
  • IOCTL_VOLSNAP_QUERY_NAMES_OF_SNAPSHOTS
  • IOCTL_VOLSNAP_CLEAR_DIFF_AREA
  • IOCTL_VOLSNAP_ADD_VOLUME_TO_DIFF_AREA
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA
  • IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA_SIZES
  • IOCTL_VOLSNAP_DELETE_OLDEST_SNAPSHOT
  • IOCTL_VOLSNAP_AUTO_CLEANUP
  • IOCTL_VOLSNAP_DELETE_SNAPSHOT
  • IOCTL_VOLSNAP_QUERY_REVERT
  • IOCTL_VOLSNAP_REVERT_CLEANUP
  • IOCTL_VOLSNAP_REVERT
  • IOCTL_VOLSNAP_QUERY_REVERT_PROGRESS
  • IOCTL_VOLSNAP_CANCEL_REVERT
  • IOCTL_VOLSNAP_QUERY_EPIC
  • IOCTL_VOLSNAP_QUERY_OFFLINE
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA_MINIMUM_SIZE
  • IOCTL_VOLSNAP_QUERY_COPY_FREE_BITMAP
  • IOCTL_VOLSNAP_BLOCK_DELETE_IN_THE_MIDDLE
  • IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE_TEMP
  • IOCTL_VOLSNAP_SET_APPLICATION_FLAGS
  • IOCTL_VOLSNAP_QUERY_APPLICATION_FLAGS
  • IOCTL_VOLSNAP_SET_BC_FAILURE_MODE
  • IOCTL_VOLSNAP_QUERY_PERFORMANCE_COUNTERS
  • IOCTL_VOLSNAP_SET_PRE_COPY_AMOUNTS
  • IOCTL_VOLSNAP_QUERY_PRE_COPY_AMOUNTS
  • IOCTL_VOLSNAP_QUERY_DEFAULT_PRE_COPY_AMOUNTS
  • IOCTL_VOLSNAP_PRE_EXPOSE_DEVICES
  • IOCTL_VOLSNAP_QUERY_ORIGINAL_VOLUME_NAME
  • IOCTL_VOLSNAP_QUERY_CONFIG_INFO
  • IOCTL_VOLSNAP_SET_APPLICATION_INFO
  • IOCTL_VOLSNAP_QUERY_APPLICATION_INFO
  • IOCTL_VOLSNAP_HAS_CHANGED
  • IOCTL_VOLSNAP_SET_SNAPSHOT_PRIORITY
  • IOCTL_VOLSNAP_QUERY_SNAPSHOT_PRIORITY
  • IOCTL_VOLSNAP_QUERY_DELTA_BITMAP
  • IOCTL_VOLSNAP_QUERY_SNAPSHOT_SUPPLEMENTAL
  • IOCTL_VOLSNAP_QUERY_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_MOVE_LIST
  • IOCTL_VOLSNAP_QUERY_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_USED_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_DEFRAG_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_FREESPACE_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_HOTBLOCKS_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA_FILE_SIZES
  • FSCTL_REQUEST_OPLOCK
  • FSCTL_GET_BOOT_AREA_INFO
  • FSCTL_CSV_TUNNEL_REQUEST
  • FSCTL_QUERY_FILE_SYSTEM_RECOGNITION
  • FSCTL_CSV_GET_VOLUME_NAME_FOR_VOLUME_MOUNT_POINT
  • FSCTL_CSV_GET_VOLUME_PATH_NAMES_FOR_VOLUME_NAME
  • FSCTL_IS_FILE_ON_CSV_VOLUME
  • FSCTL_CORRUPTION_HANDLING
  • FSCTL_OFFLOAD_READ
  • FSCTL_OFFLOAD_WRITE
  • FSCTL_FILE_LEVEL_TRIM
  • FSCTL_SET_PURGE_FAILURE_MODE
  • FSCTL_QUERY_FILE_LAYOUT
  • FSCTL_IS_VOLUME_OWNED_BYCSVFS
  • FSCTL_GET_INTEGRITY_INFORMATION
  • FSCTL_QUERY_FILE_REGIONS
  • FSCTL_SCRUB_DATA
  • FSCTL_REPAIR_COPIES
  • FSCTL_DISABLE_LOCAL_BUFFERING
  • FSCTL_SET_EXTERNAL_BACKING
  • FSCTL_GET_EXTERNAL_BACKING
  • IOCTL_CHANNEL_GET_SNDCHANNEL
  • (Device:
  • Function:
  • Method:
  • Created
  • DoesNotExist
  • Exists
  • Opened
  • Overwritten
  • Superseded
  • Supersede
  • Create
  • OpenIf
  • Overwrite
  • OverwriteIf
  • Very Low
  • Normal
  • Critical
  • IBuffered
  • Non-cached
  • Paging I/O
  • Synchronous
  • Synchronous Paging I/O
  • JCase Preserved
  • Case Sensitive
  • Unicode
  • Compression
  • Compressed
  • Named Streams
  • Read Only
  • Object IDs
  • Reparse Points
  • Sparse Files
  • Quotas
  • Transactions
  • 8042 Port
  • Battery
  • Bus Extender
  • Changer
  • Controller
  • Datalink
  • DFS FS
  • DFS Volume
  • Disk FS
  • Fullscreen Video
  • Inport Port
  • Keyboard
  • Mailslot
  • Mass Storage
  • MIDI In
  • MIDI Out
  • Multi-UNC Provider
  • Named Pipe
  • Network Browser
  • Network FS
  • Network Redirector
  • Parallel Port
  • Physical Netcard
  • Printer
  • Scanner
  • Screen
  • Serenum
  • Serial Mouse Port
  • Serial Port
  • Smartcard
  • Streams
  • Tape FS
  • TermSrv
  • Transport
  • Virtual Disk
  • Wave In
  • Wave Out
  • JAutogenerated Name
  • Plug and Play
  • Mounted
  • Secure Open
  • Floppy Diskette
  • Remote
  • Removable
  • Virtual
  • Write Once
  • 32 Byte
  • 64 Byte
  • 128 Byte
  • 256 Byte
  • 512 Byte
  • \SystemRoot
  • System32
  • SysWOW64
  • \System32\Drivers\
  • J\Device\Mup
  • \Device\Harddisk?\DR?
  • DEVICE_PATH
  • \Device\LanmanRedirector\
  • \Device\Mup\
  • \SystemRoot\
  • SYSTEM\Select
  • Current
  • \REGISTRY\
  • MACHINE
  • \SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT
  • \SOFTWARE\CLASSES
  • \SYSTEM\ControlSet
  • HKLM\System\CurrentControlSet
  • _CLASSES
  • HKCU\Software\Classes
  • Select Remote Computer
  • Software\Classes\
  • shell\open\command
  • "%s" /Run32 /OpenLog "%%1"
  • "%s" /OpenLog "%%1"
  • DefaultIcon
  • "%s",0
  • Mandatory Level
  • Unsupported processor type: %d
  • /originalpath "
  • 64.exe
  • %TEMP%
  • http\shell\open\command
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
  • ProgId
  • \shell\open\command
  • %s "? %s"
  • Process Monitor Error
  • No web browser is configured.
  • &apos;
  • &quot;
  • SeIncreaseBasePriorityPrivilege
  • PROCMON: Terminating due to unexpected socket error
  • The remote system has closed the connection
  • Converting boot-time event data
  • Ntdll.dll
  • Unable to create socket
  • Unable to bind socket
  • Unable to query the port
  • Accept failed
  • Unable to connect to remote system
  • Capture requires 64-bit mode.
  • Process Monitor is already monitoring this system.
  • Capture requires Administrators group membership
  • Another version of the Process Monitor driver is already loaded. A reboot is required to run this version.
  • Unable to load Process Monitor device driver
  • Error enabling capture
  • PROCMON: Error waiting for console connection:
  • PROCMON: already running on this system
  • PROCMON: Unable to load device driver
  • Unable to resolve address for computer '
  • Unable to open connection to '
  • ' on port
  • e\Global??\%c:
  • \Sessions\%d\DosDevices\%08x-%08x\%c:
  • \Device\LanmanRedirector\;
  • startime
  • endtime
  • EventTimeStamp
  • StackProcess
  • StackThread
  • Stack1
  • Stack2
  • Stack3
  • Stack4
  • Stack5
  • Stack6
  • Stack7
  • Stack8
  • Stack9
  • Stack10
  • Stack11
  • Stack12
  • Stack13
  • Stack14
  • Stack15
  • Stack16
  • Stack17
  • Stack18
  • Stack19
  • Stack20
  • Stack21
  • Stack22
  • Stack23
  • Stack24
  • Stack25
  • Stack26
  • Stack27
  • Stack28
  • Stack29
  • Stack30
  • Stack31
  • Stack32
  • 0x%08X
  • 0x%llX
  • %03d.%03d.%03d.%03d
  • %02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x
  • "%*hs"
  • "%*ws"
  • MSNT_TcpIpInformation
  • StackWalk
  • LostEvent
  • SendIPV4
  • SendIPV6
  • RecvIPV4
  • RecvIPV6
  • Accept
  • AcceptIPV4
  • AcceptIPV6
  • Connect
  • ConnectIPV4
  • ConnectIPV6
  • Disconnect
  • DisconnectIPV4
  • DisconnectIPV6
  • Reconnect
  • ReconnectIPV4
  • ReconnectIPV6
  • Retransmit
  • RetransmitIPV4
  • RetransmitIPV6
  • TCPCopy
  • TCPCopyIPV4
  • TCPCopyIPV6
  • PROCMON TRACE
  • NT Kernel Logger
  • advapi32.dll
  • Network trace initialization failed: Error %d
  • SYSTEM
  • JFilter#
  • Module
  • Dstatus
  • Button
  • ResizerClass
  • Unlabeled
  • ThisProperty
  • No events
  • (capture disabled)
  • The current filter excludes all %s events
  • Showing all %s events
  • Showing %s of %s events (%s%%)
  • virtual memory
  • Backed by %s
  • Process Monitor - Sysinternals: www.sysinternals.com
  • FileViewerDialog
  • The file '
  • ' could not be opened
  • Courier New
  • ' could not be read
  • FILE_VIEWER
  • SystemDetailsDialog
  • unknown
  • ProfilingDialog
  • commdlg_ColorOK
  • commdlg_SetRGBColor
  • SELECTHIGHLIGHTCOLORS
  • ModulePropertiesDialog
  • Filter %d
  • Replace existing filter '
  • SAVE_FILTER
  • Procmon Filter (*.PMF)
  • Error writing filter file
  • Error reading filter file
  • A filter by that name already exists. Do you want to overwrite it?
  • Device Path
  • User Path
  • DevicePathDialog
  • DevicePathColumns
  • Event Count
  • Event Bytes
  • Pending Events
  • Process Count
  • Dictionary Count
  • Icon Count
  • Commited
  • BackingFileDialog
  • BackingFileColumns
  • ProcMon load: %.2f%% @ p%d (%s bytes pending)
  • MB available)
  • Procmon Log (*.PML)
  • Please provide a path to the backing file.
  • Your changes will take affect the next time you begin capturing a new log.
  • Address
  • (Running)
  • MODULE_PROPERTIES
  • Description:
  • Company:
  • Modules:
  • CONTEXT_STACKTRACE
  • PropertySheetDialog
  • Event Properties
  • PROP_EVENT
  • PROP_PROCESS
  • PROP_STACKTRACE
  • PROPERTIES
  • Column
  • Relation
  • Action
  • FilterControlColumns
  • FILTER_CONTROL
  • FilterDialog
  • You did not add the item you were editing. Add it now?
  • HighlightDialog
  • PreviousFilterItem
  • UniqueDialog
  • OccurrencesDialog
  • OccurrencesColumns
  • %Iu items
  • Kernel CPU;%
  • Total CPU;%
  • File Bytes
  • File Operations
  • Registry Operations
  • Network Bytes
  • Network Operations
  • Working Set Bytes
  • Process Timeline -
  • ProcessTimelineDialog
  • /second
  • Process Name
  • File Events
  • File I/O Bytes
  • Registry Events
  • Network Events
  • Working Set Peak
  • ProcessActivitySummaryDialog
  • ProcessSummaryColumns2
  • PROCESS_TIMELINE
  • File Time
  • Total Events
  • Closes
  • Writes
  • Read Bytes
  • Write Bytes
  • Get ACL
  • Set ACL
  • Extension
  • By Path
  • By Folder
  • By Extension
  • FileSummaryColumns
  • FileSummaryColumns.ByFolder
  • FileSummaryColumns.ByExtension
  • FileSummaryDialog
  • <none>
  • <Total>
  • %Iu file paths
  • Registry Time
  • RegistrySummaryDialog
  • RegistrySummaryColumns
  • Network Time
  • Connects
  • Disconnects
  • Receives
  • Send Bytes
  • Receive Bytes
  • NetworkSummaryDialog
  • NetworkSummaryColumns
  • % Count
  • % Time
  • Location
  • StackSummaryDialog
  • StackSummaryColumns
  • Adding items
  • Unable to locate associated event in the visible items
  • Writers
  • Readers
  • CrossReferenceSummaryDialog
  • CrossReferenceSummaryColumns
  • HistoryDepthDialog
  • History depth must be 1-
  • @%s (%s)
  • <graph>
  • <undefined>
  • ProcessTreeDialog
  • Process Tree -
  • Process Tree
  • Image Path
  • Life Time
  • Command
  • Start Time
  • End Time
  • ProcessTreeColumns
  • ProcessTree.ShowRunningOnly
  • ProcessTree.ShowAllHistory
  • CONTEXT_PROCESSTREE
  • : The operation was cancelled
  • : There are no items to be saved
  • : The selected file is not writable
  • : The disk is full, or an internal size limit was exceeded
  • : An error occurred saving the data
  • : The operation was successful
  • SaveDialog
  • Logfile
  • Procmon Log (*.PML)
  • Text File (*.CSV)
  • XML File (*.XML)
  • You must supply a path
  • already exists.
  • Do you want to replace it?
  • Error Saving File
  • Log files must be native Process Monitor log files with a .pml extension.
  • The specified log file does not exist.
  • There %s %Id additional file%s associated with this log. Do you wish to open all files?
  • \SystemRoot
  • <remote boot-log>
  • Procmon Log (*.PML,*.PMB)
  • *.PML;*.PMB
  • The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read.
  • A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?
  • Bootlog.pml
  • Unable to create the requested PML file
  • An error occurred processing the boot-time data
  • Include '
  • Exclude '
  • Highlight '
  • Copy '
  • Edit Filter '
  • Exclude Events Before
  • Exclude Events After
  • MainWindow
  • ToolbarWindow32
  • (not found)
  • commdlg_FindReplace
  • CONTEXT_HEADER
  • Highlight
  • Unable to determine process ID for selected window
  • A system or application resource limit has been exceeded
  • that prevents Process Monitor from capturing additional events.
  • Cannot find string "
  • Bookmarks are not enabled because the file is read-only.
  • No more bookmarks
  • PROFILING_OPTIONS
  • COLUMNCHOOSER
  • Jump not implemented for this event class
  • FILTER
  • No filter rules are currently defined
  • ORGANIZE_FILTERS
  • HIGHLIGHT
  • HISTORY_DEPTH
  • SYSTEM_DETAILS
  • There are no events in the trace
  • UNIQUE
  • OCCURRENCES
  • PROCESS_TREE
  • PROCESS_SUMMARY
  • FILE_SUMMARY
  • REGISTRY_SUMMARY
  • NETWORK_SUMMARY
  • STACK_SUMMARY
  • CROSS_REFERENCE_SUMMARY
  • SYMBOLCONFIG
  • No more highlights
  • \procmon.chm
  • %s:Zone.Identifier
  • Unable to open help file
  • ABOUTBOX
  • BACKINGFILE
  • ProcmonConfiguration.pmc
  • Procmon Configuration (*.PMC)
  • The selected file cannot be opened
  • DISCONNECTING
  • Unable to enable capturing of events.
  • <remote system root>
  • <remote computer name>
  • MAIN_MENU
  • PROCMON_WINDOW_CLASS
  • Out of memory: Unable to allocate a memory block of size %Iu
  • Software\Microsoft\Windows NT\CurrentVersion
  • Kernel32.dll
  • OpenLog
  • Terminate
  • WaitForIdle
  • SaveAs
  • SaveAs1
  • SaveAs2
  • SaveApplyFilter
  • EnableBootLogging
  • ConvertBootLog
  • LoadConfig
  • NoFilter
  • BackingFile
  • OriginalPath
  • PagingFile
  • NoConnect
  • Client
  • Minimized
  • Runtime
  • HookRegistry
  • ExternalCapture
  • Software\Microsoft\Windows\CurrentVersion\Policies\System
  • EnableLUA
  • Process Monitor must be run from an administrator account.
  • Unable to extract x64 image. Run Process Monitor from a writable directory.
  • Invalid argument:
  • The /SaveAs option is valid only when used with /OpenLog
  • The /SaveApplyFilter option is valid only when used with /SaveAs
  • Procmon was unable to allocate sufficient memory to run.
  • Try increasing the size of your page file.
  • Runtime parameter must be specified in seconds.
  • Runtime parameter must be between 1 and 3600 seconds.
  • SeDebugPrivilege
  • ProcMon Log File
  • ProcMon.Logfile.1
  • Software\Sysinternals\Process Monitor32
  • Software\Sysinternals\Process Monitor
  • The selected configuration file cannot be opened
  • DeviceNameMap
  • Invalid file extension in /SaveAs option
  • The file was not saved.
  • ACCELERATORS
  • FILTER_INIT
  • NT AUTHORITY\SYSTEM
  • REG_NONE
  • REG_SZ
  • REG_EXPAND_SZ
  • REG_BINARY
  • REG_DWORD
  • REG_DWORD_BIG_ENDIAN
  • REG_LINK
  • REG_MULTI_SZ
  • REG_RESOURCE_LIST
  • REG_FULL_RESOURCE_DESCRIPTOR
  • REG_RESOURCE_REQUIREMENTS_LIST
  • REG_QWORD
  • REG_CREATED_NEW_KEY
  • REG_OPENED_EXISTING_KEY
  • <Unknown:
  • Granted Access
  • Hive Path
  • New Name
  • Cached
  • HandleTags
  • UserFlags
  • SubKeys
  • Values
  • KeyWriteTimeInformation
  • KeyWow64FlagsInformation
  • KeySetHandleTagsInformation
  • KeySetInformationClass
  • Wow64Flags
  • dColumns
  • ColumnCount
  • ColumnMap
  • DbgHelpPath
  • HighlightFG
  • HighlightBG
  • LogFont
  • BoookmarkFont
  • AdvancedMode
  • Autoscroll
  • HistoryDepth
  • DestructiveFilter
  • AlwaysOnTop
  • ResolveAddresses
  • SourcePath
  • SymbolPath
  • FilterRules
  • HighlightRules
  • %_NT_SYMBOL_PATH%
  • srv*https://msdl.microsoft.com/download/symbols
  • Internal error: Snapshot is already open
  • Unable to open '
  • ' for reading
  • ' is not a valid backing file (truncated)
  • An error occurred attempting to memory map '
  • is not a Process Monitor backing file (signature missing).
  • is not compatible with this version of Process Monitor.
  • was not closed cleanly during capture and is corrupt.
  • must be opened using the 64-bit version of Process Monitor.
  • ' is corrupt and cannot be opened.
  • PRIVILEGE NOT HELD
  • INSUFFICIENT SERVER RESOURCES
  • ACCESS VIOLATION
  • THREAD NOT IN PROCESS
  • INSUFFICIENT RESOURCES
  • KEY DELETED
  • IO FAILED
  • REGISTRY CORRUPT
  • NO MEMORY
  • FILE DELETED
  • PATH SYNTAX BAD
  • BAD IMPERSONATION
  • FILES OPEN
  • DEVICE DATA ERROR
  • CRC ERROR
  • NOT IMPLEMENTED
  • EAS NOT SUPPORTED
  • TOO MANY COMMANDS
  • DEVICE NOT CONNECTED
  • NOT SAME DEVICE
  • EA TOO LARGE
  • DATATYPE MISALIGNMENT
  • HIVE UNLOADED
  • FILE INVALID
  • NONEXISTENT EA ENTRY
  • BAD NETWORK NAME
  • INVALID NETWORK RESPONSE
  • NOTIFY ENUM DIR
  • FILE CORRUPT
  • DISK CORRUPT
  • RANGE NOT LOCKED
  • FILE CLOSED
  • DUPLICATE NAME
  • DATA OVERRUN
  • REDIRECTOR NOT STARTED
  • UNSUCCESSFUL
  • NOT FOUND
  • NO MORE MATCHES
  • OBJECT PATH INVALID
  • INFO LENGTH MISMATCH
  • CANNOT IMPERSONATE
  • LOGON FAILURE
  • DOWNGRADE DETECTED
  • INVALID ADDRESS COMPONENT
  • IN PAGE ERROR
  • CANCELLED
  • NO EAS ON FILE
  • EA CORRUPT ERROR
  • QUOTA EXCEEDED
  • NOT SUPPORTED
  • NO MORE FILES
  • BUFFER TOO SMALL
  • NAME INVALID
  • NAME NOT FOUND
  • NOT A DIRECTORY
  • NO SUCH FILE
  • NAME COLLISION
  • NONEXISTENT SECTOR
  • BAD NETWORK PATH
  • PATH NOT FOUND
  • NO SUCH DEVICE
  • END OF FILE
  • NOTIFY CLEANUP
  • CSC OBJECT PATH NOT FOUND
  • BUFFER OVERFLOW
  • OBJECTID NOT FOUND
  • OBJECT TYPE MISMATCH
  • NO MORE ENTRIES
  • ACCESS DENIED
  • SHARING VIOLATION
  • INVALID PARAMETER
  • OPLOCK BREAK IN PROGRESS
  • CANNOT BREAK OPLOCK
  • OPLOCK NOT GRANTED
  • FILE LOCK CONFLICT
  • REPARSE
  • MORE ENTRIES
  • FS DRIVER REQUIRED
  • DELETE PENDING
  • CANNOT DELETE
  • NOT GRANTED
  • IS DIRECTORY
  • ALREADY COMMITTED
  • INVALID EA FLAG
  • INVALID INFO CLASS
  • INVALID HANDLE
  • INVALID DEVICE REQUEST
  • WRONG VOLUME
  • CHILD MUST BE VOLATILE
  • NETWORK ERROR
  • DISCONNECTED
  • DFS UNAVAILABLE
  • LOG FILE FULL
  • INVALID DEVICE STATE
  • NO MEDIA
  • PREDEFINED HANDLE
  • DISK FULL
  • NOT EMPTY
  • NOT REPARSE POINT
  • MEDIA WRITE PROTECTED
  • CANNOT MAKE
  • INVALID PARAMETER 1
  • INVALID PARAMETER 2
  • INVALID PARAMETER 3
  • INVALID PARAMETER 4
  • E_WRONG_PRINCIPAL
  • INVALID LEVEL
  • OPLOCK SWITCHED TO NEW HANDLE
  • OPLOCK HANDLE CLOSED
  • WAIT FOR OPLOCK
  • DEVICE FEATURE NOT SUPPORTED
  • INVALID TRANSACTION
  • CANNOT EXECUTE FILE IN TRANSACTION
  • SPARSE NOT ALLOWED IN TRANSACTION
  • TRANSACTED MAPPING UNSUPPORTED REMOTE
  • TRANSACTIONAL OPEN NOT ALLOWED
  • EFS NOT ALLOWED IN TRANSACTION
  • FILE LOCKED WITH ONLY READERS
  • FILE LOCKED WITH WRITERS
  • TRANSACTIONAL CONFLICT
  • TRANSACTION_NOT_ACTIVE
  • INSTANCE NOT AVAILABLE
  • PIPE NOT AVAILABLE
  • INVALID PIPE STATE
  • PIPE BUSY
  • PIPE DISCONNECTED
  • PIPE CLOSING
  • PIPE CONNECTED
  • PIPE LISTENING
  • INVALID READ MODE
  • FILE SYSTEM LIMITATION
  • PIPE EMPTY
  • PIPE BROKEN
  • IO TIMEOUT
  • PATH NOT COVERED
  • FAST IO DISALLOWED
  • IO DEVICE ERROR
  • CANT WAIT
  • USER MAPPED FILE
  • USER SESSION DELETED
  • LOGIN WKSTA RESTRICTION
  • STATUS_OFFLOAD_READ_FLT_NOT_SUPPORTED
  • STATUS_OFFLOAD_WRITE_FLT_NOT_SUPPORTED
  • OFFLOAD READ FILE NOT SUPPORTED
  • _NT_SYMBOL_PATH
  • ntoskrnl.exe
  • Ntkrnlmp.exe
  • ntkrnlpa.exe
  • Ntkrpamp.exe
  • Loading symbol module for
  • Loading symbols for
  • Retrieving function names for
  • Retrieving source path for
  • Configure the symbol engine for symbols
  • Resolving symbols...
  • http://www.microsoft.com/whdc/devtools/debugging/default.mspx
  • Software\Microsoft\DebuggingTools
  • Windbg
  • DbgHelp.dll
  • %ProgramFiles%\Debugging Tools for Windows (x86)\dbghelp.dll
  • C:\Debuggers\dbghelp.dll
  • \dbghelp.dll
  • dbghelp.dll
  • imagehlp.dll
  • %PATH%
  • Specify dbghelp.dll...
  • Dbghelp DLL (dbghelp.dll)
  • Browse for Symbols Directory
  • Browse for Source Directory
  • The DLL you specified is not a valid Dbghelp DLL.
  • SYMBOLCONFIGWARNING
  • \StringFileInfo\%04X%04X\%s
  • \VarFileInfo\Translation
  • FileDescription
  • user32.dll
  • ERROR : Unable to initialize critical section in CAtlBaseModule
  • Gmscoree.dll
  • combase.dll
  • Jja-JP
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • January
  • February
  • August
  • September
  • October
  • November
  • December
  • MM/dd/yy
  • dddd, MMMM dd, yyyy
  • HH:mm:ss
  • JR6002
  • - floating point support not loaded
  • - not enough space for arguments
  • - not enough space for environment
  • - abort() has been called
  • - not enough space for thread data
  • - unexpected multithread lock error
  • - unexpected heap error
  • - unable to open console device
  • - not enough space for _onexit/atexit table
  • - pure virtual function call
  • - not enough space for stdio initialization
  • - not enough space for lowio initialization
  • - unable to initialize heap
  • - CRT not initialized
  • - Attempt to initialize the CRT more than once.
  • This indicates a bug in your application.
  • - not enough space for locale information
  • - Attempt to use MSIL code from this assembly during native code initialization
  • This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
  • - inconsistent onexit begin-end variables
  • DOMAIN error
  • SING error
  • TLOSS error
  • runtime error
  • Runtime Error!
  • Program:
  • <program name unknown>
  • Microsoft Visual C++ Runtime Library
  • (null)
  • CONIN$
  • UTF-16LE
  • UNICODE
  • zh-CHS
  • az-AZ-Latn
  • uz-UZ-Latn
  • kok-IN
  • syr-SY
  • div-MV
  • quz-BO
  • sr-SP-Latn
  • az-AZ-Cyrl
  • uz-UZ-Cyrl
  • quz-EC
  • sr-SP-Cyrl
  • quz-PE
  • smj-NO
  • bs-BA-Latn
  • smj-SE
  • sr-BA-Latn
  • sma-NO
  • sr-BA-Cyrl
  • sma-SE
  • sms-FI
  • smn-FI
  • zh-CHT
  • az-az-cyrl
  • az-az-latn
  • bs-ba-latn
  • div-mv
  • kok-in
  • quz-bo
  • quz-ec
  • quz-pe
  • sma-no
  • sma-se
  • smj-no
  • smj-se
  • smn-fi
  • sms-fi
  • sr-ba-cyrl
  • sr-ba-latn
  • sr-sp-cyrl
  • sr-sp-latn
  • syr-sy
  • uz-uz-cyrl
  • uz-uz-latn
  • zh-chs
  • zh-cht
  • USER32.DLL
  • 2CONOUT$
  • ACCELERATORS
  • MAIN_MENU
  • CONTEXT_HEADER
  • CONTEXT_PROCESSTREE
  • ABOUTBOX
  • COLUMNCHOOSER
  • FILTER
  • SYMBOLDBGHELPGWARNING
  • SYMBOLCONFIGWARNING
  • SYMBOLCONFIG
  • PROP_STACKTRACE
  • BACKINGFILE
  • PROPERTIES
  • PROP_PROCESS
  • HISTORY_DEPTH
  • UNIQUE
  • FILTER_CONTROL
  • HIGHLIGHT
  • SELECTHIGHLIGHTCOLORS
  • MODULE_PROPERTIES
  • SAVE_FILTER
  • ORGANIZE_FILTERS
  • PROP_EVENT
  • PROGRESS
  • OCCURRENCES
  • PROCESS_SUMMARY
  • FILE_SUMMARY
  • FILTER_INIT
  • REGISTRY_SUMMARY
  • STACK_SUMMARY
  • PROFILING_OPTIONS
  • DEVICE_PATH
  • PROCESS_TREE
  • FILE_VIEWER
  • CROSS_REFERENCE_SUMMARY
  • PROCESS_TIMELINE
  • SYSTEM_DETAILS
  • NETWORK_SUMMARY
  • DISCONNECTING
  • BOOTLOG_OPTIONS
  • SPLITTER_CURSOR
  • BINRES
  • RCDRIVERNT
  • &Open...
  • Ctrl+O
  • &Save...
  • Ctrl+S
  • Backing Files...
  • &Capture Events
  • Ctrl+E
  • Export Configuration...
  • Import Configuration...
  • Ctrl+C
  • &Find...
  • Ctrl+F
  • Find &Highlight
  • Find &Bookmark
  • &Auto Scroll
  • Ctrl+A
  • C&lear Display
  • Ctrl+X
  • E&vent
  • Properties...
  • Ctrl+P
  • Stac&k...
  • Ctrl+K
  • Toggle &Bookmark
  • Ctrl+B
  • Jump To...
  • Ctrl+J
  • Search Online...
  • Include
  • IncludeDummy
  • Exclude
  • ExcludeDummy
  • Highlight
  • HighlightDummy
  • Fi&lter
  • Enable &Advanced Output
  • Filter...
  • Ctrl+L
  • Reset Filter
  • Ctrl+R
  • Load Filter
  • LoadFilterDummy
  • Save Filter...
  • Organize Filters...
  • Drop Filtered Events
  • Highlight...
  • Ctrl+H
  • &Tools
  • System Details...
  • Process Tree...
  • Ctrl+T
  • Process Activity Summary...
  • File Summary...
  • Registry Summary...
  • Stack Summary...
  • Network Summary...
  • Cross Reference Summary...
  • Count Occurrences...
  • &Options
  • Always on &Top
  • Fo&nt...
  • Highlight &Colors...
  • &Configure Symbols...
  • &Select Columns...
  • &History Depth...
  • &Profiling Events...
  • Enable &Boot Logging
  • Show &Resolved Network Addresses
  • Ctrl+N
  • Hex File &Offsets and Lengths
  • He&x Process and Thread IDs
  • &Help...
  • Command Line Options...
  • &About...
  • Properties...
  • Search Online...
  • View Source...
  • Context Menu
  • &Select Columns...
  • Context Menu
  • &Go To Event
  • &Add process to Include filter
  • Add process and &children to Include filter
  • VS_VERSION_INFO
  • StringFileInfo
  • 040904b0
  • CompanyName
  • Sysinternals - www.sysinternals.com
  • FileDescription
  • Process Monitor
  • FileVersion
  • InternalName
  • Process Monitor
  • LegalCopyright
  • Copyright
  • 1996-2018 Mark Russinovich
  • OriginalFilename
  • Process Monitor
  • ProductName
  • Sysinternals Procmon
  • ProductVersion
  • VarFileInfo
  • Translation
  • About Process Monitor
  • MS Shell Dlg
  • Process Monitor v
  • Sysinternals - www.sysinternals.com
  • Copyright
  • 1996-2013 Mark Russinovich
  • Process Monitor Column Selection
  • MS Shell Dlg
  • Cancel
  • Select columns to appear in the Process Monitor window:
  • Application Details
  • Process Name
  • Image Path
  • Command Line
  • Company Name
  • Description
  • Version
  • Architecture
  • Event Details
  • Sequence Number
  • Event Class
  • Operation
  • Date &&Time
  • Time of Day
  • Category
  • Detail
  • Result
  • Relative Time
  • Duration
  • Process Management
  • User Name
  • Session ID
  • Authentication ID
  • Integrity
  • Process ID
  • Thread ID
  • Parent PID
  • Virtualized
  • Completion Time
  • Process Monitor Filter
  • MS Shell Dlg
  • &Cancel
  • A&pply
  • Display entries matching these conditions:
  • Process Monitor Warning
  • MS Shell Dlg
  • Symbols are not currently configured.
  • You must configure symbols in order to view thread stack information.
  • Install the
  • Microsoft Debugging Tools for Windows
  • and configure a symbol server
  • address in the Options|Configure Symbols dialog for the best symbol support.
  • Process Monitor Warning
  • MS Shell Dlg
  • The version of Dbghelp.dll configured does not support the Microsoft Symbol Server.
  • Microsoft Debugging Tools for Windows
  • version that does.
  • Please download and install the
  • to get a
  • Configure Symbols
  • MS Shell Dlg
  • Cancel
  • DbgHelp.dll path (version 6.0 or later):
  • Symbol paths:
  • Process Monitor uses symbols to resolve function names when displaying thread stack locations on the Stack page of an event's properties dialog.
  • If you do not require that information you do not need to configure symbols.
  • Source code paths:
  • When displaying stack traces for modules for which you have both symbols and source code available Process Monitor can let you view the source associated with a stack frame.
  • MS Shell Dlg
  • SysListView32
  • Status...
  • &Properties...
  • &Save...
  • Source...
  • Search...
  • Process Monitor Backing Files
  • MS Shell Dlg
  • Cancel
  • SysListView32
  • Process Monitor can store events in virtual memory (limited by the system commit limit), or in a file you specify (limited by free disk space). Which do you prefer?
  • Use &virtual memory
  • Use file &named:
  • These backing file objects are being used to store event data:
  • Static
  • Static
  • Save To File
  • MS Shell Dlg
  • Cancel
  • All events
  • Events displayed using current filter
  • Highlighted events
  • Events to save:
  • Format:
  • Comma-Separated Values (CSV)
  • Native Process Monitor Format (PML)
  • Extensible Markup Language (XML)
  • Include stack traces (will increase file size)
  • Resolve stack symbols (will be slow)
  • Also include profiling events
  • Properties
  • MS Shell Dlg
  • SysTabControl32
  • Next Highlighted
  • Copy All
  • MS Shell Dlg
  • Version:
  • Command Line:
  • Parent PID:
  • Session ID:
  • Auth ID:
  • Started:
  • Architecture:
  • Virtualized:
  • Integrity:
  • Ended:
  • Modules:
  • SysListView32
  • History Depth
  • MS Shell Dlg
  • Cancel
  • msctls_updown32
  • The history depth limits the total number of events kept during a run.
  • Number of events (millions):
  • Show Unique Values
  • MS Shell Dlg
  • &Save...
  • Column:
  • Double-click an item to filter on that value.
  • &Filter...
  • MS Shell Dlg
  • &Remove
  • SysListView32
  • Process Monitor Highlighting
  • MS Shell Dlg
  • Highlight entries matching these conditions:
  • &Cancel
  • A&pply
  • &Make Filter
  • Choose Highlight Colors
  • MS Shell Dlg
  • &Select
  • &Cancel
  • &Color choices:
  • |S&olid
  • &Green:
  • Bl&ue:
  • &Add to Custom Colors
  • Preview
  • Module Properties
  • MS Shell Dlg
  • Version:
  • Company:
  • Description:
  • Module:
  • Timestamp:
  • Save Filter
  • MS Shell Dlg
  • Cancel
  • Enter a name for the filter:
  • Organize Filters
  • MS Shell Dlg
  • &Rename
  • &Delete
  • Export...
  • Import...
  • MS Shell Dlg
  • Thread:
  • Class:
  • Operation:
  • Result:
  • Duration:
  • Dialog
  • MS Shell Dlg
  • Cancel
  • msctls_progress32
  • Initializing...
  • Count Values Occurrences
  • MS Shell Dlg
  • &Save...
  • Column:
  • SysListView32
  • Double-click an item to filter on that value.
  • &Filter...
  • Static
  • Process Activity Summary
  • MS Shell Dlg
  • &Detail...
  • &Save...
  • Static
  • Processes generating events during trace:
  • Command Line:
  • Started:
  • Ended:
  • Total User CPU:
  • Total Kernel CPU:
  • SysTreeView32
  • File Summary
  • MS Shell Dlg
  • &Save...
  • Static
  • Files accessed during trace:
  • SysTabControl32
  • Filter...
  • Process Monitor Usage
  • MS Shell Dlg
  • Command line arguments:
  • /OpenLog <PML file>
  • /BackingFile <PML file>
  • /NoConnect
  • /NoFilter
  • /AcceptEula
  • /Profiling
  • Open a previously saved event file
  • Save events in the specified backing file
  • Don't automatically begin collecting events at start up
  • Clear the filter at start up
  • Accept the EULA automatically (don't show a dialog)
  • Enable the thread profiling feature
  • /PagingFile
  • Save events in the virtual memory
  • /Minimized
  • /Terminate
  • Start the application minimized
  • Terminate all instances of ProcMon and exit
  • /Quiet
  • Don't confirm filter settings during start up
  • /Run32
  • Run the 32-bit version to load 32-bit log files (x64 only)
  • /WaitForIdle
  • Wait for an instance of ProcMon to become ready
  • /HookRegistry
  • Hook Registry for Softgrid troubleshooting (x86 Vista only)
  • /SaveAs <path>
  • Export to an XML, CSV or PML file
  • /SaveAs1 <path>
  • Export including stack traces (XML only)
  • /SaveAs2 <path>
  • Export including stack traces with symbols (XML only)
  • /LoadConfig <file>
  • Load a previously saved configuration file
  • /SaveApplyFilter
  • Apply current filter before exporting
  • /EnableBootLogging
  • Configures logging of next boot
  • /ConvertBootLog <PML file>
  • Automatically processes a boot log after reboot
  • /Runtime
  • Run for the specified number of seconds and terminate
  • Process Monitor Filter
  • MS Shell Dlg
  • Filters were in effect the last time you exited Process Monitor:
  • Display entries matching these conditions:
  • &Cancel
  • A&pply
  • Registry Summary
  • MS Shell Dlg
  • &Save...
  • SysListView32
  • Static
  • Registry paths accessed during trace:
  • Filter...
  • Stack Summary
  • MS Shell Dlg
  • Stack traces during trace:
  • Static
  • SysTreeView32
  • Go to Event
  • Source...
  • Filter...
  • Thread Profiling Options
  • MS Shell Dlg
  • Cancel
  • Process Monitor can generate thread profiling events that capture the state of all executing threads at a regular interval.
  • Generate thread profiling events
  • Every second
  • Every 100 milliseconds
  • Define Device Path
  • MS Shell Dlg
  • Provide a translation for this device path to the DOS path:
  • Device path:
  • User path:
  • Remove
  • Existing translations:
  • SysListView32
  • Full path:
  • Remove All
  • Process Tree
  • MS Shell Dlg
  • &Close
  • Only show processes still running at end of current trace
  • SysTreeView32
  • Description:
  • Company:
  • Command:
  • Process ID
  • Started:
  • Started
  • Exited:
  • Exited
  • &Go To Event
  • Timelines cover displayed events only
  • &Include Process
  • Include &Subtree
  • File Viewer
  • MS Shell Dlg
  • Cross Reference Summary
  • MS Shell Dlg
  • &Close
  • &Save...
  • SysListView32
  • Static
  • Paths that are written and read between differing processes:
  • &Filter on Row
  • Process Timeline
  • MS Shell Dlg
  • CPU Utilization
  • File I/O Bytes
  • File I/O Operations
  • Registry Operations
  • Private Memory Bytes
  • Memory Working Set
  • 100 MB/sec
  • 100 Operations/sec
  • 100 Operations/sec
  • 100 MB
  • 100 MB
  • Click on a graph to go to the closest event in the trace.
  • Network Bytes
  • Network Operations
  • 100 MB/sec
  • 100 Operations/sec
  • System Details
  • MS Shell Dlg
  • System on which trace was captured:
  • Computer Name:
  • System Root:
  • Operating System:
  • Memory (RAM):
  • System Type:
  • Logical Processors:
  • Network Summary
  • MS Shell Dlg
  • &Save...
  • SysListView32
  • Static
  • Network paths accessed during trace:
  • Filter...
  • Process Monitor
  • MS Shell Dlg
  • Disconnecting from Event Tracing for Windows (ETW). This can take up to a minute.
  • Enable Boot Logging
  • MS Shell Dlg
  • Cancel
  • Process Monitor can generate thread profiling events that capture the state of all running applications at a regular interval.
  • Generate thread profiling events
  • Every second
  • Every 100 milliseconds
  • \SystemRoot\System32\Drivers\
  • \SystemRoot\Procmon.pmb
  • Parameters
  • ThreadProfiling
  • RuntimeSeconds
  • \SystemRoot
  • D:P(A;;GA;;;AU)
  • \device\ProcmonDebugLogger
  • \DosDevices\Global\ProcmonDebugLogger
  • \device\ProcmonExternalLogger
  • \??\ProcmonExternalLoggerEnabled
  • \ProcessMonitor24Port
  • ZwQueryInformationThread
  • SeLocateProcessImageName
  • PsSetCreateProcessNotifyRoutineEx2
  • PsSetCreateThreadNotifyRoutineEx
  • ZwOpenProcessTokenEx
  • 500000
  • (Default)
  • CmRegisterCallback
  • CmRegisterCallbackEx
  • CmUnRegisterCallback
  • CmCallbackGetKeyObjectID
  • IoValidateDeviceIoControlAccess
  • IoCreateDeviceSecure
  • D:P(A;;GA;;;SY)
  • D:P(A;;GA;;;SY)(A;;GA;;;BA)
  • D:P(A;;GA;;;SY)(A;;GRGX;;;BA)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)(A;;GR;;;RC)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)
  • {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • \Registry\Machine\System\CurrentControlSet\Control\Class
  • Security
  • Properties
  • Exclusive
  • DeviceCharacteristics
  • DeviceType
  • NoUseClass
  • NoDisplayClass
  • <INSUFFICIENT RESOURCES>
  • <INVALID NAME>
  • \Registry
  • VS_VERSION_INFO
  • StringFileInfo
  • 040904b0
  • CompanyName
  • Sysinternals - www.sysinternals.com
  • FileDescription
  • Process Monitor Driver
  • FileVersion
  • InternalName
  • Procmon.sys
  • LegalCopyright
  • Copyright (C) 2006-2014 M. Russinovich
  • OriginalFilename
  • procmon.Sys
  • ProductName
  • Process Monitor
  • ProductVersion
  • VarFileInfo
  • Translation
  • ProcMonDrive
  • ProcMonDrive
  • Legal_Policy_Statement
  • {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
  • EventTrace
  • Header
  • Unknown
  • root\wmi
  • format
  • StringTermination
  • pointer
  • extension
  • NullTerminated
  • Counted
  • ReverseCounted
  • NotCounted
  • IPAddr
  • IPAddrV6
  • IPAddrV4
  • WmiTime
  • __CLASS
  • WmiDataId
  • EventType
  • EventTypeName
  • DisplayName
  • EventVersion
  • uxtheme.dll
  • not implemented
  • treeview
  • TreeListWindowClass
  • TreeListProperty
  • tooltips_class32
  • SysHeader32
  • ScrollBar
  • Static
  • SPLITTER_CURSOR
  • SYSINTERNALS SOFTWARE LICENSE TERMS
  • These license terms are an agreement between Sysinternals(a wholly owned subsidiary of Microsoft Corporation) and you.Please read them.They apply to the software you are downloading from technet.microsoft.com / sysinternals, which includes the media on which you received it, if any.The terms also apply to any Sysinternals
  • * updates,
  • *supplements,
  • *Internet - based services,
  • *and support services
  • for this software, unless other terms accompany those items.If so, those terms apply.
  • BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE.
  • If you comply with these license terms, you have the rights below.
  • INSTALLATION AND USER RIGHTS
  • You may install and use any number of copies of the software on your devices.
  • SCOPE OF LICENSE
  • The software is licensed, not sold.This agreement only gives you some rights to use the software.Sysinternals reserves all other rights.Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement.In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways.You may not
  • * work around any technical limitations in the software;
  • *reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
  • *make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
  • *publish the software for others to copy;
  • *rent, lease or lend the software;
  • *transfer the software or this agreement to any third party; or
  • * use the software for commercial software hosting services.
  • SENSITIVE INFORMATION
  • Please be aware that, similar to other debug tools that capture
  • process state
  • information, files saved by Sysinternals tools may include personally identifiable or other sensitive information(such as usernames, passwords, paths to files accessed, and paths to registry accessed).By using this software, you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through your use of the software.
  • DOCUMENTATION
  • Any person that has valid access to your computer or internal network may copy and use the documentation for your internal, reference purposes.
  • EXPORT RESTRICTIONS
  • The software is subject to United States export laws and regulations.You must comply with all domestic and international export laws and regulations that apply to the software.These laws include restrictions on destinations, end users and end use.For additional information, see www.microsoft.com / exporting .
  • SUPPORT SERVICES
  • Because this software is "as is, " we may not provide support services for it.
  • ENTIRE AGREEMENT
  • This agreement, and the terms for supplements, updates, Internet - based services and support services that you use, are the entire agreement for the software and support services.
  • APPLICABLE LAW
  • United States.If you acquired the software in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles.The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
  • Outside the United States.If you acquired the software in any other country, the laws of that country apply.
  • LEGAL EFFECT
  • This agreement describes certain legal rights.You may have other rights under the laws of your country.You may also have rights with respect to the party from whom you acquired the software.This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
  • DISCLAIMER OF WARRANTY
  • The software is licensed "as - is." You bear the risk of using it.Sysinternals gives no express warranties, guarantees or conditions.You may have additional consumer rights under your local laws which this agreement cannot change.To the extent permitted under your local laws, sysinternals excludes the implied warranties of merchantability, fitness for a particular purpose and non - infringement.
  • LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES
  • You can recover from sysinternals and its suppliers only direct damages up to U.S.$5.00.You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
  • This limitation applies to
  • * anything related to the software, services, content(including code) on third party Internet sites, or third party programs; and
  • * claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
  • It also applies even if Sysinternals knew or should have known about the possibility of the damages.The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
  • Please note : As this software is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
  • Remarque : Ce logiciel
  • tant distribu
  • au Qu
  • bec, Canada, certaines des clauses dans ce contrat sont fournies ci - dessous en fran
  • EXON
  • RATION DE GARANTIE.Le logiciel vis
  • par une licence est offert
  • tel quel
  • .Toute utilisation de ce logiciel est
  • votre seule risque et p
  • ril.Sysinternals n'accorde aucune autre garantie expresse. Vous pouvez b
  • ficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualit
  • marchande, d'ad
  • quation
  • un usage particulier et d'absence de contrefa
  • on sont exclues.
  • LIMITATION DES DOMMAGES - INT
  • TS ET EXCLUSION DE RESPONSABILIT
  • POUR LES DOMMAGES.Vous pouvez obtenir de Sysinternals et de ses fournisseurs une indemnisation en cas de dommages directs uniquement
  • hauteur de 5, 00 $ US.Vous ne pouvez pr
  • tendre
  • aucune indemnisation pour les autres dommages, y compris les dommages sp
  • ciaux, indirects ou accessoires et pertes de b
  • fices.
  • Cette limitation concerne :
  • tout ce qui est reli
  • au logiciel, aux services ou au contenu(y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et
  • clamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit
  • stricte, de n
  • gligence ou d'une autre faute dans la limite autoris
  • e par la loi en vigueur.
  • Elle s'applique
  • galement, m
  • me si Sysinternals connaissait ou devrait conna
  • tre l'
  • ventualit
  • d'un tel dommage. Si votre pays n'autorise pas l'exclusion ou la limitation de responsabilit
  • pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l'exclusion ci - dessus ne s'appliquera pas
  • votre
  • EFFET JURIDIQUE.Le pr
  • sent contrat d
  • crit certains droits juridiques.Vous pourriez avoir d'autres droits pr
  • vus par les lois de votre pays. Le pr
  • sent contrat ne modifie pas les droits que vous conf
  • rent les lois de votre pays si celles-ci ne le permettent pas.
  • Sysinternals License
  • %s License Agreement
  • Software\Sysinternals\%s
  • Riched32.dll
  • License Agreement
  • MS Shell Dlg
  • You can also use the /accepteula command-line switch to accept the EULA.
  • &Agree
  • &Decline
  • &Print
  • RICHEDIT
  • EulaAccepted
  • Shell32.dll
  • /accepteula
  • -accepteula
  • Software\Microsoft\windows nt\currentversion
  • ProductName
  • iotuap
  • Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels
  • NanoServer
  • This is the first run of this program. You must accept EULA to continue.
  • Use -accepteula to accept EULA.
  • Software\Sysinternals
  • URLMON.DLL
  • HyperlinkClass
  • http://www.sysinternals.com
  • FileVersion
  • LegalCopyright
  • Display index %d moved from snapshot %d:%d to %d
  • PROGRESS
  • %d%% - %d:%02d remaining (%s)
  • Searching for Bookmarks
  • %9.5f%%
  • ntdll.dll
  • BINRES
  • %SYSTEMROOT%\Procmon.Pmb
  • SupportedFeatures
  • Instances
  • Process Monitor 24 Instance
  • DefaultInstance
  • 385200
  • Altitude
  • PROCMON24.SYS
  • %s\Drivers\%s
  • RCDRIVERNT
  • %%TEMP%%\%s
  • \ProcessMonitor24Port
  • SeLoadDriverPrivilege
  • System\CurrentControlSet\Services\PROCMON24
  • ErrorControl
  • \??\%s
  • ImagePath
  • \Registry\Machine\System\CurrentControlSet\Services\PROCMON24
  • System\CurrentControlSet\Services\PROCMON24\Enum
  • System\CurrentControlSet\Services\PROCMON24\Security
  • System\CurrentControlSet\Services\PROCMON24\Parameters
  • Parameters
  • Security
  • \Drivers\PROCMON24.SYS
  • Unable to write
  • Make sure that you have permission to
  • write to the %%SystemRoot%%\System32\Drivers directory.
  • Process Monitor
  • BOOTLOG_OPTIONS
  • Process Monitor is configured to log activity during the next boot.
  • FSFilter Activity Monitor
  • DeleteFlag
  • System32\Drivers\
  • ThreadProfiling
  • RuntimeSeconds
  • Error configuring boot logging
  • Completion
  • Process
  • Registry
  • File System
  • Profiling
  • Network
  • Process Defined
  • Process Create
  • Process Exit
  • Thread Create
  • Thread Exit
  • Load Image
  • Thread Profile
  • Process Start
  • Process Statistics
  • System Statistics
  • Thread Profiling
  • Process Profiling
  • Debug Output Profiling
  • RegOpenKey
  • RegCreateKey
  • RegCloseKey
  • RegQueryKey
  • RegSetValue
  • RegQueryValue
  • RegEnumValue
  • RegEnumKey
  • RegSetInfoKey
  • RegDeleteKey
  • RegDeleteValue
  • RegFlushKey
  • RegLoadKey
  • RegUnloadKey
  • RegRenameKey
  • RegQueryMultipleValueKey
  • RegSetKeySecurity
  • RegQueryKeySecurity
  • UDP Unknown
  • TCP Unknown
  • UDP Other
  • TCP Other
  • UDP Send
  • TCP Send
  • UDP Receive
  • TCP Receive
  • UDP Accept
  • TCP Accept
  • UDP Connect
  • TCP Connect
  • UDP Disconnect
  • TCP Disconnect
  • UDP Reconnect
  • TCP Reconnect
  • UDP Retransmit
  • TCP Retransmit
  • UDP TCPCopy
  • TCP TCPCopy
  • Read Metadata
  • Write Metadata
  • Command line
  • Parent PID
  • Current directory
  • Environment
  • Image Base
  • Image Size
  • Commit Peak
  • System Calls
  • Context Switches
  • Thread ID
  • Exit Status
  • %.07f seconds
  • User Time
  • Kernel Time
  • Private Bytes
  • Peak Private Bytes
  • Working Set
  • Peak Working Set
  • Thread %u
  • Output
  • Length
  • is not
  • less than
  • more than
  • begins with
  • ends with
  • contains
  • excludes
  • IRP_MJ_
  • FASTIO_
  • Procmon.exe
  • Procexp.exe
  • Autoruns.exe
  • Procmon64.exe
  • Procexp64.exe
  • System
  • pagefile.sys
  • $MftMirr
  • $LogFile
  • $Volume
  • $AttrDef
  • $Bitmap
  • $BadClus
  • $Secure
  • $UpCase
  • $Extend
  • FAST IO
  • Include
  • Exclude
  • Okay to overwrite event log '
  • An error occurred opening the snapshot
  • Applying Event Filter
  • Operation cancelled: The listview data may be incomplete
  • Process Monitor can open at most
  • backing files
  • <pagefile>
  • ProcessIndex
  • address
  • location
  • process
  • ProcessId
  • ParentProcessId
  • ParentProcessIndex
  • AuthenticationId
  • CreateTime
  • FinishTime
  • IsVirtualized
  • Is64bit
  • Integrity
  • ProcessName
  • CommandLine
  • CompanyName
  • Version
  • Description
  • modulelist
  • module
  • Timestamp
  • BaseAddress
  • Company
  • Process Monitor - Exporting event data
  • wt, ccs=UTF-8
  • <?xml version="1.0" encoding="UTF-8"?>
  • procmon
  • processlist
  • eventlist
  • SUCCESS
  • Counting occurrences of values
  • Scanning process information
  • Scanning file information
  • Scanning Registry information
  • Scanning Network information
  • <unknown>
  • Scanning event stack information
  • Scanning events
  • Searching
  • SysListView32
  • IRP_MJ_LOCK_CONTROL
  • FASTIO_LOCK
  • LockFile
  • FASTIO_UNLOCK_SINGLE
  • UnlockFileSingle
  • FASTIO_UNLOCK_ALL
  • UnlockFileAll
  • FASTIO_UNLOCK_ALL_BY_KEY
  • UnlockFileByKey
  • IRP_MJ_READ
  • FASTIO_READ
  • ReadFile
  • IRP_MJ_WRITE
  • FASTIO_WRITE
  • WriteFile
  • IRP_MJ_QUERY_VOLUME_INFORMATION
  • FASTIO_QUERY_VOLUME_INFORMATION
  • QueryInformationVolume
  • QueryLabelInformationVolume
  • QuerySizeInformationVolume
  • QueryDeviceInformationVolume
  • QueryAttributeInformationVolume
  • QueryControlInformationVolume
  • QueryFullSizeInformationVolume
  • QueryObjectIdInformationVolume
  • IRP_MJ_SET_VOLUME_INFORMATION
  • FASTIO_SET_VOLUME_INFORMATION
  • SetControlInformationVolume
  • SetLabelInformationVolume
  • SetObjectIdInformationVolume
  • IRP_MJ_QUERY_INFORMATION
  • FASTIO_QUERY_INFORMATION
  • QueryAllInformationFile
  • QueryAttributeTagFile
  • QueryBasicInformationFile
  • QueryCompressionInformationFile
  • QueryEaInformationFile
  • QueryFileInternalInformationFile
  • QueryMoveClusterInformationFile
  • QueryNetworkOpenInformationFile
  • QueryPositionInformationFile
  • QueryStandardInformationFile
  • QueryStreamInformationFile
  • QueryNameInformationFile
  • IRP_MN_QUERY_INFORMATION
  • QueryShortNameInformationFile
  • QueryNormalizedNameInformationFile
  • QueryNetworkPhysicalNameInformationFile
  • QueryIdBothDirectory
  • QueryValidDataLength
  • QueryIoPiorityHint
  • QueryLinks
  • QueryId
  • QueryEndOfFile
  • QueryAttributeTag
  • QueryIdGlobalTxDirectoryInformation
  • QueryIsRemoteDeviceInformation
  • QueryAttributeCacheInformation,
  • QueryNumaNodeInformation
  • QueryStandardLinkInformation
  • QueryRemoteProtocolInformation
  • QueryRenameInformationBypassAccessCheck
  • QueryLinkInformationBypassAccessCheck
  • QueryVolumeNameInformation
  • QueryIdInformation
  • QueryIdExtdDirectoryInformation
  • QueryHardLinkFullIdInformation
  • QueryIdExtdBothDirectoryInformation
  • QueryDesiredStorageClassInformation
  • QueryStatInformation
  • QueryMemoryPartitionInformation
  • IRP_MJ_SET_INFORMATION
  • FASTIO_SET_INFORMATION
  • SetAllocationInformationFile
  • SetBasicInformationFile
  • SetDispositionInformationFile
  • SetEndOfFileInformationFile
  • SetLinkInformationFile
  • SetPositionInformationFile
  • SetRenameInformationFile
  • SetValidDataLengthInformationFile
  • SetFileStreamInformation
  • SetPipeInformation
  • SetShortNameInformation
  • SetDispositionInformationEx
  • SetReplaceCompletionInformation
  • SetRenameInformationEx
  • SetRenameInformationExBypassAccessCheck
  • IRP_MJ_DIRECTORY_CONTROL
  • FASTIO_DIRECTORY_CONTROL
  • QueryDirectory
  • NotifyChangeDirectory
  • IRP_MJ_PNP
  • StartDevice
  • QueryRemoveDevice
  • RemoveDevice
  • CancelRemoveDevice
  • StopDevice
  • QueryStopDevice
  • CancelStopDevice
  • QueryDeviceRelations
  • QueryInterface
  • QueryCapabilities
  • QueryResources
  • QueryResourceRequirements
  • QueryDeviceText
  • FilterResourceRequirements
  • ReadConfig
  • WriteConfig
  • SetLock
  • QueryPnpDeviceState
  • QueryBusInformation
  • DeviceUsageNotification
  • SurpriseRemoval
  • QueryLegacyBusInformation
  • IRP_MJ_VOLUME_DISMOUNT
  • VolumeDismount
  • IRP_MJ_VOLUME_MOUNT
  • VolumeMount
  • FASTIO_MDL_WRITE_COMPLETE
  • FASTIO_PREPARE_MDL_WRITE
  • FASTIO_MDL_READ_COMPLETE
  • FASTIO_MDL_READ
  • FASTIO_NETWORK_QUERY_OPEN
  • QueryOpen
  • FASTIO_CHECK_IF_POSSIBLE
  • IRP_MJ_12
  • IRP_MJ_11
  • IRP_MJ_10
  • IRP_MJ_9
  • IRP_MJ_8
  • FASTIO_NOTIFY_STREAM_FO_CREATION
  • FASTIO_RELEASE_FOR_CC_FLUSH
  • FASTIO_ACQUIRE_FOR_CC_FLUSH
  • FASTIO_RELEASE_FOR_MOD_WRITE
  • FASTIO_ACQUIRE_FOR_MOD_WRITE
  • FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION
  • FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
  • CreateFileMapping
  • IRP_MJ_CREATE
  • CreateFile
  • IRP_MJ_CREATE_NAMED_PIPE
  • CreatePipe
  • IRP_MJ_CLOSE
  • QueryInformationFile
  • SetInformationFile
  • IRP_MJ_QUERY_EA
  • QueryEAFile
  • IRP_MJ_SET_EA
  • SetEAFile
  • IRP_MJ_FLUSH_BUFFERS
  • FlushBuffersFile
  • QueryVolumeInformation
  • SetVolumeInformation
  • DirectoryControl
  • IRP_MJ_FILE_SYSTEM_CONTROL
  • FileSystemControl
  • IRP_MJ_DEVICE_CONTROL
  • DeviceIoControl
  • IRP_MJ_INTERNAL_DEVICE_CONTROL
  • InternalDeviceIoControl
  • IRP_MJ_SHUTDOWN
  • Shutdown
  • LockUnlockFile
  • IRP_MJ_CLEANUP
  • CloseFile
  • IRP_MJ_CREATE_MAILSLOT
  • CreateMailSlot
  • IRP_MJ_QUERY_SECURITY
  • QuerySecurityFile
  • IRP_MJ_SET_SECURITY
  • SetSecurityFile
  • IRP_MJ_POWER
  • IRP_MJ_SYSTEM_CONTROL
  • SystemControl
  • IRP_MJ_DEVICE_CHANGE
  • DeviceChange
  • IRP_MJ_QUERY_QUOTA
  • QueryFileQuota
  • IRP_MJ_SET_QUOTA
  • SetFileQuota
  • IRP_MJ_PNP
  • PlugAndPlay
  • IRP_MJ_MAXIMUM_FUNCTION
  • Delete
  • <Unknown>
  • Attributes
  • ReparseTag
  • CreationTime
  • LastAccessTime
  • LastWriteTime
  • ChangeTime
  • FileAttributes
  • IndexNumber
  • Position
  • AllocationSize
  • ValidDataLength
  • Access
  • EndOfFile
  • NumberOfLinks
  • DeletePending
  • Directory
  • EaSize
  • FILE_DISPOSITION_DELETE
  • FILE_DISPOSITION_POSIX_SEMANTICS
  • FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK
  • FILE_DISPOSITION_ON_CLOSE
  • Category
  • FILE_DISPOSITION_DO_NOT_DELETE
  • FILE_RENAME_REPLACE_IF_EXISTS
  • FILE_RENAME_POSIX_SEMANTICS
  • FILE_RENAME_SUPPRESS_PIN_STATE_INHERITANCE
  • FileName
  • ReplaceIfExists
  • AlignmentRequirement
  • VolumeCreationTime
  • %04X-%04X
  • VolumeSerialNumber
  • SupportsObjects
  • VolumeLabel
  • TotalAllocationUnits
  • AvailableAllocationUnits
  • SectorsPerAllocationUnit
  • BytesPerSector
  • DeviceType
  • Characteristics
  • FileSystemAttributes
  • MaximumComponentNameLength
  • FileSystemName
  • FreeSpaceStartFiltering
  • FreeSpaceThreshold
  • FreeSpaceStopFiltering
  • DefaultQuotaThreshold
  • DefaultQuotaLimit
  • FileSystemControlFlags
  • CallerAvailableAllocationUnits
  • ActualAvailableAllocationUnits
  • ObjectId
  • Filter
  • ShortName
  • FILE_NOTIFY_CHANGE_FILE_NAME
  • FILE_NOTIFY_CHANGE_DIR_NAME
  • FILE_NOTIFY_CHANGE_NAME
  • FILE_NOTIFY_CHANGE_ATTRIBUTES
  • FILE_NOTIFY_CHANGE_SIZE
  • FILE_NOTIFY_CHANGE_LAST_WRITE
  • FILE_NOTIFY_CHANGE_LAST_ACCESS
  • FILE_NOTIFY_CHANGE_CREATION
  • FILE_NOTIFY_CHANGE_EA
  • FILE_NOTIFY_CHANGE_SECURITY
  • FILE_NOTIFY_CHANGE_STREAM_NAME
  • FILE_NOTIFY_CHANGE_STREAM_SIZE
  • FILE_NOTIFY_CHANGE_STREAM_WRITE
  • <Unknown :
  • UnlockSingle
  • UnlockAll
  • UnlockAllByKey
  • Lock Type
  • Exclusive
  • Offset
  • Fail Immediately
  • I/O Flags
  • Priority
  • Desired Access
  • Disposition
  • Options
  • ShareMode
  • Impersonating
  • OpenResult
  • Information
  • Operation
  • CD-ROM
  • Device Type
  • Control
  • WriteLength
  • ReadLength
  • SyncTypeOther
  • SyncTypeCreateSection
  • Unknown:
  • SyncType
  • PAGE_READONLY
  • PAGE_READWRITE
  • PAGE_WRITECOPY
  • PAGE_EXECUTE
  • PAGE_EXECUTE_READ
  • PAGE_EXECUTE_READWRITE
  • PAGE_EXECUTE_WRITECOPY
  • |PAGE_NOCACHE
  • PageProtection
  • EndingOffset
  • Minor ID
  • IRP Flags
  • GraphWindowClass
  • GraphProperty
  • Time:
  • The full name of the selected key or value is not available.
  • \HKEY_LOCAL_MACHINE
  • \HKEY_CURRENT_USER
  • \HKEY_CURRENT_CONFIG
  • \HKEY_CLASSES_ROOT
  • \HKEY_USERS
  • RegEdit_RegEdit
  • regedit.exe
  • Process Monitor was unable to launch Regedit.
  • SysTreeView32
  • The full name of the selected directory or file is not available.
  • explorer /select,
  • Explorer could not open
  • ICON_MYCOMPUTER
  • ICON_CLOSEDFOLDER
  • ICON_OPENFOLDER
  • comctl32.dll
  • Text File (*.CSV)
  • Export Listview
  • Unable to open file for writing
  • All Access
  • Read/Write
  • Execute
  • Query Value
  • Set Value
  • Create Sub Key
  • Enumerate Sub Keys
  • Notify
  • Create Link
  • WOW64_Res
  • WOW64_32Key
  • WOW64_64Key
  • Generic Read/Write/Execute
  • Generic Read/Write
  • Generic Read/Execute
  • Generic Write/Execute
  • Generic Read
  • Generic Write
  • Generic Execute
  • Read Data/List Directory
  • Write Data/Add File
  • Append Data/Add Subdirectory/Create Pipe Instance
  • Read EA
  • Write EA
  • Execute/Traverse
  • Delete Child
  • Read Attributes
  • Write Attributes
  • Read Control
  • Write DAC
  • Write Owner
  • Synchronize
  • Access System Security
  • Maximum Allowed
  • SeShutdownPrivilege
  • SeChangeNotifyPrivilege
  • SeUndockPrivilege
  • SeIncreaseWorkingSetPrivilege
  • SeTimeZonePrivilege
  • kernel32.dll
  • \fltlib.dll
  • %s%07d
  • %02u:%02u:%02u.%07u
  • %02u:%02u:%02u
  • 0x%I64x
  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
  • Windows 8
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10
  • Windows Server 2016
  • Windows %d.%d
  • (build %d.%d)
  • %08x:%08x
  • 64-bit
  • 32-bit
  • %x:%x:%x:%x:%x:%x:%x:%x
  • %d.%d.%d.%d
  • DACL Protected
  • SACL Protected
  • DACL Unprotected
  • SACL Unprotected
  • Attribute
  • Process Trust Label
  • Backup
  • Write Through
  • Sequential Access
  • No Buffering
  • Synchronous IO Alert
  • Synchronous IO Non-Alert
  • Non-Directory File
  • Create Tree Connection
  • Complete If Oplocked
  • No EA Knowledge
  • Open for Recovery
  • Random Access
  • Delete On Close
  • Open By ID
  • Open For Backup
  • No Compression
  • Reserve OpFilter
  • Open Reparse Point
  • Open No Recall
  • Open For Free Space Query
  • Open Requiring Oplock
  • Disallow Exclusive
  • FSCTL_REQUEST_OPLOCK_LEVEL_1
  • FSCTL_REQUEST_OPLOCK_LEVEL_2
  • FSCTL_REQUEST_BATCH_OPLOCK
  • FSCTL_OPLOCK_BREAK_ACKNOWLEDGE
  • FSCTL_OPBATCH_ACK_CLOSE_PENDING
  • FSCTL_OPLOCK_BREAK_NOTIFY
  • FSCTL_LOCK_VOLUME
  • FSCTL_UNLOCK_VOLUME
  • FSCTL_DISMOUNT_VOLUME
  • FSCTL_IS_VOLUME_MOUNTED
  • FSCTL_IS_PATHNAME_VALID
  • FSCTL_MARK_VOLUME_DIRTY
  • FSCTL_QUERY_RETRIEVAL_POINTERS
  • FSCTL_QUERY_DEPENDENT_VOLUME
  • FSCTL_GET_COMPRESSION
  • FSCTL_SET_COMPRESSION
  • FSCTL_OPLOCK_BREAK_ACK_NO_2
  • FSCTL_QUERY_FAT_BPB
  • FSCTL_REQUEST_FILTER_OPLOCK
  • FSCTL_FILESYSTEM_GET_STATISTICS
  • FSCTL_GET_NTFS_VOLUME_DATA
  • FSCTL_GET_NTFS_FILE_RECORD
  • FSCTL_GET_VOLUME_BITMAP
  • FSCTL_GET_RETRIEVAL_POINTERS
  • FSCTL_MOVE_FILE
  • FSCTL_IS_VOLUME_DIRTY
  • FSCTL_ALLOW_EXTENDED_DASD_IO
  • FSCTL_READ_PROPERTY_DATA
  • FSCTL_WRITE_PROPERTY_DATA
  • FSCTL_FIND_FILES_BY_SID
  • FSCTL_DUMP_PROPERTY_DATA
  • FSCTL_SET_OBJECT_ID
  • FSCTL_GET_OBJECT_ID
  • FSCTL_DELETE_OBJECT_ID
  • FSCTL_SET_REPARSE_POINT
  • FSCTL_GET_REPARSE_POINT
  • FSCTL_DELETE_REPARSE_POINT
  • FSCTL_ENUM_USN_DATA
  • FSCTL_SECURITY_ID_CHECK
  • FSCTL_READ_USN_JOURNAL
  • FSCTL_SET_OBJECT_ID_EXTENDED
  • FSCTL_CREATE_OR_GET_OBJECT_ID
  • FSCTL_SET_SPARSE
  • FSCTL_SET_ZERO_DATA
  • FSCTL_QUERY_ALLOCATED_RANGES
  • FSCTL_ENABLE_UPGRADE
  • FSCTL_SET_ENCRYPTION
  • FSCTL_ENCRYPTION_FSCTL_IO
  • FSCTL_WRITE_RAW_ENCRYPTED
  • FSCTL_READ_RAW_ENCRYPTED
  • FSCTL_CREATE_USN_JOURNAL
  • FSCTL_READ_FILE_USN_DATA
  • FSCTL_WRITE_USN_CLOSE_RECORD
  • FSCTL_EXTEND_VOLUME
  • FSCTL_QUERY_USN_JOURNAL
  • FSCTL_DELETE_USN_JOURNAL
  • FSCTL_MARK_HANDLE
  • FSCTL_SIS_COPYFILE
  • FSCTL_SIS_LINK_FILES
  • FSCTL_HSM_MSG
  • IOCTL_SHADOW_END_REINT
  • IOCTL_GETSHADOW
  • FSCTL_TXFS_LIST_TRANSACTIONS
  • FSCTL_FILE_PREFETCH
  • CSC_FSCTL_OPERATION_QUERY_HANDLE
  • FSCTL_PIPE_DISCONNECT
  • FSCTL_PIPE_ASSIGN_EVENT
  • FSCTL_PIPE_QUERY_EVENT
  • FSCTL_PIPE_LISTEN
  • FSCTL_PIPE_IMPERSONATE
  • FSCTL_PIPE_WAIT
  • FSCTL_QUERY_CLIENT_PROCESS
  • FSCTL_PIPE_SET_CLIENT_PROCESS
  • FSCTL_PIPE_PEEK
  • FSCTL_PIPE_INTERNAL_READ
  • FSCTL_PIPE_INTERNAL_WRITE
  • FSCTL_PIPE_TRANSCEIVE
  • FSCTL_PIPE_INTERNAL_TRANSCEIVE
  • FSCTL_MAILSLOT_PEEK
  • FSCTL_NETWORK_GET_CONNECTION_INFO
  • FSCTL_NETWORK_ENUMERATE_CONNECTIONS
  • FSCTL_NETWORK_DELETE_CONNECTION
  • FSCTL_NETWORK_SET_CONFIGURATION_INFO
  • FSCTL_NETWORK_GET_CONFIGURATION_INFO
  • FSCTL_NETWORK_GET_STATISTICS
  • FSCTL_NETWORK_SET_DOMAIN_NAME
  • FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT
  • IOCTL_MOUNTDEV_QUERY_DEVICE_NAME
  • IOCTL_MOUNTDEV_QUERY_UNIQUE_ID
  • IOCTL_MOUNTDEV_UNIQUE_ID_CHANGE_NOTIFY
  • IOCTL_MOUNTDEV_QUERY_SUGGESTED_LINK_NAME
  • IOCTL_MOUNTDEV_LINK_CREATED
  • IOCTL_MOUNTDEV_LINK_DELETED
  • IOCTL_DISK_GET_DRIVE_GEOMETRY
  • IOCTL_DISK_GET_PARTITION_INFO
  • IOCTL_DISK_SET_PARTITION_INFO
  • IOCTL_DISK_GET_DRIVE_LAYOUT
  • IOCTL_DISK_SET_DRIVE_LAYOUT
  • IOCTL_DISK_VERIFY
  • IOCTL_DISK_FORMAT_TRACKS
  • IOCTL_DISK_REASSIGN_BLOCKS
  • IOCTL_DISK_PERFORMANCE
  • IOCTL_DISK_IS_WRITABLE
  • IOCTL_DISK_LOGGING
  • IOCTL_DISK_FORMAT_TRACKS_EX
  • IOCTL_DISK_HISTOGRAM_STRUCTURE
  • IOCTL_DISK_HISTOGRAM_DATA
  • IOCTL_DISK_HISTOGRAM_RESET
  • IOCTL_DISK_REQUEST_STRUCTURE
  • IOCTL_DISK_REQUEST_DATA
  • IOCTL_DISK_PERFORMANCE_OFF
  • SMART_GET_VERSION
  • SMART_SEND_DRIVE_COMMAND
  • SMART_RCV_DRIVE_DATA
  • IOCTL_DISK_GET_PARTITION_INFO_EX
  • IOCTL_DISK_SET_PARTITION_INFO_EX
  • IOCTL_DISK_GET_DRIVE_LAYOUT_EX
  • IOCTL_DISK_SET_DRIVE_LAYOUT_EX
  • IOCTL_DISK_CREATE_DISK
  • IOCTL_DISK_GET_LENGTH_INFO
  • IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
  • IOCTL_DISK_REASSIGN_BLOCKS_EX
  • IOCTL_DISK_UPDATE_DRIVE_SIZE
  • IOCTL_DISK_GROW_PARTITION
  • IOCTL_DISK_GET_CACHE_INFORMATION
  • IOCTL_DISK_SET_CACHE_INFORMATION
  • IOCTL_DISK_UPDATE_PROPERTIES
  • IOCTL_DISK_CHECK_VERIFY
  • IOCTL_DISK_MEDIA_REMOVAL
  • IOCTL_DISK_EJECT_MEDIA
  • IOCTL_DISK_LOAD_MEDIA
  • IOCTL_DISK_RESERVE
  • IOCTL_DISK_RELEASE
  • IOCTL_DISK_FIND_NEW_DEVICES
  • IOCTL_DISK_GET_MEDIA_TYPES
  • IOCTL_DISK_QUERY_DEVICE_STATE
  • IOCTL_DISK_QUERY_DISK_SIGNATURE
  • IOCTL_DISK_GET_CLUSTER_INFO
  • IOCTL_DISK_SET_CLUSTER_INFO
  • IOCTL_DISK_GET_DISK_ATTRIBUTES
  • IOCTL_DISK_SET_DISK_ATTRIBUTES
  • IOCTL_STORAGE_CHECK_VERIFY
  • IOCTL_STORAGE_CHECK_VERIFY2
  • IOCTL_STORAGE_MEDIA_REMOVAL
  • IOCTL_STORAGE_EJECT_MEDIA
  • IOCTL_STORAGE_LOAD_MEDIA
  • IOCTL_STORAGE_LOAD_MEDIA2
  • IOCTL_STORAGE_RESERVE
  • IOCTL_STORAGE_RELEASE
  • IOCTL_STORAGE_FIND_NEW_DEVICES
  • IOCTL_STORAGE_EJECTION_CONTROL
  • IOCTL_STORAGE_MCN_CONTROL
  • IOCTL_STORAGE_GET_MEDIA_TYPES
  • IOCTL_STORAGE_GET_MEDIA_TYPES_EX
  • IOCTL_STORAGE_GET_MEDIA_SERIAL_NUMBER
  • IOCTL_STORAGE_GET_HOTPLUG_INFO
  • IOCTL_STORAGE_SET_HOTPLUG_INFO
  • IOCTL_STORAGE_RESET_BUS
  • IOCTL_STORAGE_RESET_DEVICE
  • IOCTL_STORAGE_BREAK_RESERVATION
  • IOCTL_STORAGE_PERSISTENT_RESERVE_IN
  • IOCTL_STORAGE_PERSISTENT_RESERVE_OUT
  • IOCTL_STORAGE_GET_DEVICE_NUMBER
  • IOCTL_STORAGE_PREDICT_FAILURE
  • IOCTL_STORAGE_READ_CAPACITY
  • IOCTL_STORAGE_QUERY_PROPERTY
  • IOCTL_STORAGE_QUERY_DEPENDENT_DISK
  • IOCTL_VOLUME_GET_GPT_ATTRIBUTES
  • IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS
  • IOCTL_SCSI_PASS_THROUGH
  • IOCTL_SCSI_PASS_THROUGH_DIRECT
  • IOCTL_SCSI_GET_ADDRESS
  • IOCTL_SCSI_GET_DUMP_POINTERS
  • IOCTL_SCSI_FREE_DUMP_POINTERS
  • IOCTL_CDROM_GET_CONFIGURATION
  • IOCTL_CDROM_CHECK_VERIFY
  • IOCTL_CDROM_MEDIA_REMOVAL
  • IOCTL_CDROM_EJECT_MEDIA
  • IOCTL_CDROM_LOAD_MEDIA
  • FSCTL_LMR_START
  • FSCTL_LMR_STOP
  • FSCTL_LMR_BIND_TO_TRANSPORT
  • FSCTL_LMR_UNBIND_FROM_TRANSPORT
  • FSCTL_LMR_ENUMERATE_TRANSPORTS
  • FSCTL_LMR_GET_HINT_SIZE
  • FSCTL_LMR_FORCE_DISCONNECT
  • FSCTL_LMR_TRANSACT
  • FSCTL_LMR_ENUMERATE_PRINT_INFO
  • FSCTL_LMR_START_SMBTRACE
  • FSCTL_LMR_END_SMBTRACE
  • FSCTL_LMR_START_RBR
  • FSCTL_LMR_SET_SERVER_GUID
  • FSCTL_LMR_QUERY_TARGET_INFO
  • FSCTL_LMR_QUERY_DEBUG_INFO
  • IOCTL_LMR_LWIO_PREIO
  • IOCTL_LMR_LWIO_POSTIO
  • IOCTL_LMR_DISABLE_LOCAL_BUFFERING
  • IOCTL_LMR_QUERY_REMOTE_SERVER_NAME
  • IOCTL_SMBMRX_START
  • IOCTL_SMBMRX_STOP
  • IOCTL_SMBMRX_GETSTATE
  • IOCTL_SMBMRX_ADDCONN
  • IOCTL_SMBMRX_DELCONN
  • IOCTL_UMRX_RELEASE_THREADS
  • IOCTL_UMRX_GET_REQUEST
  • IOCTL_UMRX_RESPONSE_AND_REQUEST
  • IOCTL_UMRX_RESPONSE
  • IOCTL_UMRX_GET_LOCK_OWNER
  • IOCTL_UMRX_PREPARE_QUEUE
  • FSCTL_DFS_TRANSLATE_PATH
  • FSCTL_DFS_GET_REFERRALS
  • FSCTL_DFS_REPORT_INCONSISTENCY
  • FSCTL_DFS_IS_SHARE_IN_DFS
  • FSCTL_DFS_IS_ROOT
  • FSCTL_DFS_GET_VERSION
  • IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES
  • IOCTL_VOLSNAP_RELEASE_WRITES
  • IOCTL_VOLSNAP_PREPARE_FOR_SNAPSHOT
  • IOCTL_VOLSNAP_ABORT_PREPARED_SNAPSHOT
  • IOCTL_VOLSNAP_COMMIT_SNAPSHOT
  • IOCTL_VOLSNAP_END_COMMIT_SNAPSHOT
  • IOCTL_VOLSNAP_QUERY_NAMES_OF_SNAPSHOTS
  • IOCTL_VOLSNAP_CLEAR_DIFF_AREA
  • IOCTL_VOLSNAP_ADD_VOLUME_TO_DIFF_AREA
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA
  • IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA_SIZES
  • IOCTL_VOLSNAP_DELETE_OLDEST_SNAPSHOT
  • IOCTL_VOLSNAP_AUTO_CLEANUP
  • IOCTL_VOLSNAP_DELETE_SNAPSHOT
  • IOCTL_VOLSNAP_QUERY_REVERT
  • IOCTL_VOLSNAP_REVERT_CLEANUP
  • IOCTL_VOLSNAP_REVERT
  • IOCTL_VOLSNAP_QUERY_REVERT_PROGRESS
  • IOCTL_VOLSNAP_CANCEL_REVERT
  • IOCTL_VOLSNAP_QUERY_EPIC
  • IOCTL_VOLSNAP_QUERY_OFFLINE
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA_MINIMUM_SIZE
  • IOCTL_VOLSNAP_QUERY_COPY_FREE_BITMAP
  • IOCTL_VOLSNAP_BLOCK_DELETE_IN_THE_MIDDLE
  • IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE_TEMP
  • IOCTL_VOLSNAP_SET_APPLICATION_FLAGS
  • IOCTL_VOLSNAP_QUERY_APPLICATION_FLAGS
  • IOCTL_VOLSNAP_SET_BC_FAILURE_MODE
  • IOCTL_VOLSNAP_QUERY_PERFORMANCE_COUNTERS
  • IOCTL_VOLSNAP_SET_PRE_COPY_AMOUNTS
  • IOCTL_VOLSNAP_QUERY_PRE_COPY_AMOUNTS
  • IOCTL_VOLSNAP_QUERY_DEFAULT_PRE_COPY_AMOUNTS
  • IOCTL_VOLSNAP_PRE_EXPOSE_DEVICES
  • IOCTL_VOLSNAP_QUERY_ORIGINAL_VOLUME_NAME
  • IOCTL_VOLSNAP_QUERY_CONFIG_INFO
  • IOCTL_VOLSNAP_SET_APPLICATION_INFO
  • IOCTL_VOLSNAP_QUERY_APPLICATION_INFO
  • IOCTL_VOLSNAP_HAS_CHANGED
  • IOCTL_VOLSNAP_SET_SNAPSHOT_PRIORITY
  • IOCTL_VOLSNAP_QUERY_SNAPSHOT_PRIORITY
  • IOCTL_VOLSNAP_QUERY_DELTA_BITMAP
  • IOCTL_VOLSNAP_QUERY_SNAPSHOT_SUPPLEMENTAL
  • IOCTL_VOLSNAP_QUERY_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_MOVE_LIST
  • IOCTL_VOLSNAP_QUERY_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_USED_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_DEFRAG_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_FREESPACE_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_HOTBLOCKS_PRE_COPIED_BITMAP
  • IOCTL_VOLSNAP_QUERY_DIFF_AREA_FILE_SIZES
  • FSCTL_REQUEST_OPLOCK
  • FSCTL_GET_BOOT_AREA_INFO
  • FSCTL_CSV_TUNNEL_REQUEST
  • FSCTL_QUERY_FILE_SYSTEM_RECOGNITION
  • FSCTL_CSV_GET_VOLUME_NAME_FOR_VOLUME_MOUNT_POINT
  • FSCTL_CSV_GET_VOLUME_PATH_NAMES_FOR_VOLUME_NAME
  • FSCTL_IS_FILE_ON_CSV_VOLUME
  • FSCTL_CORRUPTION_HANDLING
  • FSCTL_OFFLOAD_READ
  • FSCTL_OFFLOAD_WRITE
  • FSCTL_FILE_LEVEL_TRIM
  • FSCTL_SET_PURGE_FAILURE_MODE
  • FSCTL_QUERY_FILE_LAYOUT
  • FSCTL_IS_VOLUME_OWNED_BYCSVFS
  • FSCTL_GET_INTEGRITY_INFORMATION
  • FSCTL_QUERY_FILE_REGIONS
  • FSCTL_SCRUB_DATA
  • FSCTL_REPAIR_COPIES
  • FSCTL_DISABLE_LOCAL_BUFFERING
  • FSCTL_SET_EXTERNAL_BACKING
  • FSCTL_GET_EXTERNAL_BACKING
  • IOCTL_CHANNEL_GET_SNDCHANNEL
  • (Device:
  • Function:
  • Method:
  • Created
  • DoesNotExist
  • Exists
  • Opened
  • Overwritten
  • Superseded
  • Supersede
  • Create
  • OpenIf
  • Overwrite
  • OverwriteIf
  • Very Low
  • Normal
  • Critical
  • Buffered
  • Non-cached
  • Paging I/O
  • Synchronous
  • Synchronous Paging I/O
  • Case Preserved
  • Case Sensitive
  • Unicode
  • Compression
  • Compressed
  • Named Streams
  • Read Only
  • Object IDs
  • Reparse Points
  • Sparse Files
  • Quotas
  • Transactions
  • 8042 Port
  • Battery
  • Bus Extender
  • Changer
  • Controller
  • Datalink
  • DFS FS
  • DFS Volume
  • Disk FS
  • Fullscreen Video
  • Inport Port
  • Keyboard
  • Mailslot
  • Mass Storage
  • MIDI In
  • MIDI Out
  • Multi-UNC Provider
  • Named Pipe
  • Network Browser
  • Network FS
  • Network Redirector
  • Parallel Port
  • Physical Netcard
  • Printer
  • Scanner
  • Screen
  • Serenum
  • Serial Mouse Port
  • Serial Port
  • Smartcard
  • Streams
  • Tape FS
  • TermSrv
  • Transport
  • Virtual Disk
  • Wave In
  • Wave Out
  • Autogenerated Name
  • Plug and Play
  • Mounted
  • Secure Open
  • Floppy Diskette
  • Remote
  • Removable
  • Virtual
  • Write Once
  • 32 Byte
  • 64 Byte
  • 128 Byte
  • 256 Byte
  • 512 Byte
  • \SystemRoot
  • System32
  • SysWOW64
  • \System32\Drivers\
  • \Device\Mup
  • \Device\Harddisk?\DR?
  • DEVICE_PATH
  • \Device\LanmanRedirector\
  • \Device\Mup\
  • \SystemRoot\
  • SYSTEM\Select
  • Current
  • \REGISTRY\
  • MACHINE
  • \SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT
  • \SOFTWARE\CLASSES
  • \SYSTEM\ControlSet
  • HKLM\System\CurrentControlSet
  • _CLASSES
  • HKCU\Software\Classes
  • Select Remote Computer
  • Software\Classes\
  • shell\open\command
  • "%s" /Run32 /OpenLog "%%1"
  • "%s" /OpenLog "%%1"
  • DefaultIcon
  • "%s",0
  • Mandatory Level
  • Unsupported processor type: %d
  • /originalpath "
  • 64.exe
  • %TEMP%
  • http\shell\open\command
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
  • ProgId
  • \shell\open\command
  • %s "? %s"
  • Process Monitor Error
  • No web browser is configured.
  • &apos;
  • &quot;
  • SeIncreaseBasePriorityPrivilege
  • PROCMON: Terminating due to unexpected socket error
  • The remote system has closed the connection
  • Converting boot-time event data
  • Ntdll.dll
  • Unable to create socket
  • Unable to bind socket
  • Unable to query the port
  • Accept failed
  • Unable to connect to remote system
  • Capture requires 64-bit mode.
  • Process Monitor is already monitoring this system.
  • Capture requires Administrators group membership
  • Another version of the Process Monitor driver is already loaded. A reboot is required to run this version.
  • Unable to load Process Monitor device driver
  • Error enabling capture
  • PROCMON: Error waiting for console connection:
  • PROCMON: already running on this system
  • PROCMON: Unable to load device driver
  • Unable to resolve address for computer '
  • Unable to open connection to '
  • ' on port
  • e\Global??\%c:
  • \Sessions\%d\DosDevices\%08x-%08x\%c:
  • \Device\LanmanRedirector\;
  • \Device\LanmanRedirector\;Z:0000000000000000
  • startime
  • endtime
  • EventTimeStamp
  • StackProcess
  • StackThread
  • Stack1
  • Stack2
  • Stack3
  • Stack4
  • Stack5
  • Stack6
  • Stack7
  • Stack8
  • Stack9
  • Stack10
  • Stack11
  • Stack12
  • Stack13
  • Stack14
  • Stack15
  • Stack16
  • Stack17
  • Stack18
  • Stack19
  • Stack20
  • Stack21
  • Stack22
  • Stack23
  • Stack24
  • Stack25
  • Stack26
  • Stack27
  • Stack28
  • Stack29
  • Stack30
  • Stack31
  • Stack32
  • 0x%08X
  • 0x%llX
  • %03d.%03d.%03d.%03d
  • %02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x
  • "%*hs"
  • "%*ws"
  • MSNT_TcpIpInformation
  • StackWalk
  • LostEvent
  • SendIPV4
  • SendIPV6
  • RecvIPV4
  • RecvIPV6
  • Accept
  • AcceptIPV4
  • AcceptIPV6
  • Connect
  • ConnectIPV4
  • ConnectIPV6
  • Disconnect
  • DisconnectIPV4
  • DisconnectIPV6
  • Reconnect
  • ReconnectIPV4
  • ReconnectIPV6
  • Retransmit
  • RetransmitIPV4
  • RetransmitIPV6
  • TCPCopy
  • TCPCopyIPV4
  • TCPCopyIPV6
  • PROCMON TRACE
  • NT Kernel Logger
  • advapi32.dll
  • Network trace initialization failed: Error %d
  • SYSTEM
  • Filter#
  • Module
  • status
  • Button
  • ResizerClass
  • Unlabeled
  • ThisProperty
  • No events
  • (capture disabled)
  • The current filter excludes all %s events
  • Showing all %s events
  • Showing %s of %s events (%s%%)
  • virtual memory
  • Backed by %s
  • Process Monitor - Sysinternals: www.sysinternals.com
  • FileViewerDialog
  • The file '
  • ' could not be opened
  • Courier New
  • ' could not be read
  • FILE_VIEWER
  • SystemDetailsDialog
  • unknown
  • ProfilingDialog
  • commdlg_ColorOK
  • commdlg_SetRGBColor
  • SELECTHIGHLIGHTCOLORS
  • ModulePropertiesDialog
  • Filter %d
  • Replace existing filter '
  • SAVE_FILTER
  • Procmon Filter (*.PMF)
  • Error writing filter file
  • Error reading filter file
  • A filter by that name already exists. Do you want to overwrite it?
  • Device Path
  • User Path
  • DevicePathDialog
  • DevicePathColumns
  • Event Count
  • Event Bytes
  • Pending Events
  • Process Count
  • Dictionary Count
  • Icon Count
  • Commited
  • BackingFileDialog
  • BackingFileColumns
  • ProcMon load: %.2f%% @ p%d (%s bytes pending)
  • MB available)
  • Procmon Log (*.PML)
  • Please provide a path to the backing file.
  • Your changes will take affect the next time you begin capturing a new log.
  • Address
  • (Running)
  • MODULE_PROPERTIES
  • Description:
  • Company:
  • Modules:
  • CONTEXT_STACKTRACE
  • PropertySheetDialog
  • Event Properties
  • PROP_EVENT
  • PROP_PROCESS
  • PROP_STACKTRACE
  • PROPERTIES
  • Column
  • Relation
  • Action
  • FilterControlColumns
  • FILTER_CONTROL
  • FilterDialog
  • You did not add the item you were editing. Add it now?
  • HighlightDialog
  • PreviousFilterItem
  • UniqueDialog
  • OccurrencesDialog
  • OccurrencesColumns
  • %Iu items
  • Kernel CPU;%
  • Total CPU;%
  • File Bytes
  • File Operations
  • Registry Operations
  • Network Bytes
  • Network Operations
  • Working Set Bytes
  • Process Timeline -
  • ProcessTimelineDialog
  • /second
  • Process Name
  • File Events
  • File I/O Bytes
  • Registry Events
  • Network Events
  • Working Set Peak
  • ProcessActivitySummaryDialog
  • ProcessSummaryColumns2
  • PROCESS_TIMELINE
  • File Time
  • Total Events
  • Closes
  • Writes
  • Read Bytes
  • Write Bytes
  • Get ACL
  • Set ACL
  • Extension
  • By Path
  • By Folder
  • By Extension
  • FileSummaryColumns
  • FileSummaryColumns.ByFolder
  • FileSummaryColumns.ByExtension
  • FileSummaryDialog
  • <none>
  • <Total>
  • %Iu file paths
  • Registry Time
  • RegistrySummaryDialog
  • RegistrySummaryColumns
  • Network Time
  • Connects
  • Disconnects
  • Receives
  • Send Bytes
  • Receive Bytes
  • NetworkSummaryDialog
  • NetworkSummaryColumns
  • % Count
  • % Time
  • Location
  • StackSummaryDialog
  • StackSummaryColumns
  • Adding items
  • Unable to locate associated event in the visible items
  • Writers
  • Readers
  • CrossReferenceSummaryDialog
  • CrossReferenceSummaryColumns
  • HistoryDepthDialog
  • History depth must be 1-
  • %s (%s)
  • <graph>
  • <undefined>
  • ProcessTreeDialog
  • Process Tree -
  • Process Tree
  • Image Path
  • Life Time
  • Command
  • Start Time
  • End Time
  • ProcessTreeColumns
  • ProcessTree.ShowRunningOnly
  • ProcessTree.ShowAllHistory
  • CONTEXT_PROCESSTREE
  • : The operation was cancelled
  • : There are no items to be saved
  • : The selected file is not writable
  • : The disk is full, or an internal size limit was exceeded
  • : An error occurred saving the data
  • : The operation was successful
  • SaveDialog
  • Logfile
  • Procmon Log (*.PML)
  • Text File (*.CSV)
  • XML File (*.XML)
  • You must supply a path
  • already exists.
  • Do you want to replace it?
  • Error Saving File
  • Log files must be native Process Monitor log files with a .pml extension.
  • The specified log file does not exist.
  • There %s %Id additional file%s associated with this log. Do you wish to open all files?
  • \SystemRoot
  • <remote boot-log>
  • Procmon Log (*.PML,*.PMB)
  • *.PML;*.PMB
  • The log of boot-time activity created by a previous instance of Process Monitor is incomplete and cannot be read.
  • A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?
  • Bootlog.pml
  • Unable to create the requested PML file
  • An error occurred processing the boot-time data
  • Include '
  • Exclude '
  • Highlight '
  • Copy '
  • Edit Filter '
  • Exclude Events Before
  • Exclude Events After
  • MainWindow
  • ToolbarWindow32
  • (not found)
  • commdlg_FindReplace
  • CONTEXT_HEADER
  • Highlight
  • Unable to determine process ID for selected window
  • A system or application resource limit has been exceeded
  • that prevents Process Monitor from capturing additional events.
  • Cannot find string "
  • Bookmarks are not enabled because the file is read-only.
  • No more bookmarks
  • PROFILING_OPTIONS
  • COLUMNCHOOSER
  • Jump not implemented for this event class
  • FILTER
  • No filter rules are currently defined
  • ORGANIZE_FILTERS
  • HIGHLIGHT
  • HISTORY_DEPTH
  • SYSTEM_DETAILS
  • There are no events in the trace
  • UNIQUE
  • OCCURRENCES
  • PROCESS_TREE
  • PROCESS_SUMMARY
  • FILE_SUMMARY
  • REGISTRY_SUMMARY
  • NETWORK_SUMMARY
  • STACK_SUMMARY
  • CROSS_REFERENCE_SUMMARY
  • SYMBOLCONFIG
  • No more highlights
  • \procmon.chm
  • %s:Zone.Identifier
  • Unable to open help file
  • ABOUTBOX
  • BACKINGFILE
  • ProcmonConfiguration.pmc
  • Procmon Configuration (*.PMC)
  • The selected file cannot be opened
  • DISCONNECTING
  • Unable to enable capturing of events.
  • <remote system root>
  • <remote computer name>
  • MAIN_MENU
  • PROCMON_WINDOW_CLASS
  • Out of memory: Unable to allocate a memory block of size %Iu
  • Software\Microsoft\Windows NT\CurrentVersion
  • Kernel32.dll
  • OpenLog
  • Terminate
  • WaitForIdle
  • SaveAs
  • SaveAs1
  • SaveAs2
  • SaveApplyFilter
  • EnableBootLogging
  • ConvertBootLog
  • LoadConfig
  • NoFilter
  • BackingFile
  • OriginalPath
  • PagingFile
  • NoConnect
  • Client
  • Minimized
  • Runtime
  • ExternalCapture
  • Software\Microsoft\Windows\CurrentVersion\Policies\System
  • EnableLUA
  • Process Monitor must be run from an administrator account.
  • Unable to extract x64 image. Run Process Monitor from a writable directory.
  • Invalid argument:
  • The /SaveAs option is valid only when used with /OpenLog
  • The /SaveApplyFilter option is valid only when used with /SaveAs
  • Procmon was unable to allocate sufficient memory to run.
  • Try increasing the size of your page file.
  • Runtime parameter must be specified in seconds.
  • Runtime parameter must be between 1 and 3600 seconds.
  • SeDebugPrivilege
  • ProcMon Log File
  • ProcMon.Logfile.1
  • Software\Sysinternals\Process Monitor32
  • Software\Sysinternals\Process Monitor
  • The selected configuration file cannot be opened
  • DeviceNameMap
  • Invalid file extension in /SaveAs option
  • The file was not saved.
  • ACCELERATORS
  • FILTER_INIT
  • NT AUTHORITY\SYSTEM
  • REG_NONE
  • REG_SZ
  • REG_EXPAND_SZ
  • REG_BINARY
  • REG_DWORD
  • REG_DWORD_BIG_ENDIAN
  • REG_LINK
  • REG_MULTI_SZ
  • REG_RESOURCE_LIST
  • REG_FULL_RESOURCE_DESCRIPTOR
  • REG_RESOURCE_REQUIREMENTS_LIST
  • REG_QWORD
  • REG_CREATED_NEW_KEY
  • REG_OPENED_EXISTING_KEY
  • <Unknown:
  • Granted Access
  • Hive Path
  • New Name
  • Cached
  • HandleTags
  • UserFlags
  • SubKeys
  • Values
  • KeyWriteTimeInformation
  • KeyWow64FlagsInformation
  • KeySetHandleTagsInformation
  • KeySetInformationClass
  • Wow64Flags
  • Columns
  • ColumnCount
  • ColumnMap
  • DbgHelpPath
  • HighlightFG
  • HighlightBG
  • LogFont
  • BoookmarkFont
  • AdvancedMode
  • Autoscroll
  • HistoryDepth
  • DestructiveFilter
  • AlwaysOnTop
  • ResolveAddresses
  • SourcePath
  • SymbolPath
  • FilterRules
  • HighlightRules
  • %_NT_SYMBOL_PATH%
  • srv*https://msdl.microsoft.com/download/symbols
  • Internal error: Snapshot is already open
  • Unable to open '
  • ' for reading
  • ' is not a valid backing file (truncated)
  • An error occurred attempting to memory map '
  • is not a Process Monitor backing file (signature missing).
  • is not compatible with this version of Process Monitor.
  • was not closed cleanly during capture and is corrupt.
  • must be opened using the 32-bit version of Process Monitor.
  • Run the 32-bit version by specifying the /run32 command-line option.
  • ' is corrupt and cannot be opened.
  • PRIVILEGE NOT HELD
  • INSUFFICIENT SERVER RESOURCES
  • ACCESS VIOLATION
  • THREAD NOT IN PROCESS
  • INSUFFICIENT RESOURCES
  • KEY DELETED
  • IO FAILED
  • REGISTRY CORRUPT
  • NO MEMORY
  • FILE DELETED
  • PATH SYNTAX BAD
  • BAD IMPERSONATION
  • FILES OPEN
  • DEVICE DATA ERROR
  • CRC ERROR
  • NOT IMPLEMENTED
  • EAS NOT SUPPORTED
  • TOO MANY COMMANDS
  • DEVICE NOT CONNECTED
  • NOT SAME DEVICE
  • EA TOO LARGE
  • DATATYPE MISALIGNMENT
  • HIVE UNLOADED
  • FILE INVALID
  • NONEXISTENT EA ENTRY
  • BAD NETWORK NAME
  • INVALID NETWORK RESPONSE
  • NOTIFY ENUM DIR
  • FILE CORRUPT
  • DISK CORRUPT
  • RANGE NOT LOCKED
  • FILE CLOSED
  • DUPLICATE NAME
  • DATA OVERRUN
  • REDIRECTOR NOT STARTED
  • UNSUCCESSFUL
  • NOT FOUND
  • NO MORE MATCHES
  • OBJECT PATH INVALID
  • INFO LENGTH MISMATCH
  • CANNOT IMPERSONATE
  • LOGON FAILURE
  • DOWNGRADE DETECTED
  • INVALID ADDRESS COMPONENT
  • IN PAGE ERROR
  • CANCELLED
  • NO EAS ON FILE
  • EA CORRUPT ERROR
  • QUOTA EXCEEDED
  • NOT SUPPORTED
  • NO MORE FILES
  • BUFFER TOO SMALL
  • NAME INVALID
  • NAME NOT FOUND
  • NOT A DIRECTORY
  • NO SUCH FILE
  • NAME COLLISION
  • NONEXISTENT SECTOR
  • BAD NETWORK PATH
  • PATH NOT FOUND
  • NO SUCH DEVICE
  • END OF FILE
  • NOTIFY CLEANUP
  • CSC OBJECT PATH NOT FOUND
  • BUFFER OVERFLOW
  • OBJECTID NOT FOUND
  • OBJECT TYPE MISMATCH
  • NO MORE ENTRIES
  • ACCESS DENIED
  • SHARING VIOLATION
  • INVALID PARAMETER
  • OPLOCK BREAK IN PROGRESS
  • CANNOT BREAK OPLOCK
  • OPLOCK NOT GRANTED
  • FILE LOCK CONFLICT
  • REPARSE
  • MORE ENTRIES
  • FS DRIVER REQUIRED
  • DELETE PENDING
  • CANNOT DELETE
  • NOT GRANTED
  • IS DIRECTORY
  • ALREADY COMMITTED
  • INVALID EA FLAG
  • INVALID INFO CLASS
  • INVALID HANDLE
  • INVALID DEVICE REQUEST
  • WRONG VOLUME
  • CHILD MUST BE VOLATILE
  • NETWORK ERROR
  • DISCONNECTED
  • DFS UNAVAILABLE
  • LOG FILE FULL
  • INVALID DEVICE STATE
  • NO MEDIA
  • PREDEFINED HANDLE
  • DISK FULL
  • NOT EMPTY
  • NOT REPARSE POINT
  • MEDIA WRITE PROTECTED
  • CANNOT MAKE
  • INVALID PARAMETER 1
  • INVALID PARAMETER 2
  • INVALID PARAMETER 3
  • INVALID PARAMETER 4
  • E_WRONG_PRINCIPAL
  • INVALID LEVEL
  • OPLOCK SWITCHED TO NEW HANDLE
  • OPLOCK HANDLE CLOSED
  • WAIT FOR OPLOCK
  • DEVICE FEATURE NOT SUPPORTED
  • INVALID TRANSACTION
  • CANNOT EXECUTE FILE IN TRANSACTION
  • SPARSE NOT ALLOWED IN TRANSACTION
  • TRANSACTED MAPPING UNSUPPORTED REMOTE
  • TRANSACTIONAL OPEN NOT ALLOWED
  • EFS NOT ALLOWED IN TRANSACTION
  • FILE LOCKED WITH ONLY READERS
  • FILE LOCKED WITH WRITERS
  • TRANSACTIONAL CONFLICT
  • TRANSACTION_NOT_ACTIVE
  • INSTANCE NOT AVAILABLE
  • PIPE NOT AVAILABLE
  • INVALID PIPE STATE
  • PIPE BUSY
  • PIPE DISCONNECTED
  • PIPE CLOSING
  • PIPE CONNECTED
  • PIPE LISTENING
  • INVALID READ MODE
  • FILE SYSTEM LIMITATION
  • PIPE EMPTY
  • PIPE BROKEN
  • IO TIMEOUT
  • PATH NOT COVERED
  • FAST IO DISALLOWED
  • IO DEVICE ERROR
  • CANT WAIT
  • USER MAPPED FILE
  • USER SESSION DELETED
  • LOGIN WKSTA RESTRICTION
  • STATUS_OFFLOAD_READ_FLT_NOT_SUPPORTED
  • STATUS_OFFLOAD_WRITE_FLT_NOT_SUPPORTED
  • OFFLOAD READ FILE NOT SUPPORTED
  • _NT_SYMBOL_PATH
  • ntoskrnl.exe
  • Ntkrnlmp.exe
  • ntkrnlpa.exe
  • Ntkrpamp.exe
  • Loading symbol module for
  • Loading symbols for
  • Retrieving function names for
  • Retrieving source path for
  • Configure the symbol engine for symbols
  • Resolving symbols...
  • http://www.microsoft.com/whdc/devtools/debugging/default.mspx
  • Software\Microsoft\DebuggingTools
  • Windbg
  • DbgHelp.dll
  • %ProgramFiles%\Debugging Tools for Windows (x64)\dbghelp.dll
  • C:\Debuggers\dbghelp.dll
  • \dbghelp.dll
  • dbghelp.dll
  • imagehlp.dll
  • %PATH%
  • Specify dbghelp.dll...
  • Dbghelp DLL (dbghelp.dll)
  • Browse for Symbols Directory
  • Browse for Source Directory
  • The DLL you specified is not a valid Dbghelp DLL.
  • SYMBOLCONFIGWARNING
  • \StringFileInfo\%04X%04X\%s
  • \VarFileInfo\Translation
  • FileDescription
  • user32.dll
  • ERROR : Unable to initialize critical section in CAtlBaseModule
  • mscoree.dll
  • combase.dll
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • January
  • February
  • August
  • September
  • October
  • November
  • December
  • MM/dd/yy
  • dddd, MMMM dd, yyyy
  • HH:mm:ss
  • - floating point support not loaded
  • - not enough space for arguments
  • - not enough space for environment
  • - abort() has been called
  • - not enough space for thread data
  • - unexpected multithread lock error
  • - unexpected heap error
  • - unable to open console device
  • - not enough space for _onexit/atexit table
  • - pure virtual function call
  • - not enough space for stdio initialization
  • - not enough space for lowio initialization
  • - unable to initialize heap
  • - CRT not initialized
  • - Attempt to initialize the CRT more than once.
  • This indicates a bug in your application.
  • - not enough space for locale information
  • - Attempt to use MSIL code from this assembly during native code initialization
  • This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
  • - inconsistent onexit begin-end variables
  • DOMAIN error
  • SING error
  • TLOSS error
  • runtime error
  • Runtime Error!
  • Program:
  • <program name unknown>
  • Microsoft Visual C++ Runtime Library
  • (null)
  • CONIN$
  • UTF-16LE
  • UNICODE
  • zh-CHS
  • az-AZ-Latn
  • uz-UZ-Latn
  • kok-IN
  • syr-SY
  • div-MV
  • quz-BO
  • sr-SP-Latn
  • az-AZ-Cyrl
  • uz-UZ-Cyrl
  • quz-EC
  • sr-SP-Cyrl
  • quz-PE
  • smj-NO
  • bs-BA-Latn
  • smj-SE
  • sr-BA-Latn
  • sma-NO
  • sr-BA-Cyrl
  • sma-SE
  • sms-FI
  • smn-FI
  • zh-CHT
  • az-az-cyrl
  • az-az-latn
  • bs-ba-latn
  • div-mv
  • kok-in
  • quz-bo
  • quz-ec
  • quz-pe
  • sma-no
  • sma-se
  • smj-no
  • smj-se
  • smn-fi
  • sms-fi
  • sr-ba-cyrl
  • sr-ba-latn
  • sr-sp-cyrl
  • sr-sp-latn
  • syr-sy
  • uz-uz-cyrl
  • uz-uz-latn
  • zh-chs
  • zh-cht
  • USER32.DLL
  • CONOUT$
  • ACCELERATORS
  • MAIN_MENU
  • CONTEXT_HEADER
  • CONTEXT_PROCESSTREE
  • ABOUTBOX
  • COLUMNCHOOSER
  • FILTER
  • SYMBOLDBGHELPGWARNING
  • SYMBOLCONFIGWARNING
  • SYMBOLCONFIG
  • PROP_STACKTRACE
  • BACKINGFILE
  • PROPERTIES
  • PROP_PROCESS
  • HISTORY_DEPTH
  • UNIQUE
  • FILTER_CONTROL
  • HIGHLIGHT
  • SELECTHIGHLIGHTCOLORS
  • MODULE_PROPERTIES
  • SAVE_FILTER
  • ORGANIZE_FILTERS
  • PROP_EVENT
  • PROGRESS
  • OCCURRENCES
  • PROCESS_SUMMARY
  • FILE_SUMMARY
  • FILTER_INIT
  • REGISTRY_SUMMARY
  • STACK_SUMMARY
  • PROFILING_OPTIONS
  • DEVICE_PATH
  • PROCESS_TREE
  • FILE_VIEWER
  • CROSS_REFERENCE_SUMMARY
  • PROCESS_TIMELINE
  • SYSTEM_DETAILS
  • NETWORK_SUMMARY
  • DISCONNECTING
  • BOOTLOG_OPTIONS
  • SPLITTER_CURSOR
  • BINRES
  • RCDRIVERNT
  • &Open...
  • Ctrl+O
  • &Save...
  • Ctrl+S
  • Backing Files...
  • &Capture Events
  • Ctrl+E
  • Export Configuration...
  • Import Configuration...
  • Ctrl+C
  • &Find...
  • Ctrl+F
  • Find &Highlight
  • Find &Bookmark
  • &Auto Scroll
  • Ctrl+A
  • C&lear Display
  • Ctrl+X
  • E&vent
  • Properties...
  • Ctrl+P
  • Stac&k...
  • Ctrl+K
  • Toggle &Bookmark
  • Ctrl+B
  • Jump To...
  • Ctrl+J
  • Search Online...
  • Include
  • IncludeDummy
  • Exclude
  • ExcludeDummy
  • Highlight
  • HighlightDummy
  • Fi&lter
  • Enable &Advanced Output
  • Filter...
  • Ctrl+L
  • Reset Filter
  • Ctrl+R
  • Load Filter
  • LoadFilterDummy
  • Save Filter...
  • Organize Filters...
  • Drop Filtered Events
  • Highlight...
  • Ctrl+H
  • &Tools
  • System Details...
  • Process Tree...
  • Ctrl+T
  • Process Activity Summary...
  • File Summary...
  • Registry Summary...
  • Stack Summary...
  • Network Summary...
  • Cross Reference Summary...
  • Count Occurrences...
  • &Options
  • Always on &Top
  • Fo&nt...
  • Highlight &Colors...
  • &Configure Symbols...
  • &Select Columns...
  • &History Depth...
  • &Profiling Events...
  • Enable &Boot Logging
  • Show &Resolved Network Addresses
  • Ctrl+N
  • Hex File &Offsets and Lengths
  • He&x Process and Thread IDs
  • &Help...
  • Command Line Options...
  • &About...
  • Properties...
  • Search Online...
  • View Source...
  • Context Menu
  • &Select Columns...
  • Context Menu
  • &Go To Event
  • &Add process to Include filter
  • Add process and &children to Include filter
  • VS_VERSION_INFO
  • StringFileInfo
  • 040904b0
  • CompanyName
  • Sysinternals - www.sysinternals.com
  • FileDescription
  • Process Monitor
  • FileVersion
  • InternalName
  • Process Monitor
  • LegalCopyright
  • Copyright
  • 1996-2018 Mark Russinovich
  • OriginalFilename
  • Process Monitor
  • ProductName
  • Sysinternals Procmon
  • ProductVersion
  • VarFileInfo
  • Translation
  • About Process Monitor
  • MS Shell Dlg
  • Process Monitor v
  • Sysinternals - www.sysinternals.com
  • Copyright
  • 1996-2013 Mark Russinovich
  • Process Monitor Column Selection
  • MS Shell Dlg
  • Cancel
  • Select columns to appear in the Process Monitor window:
  • Application Details
  • Process Name
  • Image Path
  • Command Line
  • Company Name
  • Description
  • Version
  • Architecture
  • Event Details
  • Sequence Number
  • Event Class
  • Operation
  • Date &&Time
  • Time of Day
  • Category
  • Detail
  • Result
  • Relative Time
  • Duration
  • Process Management
  • User Name
  • Session ID
  • Authentication ID
  • Integrity
  • Process ID
  • Thread ID
  • Parent PID
  • Virtualized
  • Completion Time
  • Process Monitor Filter
  • MS Shell Dlg
  • &Cancel
  • A&pply
  • Display entries matching these conditions:
  • Process Monitor Warning
  • MS Shell Dlg
  • Symbols are not currently configured.
  • You must configure symbols in order to view thread stack information.
  • Install the
  • Microsoft Debugging Tools for Windows
  • and configure a symbol server
  • address in the Options|Configure Symbols dialog for the best symbol support.
  • Process Monitor Warning
  • MS Shell Dlg
  • The version of Dbghelp.dll configured does not support the Microsoft Symbol Server.
  • Microsoft Debugging Tools for Windows
  • version that does.
  • Please download and install the
  • to get a
  • Configure Symbols
  • MS Shell Dlg
  • Cancel
  • DbgHelp.dll path (version 6.0 or later):
  • Symbol paths:
  • Process Monitor uses symbols to resolve function names when displaying thread stack locations on the Stack page of an event's properties dialog.
  • If you do not require that information you do not need to configure symbols.
  • Source code paths:
  • When displaying stack traces for modules for which you have both symbols and source code available Process Monitor can let you view the source associated with a stack frame.
  • MS Shell Dlg
  • SysListView32
  • Status...
  • &Properties...
  • &Save...
  • Source...
  • Search...
  • Process Monitor Backing Files
  • MS Shell Dlg
  • Cancel
  • SysListView32
  • Process Monitor can store events in virtual memory (limited by the system commit limit), or in a file you specify (limited by free disk space). Which do you prefer?
  • Use &virtual memory
  • Use file &named:
  • These backing file objects are being used to store event data:
  • Static
  • Static
  • Save To File
  • MS Shell Dlg
  • Cancel
  • All events
  • Events displayed using current filter
  • Highlighted events
  • Events to save:
  • Format:
  • Comma-Separated Values (CSV)
  • Native Process Monitor Format (PML)
  • Extensible Markup Language (XML)
  • Include stack traces (will increase file size)
  • Resolve stack symbols (will be slow)
  • Also include profiling events
  • Properties
  • MS Shell Dlg
  • SysTabControl32
  • Next Highlighted
  • Copy All
  • MS Shell Dlg
  • Version:
  • Command Line:
  • Parent PID:
  • Session ID:
  • Auth ID:
  • Started:
  • Architecture:
  • Virtualized:
  • Integrity:
  • Ended:
  • Modules:
  • SysListView32
  • History Depth
  • MS Shell Dlg
  • Cancel
  • msctls_updown32
  • The history depth limits the total number of events kept during a run.
  • Number of events (millions):
  • Show Unique Values
  • MS Shell Dlg
  • &Save...
  • Column:
  • Double-click an item to filter on that value.
  • &Filter...
  • MS Shell Dlg
  • &Remove
  • SysListView32
  • Process Monitor Highlighting
  • MS Shell Dlg
  • Highlight entries matching these conditions:
  • &Cancel
  • A&pply
  • &Make Filter
  • Choose Highlight Colors
  • MS Shell Dlg
  • &Select
  • &Cancel
  • &Color choices:
  • |S&olid
  • &Green:
  • Bl&ue:
  • &Add to Custom Colors
  • Preview
  • Module Properties
  • MS Shell Dlg
  • Version:
  • Company:
  • Description:
  • Module:
  • Timestamp:
  • Save Filter
  • MS Shell Dlg
  • Cancel
  • Enter a name for the filter:
  • Organize Filters
  • MS Shell Dlg
  • &Rename
  • &Delete
  • Export...
  • Import...
  • MS Shell Dlg
  • Thread:
  • Class:
  • Operation:
  • Result:
  • Duration:
  • Dialog
  • MS Shell Dlg
  • Cancel
  • msctls_progress32
  • Initializing...
  • Count Values Occurrences
  • MS Shell Dlg
  • &Save...
  • Column:
  • SysListView32
  • Double-click an item to filter on that value.
  • &Filter...
  • Static
  • Process Activity Summary
  • MS Shell Dlg
  • &Detail...
  • &Save...
  • Static
  • Processes generating events during trace:
  • Command Line:
  • Started:
  • Ended:
  • Total User CPU:
  • Total Kernel CPU:
  • SysTreeView32
  • File Summary
  • MS Shell Dlg
  • &Save...
  • Static
  • Files accessed during trace:
  • SysTabControl32
  • Filter...
  • Process Monitor Usage
  • MS Shell Dlg
  • Command line arguments:
  • /OpenLog <PML file>
  • /BackingFile <PML file>
  • /NoConnect
  • /NoFilter
  • /AcceptEula
  • /Profiling
  • Open a previously saved event file
  • Save events in the specified backing file
  • Don't automatically begin collecting events at start up
  • Clear the filter at start up
  • Accept the EULA automatically (don't show a dialog)
  • Enable the thread profiling feature
  • /PagingFile
  • Save events in the virtual memory
  • /Minimized
  • /Terminate
  • Start the application minimized
  • Terminate all instances of ProcMon and exit
  • /Quiet
  • Don't confirm filter settings during start up
  • /Run32
  • Run the 32-bit version to load 32-bit log files (x64 only)
  • /WaitForIdle
  • Wait for an instance of ProcMon to become ready
  • /HookRegistry
  • Hook Registry for Softgrid troubleshooting (x86 Vista only)
  • /SaveAs <path>
  • Export to an XML, CSV or PML file
  • /SaveAs1 <path>
  • Export including stack traces (XML only)
  • /SaveAs2 <path>
  • Export including stack traces with symbols (XML only)
  • /LoadConfig <file>
  • Load a previously saved configuration file
  • /SaveApplyFilter
  • Apply current filter before exporting
  • /EnableBootLogging
  • Configures logging of next boot
  • /ConvertBootLog <PML file>
  • Automatically processes a boot log after reboot
  • /Runtime
  • Run for the specified number of seconds and terminate
  • Process Monitor Filter
  • MS Shell Dlg
  • Filters were in effect the last time you exited Process Monitor:
  • Display entries matching these conditions:
  • &Cancel
  • A&pply
  • Registry Summary
  • MS Shell Dlg
  • &Save...
  • SysListView32
  • Static
  • Registry paths accessed during trace:
  • Filter...
  • Stack Summary
  • MS Shell Dlg
  • Stack traces during trace:
  • Static
  • SysTreeView32
  • Go to Event
  • Source...
  • Filter...
  • Thread Profiling Options
  • MS Shell Dlg
  • Cancel
  • Process Monitor can generate thread profiling events that capture the state of all executing threads at a regular interval.
  • Generate thread profiling events
  • Every second
  • Every 100 milliseconds
  • Define Device Path
  • MS Shell Dlg
  • Provide a translation for this device path to the DOS path:
  • Device path:
  • User path:
  • Remove
  • Existing translations:
  • SysListView32
  • Full path:
  • Remove All
  • Process Tree
  • MS Shell Dlg
  • &Close
  • Only show processes still running at end of current trace
  • SysTreeView32
  • Description:
  • Company:
  • Command:
  • Process ID
  • Started:
  • Started
  • Exited:
  • Exited
  • &Go To Event
  • Timelines cover displayed events only
  • &Include Process
  • Include &Subtree
  • File Viewer
  • MS Shell Dlg
  • Cross Reference Summary
  • MS Shell Dlg
  • &Close
  • &Save...
  • SysListView32
  • Static
  • Paths that are written and read between differing processes:
  • &Filter on Row
  • Process Timeline
  • MS Shell Dlg
  • CPU Utilization
  • File I/O Bytes
  • File I/O Operations
  • Registry Operations
  • Private Memory Bytes
  • Memory Working Set
  • 100 MB/sec
  • 100 Operations/sec
  • 100 Operations/sec
  • 100 MB
  • 100 MB
  • Click on a graph to go to the closest event in the trace.
  • Network Bytes
  • Network Operations
  • 100 MB/sec
  • 100 Operations/sec
  • System Details
  • MS Shell Dlg
  • System on which trace was captured:
  • Computer Name:
  • System Root:
  • Operating System:
  • Memory (RAM):
  • System Type:
  • Logical Processors:
  • Network Summary
  • MS Shell Dlg
  • &Save...
  • SysListView32
  • Static
  • Network paths accessed during trace:
  • Filter...
  • Process Monitor
  • MS Shell Dlg
  • Disconnecting from Event Tracing for Windows (ETW). This can take up to a minute.
  • Enable Boot Logging
  • MS Shell Dlg
  • Cancel
  • Process Monitor can generate thread profiling events that capture the state of all running applications at a regular interval.
  • Generate thread profiling events
  • Every second
  • Every 100 milliseconds
  • \SystemRoot\System32\Drivers\
  • \SystemRoot\Procmon.pmb
  • Parameters
  • ThreadProfiling
  • RuntimeSeconds
  • \SystemRoot
  • D:P(A;;GA;;;AU)
  • \device\ProcmonDebugLogger
  • \DosDevices\Global\ProcmonDebugLogger
  • \device\ProcmonExternalLogger
  • \??\ProcmonExternalLoggerEnabled
  • \ProcessMonitor24Port
  • ZwQueryInformationThread
  • SeLocateProcessImageName
  • PsSetCreateProcessNotifyRoutineEx2
  • PsSetCreateThreadNotifyRoutineEx
  • ZwOpenProcessTokenEx
  • 500000
  • (Default)
  • CmRegisterCallback
  • CmRegisterCallbackEx
  • CmUnRegisterCallback
  • CmCallbackGetKeyObjectID
  • IoCreateDeviceSecure
  • IoValidateDeviceIoControlAccess
  • D:P(A;;GA;;;SY)
  • D:P(A;;GA;;;SY)(A;;GA;;;BA)
  • D:P(A;;GA;;;SY)(A;;GRGX;;;BA)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)(A;;GR;;;RC)
  • D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)
  • Properties
  • NoDisplayClass
  • NoUseClass
  • Security
  • DeviceType
  • DeviceCharacteristics
  • Exclusive
  • \Registry\Machine\System\CurrentControlSet\Control\Class
  • {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • <INSUFFICIENT RESOURCES>
  • <INVALID NAME>
  • \Registry
  • VS_VERSION_INFO
  • StringFileInfo
  • 040904b0
  • CompanyName
  • Sysinternals - www.sysinternals.com
  • FileDescription
  • Process Monitor Driver
  • FileVersion
  • InternalName
  • Procmon.sys
  • LegalCopyright
  • Copyright (C) 2006-2014 M. Russinovich
  • OriginalFilename
  • procmon.Sys
  • ProductName
  • Process Monitor
  • ProductVersion
  • VarFileInfo
  • Translation
  • ProcMonDrive
  • ProcMonDrive
  • Legal_Policy_Statement
  • Capture (Ctrl+E)
  • Autoscroll (Ctrl+A)
  • Clear (Ctrl+X)
  • Show Process Tree
  • Filter (Ctrl+L)
  • Find (Ctrl+F)
  • Save (Ctrl+S)
  • High Resolution Date & Time
  • Jump to Object (Ctrl+J)
  • Date & Time
  • Process Name
  • Operation
  • Result
  • Detail
  • Sequence
  • Object Reference
  • Show File System Activity
  • Show Registry Activity
  • Show Network Activity Show Process and Thread Activity
  • Highlight (Ctrl+H)
  • Show Profiling Events
  • Include Process From Window
  • Company
  • Description
  • Command Line
  • Image Path
  • Session
  • Event Complete
  • Image Load
  • Address
  • Relative Time
  • Duration
  • Time of Day
  • Module
  • Location
  • Version
  • Event Class
  • Authentication ID
  • Virtualized
  • Integrity
  • Category
  • Parent PID
  • Architecture
  • Completion Time
  • Procmo
  • Legal_policy_statement
  • Procmo
  • Legal_Policy_Statement

Dropped Files


Name
14dc422082f96f5c_reader_sl.exe.dat
Size
35.7 kB
Type
PE32 executable (GUI) Intel 80386, for MS Windows
MD5
452fa961163ef4aee4815796a13ab2cf
SHA1
225f15c62b396c467623527be89ab0de83d891de
SHA256
14dc422082f96f5c21c41a5e5f6e8445547cc4b02b18f0a86a34669ca2ce18a7
SHA512
37924b9b6bdadd6e1a5cffc239f7bb9d061d8f9e691989ad29e2ed093f277b8aadae12528d0c79ae406c75396664e1629c8d507e3ae0c0d0406d6e03ccefb3e6
Ssdeep
768:hzq2Nr3t0ECteEx+/ewdpgJ1qivypDkmOy3iLL4IbuD:hzX7uEWeEseYGMOy3iLly
Name
60aa70dedb7a7be8_dvasion_exp.dll.dat
Size
2.9 MB
Type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5
5cc8b7a61a989cf0d6ea2d7ca13e2111
SHA1
122d9cd2b632acff207a9c1c4503bb51600a49df
SHA256
60aa70dedb7a7be816118c91459a3e1393e2371017a37d4db2452e3b8d099815
SHA512
57417292a96f862d717273579566a3beda3809162e4be141fe890b5eec29d117f357ee855996bf1175cca4514d95cac6d31129a64f057792f861d30b7a428fdb
Ssdeep
49152:ZjwpWdRbMfxfo006vqod33JYBPlQw0K4Z:upWjQR
Name
881ce21c2380064e_dvasion_exp.exe.dat
Size
3.1 MB
Type
PE32 executable (console) Intel 80386, for MS Windows
MD5
d87a0d617fc12cd1ec6c9f7a1554b044
SHA1
c91e6d492cd9bce6800420e4e0e5bfedcd20b43a
SHA256
881ce21c2380064e8c416a184579ee6dd50e52f3daef066ff4f6aa7c5d8ccebb
SHA512
5840ca2c1793f3f8898589f3cfad7275577dbec54b3c6131c08f92c3a2a8b5e671853ccb4df73da15fe73a7eb5d619bc8e75c3a718c0a8880ea08735013b55b1
Ssdeep
49152:vWiEmG/pKD5z/n4llP4uhxLL+juY7tUuyk1+8uTv:jEmAKD5zQN
Name
9bc7b75bb7f8b0af_drconfiglib.dll.dat
Size
554.0 kB
Type
PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5
c8c7485719a99b8c945a32fcdc3628a1
SHA1
344b832c35d40948e3f52d37223e520f47d4e39b
SHA256
9bc7b75bb7f8b0af07420bd390c2d08ea07142d302217c7bf26cbaffc7d15e74
SHA512
fb47a28662991638ac3df4594b8b33e88ed3631b10fdd5d4310008d30f2423501c8175a8ea8c437b991221108583252652676b00738ea91854ead2cc2043f9b7
Ssdeep
6144:aZhXo3tVpkHvqc2ZJUTjU9wb76GDuAwD+fJbi:Co9VWCc2ZJUT49wb76+uAI+fdi
Name
de055a89de246e62_symsrv.dll
Size
69.3 kB
Type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
MD5
7574cf2c64f35161ab1292e2f532aabf
SHA1
14ba3fa927a06224dfe587014299e834def4644f
SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
Ssdeep
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZL:c8y93KQjy7G55riF1cMo03V
Name
eeb9eee57fc9198c_17e826fa0f6297f80b459948ab12efbdefc06f3cb999184a5cb1eddcf7b7d55064.exe
Size
1.2 MB
Type
PE32+ executable (GUI) x86-64, for MS Windows
MD5
11b0b711d25b7b047f1f7f08de19c102
SHA1
8b298412ec523b7d261b460682688d903a226a89
SHA256
eeb9eee57fc9198c95b8a8a762ffb7d4959363ef2747d3271d53b32c8f7f0e49
SHA512
58c562458795fa7b10d61b186b1c974b224c2eeee1b25d1216b0bc64ccfcc52808506bcfb8589ac7c152772d62ccfd8e2958f41691529e81b7eefc3d93ea6382
Ssdeep
24576:ChXZR0+idPJWRIsBvgBjyTv11f1jPS9ihsljaH7r/+yNl5j:qXvBIsyBjuv11f1jKwsRAVJ

Network


DNS Requests

Domain IP Address Destination Location
www.aieov.com 104.200.23.95 US
5isohu.com Not Available
www.aieov.com 104.200.22.130 US
c.0.f.6.c.9.5.7.7.b.a.3.1.a.c.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa Not Available
6.b.5.c.2.1.1.c.b.f.8.a.c.6.8.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa Not Available
b.9.9.d.c.c.4.4.6.3.a.0.b.4.9.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa Not Available
b.f.8.4.6.b.2.2.6.f.0.a.e.f.1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa Not Available
8.3.5.d.7.b.6.3.e.4.d.2.d.5.0.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa Not Available
3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa Not Available
dns.msftncsi.com 131.107.255.255 US

HTTP Requests

GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com

GET /so.gif HTTP/1.1
Accept: */*
Host: www.aieov.com

Hosts Involved

IP Address Country of Origin
104.200.22.130 US
216.58.205.238 US
104.200.23.95 US

Geolocation

Destination Country


US: 100%