'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2017-11-02 05:32:29.915902 2017-11-02 05:34:20.035072 110 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2017-11-02 05:32:30 2017-11-02 05:34:19

File Details

File name 3598d0e8d9142ab7762ec32077a4479a44dabb6f.exe
File size 1562906 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 08ACEB56
MD5 2a776d745a9f08ffb247c4844f346aeb
SHA1 3598d0e8d9142ab7762ec32077a4479a44dabb6f
SHA256 6df58f5235e1f076ac6189fa844e4a6306628b398d3686ef56ca6d046d589d01
SHA512 88d2297d674a20c8f88bb3dec17bb281b499eab7a3049355d48af909f3010926c0d58dc2937334fde4b5eb454a952a594099b8ee835f4e86009b3353929e2caf
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal Permalink
VirusTotal Scan Date: 2017-11-02 09:31:29
Detection Rate: 6/67 (Expand)

MetaFlows Scores

Metaflows Analysis Results (Signatures=50, Anomalies=0, PEiD=0, Yara=2, VT[1509615277]=100): Snort Events=0, AV Events=0
Total Score=100

Signatures

antivm_queries_computername details
pe_features details
raises_exception details
Roaming_Profile_Modified details
allocates_rwx details
antisandbox_foregroundwindows details
antivm_disk_size details
creates_shortcut details

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

388a796580234efc__setup64.tmp

69ee202870c982c2_3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp

f4eed63b29cc82d9_rgspoxpuhi.lnk

36ffc9de4b2fae70_jtmxdatfaed.lnk

7709c670cacd4a43_rrdzgiwyzm.lnk

9e4d0c53914dfcab_dzyfetarnm.lnk

3770cd76f6973792_unins000.dat

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.exe
  • C:\Users\Harry Dresden\Desktop\jTMxDAtFaeD.pptx
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  • C:\Users\Harry Dresden\Desktop\rgSPoXPUHI.docx
  • C:\Users\desktop.ini
  • C:\Users\Public\desktop.ini
  • C:\Users\Harry Dresden\Desktop\wDTrWkJzQYMG.doc
  • C:\Users\Public\Desktop\desktop.ini
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Users\Harry Dresden\Desktop\ChsqxvuQTNCt.docm
  • C:\Users\Harry Dresden\Desktop\IFfGAgTwtrkneMY.ppt
  • C:\Users\Harry Dresden\AppData\Local\Temp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-65QVV.tmp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-65QVV.tmp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\DzyfeTarNM.lnk
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\rgSPoXPUHI.lnk
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\rrdzgIwyzM.lnk
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\jTMxDAtFaeD.lnk
  • C:\Program Files (x86)\Nutapam\is-I3K6O.tmp
  • C:\Program Files (x86)\Nutapam\is-3792R.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp\_isetup\_setup64.tmp
  • C:\Program Files (x86)\Nutapam\is-HHS6U.tmp
  • C:\Program Files (x86)\Nutapam\is-95T6L.tmp
  • C:\Program Files (x86)\Nutapam\is-EAD7D.tmp
  • C:\Program Files (x86)\Nutapam\is-V5VL4.tmp
  • C:\Program Files (x86)\Nutapam\is-L628V.tmp
  • C:\Program Files (x86)\Nutapam\is-GHQTA.tmp
  • C:\Program Files (x86)\Nutapam\is-RDJVQ.tmp
  • C:\Program Files (x86)\Nutapam\is-SUCM1.tmp
  • C:\Program Files (x86)\Nutapam\is-G645D.tmp
  • C:\Program Files (x86)\Nutapam\is-4PDHD.tmp
  • C:\Program Files (x86)\Nutapam\is-NGSMF.tmp
  • C:\Program Files (x86)\Nutapam\unins000.dat
  • C:\Program Files (x86)\Nutapam\is-CJDBG.tmp
  • C:\Program Files (x86)\Nutapam\is-184UT.tmp
  • C:\Program Files (x86)\Nutapam\is-DJ8F3.tmp
  • C:\Program Files (x86)\Nutapam\is-6RVDV.tmp
  • C:\Program Files (x86)\Nutapam\is-IKF26.tmp
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-65QVV.tmp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp\_isetup\_setup64.tmp
File-Opened
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\System32\en-US\netmsg.dll.mui
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Windows\System32\netmsg.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.exe
  • C:\Python27\
  • C:\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\WER\ReportArchive
  • C:\Users\Harry Dresden\Desktop\rrdzgIwyzM.txt
  • c:\program files (x86)\microsoft office\root\VFS\Windows\installer\{90160000-000f-0000-0000-0000000ff1ce}\pptico.exe
  • C:\Users\Harry Dresden\Desktop
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui
  • C:\Users\Public\Desktop\desktop.ini
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Windows\System32\en-US\tzres.dll.mui
  • C:\Users\Harry Dresden\Desktop\IFfGAgTwtrkneMY.ppt
  • C:\Users
  • C:\Windows\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\Desktop\wDTrWkJzQYMG.doc
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\oregres.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
  • C:\Users\Public
  • c:\program files (x86)\microsoft office\root\VFS\Windows\installer\{90160000-000f-0000-0000-0000000ff1ce}\wordicon.exe
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows
  • C:\Program Files\Windows NT\Accessories\
  • C:\Windows\System32\tzres.dll
  • C:\Program Files (x86)\Microsoft Office\
  • C:\Users\Harry Dresden\Desktop\rgSPoXPUHI.docx
  • C:\Users\desktop.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\431a5b43435cc60b.automaticDestinations-ms
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden
  • C:\Windows\AppPatch\AppPatch64\sysmain.sdb
  • C:\Users\Harry Dresden\Desktop\jTMxDAtFaeD.pptx
  • C:\Program Files (x86)\Microsoft Office\root\Office16\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\WER\ERC
  • C:\Users\Harry Dresden\Desktop\
  • C:\Windows\System32\
  • C:\Users\Public\desktop.ini
  • C:\Program Files (x86)\Microsoft Office\root\
  • C:\Users\Harry Dresden\Desktop\ChsqxvuQTNCt.docm
  • C:\ProgramData\Microsoft\Windows\WER\ReportArchive
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft
  • C:\Users\Harry Dresden\Desktop\DzyfeTarNM.txt
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\
  • C:\Users\Harry Dresden\AppData
  • C:\Windows\System32\imageres.dll
  • C:\
  • C:\Program Files (x86)\Nutapam\is-EAD7D.tmp
  • C:\Program Files (x86)\Nutapam\is-RDJVQ.tmp
  • C:\Windows\System32\en-US\netmsg.dll.mui
  • C:\Program Files (x86)\Nutapam\is-4PDHD.tmp
  • C:\Windows\SysWOW64\en-US\shell32.dll.mui
  • C:\Program Files (x86)\Nutapam\is-HHS6U.tmp
  • C:\Program Files (x86)\Nutapam\is-L628V.tmp
  • C:\Program Files (x86)\Nutapam\is-6RVDV.tmp
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Windows\System32
  • C:\Program Files (x86)\Nutapam\is-3792R.tmp
  • C:\Windows\System32\netmsg.dll
  • C:\Program Files (x86)\Nutapam\is-95T6L.tmp
  • C:\Program Files (x86)\Nutapam\is-V5VL4.tmp
  • C:\Program Files (x86)\Nutapam\is-NGSMF.tmp
  • C:\Program Files (x86)\Nutapam\is-DJ8F3.tmp
  • C:\Program Files (x86)\Nutapam\is-I3K6O.tmp
  • C:\Windows\System32\shell32.dll
  • C:\Program Files (x86)\Nutapam\is-GHQTA.tmp
  • C:\Program Files (x86)\Nutapam\is-SUCM1.tmp
  • C:\Windows\System32\en-US\imageres.dll.mui
  • C:\Program Files (x86)\Nutapam\is-184UT.tmp
  • C:\Program Files (x86)\Nutapam\is-IKF26.tmp
  • C:\Program Files (x86)\Nutapam\is-G645D.tmp
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.exe
  • C:\Program Files (x86)\Nutapam\is-CJDBG.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-65QVV.tmp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-65QVV.tmp
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\WER\ERC
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Recent
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp
  • C:\Users\Harry Dresden\AppData\Local\Programs
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp\_isetup
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Local\Programs\Common
  • C:\Program Files (x86)\Nutapam
Directory-Removed
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-65QVV.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp\_isetup
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp
Directory-Enumerated
  • C:\Program Files (x86)\Nutapam\unins???.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp\_isetup\*
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-65QVV.tmp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\is-H1EJ1.tmp\*
Registry Key-Opened
  • HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  • HKEY_LOCAL_MACHINE\Software\Borland\Locales
  • HKEY_CURRENT_USER\Software\Borland\Locales
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.101
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}.check.100
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ERC
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{945a8954-c147-4acd-923f-40c45405a658}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}.check.100
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101
  • HKEY_CURRENT_USER\Software
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
  • HKEY_LOCAL_MACHINE\Software\Microsoft\RestartManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\PropertyBag
  • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\PropertyBag
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}
  • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\PnpLockdownFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
  • HKEY_LOCAL_MACHINE\Software\Policies
  • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • HKEY_CURRENT_USER\Control Panel\Desktop
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pptx\MRUList
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUList
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IsoBurn\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\accwiz.exe\NoOpenWith
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_CURRENT_USER\Applications\python.exe\shell\open\NeverDefault
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\textfile\AppUserModelID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HideInWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NOLEGACYWEBVIEW
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1A6FDBA2-F42D-4358-A798-B74D745926C5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{3D644C9B-1FB8-4F30-9B45-F670235F79C0}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\LocalizedString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\MRUListEx
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pptx\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBD2C50-62AD-11D0-B806-00C04FD706EC}\UseOutOfProcHandlerCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\CLSID\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}\LastKnownState
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pptx\MajorDoc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
  • HKEY_CURRENT_USER\Applications\python.exe\shell\open\command\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004
  • HKEY_CURRENT_USER\Applications\python.exe\BrowseInPlace
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{054FAE61-4DD8-4787-80B6-090220C4B700}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{2227A280-3AEA-1069-A2DE-08002B30309D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanServer\DefaultSecurity\SrvsvcDefaultShareInfo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{BCB5256F-79F6-4CEE-B725-DC34E402FD46}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\Open\NeverDefault
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\EditFlags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\LastKnownState
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HideInWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\CTXMENU_NOVERBS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\SortOrderIndex
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.doc\shellex\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{2C36C0AA-5812-4B87-BFD0-4CD0DFB19B39}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Administrative Tools
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{E555AB60-153B-4D17-9F04-A5FE99FC15EC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\shell\Open\NeverDefault
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NOTEPAD.EXE\NoOpenWith
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\MajorDoc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\SuppressionPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HasNavigationEnum
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LastQueuePesterTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\EditFlags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Recent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docm\PerceivedType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{b155bdf8-02f0-451e-9a26-ae317cfd7779}\SuppressionPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Templates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\AppUserModelID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Access\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{35786D3C-B075-49B9-88DD-029876E11C01}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\NoFileFolderJunction
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.RTF.8\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\shell\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\System.ItemNameDisplay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NO_WEBVIEW
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\LoadWithoutCOM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Presentation\Microsoft PowerPoint\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Publishing\Microsoft Publisher\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBD2C50-62AD-11D0-B806-00C04FD706EC}\NoOplock
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsFORDISPLAY
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\RestrictedAttributes
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\FormatForDisplayHelper
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\RestrictedAttributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{C870044B-F49E-4126-A9C3-B52A1FF411E8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures
  • HKEY_CURRENT_USER\Applications\python.exe\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wordpad.exe\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NEEDSFILESYSANCESTOR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Contacts\Address Book\Capabilities\Hidden
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pptx\MRUList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wordpad.exe\shell\open\NeverDefault
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NOTEPAD.EXE\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\docxfile\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\OEM Links
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{21EC2020-3AEA-1069-A2DD-08002B30309D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsFORPARSING
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{491E922F-5643-4AF4-A7EB-4E7A138D8174}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\UseDropHandler
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBD2C50-62AD-11D0-B806-00C04FD706EC}\UseInProcHandlerCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NOTAFILESYSTEM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\AppUserModelID
  • HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{F4754C9B-64F5-4B40-8AF4-679732AC0607}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{374DE290-123F-4565-9164-39C4925E467B}
  • HKEY_CURRENT_USER\Applications\python.exe\AlwaysShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rtf\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRUList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.docx
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}.check.100\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\IsShortcut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Templates
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\SendTo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\UseInProcHandlerCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\textfile\shell\open\NeverDefault
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.pptx
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NOTEPAD.EXE\shell\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\CTXMENU_XPQCMFLAGS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\DisableProcessIsolation
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
  • HKEY_CURRENT_USER\*\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\textfile\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\PerceivedType
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Music
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Video
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{945a8954-c147-4acd-923f-40c45405a658}\LastKnownState
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonMusic
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HideInWebView
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\1
  • HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Windows\system32\netshell.dll,-1200
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{A990AE9F-A03B-4E80-94BC-9912D7504104}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{35786D3C-B075-49b9-88DD-029876E11C01}\SuppressionPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\{28636AA6-953D-11D2-B5D6-00C04FD918D0} 34
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\PerceivedType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{64818D10-4F9B-11CF-86EA-00AA00B929E8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Outlook\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HideInWebView
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsFORPARSING
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonPictures
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.RTF.8\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsFORPARSING
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2017
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\NoFileFolderJunction
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HideOnDesktopPerUser
  • HKEY_CURRENT_USER\Applications\python.exe\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\CTXMENU_LIMITEDQI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\LoadWithoutCOM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\SuppressionPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\COCREATESHELLFOLDERONLY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\PinToNameSpaceTree
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018}\LastKnownState
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\System.ItemNameDisplay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\MapNetDriveVerbs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.101\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\SortOrderIndex
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HideInWebView
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} {BB2E617C-0920-11D1-9A0B-00C04FC2D6C1} 0xFFFF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}\LastKnownState
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\FriendlyTypeName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Documents
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}
  • HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1806
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\InternetSettingsDisableNotify
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{56784854-C6CB-462B-8169-88E350ACB882}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\QueryForInfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NOIPROPERTYSTORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{B155BDF8-02F0-451E-9A26-AE317CFD7779}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read\NeverDefault
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\InProcServer32\LoadWithoutCOM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBD2C50-62AD-11D0-B806-00C04FD706EC}\DisableProcessIsolation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{00020906-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HideFolderVerbs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Note Taking\Microsoft OneNote\16.0\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docm\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsAliasedNotifications
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97E467B4-98C6-4F19-9588-161B7773D6F6}\EnableShareDenyNone
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\shell\Open\command\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{2112AB0A-C86A-4FFE-A368-0DE96E47012E}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.doc\PerceivedType
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\docxfile\shell\open\NeverDefault
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ppt\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Administrative Tools
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\KillList
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList\MRUList
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\NetHood
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ppt\shellex\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\NoOplock
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wordpad.exe\NoOpenWith
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pptx\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\DefaultIcon\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\textfile\shell\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{5CE4A5E9-E4EB-479D-B89F-130C02886155}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{DE92C1C7-837F-4F69-A3BB-86E631204A23}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\InProcServer32\LoadWithoutCOM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HideInWebView
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wordpad.exe\shell\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\PINDLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\VistaSp1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003\ProfileImagePath
  • HKEY_CURRENT_USER\Applications\python.exe\NoOpenWith
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HasNavigationEnum
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1806
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{C4900540-2379-4C75-844B-64E6FAF8716B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ppt\PerceivedType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\UseOutOfProcHandlerCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\textfile\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\NoOpenWith
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AutoUpdateDisableNotify
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NOTEPAD.EXE\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HideInWebView
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HideFolderVerbs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kind.Document\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NOTEPAD.EXE\shell\open\NeverDefault
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\NoStaticDefaultVerb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{7007ACC7-3202-11D1-AAD2-00805FC1270E}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\text\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{26EE0668-A00A-44D7-9371-BEB064C98683}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.txt\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\RestrictedAttributes
  • HKEY_CURRENT_USER\Applications\python.exe\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\docxfile\shell\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\PerceivedType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.txt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\SortOrderIndex
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97E467B4-98C6-4F19-9588-161B7773D6F6}\InProcServer32\LoadWithoutCOM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\InProcServer32\LoadWithoutCOM
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\PrintHood
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rtf\PerceivedType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\SortOrderIndex
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HideOnDesktopPerUser
  • HKEY_CURRENT_USER\Applications\python.exe\NoStartPage
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{A75D362E-50FC-4FB7-AC2C-A8BEAA314493}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Spreadsheet\Microsoft Excel\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\System.HideOnDesktop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HideFolderVerbs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUListEx
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97E467B4-98C6-4F19-9588-161B7773D6F6}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Center\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ppt\PerceivedType
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
  • HKEY_CURRENT_USER\Applications\python.exe\shell\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\OTNEEDSSFCACHE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag\PreferredFolder
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Word Processing\Microsoft Word\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docm\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\LocalizedString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\EditFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\MajorDoc
  • HKEY_CURRENT_USER\Applications\python.exe\NeverShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonVideo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HasNavigationEnum
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{859EAD94-2E85-48AD-A71A-0969CB56A6CD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{DEBF2536-E1A8-4C59-B6A2-414586476AEA}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsAliasedNotifications
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}.check.100\CheckSetting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList\a
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList\b
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HideFolderVerbs
  • HKEY_CURRENT_USER\Applications\python.exe\IsHostApp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\UseDropHandler
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\5
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\7
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\EnableShareDenyNone
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\3
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\8
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\NeverDefault
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pptx\PerceivedType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\docxfile\shell\open\command\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pptx\MRUListEx
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NEEDSSTORAGEANCESTOR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wordpad.exe\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\UNBINDABLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\docxfile\AppUserModelID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\RestrictedAttributes
  • HKEY_CURRENT_USER\Applications\python.exe\DocObject
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GWX\Capabilities\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HideInWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Roamable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InitFolderHandler
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\ESCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Cefased.txt
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Roamable
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegFiles0000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\unins000.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Karohafa.pif
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\LocalizedName
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Lofofasekala.com
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RRCount
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\RelativePath
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegProcs0000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Sipokusu
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WaitToKillServiceTimeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Lenunogemi.com
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
  • HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Pobiceka.csv
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\InfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\JSCount
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegSvcs0000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Casateg.mpg
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Somatenopi.csv
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Pogos.msg
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Gomolekalel.jar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Tasipe.odt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Dedikefa
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Pepog.log
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003\ProfileImagePath
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Secor.s
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Icon
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Toralel.csv
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\803391A4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Godap.xml
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Description
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemDrive%\Program Files (x86)\Nutapam\Hadarapoba.msg
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\a
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\10
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\11
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
  • HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\LanguageList
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Clguba27\clguba.rkr
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pptx\MRUListEx
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\3
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUListEx
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12
  • HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pptx\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRUList
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} {BB2E617C-0920-11D1-9A0B-00C04FC2D6C1} 0xFFFF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\MRUListEx
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList\MRUList
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfile
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\8
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\Inno Setup: Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\VersionMinor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\Inno Setup: Icon Group
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\Inno Setup: Setup Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\QuietUninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\VersionMajor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\NoRepair
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\MajorVersion
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\NoModify
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\EstimatedSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\InstallLocation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\Inno Setup: User
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\InstallDate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\DisplayVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\DisplayName
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\Inno Setup: App Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Nutapam_is1\MinorVersion
Mutex-Accessed
  • Global\C::Users:Harry Dresden:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs
  • Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
  • Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.exe" PID: 1216, Parent PID: 748

"C:\Users\HARRYD~1\AppData\Local\Temp\is-65QVV.tmp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.tmp" /SL5="$70180,1309664,121856,C:\Users\Harry Dresden\AppData\Local\Temp\3598d0e8d9142ab7762ec32077a4479a44dabb6f.exe" PID: 3980, Parent PID: 1216

C:\Windows\Explorer.EXE PID: 1420, Parent PID: 1404

Volatility

Nothing to display.