Category	Started On	Completed On	Duration	Cuckoo Version
FILE	2018-05-06 13:37:08.293496	2018-05-06 13:39:07.230642	118 seconds	2.0-dev

Machine	Label	Manager	Started On	Shutdown On
win7cuckoo	win7 Clone 1	VirtualBox	2018-05-06 13:37:08	2018-05-06 13:39:04

File Details

File name

53f65e9613f235458010c3979345c1b8da040871.zip

File size

468261 bytes

File type

Zip archive data, at least v2.0 to extract

CRC32

30121287

MD5

3394c44f7d814072f8aa3c2568c70e3c

SHA1

53f65e9613f235458010c3979345c1b8da040871

SHA256

ee68e5dfebcbe94f61b344252f3729542f0f7c920cd32a613dfdba612be5933e

SHA512

ddbc4d2e9a6575fee1ce498caeee9c1181da52c760dc1f6f86d6243ddedaf54f6aba8a6b35248963a5cf3c12fced9797170a7bd6359fe8fa7a330d36b755591a

Ssdeep

None

PEiD

None matched

Yara

None matched

VirusTotal

Permalink
VirusTotal Scan Date: 2018-04-30 23:21:59
Detection Rate: 1/63 (Expand)

Antivirus	Version	Result
Ad-Aware	3.0.5.370	Clean
AegisLab	4.2	Clean
AhnLab-V3	3.12.1.20782	Clean
Alibaba	1.0	Clean
ALYac	1.1.1.5	Clean
Antiy-AVL	3.0.0.1	Clean
Arcabit	1.0.0.831	Clean
Avast	18.3.3860.0	Clean
Avast-Mobile	180430-02	Clean
AVG	18.3.3860.0	Clean
Avira	8.3.3.6	Clean
AVware	1.5.0.42	Clean
Babable	9107201	Clean
Baidu	1.0.0.2	Clean
BitDefender	7.2	Clean
Bkav	1.3.0.9466	Clean
CAT-QuickHeal	14.00	Clean
ClamAV	0.99.2.0	Clean
CMC	1.1.0.977	Backdoor.Win32.Agent!O
Comodo	28934	Clean
Cylance	2.3.1.101	Clean
Cyren	5.4.30.7	Clean
DrWeb	7.0.28.2020	Clean
Emsisoft	4.0.2.899	Clean
ESET-NOD32	17307	Clean
F-Prot	4.7.1.166	Clean
F-Secure	11.0.19100.45	Clean
Fortinet	5.4.247.0	Clean
GData	A:25.16888B:25.12151	Clean
Ikarus	0.1.5.2	Clean
Invincea	6.3.4.26036	Clean
Jiangmin	16.0.100	Clean
K7AntiVirus	10.45.26988	Clean
K7GW	10.45.26986	Clean
Kaspersky	15.0.1.13	Clean
Kingsoft	2013.8.14.323	Clean
Malwarebytes	2.1.1.1115	Clean
MAX	2017.11.15.1	Clean
McAfee	6.0.6.653	Clean
McAfee-GW-Edition	v2017.2786	Clean
Microsoft	1.1.14800.3	Clean
MicroWorld-eScan	14.0.297.0	Clean
NANO-Antivirus	1.0.106.22618	Clean
nProtect	2018-04-30.02	Clean
Panda	4.6.4.2	Clean
Qihoo-360	1.0.0.1120	Clean
Rising	25.0.0.1	Clean
Sophos	4.98.0	Clean
SUPERAntiSpyware	5.6.0.1032	Clean
Symantec	1.5.0.0	Clean
Tencent	1.0.0.1	Clean
TheHacker	6.8.0.5.2735	Clean
TotalDefense	37.1.62.1	Clean
TrendMicro	10.0.0.1040	Clean
TrendMicro-HouseCall	9.950.0.1006	Clean
VBA32	3.12.28.0	Clean
VIPRE	66350	Clean
ViRobot	2014.3.20.0	Clean
Webroot	1.0.0.403	Clean
Yandex	5.5.1.3	Clean
Zillya	2.0.0.3546	Clean
ZoneAlarm	1.0	Clean
Zoner	1.0	Clean

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1525628401]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

raises_exception details

openprocess_nonchild details

allocates_rwx details

injection_duplicate_handle details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

cc783a04ccbca4ed_setup.tmp

388a796580234efc__setup64.tmp

setup.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

URL	Data
http://armmf.adobe.com/arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi	GET /arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 20 Mar 2018 06:26:21 GMT Range: bytes=4864-11263 User-Agent: Microsoft BITS/7.5 Host: armmf.adobe.com
http://armmf.adobe.com/arm-manifests/win/11/autoupgradeclockstarted.txt	GET /arm-manifests/win/11/autoupgradeclockstarted.txt HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: armmf.adobe.com Connection: Keep-Alive
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3679CA35668772304D30A5FB873B0FA77BB70D54.crt?911320f9b04be75f	GET /msdownload/update/v3/static/trustedr/en/3679CA35668772304D30A5FB873B0FA77BB70D54.crt?911320f9b04be75f HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ctldl.windowsupdate.com
http://armmf.adobe.com/arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi	GET /arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 20 Mar 2018 06:26:21 GMT Range: bytes=16891-23039 User-Agent: Microsoft BITS/7.5 Host: armmf.adobe.com
http://armmf.adobe.com/arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi	HEAD /arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 Host: armmf.adobe.com
http://armmf.adobe.com/arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi	GET /arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 20 Mar 2018 06:26:21 GMT Range: bytes=11264-16890 User-Agent: Microsoft BITS/7.5 Host: armmf.adobe.com
http://armmf.adobe.com/arm-manifests/win/11/autoupgradeeligible.txt	GET /arm-manifests/win/11/autoupgradeeligible.txt HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: armmf.adobe.com Connection: Keep-Alive
http://armmf.adobe.com/arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi	GET /arm-manifests/win/Upgrade/1033/LatestReader11UpgradeManifest.msi HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 20 Mar 2018 06:26:21 GMT Range: bytes=0-4863 User-Agent: Microsoft BITS/7.5 Host: armmf.adobe.com
http://armmf.adobe.com/arm-manifests/win/11/upgradeoffered.txt	GET /arm-manifests/win/11/upgradeoffered.txt HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: armmf.adobe.com Connection: Keep-Alive

Behavior Summary

File-Read

C:\Users\Harry Dresden\AppData\Local\Temp\setup.exe
C:\Users\Harry Dresden\Desktop\BFTplRIYjuyJTNAHb.pptx
C:\Users\Harry Dresden\AppData\Local\Temp\setup.exe
C:\Windows\win.ini

File-Written

C:\Users\Harry Dresden\AppData\Local\Temp\is-PEPEH.tmp\setup.tmp
C:\Users\Harry Dresden\AppData\Local\Temp\is-12M0G.tmp\_isetup\_setup64.tmp

File-Opened

C:\Windows\System32\en-US\netmsg.dll.mui
C:\Users\Harry Dresden\AppData\Local\Temp\setup.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\System32\netmsg.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Harry Dresden\Desktop\BFTplRIYjuyJTNAHb.pptx
C:\Windows\System32\en-US\tzres.dll.mui
C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\WER\ReportArchive
C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\oregres.dll
C:\ProgramData\Microsoft\Windows\WER\ReportArchive
C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui
C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\WER\ERC
C:\Windows\System32\tzres.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\netmsg.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Harry Dresden\AppData\Local\Temp\setup.exe
C:\Windows\win.ini
C:\Windows\System32\en-US\imageres.dll.mui
C:\Windows\System32\en-US\netmsg.dll.mui
C:\Windows\SysWOW64\en-US\shell32.dll.mui
C:\Windows\System32\shell32.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui

Directory-Created

C:\Users\Harry Dresden\AppData\Local\Temp\is-PEPEH.tmp
C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\WER\ERC
C:\Users\Harry Dresden
C:\Users\Harry Dresden\AppData\Local\Temp\is-12M0G.tmp\_isetup
C:\Users\Harry Dresden\AppData\Local\Programs
C:\Users\Harry Dresden\AppData\Local
C:\Users\Harry Dresden\AppData\Local\Programs\Common
C:\Users\Harry Dresden\AppData\Local\Temp\is-12M0G.tmp

Directory-Enumerated

C:\Users\Harry Dresden\AppData\Local\Temp\is-PEPEH.tmp\setup.tmp

Registry Key-Opened

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.101
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}.check.100
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ERC
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{945a8954-c147-4acd-923f-40c45405a658}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}.check.100
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{341CFE70-1D51-4898-9779-76DEBEA64EBC}_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\setup.tmp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\RestartManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\PropertyBag
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{341CFE70-1D51-4898-9779-76DEBEA64EBC}_is1
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\setup.tmp

Registry Key-Read

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Windows\system32\netshell.dll,-1200
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{7007ACC7-3202-11D1-AAD2-00805FC1270E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{26EE0668-A00A-44D7-9371-BEB064C98683}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\InternetSettingsDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NOLEGACYWEBVIEW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NOTAFILESYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NOIPROPERTYSTORE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\SortOrderIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\InProcServer32\LoadWithoutCOM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1806
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\SortOrderIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pptx\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsUniversalDelegate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{2227A280-3AEA-1069-A2DE-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HideOnDesktopPerUser
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}\LastKnownState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\UseDropHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\QueryForOverlay
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{B155BDF8-02F0-451E-9A26-AE317CFD7779}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\CTXMENU_XPQCMFLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\QueryForInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{21EC2020-3AEA-1069-A2DD-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\OTNEEDSSFCACHE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2018
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\Attributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{945a8954-c147-4acd-923f-40c45405a658}\LastKnownState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsFORPARSING
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\LastKnownState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\CTXMENU_NOVERBS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\SortOrderIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\LocalizedString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NEEDSFILESYSANCESTOR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.101\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{35786D3C-B075-49b9-88DD-029876E11C01}\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\System.HideOnDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\InProcServer32\LoadWithoutCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\{28636AA6-953D-11D2-B5D6-00C04FD918D0} 34
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HideInWebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\FriendlyTypeName
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LastQueuePesterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\HideOnDesktopPerUser
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\LocalizedString
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\System.ItemNameDisplay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsUniversalDelegate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018}\LastKnownState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{b155bdf8-02f0-451e-9a26-ae317cfd7779}\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{35786D3C-B075-49B9-88DD-029876E11C01}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\MapNetDriveVerbs
HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\EnableShareDenyNone
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\PINDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\VistaSp1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pptx\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pptx\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\CTXMENU_LIMITEDQI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NO_WEBVIEW
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\NEEDSSTORAGEANCESTOR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\LoadWithoutCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\COCREATESHELLFOLDERONLY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\WantsFORDISPLAY
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1806
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\UNBINDABLE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\System.ItemNameDisplay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\FormatForDisplayHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\SortOrderIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\HideInWebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}\LastKnownState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B155BDF8-02F0-451E-9A26-AE317CFD7779}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Miriam Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Name
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Stream
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E53BE3F2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Roamable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma Armenian
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\David Transparent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Rod Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\FangSong_GB2312
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WaitToKillServiceTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\StreamResource
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Fixed Miriam Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent,0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\Icon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold,0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\KaiTi_GB2312
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}

Registry Key-Written

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\@C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104\CheckSetting
HKEY_CURRENT_USER\Local Settings\MuiCache\4A\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence

Mutex-Accessed

Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\setup.exe" PID: 1320, Parent PID: 572

"C:\Users\HARRYD~1\AppData\Local\Temp\is-PEPEH.tmp\setup.tmp" /SL5="$A016C,248672,57856,C:\Users\Harry Dresden\AppData\Local\Temp\setup.exe" PID: 3476, Parent PID: 1320

C:\Windows\Explorer.EXE PID: 1420, Parent PID: 1404

Volatility

Nothing to display.

Domain	IP Address
armmf.adobe.com	23.46.57.232
dns.msftncsi.com	131.107.255.255
nexusrules.officeapps.live.com	52.109.76.32
teredo.ipv6.microsoft.com	52.52.215.201
nexus.officeapps.live.com	52.109.124.22
ipv6.msftncsi.com
ctldl.windowsupdate.com	104.70.178.58

IP Address
104.75.133.129
137.116.74.190
23.101.14.229
23.99.109.44
52.109.120.17
52.109.120.20
70.186.27.24
70.186.27.9
8.8.8.8