g3log created log at: Thu Aug 09 10:06:53 2018 LOG format: [YYYY/MM/DD hh:mm:ss uuu* LEVEL FILE->FUNCTION:LINE] message (uuu*: microseconds fractions of the seconds value) 2018/08/09 10:06:53 306377 DEBUG [osforensics.cpp->CheckRunInUSBMode:1775] LOGGER NOT INITIALIZED: CheckRunInUSBMode: Not Running from Removable DriveCheckRunInUSBMode: Not Running from Removable Drive 2018/08/09 10:12:53 852579 DEBUG [osforensics.cpp->wWinMain:203] DEBUG: Starting... 2018/08/09 10:12:53 852606 DEBUG [osforensics.cpp->wWinMain:209] DEBUG: 2018/8/9, 10:12:53 2018/08/09 10:12:53 852621 DEBUG [osforensics.cpp->wWinMain:213] DEBUG: OSForensics 6.0 build 1004 64-bit 2018/08/09 10:12:53 852744 DEBUG [osforensics.cpp->wWinMain:221] DEBUG OS: Windows 7 Professional Edition Service Pack 1 build 7601 (64-bit) 2018/08/09 10:12:53 852759 DEBUG [osforensics.cpp->wWinMain:223] DEBUG Path: C:\Program Files\OSForensics 2018/08/09 10:12:53 852774 DEBUG [osforensics.cpp->wWinMain:231] Date: 08/09/18 10:12:53 2018/08/09 10:12:53 862055 DEBUG [osforensics.cpp->wWinMain:256] Main: Set security OK 2018/08/09 10:12:53 862130 DEBUG [osforensics.cpp->wWinMain:275] Main: Creating temp folder C:\ProgramData\PassMark\OSForensics\Temp\11652 2018/08/09 10:12:53 867050 DEBUG [osforensics.cpp->wWinMain:284] Main: Regproc check 2018/08/09 10:12:53 979332 DEBUG [osforensics.cpp->wWinMain:298] Main: Available phys mem: 27667103744 2018/08/09 10:12:53 979515 DEBUG [osforensics.cpp->wWinMain:334] Main: Load OSF config 2018/08/09 10:12:53 984631 DEBUG [osforensics.cpp->wWinMain:340] Main: Init OSFMount interface OK 2018/08/09 10:12:53 986020 DEBUG [osforensics.cpp->wWinMain:360] Main: Init direct access OK 2018/08/09 10:12:53 986448 DEBUG [osforensics.cpp->wWinMain:420] Main: Register disk events 2018/08/09 10:12:53 986508 DEBUG [osforensics.cpp->wWinMain:430] Main: init dialog 2018/08/09 10:12:54 000124 DEBUG [cfgmain.cpp->InitCfgMain:252] CfgMain: Creating start window 2018/08/09 10:12:56 442736 DEBUG [cfgmain.cpp->InitCfgMain:254] CfgMain: Creating hash set window 2018/08/09 10:12:56 450420 DEBUG [cfgmain.cpp->InitCfgMain:256] CfgMain: Creating create sig window 2018/08/09 10:12:56 455660 DEBUG [cfgmain.cpp->InitCfgMain:258] CfgMain: Creating compare sig window 2018/08/09 10:12:56 509822 DEBUG [cfgmain.cpp->InitCfgMain:260] CfgMain: Creating hash window 2018/08/09 10:12:56 516442 DEBUG [cfgmain.cpp->InitCfgMain:262] CfgMain: Creating file name search window 2018/08/09 10:12:56 536622 DEBUG [cfgmain.cpp->InitCfgMain:264] CfgMain: Creating mismatch search window 2018/08/09 10:12:56 545232 DEBUG [cfgmain.cpp->InitCfgMain:266] CfgMain: Creating create index window 2018/08/09 10:12:56 553697 DEBUG [cfgmain.cpp->InitCfgMain:268] CfgMain: Creating search index window 2018/08/09 10:12:56 561664 DEBUG [cfgmain.cpp->InitCfgMain:270] CfgMain: Creating recent activity window 2018/08/09 10:12:56 575528 DEBUG [cfgmain.cpp->InitCfgMain:272] CfgMain: Creating deleted file search window 2018/08/09 10:12:56 591470 DEBUG [filecarver.cpp->FileCarver::ParseFileFormats:4055] DEBUG: FileCarving: Parsing File Formats (File: C:\ProgramData\PassMark\OSForensics\osf_filecarve.conf) 2018/08/09 10:12:56 592053 DEBUG [cfgmain.cpp->InitCfgMain:274] CfgMain: Creating mem viewer window 2018/08/09 10:12:56 605918 DEBUG [cfgmain.cpp->InitCfgMain:276] CfgMain: Creating prefetch viewer window 2018/08/09 10:12:56 609629 DEBUG [cfgmain.cpp->InitCfgMain:278] CfgMain: Creating raw disk viewer window 2018/08/09 10:12:56 611176 DEBUG [filecarver.cpp->FileCarver::ParseFileFormats:4055] DEBUG: FileCarving: Parsing File Formats (File: C:\ProgramData\PassMark\OSForensics\osf_filecarve.conf) 2018/08/09 10:12:56 623577 DEBUG [cfgmain.cpp->InitCfgMain:280] CfgMain: Creating sys info window 2018/08/09 10:12:56 629318 DEBUG [cfgmain.cpp->InitCfgMain:282] CfgMain: Creating drive prep window 2018/08/09 10:12:57 747249 DEBUG [cfgmain.cpp->InitCfgMain:284] CfgMain: Creating password window 2018/08/09 10:12:57 751160 DEBUG [cfgcracking.cpp->CrackingWindow::InitWindow:403] Pswd: Creating Passwords & keys tab 2018/08/09 10:12:57 762760 DEBUG [cfgcracking.cpp->CrackingWindow::InitWindow:406] Pswd: Creating Windows Login tab 2018/08/09 10:12:57 773752 DEBUG [cfgcracking.cpp->CrackingWindow::InitWindow:408] Pswd: Initializing rainbow 2018/08/09 10:12:57 775426 DEBUG [main.cpp->initRainbowCrack:151] Rainbow: Loading charsets from C:\ProgramData\PassMark\OSForensics\RainbowTables\charset.txt 2018/08/09 10:12:57 775799 DEBUG [main.cpp->initRainbowCrack:157] Rainbow: Initializing SSL 2018/08/09 10:12:57 775806 DEBUG [main.cpp->initRainbowCrack:159] Rainbow: Initializing SSL 2018/08/09 10:12:57 776013 DEBUG [main.cpp->initRainbowCrack:172] Rainbow: Initializing Rainbow Table 2018/08/09 10:12:57 776020 DEBUG [main.cpp->initRainbowCrack:174] Rainbow: Initializing RainbowTable 2018/08/09 10:12:57 776028 DEBUG [cfgcracking.cpp->CrackingWindow::InitWindow:410] Pswd: Creating Rainbow Generate tab 2018/08/09 10:12:57 806131 DEBUG [cfgcracking.cpp->CrackingWindow::InitWindow:412] Pswd: Creating Rainbow Retrieval tab 2018/08/09 10:12:57 812664 DEBUG [cfgcracking.cpp->CrackingWindow::InitWindow:414] Pswd: Creating Decryption tab 2018/08/09 10:12:57 822447 DEBUG [cfgcracking.cpp->CrackingWindow::InitWindow:416] Pswd: Creating Install PFX tab 2018/08/09 10:12:57 823677 DEBUG [cfgmain.cpp->InitCfgMain:286] CfgMain: Creating forensic imaging window 2018/08/09 10:12:57 855450 DEBUG [cfgmain.cpp->InitCfgMain:288] CfgMain: Creating SQLite browser window 2018/08/09 10:12:57 859343 DEBUG [cfgmain.cpp->InitCfgMain:296] CfgMain: Creating manage case window 2018/08/09 10:12:57 861996 DEBUG [cfgcase.cpp->CaseManagementInitWindow:1353] CaseManagementInitWindow: start 2018/08/09 10:12:57 866606 DEBUG [cfgcase.cpp->initCaseSelectionListWnd:6579] initCaseSelectionListWnd: start 2018/08/09 10:12:57 866901 DEBUG [cfgcase.cpp->initCaseSelectionListWnd:6612] initCaseSelectionListWnd: add mydocs 2018/08/09 10:12:57 869890 DEBUG [cfgcase.cpp->initCaseSelectionListWnd:6616] initCaseSelectionListWnd: add cases 2018/08/09 10:12:57 869982 DEBUG [cfgcase.cpp->initCaseSelectionListWnd:6619] initCaseSelectionListWnd: end 2018/08/09 10:12:57 869985 DEBUG [cfgcase.cpp->initCaseManagementListWnd:6496] initCaseManagementListWnd: start 2018/08/09 10:12:57 870391 DEBUG [cfgcase.cpp->initCaseManagementListWnd:6561] initCaseManagementListWnd: end 2018/08/09 10:12:57 870394 DEBUG [cfgcase.cpp->CaseManagementInitWindow:1387] CaseManagementInitWindow: Open last used case 2018/08/09 10:12:57 953117 DEBUG [zoomsearch.cpp->PrintUserDebug:496] Zoom Search: Cleaning up... 2018/08/09 10:12:57 953124 DEBUG [zoomsearch.cpp->PrintUserDebug:496] Zoom Search: Cleanup finished. 2018/08/09 10:12:59 115364 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\Klaus\Kubrakow\Desktop_Medion.E01 - Title: Desktop_Medion-0 2018/08/09 10:12:59 116135 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\Klaus\Kubrakow\Desktop_Medion.E01 - Title: Desktop_Medion-1 2018/08/09 10:12:59 116719 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\Klaus\Kubrakow\Desktop_Medion.E01 - Title: Desktop_Medion-2 2018/08/09 10:12:59 142159 DEBUG [cfgcase.cpp->CaseManagementInitWindow:1401] CaseManagementInitWindow: end 2018/08/09 10:13:30 060007 DEBUG [zoomsearch.cpp->PrintUserDebug:496] Zoom Search: Cleaning up... 2018/08/09 10:13:30 060015 DEBUG [zoomsearch.cpp->PrintUserDebug:496] Zoom Search: Cleanup finished. 2018/08/09 10:13:31 651254 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\GoersK\90088-2018\Toshiba_Satellite.E01 - Title: Toshiba_Satellite-0 2018/08/09 10:13:31 652856 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\GoersK\90088-2018\Toshiba_Satellite.E01 - Title: Toshiba_Satellite-1 2018/08/09 10:13:31 654694 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\GoersK\90088-2018\Toshiba_Satellite.E01 - Title: Toshiba_Satellite-2 2018/08/09 10:13:31 656500 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\GoersK\90088-2018\Toshiba_Satellite.E01 - Title: Toshiba_Satellite-3 2018/08/09 10:13:31 658177 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\GoersK\90088-2018\Toshiba_Satellite.E01 - Title: Toshiba_Satellite-4 2018/08/09 10:13:31 659964 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\GoersK\90088-2018\Toshiba_Satellite.E01 - Title: Toshiba_Satellite-5 2018/08/09 10:13:31 661646 DEBUG [cfgcase.cpp->CfgCaseAddDevice:1712] CfgCaseAddDevice: Type: 1 - Path: N:\K3\94_31\GoersK\90088-2018\Toshiba_Satellite.E01 - Title: Toshiba_Satellite-6 2018/08/09 10:13:57 430282 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter 2018/08/09 10:13:57 431962 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:538] GetMFTFileInfo(): Read MFT record for $MFT at offset 158330880 2018/08/09 10:13:57 431980 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 435598 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "." (type=3) in FILE_NAME attribute 2018/08/09 10:13:57 437079 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:13:57 437095 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 437152 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \* 2018/08/09 10:13:57 437199 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 437205 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 451665 DEBUG [fileio_direct_fat.cpp->FindFirstFile_direct_FAT:620] FindFirstFile direct FAT enter : 2018/08/09 10:13:57 456295 DEBUG [fat_direct.cpp->Search_directory_FAT_direct:68] Search dir FAT direct enter 2018/08/09 10:13:57 456303 DEBUG [fat_direct.cpp->FATDirTreeBuilder_direct::BuildRootTree_FindFirst:298] BuildRootTree_FindFirst - WARNING root directory cluster is not 2 (6253). 2018/08/09 10:13:57 456308 DEBUG [fat_direct.cpp->FATDirTreeBuilder_direct::BuildDirectory:646] BuildDirectory - Reading dir cluster 6253 at offset 502706176 2018/08/09 10:13:57 466391 DEBUG [fat_direct.cpp->Search_directory_FAT_direct:267] Search dir FAT direct exit 2018/08/09 10:13:57 466397 DEBUG [fileio_direct_fat.cpp->FindFirstFile_direct_FAT:756] FindFirstFile direct FAT exit 2018/08/09 10:13:57 466408 DEBUG [fileio_direct_fat.cpp->FindFirstFile_direct_FAT:620] FindFirstFile direct FAT enter :\* 2018/08/09 10:13:57 466410 DEBUG [fat_direct.cpp->Search_directory_FAT_direct:68] Search dir FAT direct enter \* 2018/08/09 10:13:57 466414 DEBUG [fat_direct.cpp->FATDirTreeBuilder_direct::BuildRootTree_FindFirst:298] BuildRootTree_FindFirst - WARNING root directory cluster is not 2 (6253). 2018/08/09 10:13:57 466417 DEBUG [fat_direct.cpp->FATDirTreeBuilder_direct::BuildDirectory:646] BuildDirectory - Reading dir cluster 6253 at offset 502706176 2018/08/09 10:13:57 466465 DEBUG [fat_direct.cpp->Search_directory_FAT_direct:267] Search dir FAT direct exit 2018/08/09 10:13:57 466469 DEBUG [fileio_direct_fat.cpp->FindFirstFile_direct_FAT:756] FindFirstFile direct FAT exit 2018/08/09 10:13:57 479513 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter 2018/08/09 10:13:57 485091 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:538] GetMFTFileInfo(): Read MFT record for $MFT at offset 790274048 2018/08/09 10:13:57 485103 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 487784 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "." (type=3) in FILE_NAME attribute 2018/08/09 10:13:57 490604 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:13:57 490626 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 490694 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \* 2018/08/09 10:13:57 490704 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 490708 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 504023 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter 2018/08/09 10:13:57 508956 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:538] GetMFTFileInfo(): Read MFT record for $MFT at offset 4100980736 2018/08/09 10:13:57 508965 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 622349 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "." (type=3) in FILE_NAME attribute 2018/08/09 10:13:57 625658 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:13:57 625671 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 625684 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \* 2018/08/09 10:13:57 625697 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 625701 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 635053 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter 2018/08/09 10:13:57 636459 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:538] GetMFTFileInfo(): Read MFT record for $MFT at offset 488803835904 2018/08/09 10:13:57 636469 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 639368 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "." (type=3) in FILE_NAME attribute 2018/08/09 10:13:57 640526 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:13:57 640534 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 640582 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \* 2018/08/09 10:13:57 640623 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 640626 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 653130 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter 2018/08/09 10:13:57 654674 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:538] GetMFTFileInfo(): Read MFT record for $MFT at offset 489495896064 2018/08/09 10:13:57 654684 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 657319 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "." (type=3) in FILE_NAME attribute 2018/08/09 10:13:57 677715 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:13:57 677723 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 677748 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \* 2018/08/09 10:13:57 677763 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 677765 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 690147 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter 2018/08/09 10:13:57 694266 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:538] GetMFTFileInfo(): Read MFT record for $MFT at offset 492961792000 2018/08/09 10:13:57 694276 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 696203 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "." (type=3) in FILE_NAME attribute 2018/08/09 10:13:57 709558 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:13:57 709567 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 712543 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \* 2018/08/09 10:13:57 712557 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:13:57 712560 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:13:57 731213 DEBUG [cfgcase.cpp->EditCaseProc2:7765] DEBUG: Edit Case - Creating Basic Case Data Tab 2018/08/09 10:13:59 290347 DEBUG [cfgcase.cpp->EditCaseProc2:7851] DEBUG: Edit Case - Creating Case Narrative Tab 2018/08/09 10:14:09 881039 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \* 2018/08/09 10:14:09 881141 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 5 (Search string: *) 2018/08/09 10:14:09 881171 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 881369 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Dokumente und Einstellungen\* 2018/08/09 10:14:09 881417 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 232672 (Search string: *) 2018/08/09 10:14:09 901281 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "DOKUME~1" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 901303 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Dokumente und Einstellungen" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 901315 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:778] Search btree direct: Could not find child node (dwRet=2) 2018/08/09 10:14:09 901325 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 913865 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \$Extend\* 2018/08/09 10:14:09 913879 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 11 (Search string: *) 2018/08/09 10:14:09 913885 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "$Extend" (type=3) in FILE_NAME attribute 2018/08/09 10:14:09 913892 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 913900 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 914023 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \$Recycle.Bin\* 2018/08/09 10:14:09 914033 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 98590 (Search string: *) 2018/08/09 10:14:09 917942 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "$Recycle.Bin" (type=0) in FILE_NAME attribute 2018/08/09 10:14:09 917954 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 917960 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 917988 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2498] GetFile - Found ATTRIBUTE_LIST (length=344, # attributes=12) 2018/08/09 10:14:09 917993 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2539] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 6102 (1 found) 2018/08/09 10:14:09 917996 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2554] GetFile - Finished getting ATTRIBUTE_LIST 2018/08/09 10:14:09 921183 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \$SysReset\* 2018/08/09 10:14:09 921197 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 196528 (Search string: *) 2018/08/09 10:14:09 924695 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "$SYSRE~1" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 924704 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "$SysReset" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 933511 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 933521 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 933576 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Documents and Settings\* 2018/08/09 10:14:09 933588 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 340709 (Search string: *) 2018/08/09 10:14:09 944649 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "DOCUME~1" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 944654 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Documents and Settings" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 944658 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:778] Search btree direct: Could not find child node (dwRet=2) 2018/08/09 10:14:09 944660 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 944691 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Intel\* 2018/08/09 10:14:09 944698 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 4931 (Search string: *) 2018/08/09 10:14:09 952417 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Intel" (type=3) in FILE_NAME attribute 2018/08/09 10:14:09 952424 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 952482 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 952543 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \OneDriveTemp\* 2018/08/09 10:14:09 952551 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 191347 (Search string: *) 2018/08/09 10:14:09 955475 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "ONEDRI~1" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 955481 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "OneDriveTemp" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 955486 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 955489 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 955516 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \PerfLogs\* 2018/08/09 10:14:09 955522 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 232304 (Search string: *) 2018/08/09 10:14:09 958217 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "PerfLogs" (type=0) in FILE_NAME attribute 2018/08/09 10:14:09 958223 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:778] Search btree direct: Could not find child node (dwRet=2) 2018/08/09 10:14:09 958226 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 958281 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Program Files\* 2018/08/09 10:14:09 958288 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 232306 (Search string: *) 2018/08/09 10:14:09 958291 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "PROGRA~1" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 958294 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Program Files" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 963683 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 963700 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 963770 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Program Files (x86)\* 2018/08/09 10:14:09 963778 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 235280 (Search string: *) 2018/08/09 10:14:09 971576 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "PROGRA~2" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 971582 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Program Files (x86)" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 977021 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 977039 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 977099 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \ProgramData\* 2018/08/09 10:14:09 977109 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 235794 (Search string: *) 2018/08/09 10:14:09 984665 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "PROGRA~3" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 984671 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "ProgramData" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 990172 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:09 990187 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 990241 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Programme\* 2018/08/09 10:14:09 990249 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 233879 (Search string: *) 2018/08/09 10:14:09 999091 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "PROGRA~4" (type=2) in FILE_NAME attribute 2018/08/09 10:14:09 999097 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Programme" (type=1) in FILE_NAME attribute 2018/08/09 10:14:09 999105 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:778] Search btree direct: Could not find child node (dwRet=2) 2018/08/09 10:14:09 999108 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:09 999146 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Programs\* 2018/08/09 10:14:09 999152 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 50714 (Search string: *) 2018/08/09 10:14:10 005732 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Programs" (type=3) in FILE_NAME attribute 2018/08/09 10:14:10 005737 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 005740 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:10 005780 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Recovery\* 2018/08/09 10:14:10 005784 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 243 (Search string: *) 2018/08/09 10:14:10 008866 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Recovery" (type=3) in FILE_NAME attribute 2018/08/09 10:14:10 008872 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 008875 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:10 008900 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \rei\* 2018/08/09 10:14:10 008905 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 3349 (Search string: *) 2018/08/09 10:14:10 011798 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "rei" (type=3) in FILE_NAME attribute 2018/08/09 10:14:10 016048 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 016056 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:10 016081 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \sources\* 2018/08/09 10:14:10 016086 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 114949 (Search string: *) 2018/08/09 10:14:10 021977 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "sources" (type=3) in FILE_NAME attribute 2018/08/09 10:14:10 021983 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 021986 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:10 022007 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \System Volume Information\* 2018/08/09 10:14:10 022012 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 39 (Search string: *) 2018/08/09 10:14:10 022016 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "SYSTEM~1" (type=2) in FILE_NAME attribute 2018/08/09 10:14:10 022018 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "System Volume Information" (type=1) in FILE_NAME attribute 2018/08/09 10:14:10 026586 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 026595 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:10 026632 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Toshiba\* 2018/08/09 10:14:10 026637 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 6136 (Search string: *) 2018/08/09 10:14:10 026640 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Toshiba" (type=0) in FILE_NAME attribute 2018/08/09 10:14:10 026644 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 026668 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:10 026697 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Users\* 2018/08/09 10:14:10 026700 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 236919 (Search string: *) 2018/08/09 10:14:10 032442 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Users" (type=0) in FILE_NAME attribute 2018/08/09 10:14:10 036633 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 036640 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:10 036679 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\* 2018/08/09 10:14:10 036685 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 237084 (Search string: *) 2018/08/09 10:14:10 041322 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3599] Found directory name "Windows" (type=0) in FILE_NAME attribute 2018/08/09 10:14:10 046249 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:473] Search btree direct: found search directory 2018/08/09 10:14:10 046283 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:24 657586 DEBUG [osfactivitymonitor.cpp->OSFActivityMonitor::StartTask:172] Activity Monitor: Task Started (System Information) 2018/08/09 10:14:24 661855 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::ExecuteAllCmds:3302] SysInfo: System Information collection started on "Toshiba_Satellite-3" 2018/08/09 10:14:24 671651 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::ExecuteAllCmds:3346] SysInfo: Launching internal command "" 2018/08/09 10:14:24 676092 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:26 020010 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:26 047039 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 052820 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 052827 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:26 052829 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:26 055353 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:26 055360 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:26 055365 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:26 055378 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM (Displayname Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM, showDialog 0) 2018/08/09 10:14:26 055383 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:26 055482 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:26 055515 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 055536 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 055538 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:26 055541 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:26 055563 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:26 419423 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord DriverDatabase\DeviceIds\PCI BlockType invalid: \x72\x69 2018/08/09 10:14:26 524725 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3571] RegViewer::AddRegFile finish 2018/08/09 10:14:26 554002 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::ExecuteAllCmds:3346] SysInfo: Launching internal command "" 2018/08/09 10:14:26 556963 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:26 556979 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:26 557017 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 557023 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 557026 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:26 557028 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:26 557059 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:26 557063 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:26 557065 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:26 557075 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM (Displayname Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM, showDialog 0) 2018/08/09 10:14:26 557095 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:26 557123 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:26 557149 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 557153 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 557156 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:26 557175 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:26 557178 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:26 670445 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord DriverDatabase\DeviceIds\PCI BlockType invalid: \x72\x69 2018/08/09 10:14:26 775494 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3571] RegViewer::AddRegFile finish 2018/08/09 10:14:26 804519 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::ExecuteAllCmds:3346] SysInfo: Launching internal command "" 2018/08/09 10:14:26 806993 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:26 807009 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:26 807051 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 807058 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 807085 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:26 807088 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:26 807092 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:26 807116 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:26 807118 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:26 807127 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM (Displayname Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM, showDialog 0) 2018/08/09 10:14:26 807150 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:26 807179 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:26 807205 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 807209 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:26 807211 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:26 807213 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:26 807235 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:26 920043 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord DriverDatabase\DeviceIds\PCI BlockType invalid: \x72\x69 2018/08/09 10:14:27 025338 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3571] RegViewer::AddRegFile finish 2018/08/09 10:14:27 055529 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::ExecuteAllCmds:3346] SysInfo: Launching internal command "" 2018/08/09 10:14:27 058420 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:27 058435 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SAM 2018/08/09 10:14:27 058495 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 058502 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SAM" found at MFT record 337054 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 058504 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337054 (Search string: ) 2018/08/09 10:14:27 058526 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:27 063640 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:27 063648 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:27 063650 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:27 063665 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3:\Windows\System32\Config\SAM (Displayname Toshiba_Satellite-3:\Windows\System32\Config\SAM, showDialog 0) 2018/08/09 10:14:27 063668 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:27 063696 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SAM 2018/08/09 10:14:27 063753 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 063759 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SAM" found at MFT record 337054 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 063781 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337054 (Search string: ) 2018/08/09 10:14:27 063783 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:27 063786 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:27 066206 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3571] RegViewer::AddRegFile finish 2018/08/09 10:14:27 069999 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::GetUserRegistryInfo:1934] System info: GetWindowsPasswordHashes registryFile: Toshiba_Satellite-3Windows\System32\Config\SYSTEM 2018/08/09 10:14:27 070003 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:27 070009 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:27 070011 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:27 070013 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3Windows\System32\Config\SYSTEM (Displayname Toshiba_Satellite-3Windows\System32\Config\SYSTEM, showDialog 0) 2018/08/09 10:14:27 070015 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:27 070029 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3430] Could not open file, error: 3 2018/08/09 10:14:27 070031 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::GetUserRegistryInfo:1944] System info: Could not load Toshiba_Satellite-3Windows\System32\Config\SYSTEM 2018/08/09 10:14:27 070038 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::GetUserRegistryInfo:1947] Could not open file, error: 3 2018/08/09 10:14:27 070040 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:27 070049 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:27 070051 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:27 070053 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3SYSTEM (Displayname Toshiba_Satellite-3SYSTEM, showDialog 0) 2018/08/09 10:14:27 070055 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:27 070059 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3430] Could not open file, error: 2 2018/08/09 10:14:27 070061 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::GetUserRegistryInfo:1955] System info: Could not load Toshiba_Satellite-3SYSTEM 2018/08/09 10:14:27 070063 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::GetUserRegistryInfo:1958] Could not open file, error: 2 2018/08/09 10:14:27 070445 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::ExecuteAllCmds:3346] SysInfo: Launching internal command "" 2018/08/09 10:14:27 073193 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:27 073204 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:27 073257 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 073283 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 073286 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:27 073287 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:27 073292 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:27 073315 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:27 073317 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:27 073326 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM (Displayname Toshiba_Satellite-3:\Windows\System32\Config\SYSTEM, showDialog 0) 2018/08/09 10:14:27 073345 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:27 073372 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SYSTEM 2018/08/09 10:14:27 073398 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 073402 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SYSTEM" found at MFT record 337065 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 073404 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337065 (Search string: ) 2018/08/09 10:14:27 073425 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:27 073427 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:27 191237 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord DriverDatabase\DeviceIds\PCI BlockType invalid: \x72\x69 2018/08/09 10:14:27 296905 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3571] RegViewer::AddRegFile finish 2018/08/09 10:14:27 299981 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1432] CreateTempRegFileIfNeeded: A 2018/08/09 10:14:27 300021 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SOFTWARE 2018/08/09 10:14:27 300064 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 300070 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SOFTWARE" found at MFT record 337056 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 300092 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337056 (Search string: ) 2018/08/09 10:14:27 300094 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:27 300098 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:27 300118 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1437] CreateTempRegFileIfNeeded: B 2018/08/09 10:14:27 300120 DEBUG [cfgstart.cpp->CreateTempRegFileIfNeeded:1477] CreateTempRegFileIfNeeded: E 2018/08/09 10:14:27 300146 DEBUG [regviewer.cpp->RegViewer::OpenRegFile:3247] RegViewer::OpenRegFile Toshiba_Satellite-3:\Windows\System32\Config\SOFTWARE (Displayname Toshiba_Satellite-3:\Windows\System32\Config\SOFTWARE, showDialog 0) 2018/08/09 10:14:27 326368 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3413] RegViewer::AddRegFile start 2018/08/09 10:14:27 326424 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:248] Search btree direct enter \Windows\System32\Config\SOFTWARE 2018/08/09 10:14:27 326521 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "config" found at MFT record 242122 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 326527 DEBUG [mftrecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4478] Filename "SOFTWARE" found at MFT record 337056 in INDEX_ATTRIBUTE attribute. 2018/08/09 10:14:27 326529 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:375] Search btree direct: Parsing child node at MFT record 337056 (Search string: ) 2018/08/09 10:14:27 326532 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:388] Search btree direct: found leaf file 2018/08/09 10:14:27 326538 DEBUG [ntfsdrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:789] Search btree direct exit 2018/08/09 10:14:28 589337 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Classes BlockType invalid: \x72\x69 2018/08/09 10:14:28 645734 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect BlockType invalid: \x72\x69 2018/08/09 10:14:28 646056 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect BlockType invalid: \x72\x69 2018/08/09 10:14:28 646063 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex BlockType invalid: \x72\x69 2018/08/09 10:14:28 646067 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages BlockType invalid: \x72\x69 2018/08/09 10:14:28 654633 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components BlockType invalid: \x72\x69 2018/08/09 10:14:28 675558 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\Windows\CurrentVersion\SideBySide\Winners BlockType invalid: \x72\x69 2018/08/09 10:14:28 676479 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\Windows\CurrentVersion\WINEVT\Channels BlockType invalid: \x72\x69 2018/08/09 10:14:28 703956 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\WindowsRuntime\ActivatableClassId BlockType invalid: \x72\x69 2018/08/09 10:14:28 704302 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord Microsoft\WindowsRuntime\CLSID BlockType invalid: \x72\x69 2018/08/09 10:14:28 750057 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord WOW6432Node\Microsoft\WindowsRuntime\ActivatableClassId BlockType invalid: \x72\x69 2018/08/09 10:14:28 750095 DEBUG [regviewer.cpp->RegViewer::ProcessKeyRecord:3229] RegView::ProcessKeyRecord WOW6432Node\Microsoft\WindowsRuntime\CLSID BlockType invalid: \x72\x69 2018/08/09 10:14:28 757222 DEBUG [regviewer.cpp->RegViewer::AddRegFile:3571] RegViewer::AddRegFile finish 2018/08/09 10:14:28 784791 DEBUG [cfgsysinfowindow.cpp->SysInfoWindow::ExecuteAllCmds:3610] SysInfo: System Information collection on "Toshiba_Satellite-3" complete 2018/08/09 10:14:28 787812 DEBUG [osfactivitymonitor.cpp->OSFActivityMonitor::StopTask:235] Activity Monitor: Task Stopped (System Information)