g3log created log at: Sat Jul 01 22:50:00 2023
LOG format: [YYYY/MM/DD hh:mm:ss uuu* LEVEL FILE->FUNCTION:LINE] message
(uuu*: microseconds fractions of the seconds value)

2023/07/01 22:50:00 939873 DEBUG [OSForensics.cpp->CheckRunInUSBMode:2748] LOGGER NOT INITIALIZED: CheckRunInUSBMode: Not Running from Removable DriveCheckRunInUSBMode: Not Running from Removable Drive
2023/07/01 22:50:36 850917 DEBUG [OSForensics.cpp->wWinMain:231] DEBUG: Starting...
2023/07/01 22:50:36 850929 DEBUG [OSForensics.cpp->wWinMain:237] DEBUG: 2023/7/1, 22:50:36
2023/07/01 22:50:36 850934 DEBUG [OSForensics.cpp->wWinMain:241] DEBUG: OSForensics 10.0 build 1014 64-bit
2023/07/01 22:50:36 851097 DEBUG [OSForensics.cpp->wWinMain:249] DEBUG OS: Windows 10 Home build 19045 (64-bit)
2023/07/01 22:50:36 851177 DEBUG [OSForensics.cpp->wWinMain:251] DEBUG Path: C:\Program Files\OSForensics
2023/07/01 22:50:36 851181 DEBUG [OSForensics.cpp->wWinMain:259] Date: 07/01/23 22:50:36
2023/07/01 22:50:36 852404 DEBUG [OSForensics.cpp->wWinMain:275] Main: Regproc check
2023/07/01 22:50:36 965534 DEBUG [OSForensics.cpp->wWinMain:315] Main: Set security OK
2023/07/01 22:50:36 965547 DEBUG [OSForensics.cpp->wWinMain:327] Main: Creating temp folder C:\ProgramData\PassMark\OSForensics\Temp\8872
2023/07/01 22:50:36 968791 DEBUG [OSForensics.cpp->wWinMain:344] Main: Available phys mem: 10586296320
2023/07/01 22:50:36 968976 DEBUG [OSForensics.cpp->wWinMain:385] Main: Load OSF config
2023/07/01 22:50:37 010248 DEBUG [OSForensics.cpp->wWinMain:422] Main: Init OSFMount interface OK
2023/07/01 22:50:37 016735 DEBUG [OSForensics.cpp->wWinMain:453] Main: Init direct access OK
2023/07/01 22:50:37 130679 DEBUG [OSForensics.cpp->wWinMain:513] Main: Register disk events
2023/07/01 22:50:37 130773 DEBUG [OSForensics.cpp->wWinMain:523] Main: init dialog
2023/07/01 22:50:37 130780 DEBUG [OSForensics.cpp->InitDialog:1225] Init main dialog
2023/07/01 22:50:37 208024 DEBUG [CfgMain.cpp->InitCfgMain:399] CfgMain: Creating start window
2023/07/01 22:50:37 223558 DEBUG [CfgMain.cpp->InitCfgMain:402] CfgMain: Creating signature window
2023/07/01 22:50:37 226210 DEBUG [CfgMain.cpp->InitCfgMain:411] CfgMain: Creating FileHashing window
2023/07/01 22:50:37 230748 DEBUG [CfgFileHashing.cpp->FileHashingWindow::InitWindow:259] FileHashing: Creating Hash Sets Tab
2023/07/01 22:50:37 251168 DEBUG [CfgFileHashing.cpp->FileHashingWindow::InitWindow:261] FileHashing: Creating Create Hash Tab
2023/07/01 22:50:37 316780 DEBUG [CfgMain.cpp->InitCfgMain:424] CfgMain: Creating file name search window
2023/07/01 22:50:37 400982 DEBUG [CfgMain.cpp->InitCfgMain:426] CfgMain: Creating mismatch search window
2023/07/01 22:50:37 423073 DEBUG [CfgMain.cpp->InitCfgMain:428] CfgMain: Creating create index window
2023/07/01 22:50:37 424188 DEBUG [CfgMain.cpp->InitCfgMain:430] CfgMain: Creating search index window
2023/07/01 22:50:37 434390 DEBUG [CfgMain.cpp->InitCfgMain:432] CfgMain: Creating user activity window
2023/07/01 22:50:37 449693 DEBUG [CfgMain.cpp->InitCfgMain:434] CfgMain: Creating deleted file search window
2023/07/01 22:50:37 474694 DEBUG [CfgMain.cpp->InitCfgMain:436] CfgMain: Creating mem viewer window
2023/07/01 22:50:37 476170 DEBUG [CfgMain.cpp->InitCfgMain:438] CfgMain: Creating prefetch viewer window
2023/07/01 22:50:37 479390 DEBUG [CfgMain.cpp->InitCfgMain:441] CfgMain: Creating raw disk viewer window
2023/07/01 22:50:37 485260 DEBUG [CfgMain.cpp->InitCfgMain:443] CfgMain: Creating sys info window
2023/07/01 22:50:37 499726 DEBUG [CfgMain.cpp->InitCfgMain:445] CfgMain: Creating drive prep window
2023/07/01 22:50:37 516731 DEBUG [CfgMain.cpp->InitCfgMain:447] CfgMain: Creating password window
2023/07/01 22:50:37 526863 DEBUG [CfgMain.cpp->InitCfgMain:449] CfgMain: Creating forensic imaging window
2023/07/01 22:50:37 528923 DEBUG [CfgMain.cpp->InitCfgMain:451] CfgMain: Creating boot virtual machine window
2023/07/01 22:50:37 530392 DEBUG [CfgMain.cpp->InitCfgMain:455] CfgMain: Creating Mobile Artifact window
2023/07/01 22:50:37 537433 DEBUG [CfgMain.cpp->InitCfgMain:457] CfgMain: Creating remote acquisition window
2023/07/01 22:50:37 553491 DEBUG [CfgMain.cpp->InitCfgMain:465] CfgMain: Creating manage case window
2023/07/01 22:50:37 572065 DEBUG [CfgMain.cpp->InitCfgMain:469] CfgMain: Creating triage window
2023/07/01 22:50:37 598129 DEBUG [CfgMain.cpp->InitCfgMain:472] CfgMain: set focus
2023/07/01 22:50:37 632216 DEBUG [OSForensics.cpp->InitDialog:1245] Init main dialog finished
2023/07/01 22:50:37 632223 DEBUG [OSForensics.cpp->wWinMain:527] Main: show window
2023/07/01 22:50:37 692179 DEBUG [OSForensics.cpp->wWinMain:546] Main: set Foreground
2023/07/01 22:50:37 692222 DEBUG [OSForensics.cpp->wWinMain:557] Main: PopFileInitialize
2023/07/01 22:50:37 692328 DEBUG [OSForensics.cpp->wWinMain:575] Main: Display welcome
2023/07/01 22:50:37 697012 DEBUG [OSForensics.cpp->wWinMain:589] Main: SubCheck
2023/07/01 22:50:39 037673 DEBUG [OSForensics.cpp->wWinMain:839] CaseManagementInitWindow: No case successfully loaded. Setting default drive to C:\
2023/07/01 22:50:39 039498 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:419] Pswd: Creating Passwords & keys tab
2023/07/01 22:50:39 039504 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:421] Pswd: Creating Windows Login tab
2023/07/01 22:50:39 059579 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:423] Pswd: Initializing rainbow
2023/07/01 22:50:39 059684 DEBUG [main.cpp->initRainbowCrack:152] Rainbow: Loading charsets from C:\ProgramData\PassMark\OSForensics\RainbowTables\charset.txt
2023/07/01 22:50:39 059824 DEBUG [main.cpp->initRainbowCrack:158] Rainbow: Initializing SSL
2023/07/01 22:50:39 059827 DEBUG [main.cpp->initRainbowCrack:160] Rainbow: Initializing SSL
2023/07/01 22:50:39 060577 DEBUG [main.cpp->initRainbowCrack:173] Rainbow: Initializing Rainbow Table
2023/07/01 22:50:39 060582 DEBUG [main.cpp->initRainbowCrack:175] Rainbow: Initializing RainbowTable
2023/07/01 22:50:39 060586 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:425] Pswd: Creating Rainbow Generate tab
2023/07/01 22:50:39 141177 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:427] Pswd: Creating Rainbow Retrieval tab
2023/07/01 22:50:39 157063 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:429] Pswd: Creating Decryption tab
2023/07/01 22:50:39 182045 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:431] Pswd: Creating Install PFX tab
2023/07/01 22:50:39 197228 DEBUG [CfgSignature.cpp->SignatureWindow::InitWindow:200] Sig: Creating create sig tab
2023/07/01 22:50:39 211070 DEBUG [CfgSignature.cpp->SignatureWindow::InitWindow:202] Sig: Creating compare sig tab
2023/07/01 22:50:39 233945 DEBUG [OSForensics.cpp->wWinMain:853] CaseManagementInitWindow: Message loop
2023/07/01 22:50:41 737937 DEBUG [misc.cpp->RefreshPhysicalDisks:5478] Refresh Disks: sysinfo get partition info
2023/07/01 22:50:43 132240 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive0
2023/07/01 22:50:43 132761 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/07/01 22:50:43 137634 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=2048)
2023/07/01 22:50:43 142823 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=234438656,NumSec=2992)
2023/07/01 22:50:43 148849 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/07/01 22:50:43 148902 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive1
2023/07/01 22:50:43 149491 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/07/01 22:50:43 150932 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=34)
2023/07/01 22:50:43 153790 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=1953521664,NumSec=3504)
2023/07/01 22:50:43 197297 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/07/01 22:50:43 217382 DEBUG [CfgRecent.cpp->DoSort:2850] User Activity Scan: Sorting
2023/07/01 22:50:45 865608 DEBUG [CfgRecent.cpp->OnScan:3516] User Activity Scan: Begin
2023/07/01 22:50:45 865645 DEBUG [OSFActivityMonitor.cpp->OSFActivityMonitor::StartTask:198] Activity Monitor: Task Started (User Activity)
2023/07/01 22:50:45 865660 DEBUG [CfgRecent.cpp->OnScan:3523] User Activity Scan started on live machine
2023/07/01 22:50:45 881641 DEBUG [CfgRecent.cpp->OnScan:3665] User Activity Scan: Available phys mem: 10554789888
2023/07/01 22:50:45 881647 DEBUG [CfgRecent.cpp->OnScan:3672] User Activity Scan: Allocating MRUList
2023/07/01 22:50:45 881675 DEBUG [CfgRecent.cpp->OnScan:3674] User Activity Scan: Allocating installList
2023/07/01 22:50:45 881687 DEBUG [CfgRecent.cpp->OnScan:3676] User Activity Scan: Allocating autoRunList
2023/07/01 22:50:45 881758 DEBUG [CfgRecent.cpp->OnScan:3678] User Activity Scan: Allocating ClipboardList
2023/07/01 22:50:45 881771 DEBUG [CfgRecent.cpp->OnScan:3680] User Activity Scan: Allocating EventList
2023/07/01 22:50:45 881822 DEBUG [CfgRecent.cpp->OnScan:3682] User Activity Scan: Allocating userAssistList
2023/07/01 22:50:45 881867 DEBUG [CfgRecent.cpp->OnScan:3684] User Activity Scan: Allocating jumpListList
2023/07/01 22:50:45 881906 DEBUG [CfgRecent.cpp->OnScan:3686] User Activity Scan: Allocating shellBagList
2023/07/01 22:50:45 881946 DEBUG [CfgRecent.cpp->OnScan:3688] User Activity Scan: Allocating TimelineDBList
2023/07/01 22:50:45 881987 DEBUG [CfgRecent.cpp->OnScan:3690] User Activity Scan: Allocating CortanaList
2023/07/01 22:50:45 881996 DEBUG [CfgRecent.cpp->OnScan:3692] User Activity Scan: Allocating RecycleBinList
2023/07/01 22:50:45 882027 DEBUG [CfgRecent.cpp->OnScan:3694] User Activity Scan: Allocating ShimCacheList
2023/07/01 22:50:45 882066 DEBUG [CfgRecent.cpp->OnScan:3696] User Activity Scan: Allocating SRUMDBList
2023/07/01 22:50:45 882104 DEBUG [CfgRecent.cpp->OnScan:3698] User Activity Scan: Allocating prefetchList
2023/07/01 22:50:45 882142 DEBUG [CfgRecent.cpp->OnScan:3700] User Activity Scan: Allocating winsearchList
2023/07/01 22:50:45 882180 DEBUG [CfgRecent.cpp->OnScan:3702] User Activity Scan: Allocating gBAMList
2023/07/01 22:50:45 882218 DEBUG [CfgRecent.cpp->OnScan:3704] User Activity Scan: Allocating gAntiForensicsList
2023/07/01 22:50:45 882257 DEBUG [CfgRecent.cpp->OnScan:3709] User Activity Scan: Available phys mem: 10554740736
2023/07/01 22:50:45 882261 DEBUG [CfgRecent.cpp->OnScan:3711] User Activity Scan: Allocating downloadList
2023/07/01 22:50:45 882296 DEBUG [CfgRecent.cpp->OnScan:3713] User Activity Scan: Allocating urlList
2023/07/01 22:50:45 882336 DEBUG [CfgRecent.cpp->OnScan:3715] User Activity Scan: Allocating SearchTermList
2023/07/01 22:50:45 882375 DEBUG [CfgRecent.cpp->OnScan:3717] User Activity Scan: Allocating LoginList
2023/07/01 22:50:45 882559 DEBUG [CfgRecent.cpp->OnScan:3719] User Activity Scan: Allocating formList
2023/07/01 22:50:45 882595 DEBUG [CfgRecent.cpp->OnScan:3721] User Activity Scan: Allocating bookmarkList
2023/07/01 22:50:45 882633 DEBUG [CfgRecent.cpp->OnScan:3723] User Activity Scan: Allocating ChatList
2023/07/01 22:50:45 882671 DEBUG [CfgRecent.cpp->OnScan:3725] User Activity Scan: Allocating P2PList
2023/07/01 22:50:45 882711 DEBUG [CfgRecent.cpp->OnScan:3727] User Activity Scan: Allocating wlanList
2023/07/01 22:50:45 882750 DEBUG [CfgRecent.cpp->OnScan:3729] User Activity Scan: Allocating gCryptocurrencyList
2023/07/01 22:50:45 882804 DEBUG [CfgRecent.cpp->OnScan:3731] User Activity Scan: Allocating cookieList
2023/07/01 22:50:45 882826 DEBUG [CfgRecent.cpp->OnScan:3733] User Activity Scan: Allocating Custom Dictionary List
2023/07/01 22:50:45 882869 DEBUG [CfgRecent.cpp->OnScan:3738] User Activity Scan: Available phys mem: 10554617856
2023/07/01 22:50:45 882872 DEBUG [CfgRecent.cpp->OnScan:3740] User Activity Scan: Allocating UsbList
2023/07/01 22:50:45 882920 DEBUG [CfgRecent.cpp->OnScan:3742] User Activity Scan: Allocating mountedVolList
2023/07/01 22:50:45 882965 DEBUG [CfgRecent.cpp->OnScan:3744] User Activity Scan: Allocating MobileBackupList
2023/07/01 22:50:45 885366 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7597] GetLocalFolderNames: check SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
2023/07/01 22:50:45 885371 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7601] GetLocalFolderNames: Key loaded successfully
2023/07/01 22:50:45 885385 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7621] GetLocaFolderNames: DocumentsAndSettingsLocalName Users
2023/07/01 22:50:45 885392 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7643] GetLocaFolderNames: CommonAppDataLocalName ProgramData
2023/07/01 22:50:45 885399 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7670] GetLocalFolderNames: Could not query "{374DE290-123F-4565-9164-39C4925E467B}"
2023/07/01 22:50:45 885406 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7692] GetLocalFolderNames: Could not query "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
2023/07/01 22:50:45 885413 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7714] GetLocalFolderNames: Could not query "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
2023/07/01 22:50:45 885421 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/01 22:50:45 885475 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/01 22:50:45 885479 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3212] CreateTempRegFileIfNeeded: Error - file handle invalid (3)
2023/07/01 22:50:45 885485 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7792] GetLocaFolderNames: Registry Info: Could not load C:\Windows.old\Windows\System32\Config\SOFTWARE
2023/07/01 22:50:45 885530 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8255] GetLocaFolderNames: Getting folder locations based on current user C:\Users\User
2023/07/01 22:50:45 885574 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8274] GetLocaFolderNames: AppDataLocalName AppData\Roaming
2023/07/01 22:50:45 885581 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8293] GetLocaFolderNames: LocalAppDataLocalName AppData\Local
2023/07/01 22:50:45 885611 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8313] GetLocaFolderNames: HistoryLocalName AppData\Local\Microsoft\Windows\History
2023/07/01 22:50:45 885656 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8334] GetLocaFolderNames: RecentLocalName AppData\Roaming\Microsoft\Windows\Recent
2023/07/01 22:50:45 885690 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8345] GetLocalFolderNames: check local registry for "Local Settings"
2023/07/01 22:50:45 885782 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8759] LocalOSEnv::GetNextUser_Windows_Old start
2023/07/01 22:50:45 885814 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8885] LocalOSEnv::GetNextUser_Windows_Old get appdata dir
2023/07/01 22:50:45 885854 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8895] LocalOSEnv::GetNextUser_Windows_Old C:\Users\User\AppData\Local
2023/07/01 22:50:45 885936 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8920] LocalOSEnv::GetNextUser_Windows_Old Could not find Windows.old directory
2023/07/01 22:50:45 885969 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8514] GetLocalFolderNames end (detected OS: WinXP)
2023/07/01 22:50:45 886044 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:642] Password recovery: GetWindowsPasswordHashes start
2023/07/01 22:50:45 886051 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:826] Password recovery: GetWindowsPasswordHashes Live system drive
2023/07/01 22:50:45 886527 DEBUG [RegistryPasswords.cpp->DecryptHashes:2248] Password recovery: DecryptHashes start
2023/07/01 22:50:50 598744 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:227] Password recovery: GetCachedDomainUsers open C:\Windows\System32\Config\security
2023/07/01 22:50:50 598751 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/01 22:50:50 598815 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/01 22:50:50 598819 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C
2023/07/01 22:50:50 598991 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA
2023/07/01 22:50:50 598997 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] CreateTempRegFileIfNeeded: DB
2023/07/01 22:50:50 598999 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC
2023/07/01 22:50:50 599010 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry
2023/07/01 22:50:50 599013 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume
2023/07/01 22:50:50 599020 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry
2023/07/01 22:50:50 599021 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client
2023/07/01 22:50:50 633646 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\
2023/07/01 22:50:50 635637 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\
2023/07/01 22:50:50 635647 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set
2023/07/01 22:50:52 132430 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt
2023/07/01 22:50:52 132437 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName
2023/07/01 22:50:52 132929 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit
2023/07/01 22:50:52 132936 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume
2023/07/01 22:50:52 132939 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy
2023/07/01 22:50:52 132942 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\Windows\System32\Config\security
2023/07/01 22:50:52 132945 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\Windows\System32\Config\security
2023/07/01 22:50:52 132956 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\8872\7BF3CE7C9DC6F1EC11D70AC3ADB400B8
2023/07/01 22:50:52 616291 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/01 22:50:52 620207 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/01 22:50:52 623963 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/01 22:50:52 624098 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:263] Password recovery: GetCachedDomainUsers 1
2023/07/01 22:50:52 624116 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:303] Password recovery: GetCachedDomainUsers 2
2023/07/01 22:50:52 624258 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:331] Password recovery: GetCachedDomainUsers 3
2023/07/01 22:50:52 624277 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:375] Password recovery: GetCachedDomainUsers 4
2023/07/01 22:50:52 624408 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:409] Password recovery: GetCachedDomainUsers 5
2023/07/01 22:50:52 624418 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:436] Password recovery: GetCachedDomainUsers 6
2023/07/01 22:50:52 624421 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:561] Password recovery: GetCachedDomainUsers done
2023/07/01 22:50:52 624425 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:568] Password recovery: GetCachedDomainUsers cleaned up
2023/07/01 22:50:52 624702 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:915] Password recovery: GetWindowsPasswordHashes end
2023/07/01 22:50:52 624710 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:642] Password recovery: GetWindowsPasswordHashes start
2023/07/01 22:50:52 624716 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:698] Password recovery: GetWindowsPasswordHashes registryFile: C:\Windows.old\Windows\System32\Config\SYSTEM
2023/07/01 22:50:52 624784 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:703] User Activity Scan: GetWindowsPasswordHashes file not found
2023/07/01 22:50:52 624874 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:39] GetSystemPWfromLSASecrets start
2023/07/01 22:50:52 624987 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/01 22:50:52 625038 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/01 22:50:52 625042 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C
2023/07/01 22:50:52 625075 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA
2023/07/01 22:50:52 625079 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] CreateTempRegFileIfNeeded: DB
2023/07/01 22:50:52 625080 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC
2023/07/01 22:50:52 625118 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry
2023/07/01 22:50:52 625121 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume
2023/07/01 22:50:52 625155 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry
2023/07/01 22:50:52 625159 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client
2023/07/01 22:50:52 627722 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\
2023/07/01 22:50:52 627889 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\
2023/07/01 22:50:52 627894 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set
2023/07/01 22:50:53 840025 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt
2023/07/01 22:50:53 840031 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName
2023/07/01 22:50:53 840479 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit
2023/07/01 22:50:53 840484 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume
2023/07/01 22:50:53 840488 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy
2023/07/01 22:50:53 840490 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\Windows\System32\config\SYSTEM
2023/07/01 22:50:53 840494 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14\Windows\System32\config\SYSTEM
2023/07/01 22:50:53 840504 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\8872\8F337D42B54B75C4007A892D5DDC3F83
2023/07/01 22:50:54 466922 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/01 22:50:54 471796 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/01 22:50:54 475362 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/01 22:50:54 475369 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/01 22:50:54 475475 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/01 22:50:54 475512 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C
2023/07/01 22:50:54 475562 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA
2023/07/01 22:50:54 475595 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] CreateTempRegFileIfNeeded: DB
2023/07/01 22:50:54 475599 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC
2023/07/01 22:50:54 475669 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry
2023/07/01 22:50:54 475675 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume
2023/07/01 22:50:54 475747 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry
2023/07/01 22:50:54 475753 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client
2023/07/01 22:50:54 478534 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\
2023/07/01 22:50:54 478734 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\
2023/07/01 22:50:54 478739 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set
2023/07/01 22:50:55 693417 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt
2023/07/01 22:50:55 693425 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName
2023/07/01 22:50:55 693893 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit
2023/07/01 22:50:55 693899 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume
2023/07/01 22:50:55 693902 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy
2023/07/01 22:50:55 693905 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\Windows\System32\config\SECURITY
2023/07/01 22:50:55 693907 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy15\Windows\System32\config\SECURITY
2023/07/01 22:50:55 693919 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\8872\9252EB97A379014387027E5488A602AC
2023/07/01 22:50:56 164122 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/01 22:50:56 168065 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/01 22:50:56 171697 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/01 22:50:56 178311 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:181] Opening keys in : ControlSet001\Control\Lsa
2023/07/01 22:50:56 178515 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:244] Opening key: Policy\PolRevision
2023/07/01 22:50:56 178532 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:279] Policy revision: 1.2
2023/07/01 22:50:56 178535 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:287] Opening key: Policy\PolEKList
2023/07/01 22:50:56 178544 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:645] decryptLSAKeyNT6 start (lsa len: 172, syskey len: 16)
2023/07/01 22:50:56 178650 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:739] pt len = 96
2023/07/01 22:50:56 178653 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:750] key size = 84
2023/07/01 22:50:56 178734 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:784] nb = 1
2023/07/01 22:50:56 178741 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:816] [0] t = 3, l = 32
2023/07/01 22:50:56 178810 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:837] decryptLSAKeyNT6 end
2023/07/01 22:50:56 178927 DEBUG [LSASecrets.cpp->decryptLSASecret:525] decryptLSASecret start
2023/07/01 22:50:56 179003 DEBUG [LSASecrets.cpp->decryptLSASecret:639] decryptLSASecret end
2023/07/01 22:50:56 179014 DEBUG [LSASecrets.cpp->decryptLSASecret:525] decryptLSASecret start
2023/07/01 22:50:56 179084 DEBUG [LSASecrets.cpp->decryptLSASecret:639] decryptLSASecret end
2023/07/01 22:50:56 179198 DEBUG [LSASecrets.cpp->decryptLSASecret:525] decryptLSASecret start
2023/07/01 22:50:56 179274 DEBUG [LSASecrets.cpp->decryptLSASecret:639] decryptLSASecret end
2023/07/01 22:50:56 179350 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:517] GetSystemPWfromLSASecrets end
2023/07/01 22:50:56 180146 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:39] GetSystemPWfromLSASecrets start
2023/07/01 22:50:56 180313 DEBUG [RegViewer.cpp->RegViewer::LoadFile:2838] Could not open file, error: 3
2023/07/01 22:50:56 180318 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:129] GetSystemPWfromLSASecrets end - Couldn't open registry hive
2023/07/01 22:50:56 180330 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::DPAPIEmulator:99] using DPAPISystemToken (0)
2023/07/01 22:50:56 180336 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/01 22:50:56 180339 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8559] LocalOSEnv::GetNextUser xp check
2023/07/01 22:50:56 180412 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8566] LocalOSEnv::GetNextUser cleanup profile path
2023/07/01 22:50:56 180418 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0
2023/07/01 22:50:56 180421 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation C:\
2023/07/01 22:50:56 180473 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8611] LocalOSEnv::GetNextUser win7/mac check
2023/07/01 22:50:56 180513 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path C:\Users\*
2023/07/01 22:50:56 180517 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next
2023/07/01 22:50:56 180519 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/01 22:50:56 180521 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 180594 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] .
2023/07/01 22:50:56 180629 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 180632 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] ..
2023/07/01 22:50:56 180634 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 180637 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] All Users
2023/07/01 22:50:56 180708 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/01 22:50:56 180847 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/01 22:50:56 180854 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/01 22:50:56 180856 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 180858 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Default
2023/07/01 22:50:56 180895 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/01 22:50:56 180967 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/01 22:50:56 180972 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/01 22:50:56 180974 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 181014 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Default User
2023/07/01 22:50:56 181080 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/01 22:50:56 181158 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/01 22:50:56 181191 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/01 22:50:56 181194 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 181265 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] desktop.ini
2023/07/01 22:50:56 181336 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 181341 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Public
2023/07/01 22:50:56 181343 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/01 22:50:56 181446 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/01 22:50:56 181515 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/01 22:50:56 181520 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/01 22:50:56 181522 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] User
2023/07/01 22:50:56 181658 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/01 22:50:56 181806 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\1364fb9a-90d0-49d6-9cde-0680120fe0af
2023/07/01 22:50:56 181961 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\204e7ad4-f85d-48d8-8dcb-54b860a55f81
2023/07/01 22:50:56 182120 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\4838034f-dd34-4293-829b-99f75b0608c0
2023/07/01 22:50:56 182292 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\5baba3fc-72fc-4c20-82f6-806eefb9ca37
2023/07/01 22:50:56 182496 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\6149bc79-de93-4f07-a8c1-40fd701bba95
2023/07/01 22:50:56 182727 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\61775497-a204-41de-bf98-0e5880e7a6f2
2023/07/01 22:50:56 182839 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\646e1ef2-d412-4012-acf5-5fa1674979cf
2023/07/01 22:50:56 183125 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\813ac69a-15e8-4c95-8c7b-14b0fc71605a
2023/07/01 22:50:56 183246 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\95eb7a08-b147-48b4-8300-b5aa4b43d9af
2023/07/01 22:50:56 183357 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\9e6ae495-a7f3-4eda-aec8-907d779d75aa
2023/07/01 22:50:56 183718 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\f46b943c-dfe2-4aea-a69b-aa9d731511e6
2023/07/01 22:50:56 183927 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\f5a23ee7-1eb4-46dd-b17e-8f63726cde65
2023/07/01 22:50:56 184089 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/01 22:50:56 184100 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8586] LocalOSEnv::GetNextUser close handle
2023/07/01 22:50:56 184187 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0
2023/07/01 22:50:56 184192 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation C:\ 2023/07/01 22:50:56 184305 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8626] LocalOSEnv::GetNextUser ubununtu check 2023/07/01 22:50:56 184349 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path C:\home\* 2023/07/01 22:50:56 184353 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/07/01 22:50:56 184355 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0 2023/07/01 22:50:56 184358 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation C:\ 2023/07/01 22:50:56 184464 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path 2023/07/01 22:50:56 184469 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/07/01 22:50:56 184472 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8743] LocalOSEnv::GetNextUser end 2023/07/01 22:50:56 184575 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\03f95ae3-6db4-4482-b476-e89db1f73808 2023/07/01 22:50:56 184661 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 184696 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\19fe09c1-04a2-4ddd-bdff-03f493f410e1 2023/07/01 22:50:56 184782 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 185121 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\1cb44743-fed7-4fb5-be5b-364d20be132f 2023/07/01 22:50:56 185212 DEBUG 
[DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 185237 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\3d5f12eb-2a33-4361-9674-b1098b1fad81 2023/07/01 22:50:56 185314 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 185342 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\5a9cafc1-139a-468f-81b1-7a815726efb5 2023/07/01 22:50:56 185470 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 185501 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\61363162-2599-48cd-81fe-85fa20b9c0f0 2023/07/01 22:50:56 185604 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 185695 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\66447004-a0e5-4a56-bade-d9200d4fe823 2023/07/01 22:50:56 185794 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 185839 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\7621f9b8-0ed0-423e-b192-01001ee54211 2023/07/01 22:50:56 185950 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 186343 DEBUG 
[DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\90dc85cd-4fce-4eac-99cd-ca86c2c064d7 2023/07/01 22:50:56 186443 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 186469 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\b3497bb5-9fe2-456b-9f73-d749acf416fc 2023/07/01 22:50:56 186582 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 186609 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\cd95054d-8c0e-4f26-a42b-4d45cde7073e 2023/07/01 22:50:56 186711 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 186763 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\d9fd3abf-b694-46bf-9563-e1a3139fb5e9 2023/07/01 22:50:56 186871 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 186927 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\fec2c25a-e53e-4b3c-9461-4e0b769a29d7 2023/07/01 22:50:56 187017 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 187162 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\25f362bb-240b-49de-bfb0-702dce299208 
2023/07/01 22:50:56 187238 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 187265 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\3411840e-c54e-464e-8e1a-bdd1e0d2a755 2023/07/01 22:50:56 187395 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 187445 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\37305382-59b1-48c8-ab7e-2b1ae7487c47 2023/07/01 22:50:56 187552 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 187576 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\4ded6254-7a79-494f-9281-1cd1ce58094a 2023/07/01 22:50:56 187662 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 188229 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5812b1c1-e9aa-4e4b-bddf-1a45f61c0104 2023/07/01 22:50:56 188367 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 188430 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5ac75647-5556-44eb-af54-98ca59c1fc6b 2023/07/01 22:50:56 188514 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 
2023/07/01 22:50:56 188564 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\83d03260-0b4a-447d-8281-306f3ff71553 2023/07/01 22:50:56 188644 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 188694 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\a4ab9305-1480-45dc-8769-640a3f7aba3f 2023/07/01 22:50:56 188774 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 188861 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\aac7f893-1c8b-4e2c-9d40-95dba8b94cdb 2023/07/01 22:50:56 188963 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 188989 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e31136dc-f5b0-4cf7-9c5e-6abd56fc6c8f 2023/07/01 22:50:56 189080 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 189125 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e4c77d25-4d09-4543-817d-dbd31abf03e8 2023/07/01 22:50:56 189202 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 189232 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - 
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f482c7a6-e354-4812-941f-77321ddefe5d 2023/07/01 22:50:56 189327 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 189363 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f87b443f-06d6-42cd-8b7e-14e9da15b7c0 2023/07/01 22:50:56 189435 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/01 22:50:56 189521 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8759] LocalOSEnv::GetNextUser_Windows_Old start 2023/07/01 22:50:56 189524 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8779] LocalOSEnv::GetNextUser_Windows_Old xp check 2023/07/01 22:50:56 189561 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8786] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/07/01 22:50:56 189564 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/07/01 22:50:56 189570 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation C:\ 2023/07/01 22:50:56 189610 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8831] LocalOSEnv::GetNextUser_Windows_Old win7/mac check 2023/07/01 22:50:56 189640 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path C:\Windows.old\Users\* 2023/07/01 22:50:56 189643 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/07/01 22:50:56 189646 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/07/01 22:50:56 189648 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old 
GetVolumeInformation C:\ 2023/07/01 22:50:56 189680 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8846] LocalOSEnv::GetNextUser_Windows_Old ubununtu check 2023/07/01 22:50:56 189713 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path C:\old\home\* 2023/07/01 22:50:56 189717 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/07/01 22:50:56 189719 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/07/01 22:50:56 189721 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation C:\ 2023/07/01 22:50:56 189753 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/07/01 22:50:56 189756 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/07/01 22:50:56 189759 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8987] LocalOSEnv::GetNextUser_Windows_Old end 2023/07/01 22:50:56 189786 DEBUG [CfgRecent.cpp->UserActivityScanThread:4058] User Activity Scan: Registry 2023/07/01 22:50:56 189874 DEBUG [RegistryInfo.cpp->IsWindowsVistaOrHigher:3931] IsWindowsVistaOrHigher start 2023/07/01 22:50:56 189910 DEBUG [RegistryInfo.cpp->IsWindowsVistaOrHigher:4072] IsWindowsVistaOrHigher finished 2023/07/01 22:50:56 189941 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9250] User Activity Scan: Registry Info live system 2023/07/01 22:50:56 190197 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9255] User Activity Scan: Registry Info: User User 2023/07/01 22:50:56 190233 DEBUG [RegistryInfo.cpp->GetLastVisitedMRU:4361] User Activity Scan: GetLastVisitedMRU: Number of subkeys: 1 2023/07/01 22:50:56 190268 DEBUG [RegistryInfo.cpp->GetMRUInfo:8721] User Activity Scan: Got GetLastVisited MRUs: new total 0 2023/07/01 22:50:56 190347 DEBUG 
[RegistryInfo.cpp->GetMRUInfo:8725] User Activity Scan: Got GetOpenSBave MRUs: new total 0 2023/07/01 22:50:56 190458 DEBUG [RegistryInfo.cpp->GetMRUInfo:8729] User Activity Scan: Got GetRecentDocs MRUs: new total 0 2023/07/01 22:50:56 193864 DEBUG [RegistryInfo.cpp->GetMRUInfo:8733] User Activity Scan: Got Office MRUs: new total 234 2023/07/01 22:50:56 193882 DEBUG [RegistryInfo.cpp->GetMRUInfo:8737] User Activity Scan: Got Run MRUs: new total 234 2023/07/01 22:50:56 193902 DEBUG [RegistryInfo.cpp->GetMRUInfo:8741] User Activity Scan: Got Network Drive MRUs: new total 234 2023/07/01 22:50:56 193924 DEBUG [RegistryInfo.cpp->GetMRUInfo:8745] User Activity Scan: Got Search MRUs: new total 234 2023/07/01 22:50:56 193934 DEBUG [RegistryInfo.cpp->GetMRUInfo:8749] User Activity Scan: Got PMV Search MRUs: new total 234 2023/07/01 22:50:56 193942 DEBUG [RegistryInfo.cpp->GetMRUInfo:8753] User Activity Scan: Got Internet Search MRUs: new total 234 2023/07/01 22:50:56 193950 DEBUG [RegistryInfo.cpp->GetMRUInfo:8757] User Activity Scan: Got PCP Search MRUs: new total 234 2023/07/01 22:50:56 194055 DEBUG [RegistryInfo.cpp->GetMRUInfo:8761] User Activity Scan: Got Wordpad MRUs: new total 235 2023/07/01 22:50:56 194094 DEBUG [RegistryInfo.cpp->GetMRUInfo:8765] User Activity Scan: Got Paint MRUs: new total 235 2023/07/01 22:50:56 194139 DEBUG [RegistryInfo.cpp->GetMRUInfo:8769] User Activity Scan: Got Windows Media Player MRUs: new total 235 2023/07/01 22:50:56 194436 DEBUG [RegistryInfo.cpp->GetMRUInfo:8773] User Activity Scan: Got Adobe Acrobat Reader MRUs: new total 239 2023/07/01 22:50:56 194901 DEBUG [RegistryInfo.cpp->GetMRUInfo:8777] User Activity Scan: Got Adobe Acrobat MRUs: new total 246 2023/07/01 22:50:56 194905 DEBUG [RegistryInfo.cpp->GetTypedIEURLS:3260] User Activity Scan: GetTypedIEURLS Start [Local] 2023/07/01 22:50:56 194918 DEBUG [RegistryInfo.cpp->GetTypedIEURLS:3323] User Activity Scan: GetTypedIEURLS finish no key found 2023/07/01 22:50:56 194922 DEBUG 
[RegistryInfo.cpp->GetMountPointsSystem:330] GetMountPointsSystem Start [Local] 2023/07/01 22:50:56 194935 DEBUG [RegistryInfo.cpp->GetMountPointsSystem:468] GetMountPointsSystem - enum live systems results 2023/07/01 22:50:56 196321 DEBUG [RegistryInfo.cpp->GetMountPointsSystem:551] GetMountPointsSystem - finished 2023/07/01 22:50:56 196330 DEBUG [RegistryInfo.cpp->GetOnceConnectedUSBStorage:7130] User Activity Scan: GetOnceConnectedUSBStorage Start [Local] 2023/07/01 22:50:56 196349 DEBUG [RegistryInfo.cpp->GetOnceConnectedUSBStorage:7324] User Activity Scan: GetOnceConnectedUSBStorage couldn't open key 2023/07/01 22:50:56 196352 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9264] User Activity Scan: Got connected USB 2023/07/01 22:50:56 196357 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5175] User Activity Scan: GetOtherConnectedUSB [Local] 2023/07/01 22:50:56 196358 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5206] GetOtherConnectedUSB() - Parsing Vendor ID file. 2023/07/01 22:50:56 198124 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5243] Found 844 VIDs in file C:\ProgramData\PassMark\OSForensics\usb.if. 2023/07/01 22:50:56 228903 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5326] Found 3411 VIDs 2951 PIDs in file C:\ProgramData\PassMark\OSForensics\usb.ids. 
2023/07/01 22:50:56 228911 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5339] Open SYSTEM\CurrentControlSet\Enum\USB 2023/07/01 22:50:56 228956 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = _HUB30 2023/07/01 22:50:56 228961 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5632] Count < 2 2023/07/01 22:50:56 228968 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 03F0 2023/07/01 22:50:56 228981 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 229080 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 229086 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (03F0) 2023/07/01 22:50:56 229091 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 229094 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: HP Inc. (VID_03F0) 2023/07/01 22:50:56 229133 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = HP Inc. (VID_03F0) 2023/07/01 22:50:56 229138 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 229175 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 03F0 2023/07/01 22:50:56 229251 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 229363 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 229443 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (03F0) 2023/07/01 22:50:56 229512 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 229519 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: HP Inc. (VID_03F0) 2023/07/01 22:50:56 229591 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = HP Inc. 
(VID_03F0) 2023/07/01 22:50:56 229695 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 229734 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 03F0 2023/07/01 22:50:56 229810 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 229903 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 229908 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (03F0) 2023/07/01 22:50:56 229911 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 229913 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: HP Inc. (VID_03F0) 2023/07/01 22:50:56 229915 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = HP Inc. (VID_03F0) 2023/07/01 22:50:56 229917 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 229929 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 03F0 2023/07/01 22:50:56 229939 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 230012 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 230017 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (03F0) 2023/07/01 22:50:56 230019 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 230022 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: HP Inc. (VID_03F0) 2023/07/01 22:50:56 230023 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = HP Inc. 
(VID_03F0) 2023/07/01 22:50:56 230025 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 230108 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 03F0 2023/07/01 22:50:56 230184 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 230298 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 230302 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (03F0) 2023/07/01 22:50:56 230374 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 230443 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: HP Inc. (VID_03F0) 2023/07/01 22:50:56 230448 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = HP Inc. (VID_03F0) 2023/07/01 22:50:56 230450 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 230477 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 09DA 2023/07/01 22:50:56 230490 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 230591 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 230596 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (09DA) 2023/07/01 22:50:56 230666 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 230672 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/01 22:50:56 230676 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = A-FOUR TECH CO., LTD. 
(VID_09DA) 2023/07/01 22:50:56 230740 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 230778 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 09DA 2023/07/01 22:50:56 230816 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 230924 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 230931 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (09DA) 2023/07/01 22:50:56 230998 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 231003 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/01 22:50:56 231006 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/01 22:50:56 231067 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 231143 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 09DA 2023/07/01 22:50:56 231215 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 231297 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 231326 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (09DA) 2023/07/01 22:50:56 231330 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 231333 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/01 22:50:56 231363 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = A-FOUR TECH CO., LTD. 
(VID_09DA) 2023/07/01 22:50:56 231366 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 231400 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 0C45 2023/07/01 22:50:56 231407 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 231507 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 231514 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 231544 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 231547 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 231551 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 231553 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 231656 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 231662 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 231668 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 231694 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 231697 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 231699 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 231802 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 231808 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 231839 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 231842 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. 
(VID_0C45) 2023/07/01 22:50:56 231844 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 231846 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 231876 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 0C45 2023/07/01 22:50:56 231913 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 231992 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 232024 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 232028 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 232030 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232033 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232061 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 232143 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 232172 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 232176 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 232179 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232182 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. 
(VID_0C45) 2023/07/01 22:50:56 232211 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 232357 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 232361 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 232365 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 232394 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232397 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232399 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 232431 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 0C45 2023/07/01 22:50:56 232438 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 232572 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 232580 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 232608 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 232612 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232614 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232620 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 232720 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 232725 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 232728 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 232758 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. 
(VID_0C45) 2023/07/01 22:50:56 232761 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232763 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 232866 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 232872 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (0C45) 2023/07/01 22:50:56 232875 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 232904 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232907 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/01 22:50:56 232909 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 232941 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 1532 2023/07/01 22:50:56 232948 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 233051 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 233057 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 233089 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 233092 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233095 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233097 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 233197 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 233200 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 233204 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 233233 DEBUG 
[RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233236 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233239 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 233270 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 1532 2023/07/01 22:50:56 233277 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 233380 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 233384 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 233387 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 233418 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233421 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233423 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 233526 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 233530 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 233533 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 233535 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233537 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233542 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 233554 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 1532 2023/07/01 22:50:56 233561 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 233686 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 
233715 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 233719 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 233722 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233757 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233761 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 233860 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 233864 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 233867 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 233870 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233872 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 233901 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 233938 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 1532 2023/07/01 22:50:56 233946 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 234046 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 234050 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 234053 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 234083 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 234086 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 234088 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 234193 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 
2023/07/01 22:50:56 234197 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1532) 2023/07/01 22:50:56 234200 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 234229 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 234232 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/01 22:50:56 234234 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 234266 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 1C4F 2023/07/01 22:50:56 234303 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 234382 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 234411 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1C4F) 2023/07/01 22:50:56 234416 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 234419 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: SiGma Micro (VID_1C4F) 2023/07/01 22:50:56 234450 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = SiGma Micro (VID_1C4F) 2023/07/01 22:50:56 234453 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 234487 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 1C4F 2023/07/01 22:50:56 234524 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 234632 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 234638 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1C4F) 2023/07/01 22:50:56 234669 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 234672 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: SiGma Micro (VID_1C4F) 2023/07/01 22:50:56 234674 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = SiGma Micro 
(VID_1C4F) 2023/07/01 22:50:56 234677 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 234706 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5618] tmpVID = 1C4F 2023/07/01 22:50:56 234744 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5643] Find unique IDs 2023/07/01 22:50:56 234822 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5713] Look up product 2023/07/01 22:50:56 234830 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5750] Look up vendor (1C4F) 2023/07/01 22:50:56 234855 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5755] Found: vendor 2023/07/01 22:50:56 234857 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5760] Found: SiGma Micro (VID_1C4F) 2023/07/01 22:50:56 234859 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5768] tmpVID 2 = SiGma Micro (VID_1C4F) 2023/07/01 22:50:56 234861 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5772] Add USB entry 2023/07/01 22:50:56 234892 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5800] User Activity Scan: GetOtherConnectedUSB end 2023/07/01 22:50:56 236918 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9267] User Activity Scan: Got other connected USB 2023/07/01 22:50:56 237066 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:5805] User Activity Scan: GetConnectedUSBasSCSI Start [Local] 2023/07/01 22:50:56 237071 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:5839] Open SYSTEM\CurrentControlSet\Enum\SCSI 2023/07/01 22:50:56 237115 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:6086] Find unique IDs 2023/07/01 22:50:56 237219 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:6086] Find unique IDs 2023/07/01 22:50:56 237301 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:6216] User Activity Scan: GetConnectedUSBasSCSI end 2023/07/01 22:50:56 237307 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9270] User Activity Scan: Got connected USB as SCSI device 2023/07/01 22:50:56 237312 DEBUG [RegistryInfo.cpp->IsWindowsVistaOrHigher:3931] IsWindowsVistaOrHigher start 2023/07/01 22:50:56 237339 DEBUG 
[RegistryInfo.cpp->IsWindowsVistaOrHigher:4072] IsWindowsVistaOrHigher finished 2023/07/01 22:50:56 237343 DEBUG [RegistryInfo.cpp->GetShimCacheInfo:1809] GetShimCacheInfo local 2023/07/01 22:50:56 237346 DEBUG [RegistryInfo.cpp->GetShimCacheInfo:1818] User Activity Scan: GetShimCacheInfo opening key SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache 2023/07/01 22:50:56 237990 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 00720000071f003a 000a00004a610000 8664 Microsoft.MicrosoftEdge.Stable 8wekyb3d8bbwe 2023/07/01 22:50:56 238083 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0002000447940000 000a000042ee0000 8664 Microsoft.Wallet 8wekyb3d8bbwe 2023/07/01 22:50:56 238793 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 000a0000000203e8 000a000047ba0001 8664 windows.immersivecontrolpanel cw5n1h2txyewy neutral 2023/07/01 22:50:56 238880 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00015a0c00790000 000a0000585d0000 8664 Microsoft.YourPhone 8wekyb3d8bbwe 2023/07/01 22:50:56 238886 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0bb80372089f0000 000c000000000000 8664 Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 2023/07/01 22:50:56 238891 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 3e8537f653f20000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/01 22:50:56 238932 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 5721057900020000 000a000047ba0000 8664 Microsoft.StorePurchaseApp 8wekyb3d8bbwe 2023/07/01 22:50:56 238937 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 0bb80372089f0000 000c000000000000 8664 Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 
2023/07/01 22:50:56 239446 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0004089c33f70000 000a00004a610000 8664 Microsoft.549981C3F5F10 8wekyb3d8bbwe 2023/07/01 22:50:56 239488 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 000a00004a610749 000a00004a610749 8664 Microsoft.Windows.SecHealthUI cw5n1h2txyewy 2023/07/01 22:50:56 239492 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 03e84a6103e80000 000a00007fff0000 8664 MicrosoftWindows.Client.CBS cw5n1h2txyewy 2023/07/01 22:50:56 239630 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 000100d6047d0000 000a0000585d0000 014c SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/01 22:50:56 239635 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 000100d6047d0000 000a0000585d0000 8664 SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/01 22:50:56 239639 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 5721057900010000 000a0000585d0000 8664 Microsoft.WindowsStore 8wekyb3d8bbwe 2023/07/01 22:50:56 239713 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00010000f0970000 000a0000585d0000 8664 Microsoft.WebMediaExtensions 8wekyb3d8bbwe 2023/07/01 22:50:56 239877 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 07e7272e697a0000 000a00004a650000 8664 Microsoft.Windows.Photos 8wekyb3d8bbwe 2023/07/01 22:50:56 240044 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00920003043f0000 000a000047ba0000 8664 AD2F1837.HPPrinterControl v10z8vjag6ke6 2023/07/01 22:50:56 240048 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000a564b27390000 000a00004bc80000 8664 Microsoft.ZuneVideo 8wekyb3d8bbwe 
2023/07/01 22:50:56 240052 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000b090000000000 000a000055f00000 8664 Microsoft.WindowsAlarms 8wekyb3d8bbwe 2023/07/01 22:50:56 240628 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 3e8137f653cc0000 000a000047ba0000 8664 Microsoft.Office.OneNote 8wekyb3d8bbwe 2023/07/01 22:50:56 240633 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000609013ed70000 000a000047ba0000 8664 Microsoft.MSPaint 8wekyb3d8bbwe 2023/07/01 22:50:56 241328 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 07e7272e697a0000 000a000055f00000 8664 Microsoft.Windows.Photos 8wekyb3d8bbwe 2023/07/01 22:50:56 241345 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000503370cbd0000 000a000055f00000 8664 Microsoft.XboxGamingOverlay 8wekyb3d8bbwe 2023/07/01 22:50:56 241424 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 0001000e000a4a61 000a00004a610000 8664 Microsoft.Windows.Search cw5n1h2txyewy neutral 2023/07/01 22:50:56 241458 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 3e8537f653e80000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/01 22:50:56 241513 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00920002041f0000 000a000047ba0000 8664 AD2F1837.HPPrinterControl v10z8vjag6ke6 2023/07/01 22:50:56 241973 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 03e84a6103ff0000 000a0000295b0000 8664 Microsoft.AAD.BrokerPlugin cw5n1h2txyewy neutral 2023/07/01 22:50:56 242603 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 000100d502950000 000a0000585d0000 014c SpotifyAB.SpotifyMusic 
zpdnekdrzrea0 2023/07/01 22:50:56 242758 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 000a00004a6103ff 000a000000000000 8664 Microsoft.Windows.ContentDeliveryManager cw5n1h2txyewy neutral 2023/07/01 22:50:56 242996 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 000a00004a6103ff 000a00004a6103ff 8664 Microsoft.Windows.StartMenuExperienceHost cw5n1h2txyewy neutral 2023/07/01 22:50:56 243209 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 000100d502950000 000a0000585d0000 8664 SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/01 22:50:56 243213 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00920001043a0000 000a000047ba0000 8664 AD2F1837.HPPrinterControl v10z8vjag6ke6 2023/07/01 22:50:56 243364 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00010000a4d00000 000a00004a610000 8664 Microsoft.WebMediaExtensions 8wekyb3d8bbwe 2023/07/01 22:50:56 243457 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 3e8537f653e00000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/01 22:50:56 243461 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00015a02006c0000 000a0000585d0000 8664 Microsoft.YourPhone 8wekyb3d8bbwe 2023/07/01 22:50:56 243465 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00.UWPDesktop 8wekyb3d8bbwe 2023/07/01 22:50:56 243470 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00.UWPDesktop 8wekyb3d8bbwe 2023/07/01 22:50:56 243474 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 
00000000 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00 8wekyb3d8bbwe 2023/07/01 22:50:56 243479 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00 8wekyb3d8bbwe 2023/07/01 22:50:56 243483 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0012090104c60000 000a00004a610000 8664 Microsoft.MicrosoftOfficeHub 8wekyb3d8bbwe 2023/07/01 22:50:56 243488 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0bb8035306b00000 000c000000000000 8664 Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 2023/07/01 22:50:56 243492 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0066090136b20000 000a00004a610000 8664 Microsoft.6365217CE6EB4 8wekyb3d8bbwe 2023/07/01 22:50:56 243497 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 0bb8035306b00000 000c000000000000 8664 Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 2023/07/01 22:50:56 244217 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 5720057900030000 000a00004a650000 8664 Microsoft.WindowsStore 8wekyb3d8bbwe 2023/07/01 22:50:56 244408 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 3e8537f653d80000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/01 22:50:56 244596 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 00720000071f0025 000a00004a610000 8664 Microsoft.MicrosoftEdge.Stable 8wekyb3d8bbwe 2023/07/01 22:50:56 245197 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 03e84a6103ff0000 000a000000000000 8664 Microsoft.Windows.Apprep.ChxApp cw5n1h2txyewy neutral 2023/07/01 22:50:56 245227 DEBUG 
[RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 0001000e00094a61 000a00004a610000 8664 Microsoft.Windows.Search cw5n1h2txyewy neutral 2023/07/01 22:50:56 245347 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 07e70900000b0000 000a000055f00000 8664 Microsoft.WindowsCamera 8wekyb3d8bbwe 2023/07/01 22:50:56 245357 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 5720057900030000 000a0000585d0000 8664 Microsoft.WindowsStore 8wekyb3d8bbwe 2023/07/01 22:50:56 245362 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000100132b3f0000 000a000062200000 8664 Microsoft.DesktopAppInstaller 8wekyb3d8bbwe 2023/07/01 22:50:56 245437 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000b090000020000 000a000055f0015a 8664 Microsoft.ZuneMusic 8wekyb3d8bbwe 2023/07/01 22:50:56 245444 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000a089a001e0000 000a000045630000 8664 Microsoft.People 8wekyb3d8bbwe 2023/07/01 22:50:56 245514 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 300f057900010000 000a000047ba0000 8664 Microsoft.StorePurchaseApp 8wekyb3d8bbwe 2023/07/01 22:50:56 245521 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000a089a001f0000 000a000045630000 8664 Microsoft.People 8wekyb3d8bbwe 2023/07/01 22:50:56 247710 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 000100d403860000 000a0000585d0000 014c SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/01 22:50:56 247860 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 0071000006ee0039 000a00004a610000 8664 Microsoft.MicrosoftEdge.Stable 8wekyb3d8bbwe 2023/07/01 22:50:56 248051 DEBUG 
[RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000000 000100d403860000 000a0000585d0000 8664 SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/01 22:50:56 248068 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 3e8537f653c60000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/01 22:50:56 248073 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00040035c9050000 000a00004a610000 8664 Microsoft.BingWeather 8wekyb3d8bbwe 2023/07/01 22:50:56 248322 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 000a00004a61079d 000a00004a61079d 8664 Microsoft.Windows.ShellExperienceHost cw5n1h2txyewy neutral 2023/07/01 22:50:56 248658 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0030005961a90000 000a00003ad70000 8664 Microsoft.XboxApp 8wekyb3d8bbwe 2023/07/01 22:50:56 248662 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 300d057900080000 000a000047ba0000 8664 Microsoft.StorePurchaseApp 8wekyb3d8bbwe 2023/07/01 22:50:56 248666 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 07d0523b05020000 000a000045180000 8664 Microsoft.MixedReality.Portal 8wekyb3d8bbwe 2023/07/01 22:50:56 248670 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000c005f0bb90000 000a000045630000 8664 Microsoft.XboxIdentityProvider 8wekyb3d8bbwe 2023/07/01 22:50:56 248676 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0004000600000000 000a000047ba0000 8664 Microsoft.MicrosoftStickyNotes 8wekyb3d8bbwe 2023/07/01 22:50:56 248680 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000400100c440000 000a00004a610000 8664 Microsoft.MicrosoftSolitaireCollection 
8wekyb3d8bbwe 2023/07/01 22:50:56 248685 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 07e708fe000e0000 000a000055f00000 8664 Microsoft.WindowsCamera 8wekyb3d8bbwe 2023/07/01 22:50:56 248689 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000b08ff00050000 000a000055f00000 8664 Microsoft.WindowsMaps 8wekyb3d8bbwe 2023/07/01 22:50:56 249322 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000a07d80bb90000 000a000047ba0000 8664 Microsoft.ScreenSketch 8wekyb3d8bbwe 2023/07/01 22:50:56 249585 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00910003043e0000 000a000047ba0000 8664 AD2F1837.HPPrinterControl v10z8vjag6ke6 2023/07/01 22:50:56 249589 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000159f800ba0000 000a0000585d0000 8664 Microsoft.YourPhone 8wekyb3d8bbwe 2023/07/01 22:50:56 249593 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000159f800c40000 000a0000585d0000 8664 Microsoft.YourPhone 8wekyb3d8bbwe 2023/07/01 22:50:56 249598 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 571f057900070000 000a0000585d0000 8664 Microsoft.WindowsStore 8wekyb3d8bbwe 2023/07/01 22:50:56 249647 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 0012090004b20000 000a00004a610000 8664 Microsoft.MicrosoftOfficeHub 8wekyb3d8bbwe 2023/07/01 22:50:56 249734 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00040035c8350000 000a00004a610000 8664 Microsoft.BingWeather 8wekyb3d8bbwe 2023/07/01 22:50:56 249741 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00040035c8a10000 000a00004a610000 8664 Microsoft.BingWeather 8wekyb3d8bbwe 2023/07/01 
22:50:56 249813 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 00010000eef30000 000a0000585d0000 8664 Microsoft.HEIFImageExtension 8wekyb3d8bbwe 2023/07/01 22:50:56 249820 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 0000000b 0071000006ee0032 000a00004a610000 8664 Microsoft.MicrosoftEdge.Stable 8wekyb3d8bbwe 2023/07/01 22:50:56 250177 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1770] Unknown Shim Entry - App Name: 00000009 000a08ff2ad10000 000a000055f00000 8664 Microsoft.GetHelp 8wekyb3d8bbwe 2023/07/01 22:50:56 250337 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9273] User Activity Scan: Got Shim Cache 2023/07/01 22:50:56 250346 DEBUG [RegistryInfo.cpp->GetBAMInfo:1934] GetBAMInfo local 2023/07/01 22:50:56 250349 DEBUG [RegistryInfo.cpp->GetBAMInfo:1942] User Activity Scan: GetBAMInfo opening key SYSTEM\CurrentControlSet\Services\bam\State\UserSettings 2023/07/01 22:50:56 256673 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-2): 1332 2023/07/01 22:50:56 256808 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-3): 1332 2023/07/01 22:50:56 256959 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-4): 1332 2023/07/01 22:50:56 257082 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-5): 1332 2023/07/01 22:50:56 257245 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-6): 1332 2023/07/01 22:50:56 257368 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-7): 1332 2023/07/01 22:50:56 257491 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-8): 1332 2023/07/01 22:50:56 257644 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-9): 1332 2023/07/01 22:50:56 257667 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9276] User Activity Scan: Got BAM 2023/07/01 22:50:56 257671 DEBUG 
[RegistryInfo.cpp->GetBAMInfo:1934] GetBAMInfo local 2023/07/01 22:50:56 257674 DEBUG [RegistryInfo.cpp->GetBAMInfo:1942] User Activity Scan: GetBAMInfo opening key SYSTEM\CurrentControlSet\Services\dam\State\UserSettings 2023/07/01 22:50:56 257690 DEBUG [RegistryInfo.cpp->GetBAMInfo:1948] User Activity Scan: GetBAMInfo opening key SYSTEM\CurrentControlSet\Services\dam\UserSettings 2023/07/01 22:50:56 257701 DEBUG [RegistryInfo.cpp->GetBAMInfo:1954] User Activity Scan: GetBAMInfo couldn't open key 2023/07/01 22:50:56 257704 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9279] User Activity Scan: Got DAM 2023/07/01 22:50:56 258994 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:615] DPAPI emulator: using master key 34 : Blob GUID e31136dc-f5b0-4cf7-9c5e-6abd56fc6c8f 2023/07/01 22:50:56 258999 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:649] DPAPI emulator: useHashAlgo 32782 2023/07/01 22:50:56 259001 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:657] DPAPI emulator: DPAPIMasterkey not decrypted 2023/07/01 22:50:56 259736 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:765] DPAPI emulator: sha1 key FDAC2380CE5C61A51DC504E852CA6279C0712BB7 2023/07/01 22:50:56 273953 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:777] DPAPI emulator: pbkdf2hmac 33BD1C51E176227EA5F368F18B34EB5AB8C6CF6578E8AAC21B498100839BFCF5DC7C90C4F07F3D4726CB1F7F144335A3 2023/07/01 22:50:56 273984 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:997] DPAPI emulator: Data blob decryption successful with Masterkey 34: 4143493139313631303031414C00 2023/07/01 22:50:56 274080 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9283] User Activity Scan: Got connected Wireless 2023/07/01 22:50:56 274084 DEBUG [RegistryInfo.cpp->GetAmCacheInfo:6285] User Activity Scan: GetAmCacheInfo Start [local] 2023/07/01 22:50:56 274170 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A 
2023/07/01 22:50:56 274212 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/01 22:50:56 274215 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C
2023/07/01 22:50:56 274250 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA
2023/07/01 22:50:56 274255 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] CreateTempRegFileIfNeeded: DB
2023/07/01 22:50:56 274256 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC
2023/07/01 22:50:56 274326 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry
2023/07/01 22:50:56 274331 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume
2023/07/01 22:50:56 274401 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry
2023/07/01 22:50:56 274406 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client
2023/07/01 22:50:56 277453 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\
2023/07/01 22:50:56 277626 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\
2023/07/01 22:50:56 277631 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set
2023/07/01 22:50:57 441364 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt
2023/07/01 22:50:57 441371 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName
2023/07/01 22:50:57 441833 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit
2023/07/01 22:50:57 441838 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume
2023/07/01 22:50:57 441842 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy
2023/07/01 22:50:57 441845 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\WINDOWS\appcompat\Programs\AmCache.hve
2023/07/01 22:50:57 441848 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy16\WINDOWS\appcompat\Programs\AmCache.hve
2023/07/01 22:50:57 441858 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\8872\932723935BBEACA7AF94DA0223C32809
2023/07/01 22:50:58 037526 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/01 22:50:58 047561 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/01 22:50:58 051174 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/01 22:50:58 109830 DEBUG [RegistryInfo.cpp->GetAmCacheInfo:6527] User Activity Scan: GetAmCacheInfo Finish [OK]
2023/07/01 22:50:58 109841 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9288] User Activity Scan: Got AmCache
2023/07/01 22:50:58 109847 DEBUG [RegistryInfo.cpp->GetInstalledProgramsSystem:6534] User Activity Scan: GetInstalledPrograms Start [Local]
2023/07/01 22:50:58 126153 DEBUG [RegistryInfo.cpp->GetInstalledProgramsSystem:6741] User Activity Scan: GetInstalledPrograms done
2023/07/01 22:50:58 126160 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9291] User Activity Scan: Got installed programs system
2023/07/01 22:50:58 126163 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser:7096] User Activity Scan: GetInstalledProgramsUser Start [Local]
2023/07/01 22:50:58 126576 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser_Local:6760] User Activity Scan: GetInstalledProgramsUser couldn't open key [Software\Microsoft\Installer\Products]
2023/07/01 22:50:58 126588 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser_Local:6760] User Activity Scan: GetInstalledProgramsUser couldn't open key [Software\Microsoft\Windows\ShellNoRoam\MuiCache]
2023/07/01 22:50:58 128162 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser:7117] User Activity Scan: GetInstalledProgramsUser Finish [OK]
2023/07/01 22:50:58 128166 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9294] User Activity Scan: Got installed programs user
2023/07/01 22:50:58 128171 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1214] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/01 22:50:58 128175 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1233] User Activity Scan: GetAppCompatFlagsInfo opening key SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
2023/07/01 22:50:58 128196 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1291] User Activity Scan: GetAppCompatFlagsInfo done
2023/07/01 22:50:58 128199 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9306] User Activity Scan: Got AppCompatFlags system
2023/07/01 22:50:58 128201 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1214] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/01 22:50:58 128205 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1225] User Activity Scan: GetAppCompatFlagsInfo opening key Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
2023/07/01 22:50:58 128620 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1291] User Activity Scan: GetAppCompatFlagsInfo done
2023/07/01 22:50:58 128623 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9301] User Activity Scan: Got AppCompatFlags user
2023/07/01 22:50:58 128625 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1214] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/01 22:50:58 128629 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1225] User Activity Scan: GetAppCompatFlagsInfo opening key Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
2023/07/01 22:50:58 128641 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1239] User Activity Scan: GetAppCompatFlagsInfo couldn't open key
2023/07/01 22:50:58 128644 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9301] User Activity Scan: Got AppCompatFlags user
2023/07/01 22:50:58 128646 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1214] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/01 22:50:58 128651 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1225] User Activity Scan: GetAppCompatFlagsInfo opening key Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
2023/07/01 22:50:58 150648 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1291] User Activity Scan: GetAppCompatFlagsInfo done
2023/07/01 22:50:58 150655 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9301] User Activity Scan: Got AppCompatFlags user
2023/07/01 22:50:58 150659 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:574] User Activity Scan: GetAutoRunEntriesSystem Start [Local]
2023/07/01 22:50:58 150687 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:595] User Activity Scan: GetAutoRunEntriesSystem Open Software\Microsoft\Windows\CurrentVersion\Run
2023/07/01 22:50:58 150690 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:647] User Activity Scan: GetAutoRunEntriesSystem scan values local
2023/07/01 22:50:58 150736 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:682] User Activity Scan: GetAutoRunEntriesSystem scan values done
2023/07/01 22:50:58 150825 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:690] User Activity Scan: GetAutoRunEntriesSystem Open Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
2023/07/01 22:50:58 150865 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:780] User Activity Scan: GetAutoRunEntriesSystem Open Software\Microsoft\Windows\CurrentVersion\RunOnce
2023/07/01 22:50:58 150868 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:829] User Activity Scan: GetAutoRunEntriesSystem scan values local
2023/07/01 22:50:58 150950 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:864] User Activity Scan: GetAutoRunEntriesSystem scan values done
2023/07/01 22:50:58 150956 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:870] User Activity Scan: GetAutoRunEntriesSystem done
2023/07/01 22:50:58 150990 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9312] User Activity Scan: Got autorun entries system
2023/07/01 22:50:58 150994 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:893] User Activity Scan: GetAutoRunEntriesUser Start [Local]
2023/07/01 22:50:58 151032 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:913] User Activity Scan: GetAutoRunEntriesUser Open Software\Microsoft\Windows NT\CurrentVersion\Run
2023/07/01 22:50:58 151110 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:1008] User Activity Scan: GetAutoRunEntriesUser Open Software\Microsoft\Windows\CurrentVersion\Run
2023/07/01 22:50:58 151115 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:1059] User Activity Scan: GetAutoRunEntriesUser scan values local
2023/07/01 22:50:58 151221 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:1092] User Activity Scan: GetAutoRunEntriesUser scan values done