g3log created log at: Thu Jul 13 13:02:38 2023
LOG format: [YYYY/MM/DD hh:mm:ss uuu* LEVEL FILE->FUNCTION:LINE] message
(uuu*: microseconds fractions of the seconds value)
2023/07/13 13:02:38 195643 DEBUG [OSForensics.cpp->CheckRunInUSBMode:2748] LOGGER NOT INITIALIZED: CheckRunInUSBMode: Not Running from Removable DriveCheckRunInUSBMode: Not Running from Removable Drive
2023/07/13 13:03:08 878935 DEBUG [OSForensics.cpp->wWinMain:231] DEBUG: Starting...
2023/07/13 13:03:08 879007 DEBUG [OSForensics.cpp->wWinMain:237] DEBUG: 2023/7/13, 13:3:8
2023/07/13 13:03:08 879011 DEBUG [OSForensics.cpp->wWinMain:241] DEBUG: OSForensics 10.0 build 1014 64-bit
2023/07/13 13:03:08 879231 DEBUG [OSForensics.cpp->wWinMain:249] DEBUG OS: Windows 10 Home build 19045 (64-bit)
2023/07/13 13:03:08 879239 DEBUG [OSForensics.cpp->wWinMain:251] DEBUG Path: F:\OSForensics
2023/07/13 13:03:08 879242 DEBUG [OSForensics.cpp->wWinMain:259] Date: 07/13/23 13:03:08
2023/07/13 13:03:08 881325 DEBUG [OSForensics.cpp->wWinMain:275] Main: Regproc check
2023/07/13 13:03:09 011268 DEBUG [OSForensics.cpp->wWinMain:315] Main: Set security OK
2023/07/13 13:03:09 011281 DEBUG [OSForensics.cpp->wWinMain:327] Main: Creating temp folder C:\ProgramData\PassMark\OSForensics\Temp\6108
2023/07/13 13:03:09 014706 DEBUG [OSForensics.cpp->wWinMain:344] Main: Available phys mem: 10459971584
2023/07/13 13:03:09 014884 DEBUG [OSForensics.cpp->wWinMain:385] Main: Load OSF config
2023/07/13 13:03:09 057118 DEBUG [OSForensics.cpp->wWinMain:422] Main: Init OSFMount interface OK
2023/07/13 13:03:09 063884 DEBUG [OSForensics.cpp->wWinMain:453] Main: Init direct access OK
2023/07/13 13:03:09 193648 DEBUG [OSForensics.cpp->wWinMain:513] Main: Register disk events
2023/07/13 13:03:09 193790 DEBUG [OSForensics.cpp->wWinMain:523] Main: init dialog
2023/07/13 13:03:09 193795 DEBUG [OSForensics.cpp->InitDialog:1225] Init main dialog
2023/07/13 13:03:09 272125 DEBUG [CfgMain.cpp->InitCfgMain:399] CfgMain: Creating start window
2023/07/13 13:03:09 286160 DEBUG [CfgMain.cpp->InitCfgMain:402] CfgMain: Creating signature window
2023/07/13 13:03:09 288552 DEBUG [CfgMain.cpp->InitCfgMain:411] CfgMain: Creating FileHashing window
2023/07/13 13:03:09 292993 DEBUG [CfgFileHashing.cpp->FileHashingWindow::InitWindow:259] FileHashing: Creating Hash Sets Tab
2023/07/13 13:03:09 308761 DEBUG [CfgFileHashing.cpp->FileHashingWindow::InitWindow:261] FileHashing: Creating Create Hash Tab
2023/07/13 13:03:09 354394 DEBUG [CfgMain.cpp->InitCfgMain:424] CfgMain: Creating file name search window
2023/07/13 13:03:09 444349 DEBUG [CfgMain.cpp->InitCfgMain:426] CfgMain: Creating mismatch search window
2023/07/13 13:03:09 468154 DEBUG [CfgMain.cpp->InitCfgMain:428] CfgMain: Creating create index window
2023/07/13 13:03:09 469227 DEBUG [CfgMain.cpp->InitCfgMain:430] CfgMain: Creating search index window
2023/07/13 13:03:09 479947 DEBUG [CfgMain.cpp->InitCfgMain:432] CfgMain: Creating user activity window
2023/07/13 13:03:09 492678 DEBUG [CfgMain.cpp->InitCfgMain:434] CfgMain: Creating deleted file search window
2023/07/13 13:03:09 516461 DEBUG [CfgMain.cpp->InitCfgMain:436] CfgMain: Creating mem viewer window
2023/07/13 13:03:09 517844 DEBUG [CfgMain.cpp->InitCfgMain:438] CfgMain: Creating prefetch viewer window
2023/07/13 13:03:09 519846 DEBUG [CfgMain.cpp->InitCfgMain:441] CfgMain: Creating raw disk viewer window
2023/07/13 13:03:09 525373 DEBUG [CfgMain.cpp->InitCfgMain:443] CfgMain: Creating sys info window
2023/07/13 13:03:09 536861 DEBUG [CfgMain.cpp->InitCfgMain:445] CfgMain: Creating drive prep window
2023/07/13 13:03:09 552003 DEBUG [CfgMain.cpp->InitCfgMain:447] CfgMain: Creating password window
2023/07/13 13:03:09 562379 DEBUG [CfgMain.cpp->InitCfgMain:449] CfgMain: Creating forensic imaging window
2023/07/13 13:03:09 563891 DEBUG [CfgMain.cpp->InitCfgMain:451] CfgMain: Creating boot virtual machine window
2023/07/13 13:03:09 565329 DEBUG [CfgMain.cpp->InitCfgMain:455] CfgMain: Creating Mobile Artifact window
2023/07/13 13:03:09 572118 DEBUG [CfgMain.cpp->InitCfgMain:457] CfgMain: Creating remote acquisition window
2023/07/13 13:03:09 586283 DEBUG [CfgMain.cpp->InitCfgMain:465] CfgMain: Creating manage case window
2023/07/13 13:03:09 604279 DEBUG [CfgMain.cpp->InitCfgMain:469] CfgMain: Creating triage window
2023/07/13 13:03:09 626982 DEBUG [CfgMain.cpp->InitCfgMain:472] CfgMain: set focus
2023/07/13 13:03:09 650507 DEBUG [OSForensics.cpp->InitDialog:1245] Init main dialog finished
2023/07/13 13:03:09 650514 DEBUG [OSForensics.cpp->wWinMain:527] Main: show window
2023/07/13 13:03:09 704198 DEBUG [OSForensics.cpp->wWinMain:546] Main: set Foreground
2023/07/13 13:03:09 704234 DEBUG [OSForensics.cpp->wWinMain:557] Main: PopFileInitialize
2023/07/13 13:03:09 704342 DEBUG [OSForensics.cpp->wWinMain:575] Main: Display welcome
2023/07/13 13:03:09 708856 DEBUG [OSForensics.cpp->wWinMain:589] Main: SubCheck
2023/07/13 13:03:12 149146 DEBUG [OSForensics.cpp->wWinMain:839] CaseManagementInitWindow: No case successfully loaded.
Setting default drive to C:\
2023/07/13 13:03:12 151270 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:419] Pswd: Creating Passwords & keys tab
2023/07/13 13:03:12 151275 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:421] Pswd: Creating Windows Login tab
2023/07/13 13:03:12 166537 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:423] Pswd: Initializing rainbow
2023/07/13 13:03:12 166668 DEBUG [main.cpp->initRainbowCrack:152] Rainbow: Loading charsets from C:\ProgramData\PassMark\OSForensics\RainbowTables\charset.txt
2023/07/13 13:03:12 166797 DEBUG [main.cpp->initRainbowCrack:158] Rainbow: Initializing SSL
2023/07/13 13:03:12 166800 DEBUG [main.cpp->initRainbowCrack:160] Rainbow: Initializing SSL
2023/07/13 13:03:12 167567 DEBUG [main.cpp->initRainbowCrack:173] Rainbow: Initializing Rainbow Table
2023/07/13 13:03:12 167571 DEBUG [main.cpp->initRainbowCrack:175] Rainbow: Initializing RainbowTable
2023/07/13 13:03:12 167575 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:425] Pswd: Creating Rainbow Generate tab
2023/07/13 13:03:12 240877 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:427] Pswd: Creating Rainbow Retrieval tab
2023/07/13 13:03:12 255540 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:429] Pswd: Creating Decryption tab
2023/07/13 13:03:12 278247 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:431] Pswd: Creating Install PFX tab
2023/07/13 13:03:12 293311 DEBUG [CfgSignature.cpp->SignatureWindow::InitWindow:200] Sig: Creating create sig tab
2023/07/13 13:03:12 306671 DEBUG [CfgSignature.cpp->SignatureWindow::InitWindow:202] Sig: Creating compare sig tab
2023/07/13 13:03:12 327970 DEBUG [OSForensics.cpp->wWinMain:853] CaseManagementInitWindow: Message loop
2023/07/13 13:03:21 298050 DEBUG [misc.cpp->RefreshPhysicalDisks:5478] Refresh Disks: sysinfo get partition info
2023/07/13 13:03:21 758974 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive0
2023/07/13 13:03:21 759544 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/07/13 13:03:21 763934 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=2048)
2023/07/13 13:03:21 768994 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=234438656,NumSec=2992)
2023/07/13 13:03:21 775013 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/07/13 13:03:21 775063 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive1
2023/07/13 13:03:21 775783 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/07/13 13:03:21 777211 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=34)
2023/07/13 13:03:21 780139 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=1953521664,NumSec=3504)
2023/07/13 13:03:21 831175 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/07/13 13:03:21 854968 DEBUG [CfgRecent.cpp->DoSort:2850] User Activity Scan: Sorting
2023/07/13 13:03:26 791735 DEBUG [CfgRecent.cpp->OnScan:3516] User Activity Scan: Begin
2023/07/13 13:03:26 791774 DEBUG [OSFActivityMonitor.cpp->OSFActivityMonitor::StartTask:198] Activity Monitor: Task Started (User Activity)
2023/07/13 13:03:26 791789 DEBUG [CfgRecent.cpp->OnScan:3523] User Activity Scan started on live machine
2023/07/13 13:03:26 809551 DEBUG [CfgRecent.cpp->OnScan:3665] User Activity Scan: Available phys mem: 10444394496
2023/07/13 13:03:26 809558 DEBUG [CfgRecent.cpp->OnScan:3672] User Activity Scan: Allocating MRUList
2023/07/13 13:03:26 809590 DEBUG [CfgRecent.cpp->OnScan:3674] User Activity Scan: Allocating installList
2023/07/13 13:03:26 809602 DEBUG [CfgRecent.cpp->OnScan:3676] User Activity Scan: Allocating autoRunList
2023/07/13 13:03:26 809671 DEBUG [CfgRecent.cpp->OnScan:3678] User Activity Scan: Allocating ClipboardList
2023/07/13 13:03:26 809686 DEBUG [CfgRecent.cpp->OnScan:3680] User Activity Scan: Allocating EventList
2023/07/13 13:03:26 809699 DEBUG [CfgRecent.cpp->OnScan:3682] User Activity Scan: Allocating userAssistList
2023/07/13 13:03:26 809737 DEBUG [CfgRecent.cpp->OnScan:3684] User Activity Scan: Allocating jumpListList
2023/07/13 13:03:26 809781 DEBUG [CfgRecent.cpp->OnScan:3686] User Activity Scan: Allocating shellBagList
2023/07/13 13:03:26 809823 DEBUG [CfgRecent.cpp->OnScan:3688] User Activity Scan: Allocating TimelineDBList
2023/07/13 13:03:26 809864 DEBUG [CfgRecent.cpp->OnScan:3690] User Activity Scan: Allocating CortanaList
2023/07/13 13:03:26 809906 DEBUG [CfgRecent.cpp->OnScan:3692] User Activity Scan: Allocating RecycleBinList
2023/07/13 13:03:26 809946 DEBUG [CfgRecent.cpp->OnScan:3694] User Activity Scan: Allocating ShimCacheList
2023/07/13 13:03:26 809987 DEBUG [CfgRecent.cpp->OnScan:3696] User Activity Scan: Allocating SRUMDBList
2023/07/13 13:03:26 810026 DEBUG [CfgRecent.cpp->OnScan:3698] User Activity Scan: Allocating prefetchList
2023/07/13 13:03:26 810068 DEBUG [CfgRecent.cpp->OnScan:3700] User Activity Scan: Allocating winsearchList
2023/07/13 13:03:26 810109 DEBUG [CfgRecent.cpp->OnScan:3702] User Activity Scan: Allocating gBAMList
2023/07/13 13:03:26 810149 DEBUG [CfgRecent.cpp->OnScan:3704] User Activity Scan: Allocating gAntiForensicsList
2023/07/13 13:03:26 810189 DEBUG [CfgRecent.cpp->OnScan:3709] User Activity Scan: Available phys mem: 10444390400
2023/07/13 13:03:26 810192 DEBUG [CfgRecent.cpp->OnScan:3711] User Activity Scan: Allocating downloadList
2023/07/13 13:03:26 810233 DEBUG [CfgRecent.cpp->OnScan:3713] User Activity Scan: Allocating urlList
2023/07/13 13:03:26 810268 DEBUG [CfgRecent.cpp->OnScan:3715] User Activity Scan: Allocating SearchTermList
2023/07/13 13:03:26 810308 DEBUG [CfgRecent.cpp->OnScan:3717] User Activity Scan: Allocating LoginList
2023/07/13 13:03:26 810531 DEBUG [CfgRecent.cpp->OnScan:3719] User Activity Scan: Allocating formList
2023/07/13 13:03:26 810572 DEBUG [CfgRecent.cpp->OnScan:3721] User Activity Scan: Allocating bookmarkList
2023/07/13 13:03:26 810610 DEBUG [CfgRecent.cpp->OnScan:3723] User Activity Scan: Allocating ChatList
2023/07/13 13:03:26 810649 DEBUG [CfgRecent.cpp->OnScan:3725] User Activity Scan: Allocating P2PList
2023/07/13 13:03:26 810688 DEBUG [CfgRecent.cpp->OnScan:3727] User Activity Scan: Allocating wlanList
2023/07/13 13:03:26 810728 DEBUG [CfgRecent.cpp->OnScan:3729] User Activity Scan: Allocating gCryptocurrencyList
2023/07/13 13:03:26 810769 DEBUG [CfgRecent.cpp->OnScan:3731] User Activity Scan: Allocating cookieList
2023/07/13 13:03:26 810805 DEBUG [CfgRecent.cpp->OnScan:3733] User Activity Scan: Allocating Custom Dictionary List
2023/07/13 13:03:26 810845 DEBUG [CfgRecent.cpp->OnScan:3738] User Activity Scan: Available phys mem: 10444390400
2023/07/13 13:03:26 810848 DEBUG [CfgRecent.cpp->OnScan:3740] User Activity Scan: Allocating UsbList
2023/07/13 13:03:26 810884 DEBUG [CfgRecent.cpp->OnScan:3742] User Activity Scan: Allocating mountedVolList
2023/07/13 13:03:26 810924 DEBUG [CfgRecent.cpp->OnScan:3744] User Activity Scan: Allocating MobileBackupList
2023/07/13 13:03:26 813184 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7597] GetLocalFolderNames: check SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
2023/07/13 13:03:26 813193 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7601] GetLocalFolderNames: Key loaded successfully
2023/07/13 13:03:26 813206 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7621] GetLocaFolderNames: DocumentsAndSettingsLocalName Users
2023/07/13 13:03:26 813214 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7643] GetLocaFolderNames: CommonAppDataLocalName ProgramData
2023/07/13 13:03:26 813223 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7670] GetLocalFolderNames: Could not query "{374DE290-123F-4565-9164-39C4925E467B}"
2023/07/13 13:03:26 813230 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7692] GetLocalFolderNames: Could not query "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
2023/07/13 13:03:26 813242 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7714] GetLocalFolderNames: Could not query "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
2023/07/13 13:03:26 813252 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/13 13:03:26 813314 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/13 13:03:26 813318 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3212] CreateTempRegFileIfNeeded: Error - file handle invalid (3)
2023/07/13 13:03:26 813330 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7792] GetLocaFolderNames: Registry Info: Could not load C:\Windows.old\Windows\System32\Config\SOFTWARE
2023/07/13 13:03:26 813378 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8255] GetLocaFolderNames: Getting folder locations based on current user C:\Users\User
2023/07/13 13:03:26 813460 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8274] GetLocaFolderNames: AppDataLocalName AppData\Roaming
2023/07/13 13:03:26 813468 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8293] GetLocaFolderNames: LocalAppDataLocalName AppData\Local
2023/07/13 13:03:26 813539 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8313] GetLocaFolderNames: HistoryLocalName AppData\Local\Microsoft\Windows\History
2023/07/13 13:03:26 813576 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8334] GetLocaFolderNames: RecentLocalName AppData\Roaming\Microsoft\Windows\Recent
2023/07/13 13:03:26 813615 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8345] GetLocalFolderNames: check local registry for "Local Settings"
2023/07/13 13:03:26 813694 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8759] LocalOSEnv::GetNextUser_Windows_Old start
2023/07/13 13:03:26 813730 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8885] LocalOSEnv::GetNextUser_Windows_Old get appdata dir
2023/07/13 13:03:26 813737 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8895] LocalOSEnv::GetNextUser_Windows_Old C:\Users\User\AppData\Local
2023/07/13 13:03:26 813845 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8920] LocalOSEnv::GetNextUser_Windows_Old Could not find Windows.old directory
2023/07/13 13:03:26 813883 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8514] GetLocalFolderNames end (detected OS: WinXP)
2023/07/13 13:03:26 813969 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:642] Password recovery: GetWindowsPasswordHashes start
2023/07/13 13:03:26 814013 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:826] Password recovery: GetWindowsPasswordHashes Live system drive
2023/07/13 13:03:26 814590 DEBUG [RegistryPasswords.cpp->DecryptHashes:2248] Password recovery: DecryptHashes start
2023/07/13 13:03:31 429671 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:227] Password recovery: GetCachedDomainUsers open C:\Windows\System32\Config\security
2023/07/13 13:03:31 429680 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/13 13:03:31 429750 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/13 13:03:31 429754 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C
2023/07/13 13:03:31 429816 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA
2023/07/13 13:03:31 429821 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] CreateTempRegFileIfNeeded: DB
2023/07/13 13:03:31 429823 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC
2023/07/13 13:03:31 429844 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry
2023/07/13 13:03:31 429920 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume
2023/07/13 13:03:31 429934 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry
2023/07/13 13:03:31 429938 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client
2023/07/13 13:03:31 535558 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\
2023/07/13 13:03:31 540419 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\
2023/07/13 13:03:31 540432 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set
2023/07/13 13:03:33 091252 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt
2023/07/13 13:03:33 091269 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName
2023/07/13 13:03:33 092195 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit
2023/07/13 13:03:33 092202 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume
2023/07/13 13:03:33 092205 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy
2023/07/13 13:03:33 092208 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\Windows\System32\Config\security
2023/07/13 13:03:33 092218 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\security
2023/07/13 13:03:33 092229 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\6108\7BF3CE7C9DC6F1EC11D70AC3ADB400B8
2023/07/13 13:03:33 109144 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/13 13:03:33 113786 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/13 13:03:33 113907 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/13 13:03:33 114025 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:263] Password recovery: GetCachedDomainUsers 1
2023/07/13 13:03:33 114061 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:303] Password recovery: GetCachedDomainUsers 2
2023/07/13 13:03:33 114218 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:331] Password recovery: GetCachedDomainUsers 3
2023/07/13 13:03:33 114242 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:375] Password recovery: GetCachedDomainUsers 4
2023/07/13 13:03:33 114372 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:409] Password recovery: GetCachedDomainUsers 5
2023/07/13 13:03:33 114382 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:436] Password recovery: GetCachedDomainUsers 6
2023/07/13 13:03:33 114385 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:561] Password recovery: GetCachedDomainUsers done
2023/07/13 13:03:33 114388 DEBUG [RegistryPasswords.cpp->GetCachedDomainUsers:568] Password recovery: GetCachedDomainUsers cleaned up
2023/07/13 13:03:33 114683 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:915] Password recovery: GetWindowsPasswordHashes end
2023/07/13 13:03:33 114690 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:642] Password recovery: GetWindowsPasswordHashes start
2023/07/13 13:03:33 114701 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:698] Password recovery: GetWindowsPasswordHashes registryFile: C:\Windows.old\Windows\System32\Config\SYSTEM
2023/07/13 13:03:33 114752 DEBUG [RegistryPasswords.cpp->GetWindowsPasswordHashes:703] User Activity Scan: GetWindowsPasswordHashes file not found
2023/07/13 13:03:33 114836 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:39] GetSystemPWfromLSASecrets start
2023/07/13 13:03:33 114959 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/13 13:03:33 115053 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/13 13:03:33 115058 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C
2023/07/13 13:03:33 115099 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA
2023/07/13 13:03:33 115104 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] CreateTempRegFileIfNeeded: DB
2023/07/13 13:03:33 115107 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC
2023/07/13 13:03:33 115144 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry
2023/07/13 13:03:33 115148 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume
2023/07/13 13:03:33 115224 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry
2023/07/13 13:03:33 115297 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client
2023/07/13 13:03:33 118548 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\
2023/07/13 13:03:33 118751 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\
2023/07/13 13:03:33 118757 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set
2023/07/13 13:03:33 932887 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt
2023/07/13 13:03:33 932896 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName
2023/07/13 13:03:33 933850 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit
2023/07/13 13:03:33 933857 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume
2023/07/13 13:03:33 933861 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy
2023/07/13 13:03:33 933864 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\Windows\System32\config\SYSTEM
2023/07/13 13:03:33 933867 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM
2023/07/13 13:03:33 933878 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\6108\8F337D42B54B75C4007A892D5DDC3F83
2023/07/13 13:03:34 102283 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/13 13:03:34 107152 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/13 13:03:34 107265 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/13 13:03:34 107272 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/07/13 13:03:34 107327 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/07/13 13:03:34 107330 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C
2023/07/13 13:03:34 107373 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA
2023/07/13 13:03:34 107377 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] CreateTempRegFileIfNeeded: DB
2023/07/13 13:03:34 107380 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC
2023/07/13 13:03:34 107413 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry
2023/07/13 13:03:34 107417 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume
2023/07/13 13:03:34 107422 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry
2023/07/13 13:03:34 107453 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client
2023/07/13 13:03:34 110057 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\
2023/07/13 13:03:34 110248 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\
2023/07/13 13:03:34 110254 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set
2023/07/13 13:03:34 950612 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt
2023/07/13 13:03:34 950619 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName
2023/07/13 13:03:34 951569 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit
2023/07/13 13:03:34 951574 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume
2023/07/13 13:03:34 951578 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy
2023/07/13 13:03:34 951581 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\Windows\System32\config\SECURITY
2023/07/13 13:03:34 951584 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SECURITY
2023/07/13 13:03:34 951596 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\6108\9252EB97A379014387027E5488A602AC
2023/07/13 13:03:34 968714 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/13 13:03:34 972680 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/13 13:03:34 972806 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/13 13:03:34 979444 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:181] Opening keys in : ControlSet001\Control\Lsa
2023/07/13 13:03:34 979662 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:244] Opening key: Policy\PolRevision
2023/07/13 13:03:34 979682 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:279] Policy revision: 1.2
2023/07/13 13:03:34 979685 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:287] Opening key: Policy\PolEKList
2023/07/13 13:03:34 979695 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:645] decryptLSAKeyNT6 start (lsa len: 172, syskey len: 16)
2023/07/13 13:03:34 979804 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:739] pt len = 96
2023/07/13 13:03:34 979806 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:750] key size = 84
2023/07/13 13:03:34 979813 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:784] nb = 1
2023/07/13 13:03:34 980029 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:816] [0] t = 3, l = 32
2023/07/13 13:03:34 980120 DEBUG [LSASecrets.cpp->decryptLSAKeyNT6:837] decryptLSAKeyNT6 end
2023/07/13 13:03:34 980172 DEBUG [LSASecrets.cpp->decryptLSASecret:525] decryptLSASecret start
2023/07/13 13:03:34 980247 DEBUG [LSASecrets.cpp->decryptLSASecret:639] decryptLSASecret end
2023/07/13 13:03:34 980256 DEBUG [LSASecrets.cpp->decryptLSASecret:525] decryptLSASecret start
2023/07/13 13:03:34 980325 DEBUG [LSASecrets.cpp->decryptLSASecret:639] decryptLSASecret end
2023/07/13 13:03:34 980382 DEBUG [LSASecrets.cpp->decryptLSASecret:525] decryptLSASecret start
2023/07/13 13:03:34 980470 DEBUG [LSASecrets.cpp->decryptLSASecret:639] decryptLSASecret end
2023/07/13 13:03:34 980544 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:517] GetSystemPWfromLSASecrets end
2023/07/13 13:03:34 981209 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:39] GetSystemPWfromLSASecrets start
2023/07/13 13:03:34 981401 DEBUG [RegViewer.cpp->RegViewer::LoadFile:2838] Could not open file, error: 3
2023/07/13 13:03:34 981406 DEBUG [LSASecrets.cpp->GetSystemPWfromLSASecrets:129] GetSystemPWfromLSASecrets end - Couldn't open registry hive
2023/07/13 13:03:34 981423 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::DPAPIEmulator:99] using DPAPISystemToken (0)
2023/07/13 13:03:34 981432 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/13 13:03:34 981435 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8559] LocalOSEnv::GetNextUser xp check
2023/07/13 13:03:34 981510 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8566] LocalOSEnv::GetNextUser cleanup profile path
2023/07/13 13:03:34 981519 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0
2023/07/13 13:03:34 981521 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation C:\
2023/07/13 13:03:34 981577 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8611] LocalOSEnv::GetNextUser win7/mac check
2023/07/13 13:03:34 981631 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path C:\Users\*
2023/07/13 13:03:34 981634 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next
2023/07/13 13:03:34 981706 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/13 13:03:34 981712 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 981714 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] .
2023/07/13 13:03:34 981751 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 981822 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] ..
2023/07/13 13:03:34 981829 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 981899 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] All Users
2023/07/13 13:03:34 981905 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/13 13:03:34 982048 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/13 13:03:34 982055 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/13 13:03:34 982125 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 982130 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Default
2023/07/13 13:03:34 982133 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/13 13:03:34 982203 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/13 13:03:34 982208 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/13 13:03:34 982277 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 982283 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Default User
2023/07/13 13:03:34 982286 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/13 13:03:34 982359 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/13 13:03:34 982429 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/13 13:03:34 982434 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 982437 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] desktop.ini
2023/07/13 13:03:34 982466 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 982469 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Public
2023/07/13 13:03:34 982471 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/13 13:03:34 982543 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/13 13:03:34 982547 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/07/13 13:03:34 982549 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/07/13 13:03:34 982556 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] User
2023/07/13 13:03:34 982581 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/07/13 13:03:34 982788 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\1364fb9a-90d0-49d6-9cde-0680120fe0af
2023/07/13 13:03:34 985454 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\204e7ad4-f85d-48d8-8dcb-54b860a55f81
2023/07/13 13:03:34 986156 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\4838034f-dd34-4293-829b-99f75b0608c0
2023/07/13 13:03:34 987159 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\5baba3fc-72fc-4c20-82f6-806eefb9ca37
2023/07/13 13:03:34 987873 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\6149bc79-de93-4f07-a8c1-40fd701bba95
2023/07/13 13:03:34 988586 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\61775497-a204-41de-bf98-0e5880e7a6f2
2023/07/13 13:03:34 989196 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\646e1ef2-d412-4012-acf5-5fa1674979cf
2023/07/13 13:03:34 990045 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\813ac69a-15e8-4c95-8c7b-14b0fc71605a
2023/07/13 13:03:34 990766 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\95eb7a08-b147-48b4-8300-b5aa4b43d9af
2023/07/13 13:03:34 991360 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\9e6ae495-a7f3-4eda-aec8-907d779d75aa
2023/07/13 13:03:34 993786 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\f46b943c-dfe2-4aea-a69b-aa9d731511e6
2023/07/13 13:03:34 996271 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-3433735131-2610830180-146811263-1001\f5a23ee7-1eb4-46dd-b17e-8f63726cde65
2023/07/13 13:03:34 997189 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/07/13 13:03:34 997204 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8586] LocalOSEnv::GetNextUser close handle
2023/07/13 13:03:34 997223 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0
2023/07/13 13:03:34 997227 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation C:\ 2023/07/13 13:03:34 997398 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8626] LocalOSEnv::GetNextUser ubununtu check 2023/07/13 13:03:34 997478 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path C:\home\* 2023/07/13 13:03:34 997481 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/07/13 13:03:34 997484 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0 2023/07/13 13:03:34 997486 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation C:\ 2023/07/13 13:03:34 997558 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path 2023/07/13 13:03:34 997561 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/07/13 13:03:34 997564 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8743] LocalOSEnv::GetNextUser end 2023/07/13 13:03:34 997711 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\03f95ae3-6db4-4482-b476-e89db1f73808 2023/07/13 13:03:34 998285 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:34 998312 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\19fe09c1-04a2-4ddd-bdff-03f493f410e1 2023/07/13 13:03:35 000968 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 001315 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\1cb44743-fed7-4fb5-be5b-364d20be132f 2023/07/13 13:03:35 002016 DEBUG 
[DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 002048 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\3d5f12eb-2a33-4361-9674-b1098b1fad81 2023/07/13 13:03:35 004317 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 004350 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\5a9cafc1-139a-468f-81b1-7a815726efb5 2023/07/13 13:03:35 004941 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 004973 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\61363162-2599-48cd-81fe-85fa20b9c0f0 2023/07/13 13:03:35 007091 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 007124 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\66447004-a0e5-4a56-bade-d9200d4fe823 2023/07/13 13:03:35 007700 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 007733 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\7621f9b8-0ed0-423e-b192-01001ee54211 2023/07/13 13:03:35 009813 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 010244 DEBUG 
[DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\90dc85cd-4fce-4eac-99cd-ca86c2c064d7 2023/07/13 13:03:35 012877 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 012917 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\b3497bb5-9fe2-456b-9f73-d749acf416fc 2023/07/13 13:03:35 015575 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 015610 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\cd95054d-8c0e-4f26-a42b-4d45cde7073e 2023/07/13 13:03:35 018279 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 018314 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\d9fd3abf-b694-46bf-9563-e1a3139fb5e9 2023/07/13 13:03:35 020491 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 020539 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\fec2c25a-e53e-4b3c-9461-4e0b769a29d7 2023/07/13 13:03:35 022997 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 023182 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\25f362bb-240b-49de-bfb0-702dce299208 
2023/07/13 13:03:35 023762 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 023795 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\3411840e-c54e-464e-8e1a-bdd1e0d2a755 2023/07/13 13:03:35 024334 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 024361 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\37305382-59b1-48c8-ab7e-2b1ae7487c47 2023/07/13 13:03:35 492969 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 493010 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\4ded6254-7a79-494f-9281-1cd1ce58094a 2023/07/13 13:03:35 495312 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 495896 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5812b1c1-e9aa-4e4b-bddf-1a45f61c0104 2023/07/13 13:03:35 496659 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 496692 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5ac75647-5556-44eb-af54-98ca59c1fc6b 2023/07/13 13:03:35 498998 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 
2023/07/13 13:03:35 499036 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\83d03260-0b4a-447d-8281-306f3ff71553 2023/07/13 13:03:35 659623 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 659661 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\a4ab9305-1480-45dc-8769-640a3f7aba3f 2023/07/13 13:03:35 661980 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 662016 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\aac7f893-1c8b-4e2c-9d40-95dba8b94cdb 2023/07/13 13:03:35 664900 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 664937 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e31136dc-f5b0-4cf7-9c5e-6abd56fc6c8f 2023/07/13 13:03:35 667306 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 667343 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e4c77d25-4d09-4543-817d-dbd31abf03e8 2023/07/13 13:03:35 667959 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 667989 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - 
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f482c7a6-e354-4812-941f-77321ddefe5d 2023/07/13 13:03:35 670476 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 670519 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f87b443f-06d6-42cd-8b7e-14e9da15b7c0 2023/07/13 13:03:35 671120 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/07/13 13:03:35 671245 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8759] LocalOSEnv::GetNextUser_Windows_Old start 2023/07/13 13:03:35 671249 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8779] LocalOSEnv::GetNextUser_Windows_Old xp check 2023/07/13 13:03:35 671296 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8786] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/07/13 13:03:35 671299 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/07/13 13:03:35 671301 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation C:\ 2023/07/13 13:03:35 671373 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8831] LocalOSEnv::GetNextUser_Windows_Old win7/mac check 2023/07/13 13:03:35 671419 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path C:\Windows.old\Users\* 2023/07/13 13:03:35 671422 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/07/13 13:03:35 671424 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/07/13 13:03:35 671426 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old 
GetVolumeInformation C:\ 2023/07/13 13:03:35 671465 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8846] LocalOSEnv::GetNextUser_Windows_Old ubununtu check 2023/07/13 13:03:35 671499 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path C:\old\home\* 2023/07/13 13:03:35 671503 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/07/13 13:03:35 671504 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/07/13 13:03:35 671506 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation C:\ 2023/07/13 13:03:35 671544 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/07/13 13:03:35 671547 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/07/13 13:03:35 671549 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8987] LocalOSEnv::GetNextUser_Windows_Old end 2023/07/13 13:03:35 671579 DEBUG [CfgRecent.cpp->UserActivityScanThread:4058] User Activity Scan: Registry 2023/07/13 13:03:35 671618 DEBUG [RegistryInfo.cpp->IsWindowsVistaOrHigher:3947] IsWindowsVistaOrHigher start 2023/07/13 13:03:35 671658 DEBUG [RegistryInfo.cpp->IsWindowsVistaOrHigher:4088] IsWindowsVistaOrHigher finished 2023/07/13 13:03:35 671702 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9266] User Activity Scan: Registry Info live system 2023/07/13 13:03:35 672016 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9271] User Activity Scan: Registry Info: User User 2023/07/13 13:03:35 672052 DEBUG [RegistryInfo.cpp->GetLastVisitedMRU:4377] User Activity Scan: GetLastVisitedMRU: Number of subkeys: 3 2023/07/13 13:03:35 672181 DEBUG [RegistryInfo.cpp->GetLastVisitedMRU:4449] User Activity Scan: GetLastVisitedMRU: (2) 0 (Size: 159 Bytes) => brave.exe [F:\Downloads] 
2023/07/13 13:03:35 672290 DEBUG [RegistryInfo.cpp->GetLastVisitedMRU:4449] User Activity Scan: GetLastVisitedMRU: (3) 1 (Size: 783 Bytes) => {D69A10A6-1120-4984-93DB-2F5CF606BB8D} [C:\Users\User\OneDrive\Documents\Lupa\Claudia Bonalos, Aurelliano Bonalos] 2023/07/13 13:03:35 672326 DEBUG [RegistryInfo.cpp->GetMRUInfo:8737] User Activity Scan: Got GetLastVisited MRUs: new total 2 2023/07/13 13:03:35 673233 DEBUG [RegistryInfo.cpp->GetMRUInfo:8741] User Activity Scan: Got GetOpenSBave MRUs: new total 12 2023/07/13 13:03:35 673472 DEBUG [RegistryInfo.cpp->GetMRUInfo:8745] User Activity Scan: Got GetRecentDocs MRUs: new total 24 2023/07/13 13:03:35 676901 DEBUG [RegistryInfo.cpp->GetMRUInfo:8749] User Activity Scan: Got Office MRUs: new total 255 2023/07/13 13:03:35 676922 DEBUG [RegistryInfo.cpp->GetMRUInfo:8753] User Activity Scan: Got Run MRUs: new total 255 2023/07/13 13:03:35 676952 DEBUG [RegistryInfo.cpp->GetMRUInfo:8757] User Activity Scan: Got Network Drive MRUs: new total 255 2023/07/13 13:03:35 676962 DEBUG [RegistryInfo.cpp->GetMRUInfo:8761] User Activity Scan: Got Search MRUs: new total 255 2023/07/13 13:03:35 676971 DEBUG [RegistryInfo.cpp->GetMRUInfo:8765] User Activity Scan: Got PMV Search MRUs: new total 255 2023/07/13 13:03:35 677113 DEBUG [RegistryInfo.cpp->GetMRUInfo:8769] User Activity Scan: Got Internet Search MRUs: new total 255 2023/07/13 13:03:35 677193 DEBUG [RegistryInfo.cpp->GetMRUInfo:8773] User Activity Scan: Got PCP Search MRUs: new total 255 2023/07/13 13:03:35 677269 DEBUG [RegistryInfo.cpp->GetMRUInfo:8777] User Activity Scan: Got Wordpad MRUs: new total 256 2023/07/13 13:03:35 677297 DEBUG [RegistryInfo.cpp->GetMRUInfo:8781] User Activity Scan: Got Paint MRUs: new total 256 2023/07/13 13:03:35 677321 DEBUG [RegistryInfo.cpp->GetMRUInfo:8785] User Activity Scan: Got Windows Media Player MRUs: new total 256 2023/07/13 13:03:35 677650 DEBUG [RegistryInfo.cpp->GetMRUInfo:8789] User Activity Scan: Got Adobe Acrobat Reader MRUs: new total 
260 2023/07/13 13:03:35 678143 DEBUG [RegistryInfo.cpp->GetMRUInfo:8793] User Activity Scan: Got Adobe Acrobat MRUs: new total 267 2023/07/13 13:03:35 678147 DEBUG [RegistryInfo.cpp->GetTypedIEURLS:3276] User Activity Scan: GetTypedIEURLS Start [Local] 2023/07/13 13:03:35 678163 DEBUG [RegistryInfo.cpp->GetTypedIEURLS:3339] User Activity Scan: GetTypedIEURLS finish no key found 2023/07/13 13:03:35 678165 DEBUG [RegistryInfo.cpp->GetMountPointsSystem:330] GetMountPointsSystem Start [Local] 2023/07/13 13:03:35 678179 DEBUG [RegistryInfo.cpp->GetMountPointsSystem:468] GetMountPointsSystem - enum live systems results 2023/07/13 13:03:35 679601 DEBUG [RegistryInfo.cpp->GetMountPointsSystem:551] GetMountPointsSystem - finished 2023/07/13 13:03:35 679604 DEBUG [RegistryInfo.cpp->GetOnceConnectedUSBStorage:7146] User Activity Scan: GetOnceConnectedUSBStorage Start [Local] 2023/07/13 13:03:35 679624 DEBUG [RegistryInfo.cpp->GetOnceConnectedUSBStorage:7340] User Activity Scan: GetOnceConnectedUSBStorage couldn't open key 2023/07/13 13:03:35 679629 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9280] User Activity Scan: Got connected USB 2023/07/13 13:03:35 679632 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5191] User Activity Scan: GetOtherConnectedUSB [Local] 2023/07/13 13:03:35 679635 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5222] GetOtherConnectedUSB() - Parsing Vendor ID file. 2023/07/13 13:03:35 681344 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5259] Found 844 VIDs in file C:\ProgramData\PassMark\OSForensics\usb.if. 2023/07/13 13:03:35 711829 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5342] Found 3411 VIDs 2951 PIDs in file C:\ProgramData\PassMark\OSForensics\usb.ids. 
2023/07/13 13:03:35 711835 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5355] Open SYSTEM\CurrentControlSet\Enum\USB 2023/07/13 13:03:35 711885 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = _HUB30 2023/07/13 13:03:35 711888 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5648] Count < 2 2023/07/13 13:03:35 711894 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 03F0 2023/07/13 13:03:35 711903 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 711996 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 712077 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (03F0) 2023/07/13 13:03:35 712084 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 712156 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: HP Inc. (VID_03F0) 2023/07/13 13:03:35 712161 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = HP Inc. (VID_03F0) 2023/07/13 13:03:35 712163 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 712192 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 03F0 2023/07/13 13:03:35 712203 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 712345 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 712351 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (03F0) 2023/07/13 13:03:35 712421 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 712427 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: HP Inc. (VID_03F0) 2023/07/13 13:03:35 712429 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = HP Inc. 
(VID_03F0) 2023/07/13 13:03:35 712458 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 712497 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 03F0 2023/07/13 13:03:35 712535 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 712646 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 712651 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (03F0) 2023/07/13 13:03:35 712654 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 712656 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: HP Inc. (VID_03F0) 2023/07/13 13:03:35 712659 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = HP Inc. (VID_03F0) 2023/07/13 13:03:35 712730 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 712772 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 03F0 2023/07/13 13:03:35 712845 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 712953 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 712998 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (03F0) 2023/07/13 13:03:35 713003 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 713006 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: HP Inc. (VID_03F0) 2023/07/13 13:03:35 713008 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = HP Inc. 
(VID_03F0) 2023/07/13 13:03:35 713083 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 713125 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 03F0 2023/07/13 13:03:35 713200 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 713314 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 713319 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (03F0) 2023/07/13 13:03:35 713387 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 713393 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: HP Inc. (VID_03F0) 2023/07/13 13:03:35 713424 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = HP Inc. (VID_03F0) 2023/07/13 13:03:35 713427 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 713464 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 09DA 2023/07/13 13:03:35 713474 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 713584 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 713590 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (09DA) 2023/07/13 13:03:35 713665 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 713737 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/13 13:03:35 713742 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = A-FOUR TECH CO., LTD. 
(VID_09DA) 2023/07/13 13:03:35 713748 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 713771 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 09DA 2023/07/13 13:03:35 713781 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 713881 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 713886 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (09DA) 2023/07/13 13:03:35 713889 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 713960 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/13 13:03:35 713965 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/13 13:03:35 714031 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 714108 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 09DA 2023/07/13 13:03:35 714182 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 714264 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 714326 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (09DA) 2023/07/13 13:03:35 714331 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 714334 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: A-FOUR TECH CO., LTD. (VID_09DA) 2023/07/13 13:03:35 714337 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = A-FOUR TECH CO., LTD. 
(VID_09DA) 2023/07/13 13:03:35 714339 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 714369 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 0C45 2023/07/13 13:03:35 714377 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 714480 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 714486 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 714518 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 714521 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 714524 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 714526 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 714665 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 714670 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 714673 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 714676 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 714678 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 714744 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 714822 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 714855 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 714859 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 714862 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. 
(VID_0C45) 2023/07/13 13:03:35 714864 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 714894 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 714933 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 0C45 2023/07/13 13:03:35 714941 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 715015 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 715047 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 715051 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 715054 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715056 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715086 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 715198 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 715203 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 715207 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 715236 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715239 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. 
(VID_0C45) 2023/07/13 13:03:35 715241 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 715323 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 715347 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 715351 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 715353 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715356 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715386 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 715425 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 0C45 2023/07/13 13:03:35 715434 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 715507 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 715536 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 715540 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 715545 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715548 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715577 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 715658 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 715689 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 715693 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 715696 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. 
(VID_0C45) 2023/07/13 13:03:35 715698 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715728 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 715806 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 715839 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (0C45) 2023/07/13 13:03:35 715842 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 715845 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715847 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Sonix Technology Co., Ltd. (VID_0C45) 2023/07/13 13:03:35 715877 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 715916 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 1532 2023/07/13 13:03:35 715925 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 716028 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 716032 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 716036 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 716066 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716068 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716071 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 716177 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 716181 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 716184 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 716186 DEBUG 
[RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716220 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716224 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 716254 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 1532 2023/07/13 13:03:35 716292 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 716371 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 716403 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 716407 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 716410 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716413 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716442 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 716523 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 716527 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 716530 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 716533 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716535 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716576 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 716617 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 1532 2023/07/13 13:03:35 716625 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 716727 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 
716731 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 716734 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 716737 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716766 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716769 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 716878 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 716881 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 716885 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 716915 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716918 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 716920 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 716954 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 1532 2023/07/13 13:03:35 716962 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 717041 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 717065 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 717069 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 717072 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 717074 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 717103 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 717214 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 
2023/07/13 13:03:35 717218 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1532) 2023/07/13 13:03:35 717222 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 717252 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 717255 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = Razer USA, Ltd (VID_1532) 2023/07/13 13:03:35 717257 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 717292 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 1C4F 2023/07/13 13:03:35 717300 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 717403 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 717409 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1C4F) 2023/07/13 13:03:35 717441 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 717444 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: SiGma Micro (VID_1C4F) 2023/07/13 13:03:35 717446 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = SiGma Micro (VID_1C4F) 2023/07/13 13:03:35 717449 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 717480 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 1C4F 2023/07/13 13:03:35 717488 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 717592 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 717597 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1C4F) 2023/07/13 13:03:35 717600 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 717630 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: SiGma Micro (VID_1C4F) 2023/07/13 13:03:35 717633 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = SiGma Micro 
(VID_1C4F) 2023/07/13 13:03:35 717635 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 717668 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5634] tmpVID = 1C4F 2023/07/13 13:03:35 717676 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5659] Find unique IDs 2023/07/13 13:03:35 717749 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5729] Look up product 2023/07/13 13:03:35 717778 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5766] Look up vendor (1C4F) 2023/07/13 13:03:35 717782 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5771] Found: vendor 2023/07/13 13:03:35 717785 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5776] Found: SiGma Micro (VID_1C4F) 2023/07/13 13:03:35 717787 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5784] tmpVID 2 = SiGma Micro (VID_1C4F) 2023/07/13 13:03:35 717816 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5788] Add USB entry 2023/07/13 13:03:35 717855 DEBUG [RegistryInfo.cpp->GetOtherConnectedUSB:5816] User Activity Scan: GetOtherConnectedUSB end 2023/07/13 13:03:35 719830 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9283] User Activity Scan: Got other connected USB 2023/07/13 13:03:35 719933 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:5821] User Activity Scan: GetConnectedUSBasSCSI Start [Local] 2023/07/13 13:03:35 719939 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:5855] Open SYSTEM\CurrentControlSet\Enum\SCSI 2023/07/13 13:03:35 719974 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:6102] Find unique IDs 2023/07/13 13:03:35 720082 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:6102] Find unique IDs 2023/07/13 13:03:35 720163 DEBUG [RegistryInfo.cpp->GetConnectedUSBasSCSI:6232] User Activity Scan: GetConnectedUSBasSCSI end 2023/07/13 13:03:35 720194 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9286] User Activity Scan: Got connected USB as SCSI device 2023/07/13 13:03:35 720203 DEBUG [RegistryInfo.cpp->IsWindowsVistaOrHigher:3947] IsWindowsVistaOrHigher start 2023/07/13 13:03:35 720230 DEBUG 
[RegistryInfo.cpp->IsWindowsVistaOrHigher:4088] IsWindowsVistaOrHigher finished 2023/07/13 13:03:35 720234 DEBUG [RegistryInfo.cpp->GetShimCacheInfo:1825] GetShimCacheInfo local 2023/07/13 13:03:35 720237 DEBUG [RegistryInfo.cpp->GetShimCacheInfo:1834] User Activity Scan: GetShimCacheInfo opening key SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache 2023/07/13 13:03:35 720924 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000100d7033c0000 000a0000585d0000 8664 SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/13 13:03:35 721016 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 0008090255f10000 000a000047ba0000 8664 Microsoft.UI.Xaml.2.8 8wekyb3d8bbwe 2023/07/13 13:03:35 721022 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0008090255f10000 000a000047ba0000 8664 Microsoft.UI.Xaml.2.8 8wekyb3d8bbwe 2023/07/13 13:03:35 721026 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000a000059e40000 000a000028000000 8664 Microsoft.Services.Store.Engagement 8wekyb3d8bbwe 2023/07/13 13:03:35 721031 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000a000059e40000 000a000028000000 8664 Microsoft.Services.Store.Engagement 8wekyb3d8bbwe 2023/07/13 13:03:35 721035 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000a000059e30000 000a000028000000 8664 Microsoft.Services.Store.Engagement 8wekyb3d8bbwe 2023/07/13 13:03:35 721039 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000a000059e30000 000a000028000000 8664 Microsoft.Services.Store.Engagement 8wekyb3d8bbwe 2023/07/13 13:03:35 721188 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0001001406240000 000a000062200000 8664 Microsoft.DesktopAppInstaller 8wekyb3d8bbwe 
2023/07/13 13:03:35 721278 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 000a00004a61079d 000a00004a61079d 8664 Microsoft.Windows.ShellExperienceHost cw5n1h2txyewy neutral 2023/07/13 13:03:35 721775 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00040035ca3f0000 000a00004a610000 8664 Microsoft.BingWeather 8wekyb3d8bbwe 2023/07/13 13:03:35 722314 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00010000f0970000 000a0000585d0000 8664 Microsoft.VP9VideoExtensions 8wekyb3d8bbwe 2023/07/13 13:03:35 722318 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000a07d80bb90000 000a000047ba0000 8664 Microsoft.ScreenSketch 8wekyb3d8bbwe 2023/07/13 13:03:35 722518 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0008000103c40000 000a0000585d04aa 8664 NVIDIACorp.NVIDIAControlPanel 56jybvy8sckqj 2023/07/13 13:03:35 723507 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 00720000071f003a 000a00004a610000 8664 Microsoft.MicrosoftEdge.Stable 8wekyb3d8bbwe 2023/07/13 13:03:35 723637 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0002000447940000 000a000042ee0000 8664 Microsoft.Wallet 8wekyb3d8bbwe 2023/07/13 13:03:35 724336 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 000a0000000203e8 000a000047ba0001 8664 windows.immersivecontrolpanel cw5n1h2txyewy neutral 2023/07/13 13:03:35 724436 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00015a0c00790000 000a0000585d0000 8664 Microsoft.YourPhone 8wekyb3d8bbwe 2023/07/13 13:03:35 724441 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0bb80372089f0000 000c000000000000 8664 
Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 2023/07/13 13:03:35 724445 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 3e8537f653f20000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/13 13:03:35 724496 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 5721057900020000 000a000047ba0000 8664 Microsoft.StorePurchaseApp 8wekyb3d8bbwe 2023/07/13 13:03:35 724500 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 0bb80372089f0000 000c000000000000 8664 Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 2023/07/13 13:03:35 725006 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0004089c33f70000 000a00004a610000 8664 Microsoft.549981C3F5F10 8wekyb3d8bbwe 2023/07/13 13:03:35 725047 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 000a00004a610749 000a00004a610749 8664 Microsoft.Windows.SecHealthUI cw5n1h2txyewy 2023/07/13 13:03:35 725052 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 03e84a6103e80000 000a00007fff0000 8664 MicrosoftWindows.Client.CBS cw5n1h2txyewy 2023/07/13 13:03:35 725228 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000100d6047d0000 000a0000585d0000 014c SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/13 13:03:35 725235 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000100d6047d0000 000a0000585d0000 8664 SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/13 13:03:35 725239 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 5721057900010000 000a0000585d0000 8664 Microsoft.WindowsStore 8wekyb3d8bbwe 2023/07/13 13:03:35 725244 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00010000f0970000 
000a0000585d0000 8664 Microsoft.WebMediaExtensions 8wekyb3d8bbwe 2023/07/13 13:03:35 725407 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 07e7272e697a0000 000a00004a650000 8664 Microsoft.Windows.Photos 8wekyb3d8bbwe 2023/07/13 13:03:35 725575 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00920003043f0000 000a000047ba0000 8664 AD2F1837.HPPrinterControl v10z8vjag6ke6 2023/07/13 13:03:35 725580 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000a564b27390000 000a00004bc80000 8664 Microsoft.ZuneVideo 8wekyb3d8bbwe 2023/07/13 13:03:35 725584 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000b090000000000 000a000055f00000 8664 Microsoft.WindowsAlarms 8wekyb3d8bbwe 2023/07/13 13:03:35 726148 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 3e8137f653cc0000 000a000047ba0000 8664 Microsoft.Office.OneNote 8wekyb3d8bbwe 2023/07/13 13:03:35 726152 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000609013ed70000 000a000047ba0000 8664 Microsoft.MSPaint 8wekyb3d8bbwe 2023/07/13 13:03:35 726837 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 07e7272e697a0000 000a000055f00000 8664 Microsoft.Windows.Photos 8wekyb3d8bbwe 2023/07/13 13:03:35 726854 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000503370cbd0000 000a000055f00000 8664 Microsoft.XboxGamingOverlay 8wekyb3d8bbwe 2023/07/13 13:03:35 726934 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 0001000e000a4a61 000a00004a610000 8664 Microsoft.Windows.Search cw5n1h2txyewy neutral 2023/07/13 13:03:35 727031 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 3e8537f653e80000 
000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/13 13:03:35 727093 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00920002041f0000 000a000047ba0000 8664 AD2F1837.HPPrinterControl v10z8vjag6ke6 2023/07/13 13:03:35 727554 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 03e84a6103ff0000 000a0000295b0000 8664 Microsoft.AAD.BrokerPlugin cw5n1h2txyewy neutral 2023/07/13 13:03:35 728179 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000100d502950000 000a0000585d0000 014c SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/13 13:03:35 728330 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 000a00004a6103ff 000a000000000000 8664 Microsoft.Windows.ContentDeliveryManager cw5n1h2txyewy neutral 2023/07/13 13:03:35 728567 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 000a00004a6103ff 000a00004a6103ff 8664 Microsoft.Windows.StartMenuExperienceHost cw5n1h2txyewy neutral 2023/07/13 13:03:35 728778 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000100d502950000 000a0000585d0000 8664 SpotifyAB.SpotifyMusic zpdnekdrzrea0 2023/07/13 13:03:35 728783 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00920001043a0000 000a000047ba0000 8664 AD2F1837.HPPrinterControl v10z8vjag6ke6 2023/07/13 13:03:35 728934 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00010000a4d00000 000a00004a610000 8664 Microsoft.WebMediaExtensions 8wekyb3d8bbwe 2023/07/13 13:03:35 729024 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 3e8537f653e00000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/13 13:03:35 729029 DEBUG 
[RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 00015a02006c0000 000a0000585d0000 8664 Microsoft.YourPhone 8wekyb3d8bbwe 2023/07/13 13:03:35 729033 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00.UWPDesktop 8wekyb3d8bbwe 2023/07/13 13:03:35 729038 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00.UWPDesktop 8wekyb3d8bbwe 2023/07/13 13:03:35 729042 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00 8wekyb3d8bbwe 2023/07/13 13:03:35 729130 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000e00007f120000 000a0000273a0000 8664 Microsoft.VCLibs.140.00 8wekyb3d8bbwe 2023/07/13 13:03:35 729205 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0012090104c60000 000a00004a610000 8664 Microsoft.MicrosoftOfficeHub 8wekyb3d8bbwe 2023/07/13 13:03:35 729212 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0bb8035306b00000 000c000000000000 8664 Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 2023/07/13 13:03:35 729217 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 0066090136b20000 000a00004a610000 8664 Microsoft.6365217CE6EB4 8wekyb3d8bbwe 2023/07/13 13:03:35 729320 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000000 0bb8035306b00000 000c000000000000 8664 Microsoft.WindowsAppRuntime.1.3 8wekyb3d8bbwe 2023/07/13 13:03:35 730089 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 5720057900030000 000a00004a650000 8664 Microsoft.WindowsStore 8wekyb3d8bbwe 2023/07/13 
13:03:35 730281 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 3e8537f653d80000 000a00004c610000 8664 microsoft.windowscommunicationsapps 8wekyb3d8bbwe 2023/07/13 13:03:35 730467 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 00720000071f0025 000a00004a610000 8664 Microsoft.MicrosoftEdge.Stable 8wekyb3d8bbwe 2023/07/13 13:03:35 731056 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 03e84a6103ff0000 000a000000000000 8664 Microsoft.Windows.Apprep.ChxApp cw5n1h2txyewy neutral 2023/07/13 13:03:35 731085 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 0000000b 0001000e00094a61 000a00004a610000 8664 Microsoft.Windows.Search cw5n1h2txyewy neutral 2023/07/13 13:03:35 731126 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 07e70900000b0000 000a000055f00000 8664 Microsoft.WindowsCamera 8wekyb3d8bbwe 2023/07/13 13:03:35 731130 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 5720057900030000 000a0000585d0000 8664 Microsoft.WindowsStore 8wekyb3d8bbwe 2023/07/13 13:03:35 731133 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000100132b3f0000 000a000062200000 8664 Microsoft.DesktopAppInstaller 8wekyb3d8bbwe 2023/07/13 13:03:35 731235 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000b090000020000 000a000055f0015a 8664 Microsoft.ZuneMusic 8wekyb3d8bbwe 2023/07/13 13:03:35 731243 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000a089a001e0000 000a000045630000 8664 Microsoft.People 8wekyb3d8bbwe 2023/07/13 13:03:35 731313 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 300f057900010000 000a000047ba0000 8664 Microsoft.StorePurchaseApp 
8wekyb3d8bbwe 2023/07/13 13:03:35 731320 DEBUG [RegistryInfo.cpp->ParseShimEntries_Win10:1786] Unknown Shim Entry - App Name: 00000009 000a089a001f0000 000a000045630000 8664 Microsoft.People 8wekyb3d8bbwe 2023/07/13 13:03:35 733356 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9289] User Activity Scan: Got Shim Cache 2023/07/13 13:03:35 733372 DEBUG [RegistryInfo.cpp->GetBAMInfo:1950] GetBAMInfo local 2023/07/13 13:03:35 733376 DEBUG [RegistryInfo.cpp->GetBAMInfo:1958] User Activity Scan: GetBAMInfo opening key SYSTEM\CurrentControlSet\Services\bam\State\UserSettings 2023/07/13 13:03:35 740556 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-2): 1332 2023/07/13 13:03:35 740723 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-3): 1332 2023/07/13 13:03:35 740852 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-4): 1332 2023/07/13 13:03:35 741006 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-5): 1332 2023/07/13 13:03:35 741128 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-6): 1332 2023/07/13 13:03:35 741280 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-7): 1332 2023/07/13 13:03:35 741408 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-8): 1332 2023/07/13 13:03:35 741539 DEBUG [misc.cpp->GetUserFromSID:13501] Error: LookupAccountSid(S-1-5-90-0-9): 1332 2023/07/13 13:03:35 741560 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9292] User Activity Scan: Got BAM 2023/07/13 13:03:35 741564 DEBUG [RegistryInfo.cpp->GetBAMInfo:1950] GetBAMInfo local 2023/07/13 13:03:35 741567 DEBUG [RegistryInfo.cpp->GetBAMInfo:1958] User Activity Scan: GetBAMInfo opening key SYSTEM\CurrentControlSet\Services\dam\State\UserSettings 2023/07/13 13:03:35 741583 DEBUG [RegistryInfo.cpp->GetBAMInfo:1964] User Activity Scan: GetBAMInfo opening key SYSTEM\CurrentControlSet\Services\dam\UserSettings 2023/07/13 13:03:35 741594 
DEBUG [RegistryInfo.cpp->GetBAMInfo:1970] User Activity Scan: GetBAMInfo couldn't open key 2023/07/13 13:03:35 741597 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9295] User Activity Scan: Got DAM 2023/07/13 13:03:35 747868 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:615] DPAPI emulator: using master key 34 : Blob GUID e31136dc-f5b0-4cf7-9c5e-6abd56fc6c8f 2023/07/13 13:03:35 747876 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:649] DPAPI emulator: useHashAlgo 32782 2023/07/13 13:03:35 747879 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:657] DPAPI emulator: DPAPIMasterkey not decrypted 2023/07/13 13:03:35 748713 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:765] DPAPI emulator: sha1 key FDAC2380CE5C61A51DC504E852CA6279C0712BB7 2023/07/13 13:03:35 762758 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:777] DPAPI emulator: pbkdf2hmac 33BD1C51E176227EA5F368F18B34EB5AB8C6CF6578E8AAC21B498100839BFCF5DC7C90C4F07F3D4726CB1F7F144335A3 2023/07/13 13:03:35 762802 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::CustomCryptUnprotectData:997] DPAPI emulator: Data blob decryption successful with Masterkey 34: 4143493139313631303031414C00 2023/07/13 13:03:35 762932 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9299] User Activity Scan: Got connected Wireless 2023/07/13 13:03:35 762937 DEBUG [RegistryInfo.cpp->GetAmCacheInfo:6301] User Activity Scan: GetAmCacheInfo Start [local] 2023/07/13 13:03:35 763025 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A 2023/07/13 13:03:35 763131 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B 2023/07/13 13:03:35 763136 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3143] CreateTempRegFileIfNeeded: C 2023/07/13 13:03:35 763186 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3152] CreateTempRegFileIfNeeded: DA 2023/07/13 13:03:35 763191 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3160] 
CreateTempRegFileIfNeeded: DB 2023/07/13 13:03:35 763193 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3165] CreateTempRegFileIfNeeded: DC 2023/07/13 13:03:35 763196 DEBUG [RegViewer.cpp->ShadowCopyFiles:182] ShadowCopyFiles entry 2023/07/13 13:03:35 763198 DEBUG [RegViewer.cpp->ShadowCopyFiles:186] ShadowCopyFiles: Trying to create shadow volume 2023/07/13 13:03:35 763202 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:72] CreateShadowVolumeForFC entry 2023/07/13 13:03:35 763204 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:83] CreateShadowVolumeForFC Initialize VSS client 2023/07/13 13:03:35 766128 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:88] CreateShadowVolumeForFC Get unique vol name for: C:\ 2023/07/13 13:03:35 766314 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:92] unique vol name: \\?\Volume{7ca98c3f-915d-4b9b-af94-0c1461c57887}\ 2023/07/13 13:03:35 766318 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:100] CreateShadowVolumeForFC create snapshot set 2023/07/13 13:03:36 576977 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:109] CreateShadowVolumeForFC getLatestSnapshotIdListt 2023/07/13 13:03:36 576984 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:114] CreateShadowVolumeForFC GetSnapshotDeviceName 2023/07/13 13:03:36 577861 DEBUG [RegViewer.cpp->CreateShadowVolumeForFC:123] CreateShadowVolumeForFC exit 2023/07/13 13:03:36 577867 DEBUG [RegViewer.cpp->ShadowCopyFiles:208] ShadowCopyFiles: created shadow volume 2023/07/13 13:03:36 577871 DEBUG [RegViewer.cpp->ShadowCopyFiles:213] ShadowCopyFiles: 1 files to copy 2023/07/13 13:03:36 577874 DEBUG [RegViewer.cpp->ShadowCopyFiles:220] ShadowCopyFiles: curent file: C:\WINDOWS\appcompat\Programs\AmCache.hve 2023/07/13 13:03:36 577877 DEBUG [RegViewer.cpp->ShadowCopyFiles:225] ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\WINDOWS\appcompat\Programs\AmCache.hve 2023/07/13 13:03:36 577887 DEBUG [RegViewer.cpp->ShadowCopyFiles:238] ShadowCopyFiles: DestFile: 
C:\ProgramData\PassMark\OSForensics\Temp\6108\932723935BBEACA7AF94DA0223C32809
2023/07/13 13:03:36 712074 DEBUG [RegViewer.cpp->ShadowCopyFiles:275] ShadowCopyFiles done
2023/07/13 13:03:36 725268 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3177] CreateTempRegFileIfNeeded check temp file access
2023/07/13 13:03:36 725653 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/07/13 13:03:36 784397 DEBUG [RegistryInfo.cpp->GetAmCacheInfo:6543] User Activity Scan: GetAmCacheInfo Finish [OK]
2023/07/13 13:03:36 784412 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9304] User Activity Scan: Got AmCache
2023/07/13 13:03:36 784420 DEBUG [RegistryInfo.cpp->GetInstalledProgramsSystem:6550] User Activity Scan: GetInstalledPrograms Start [Local]
2023/07/13 13:03:36 800842 DEBUG [RegistryInfo.cpp->GetInstalledProgramsSystem:6757] User Activity Scan: GetInstalledPrograms done
2023/07/13 13:03:36 800859 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9307] User Activity Scan: Got installed programs system
2023/07/13 13:03:36 800862 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser:7112] User Activity Scan: GetInstalledProgramsUser Start [Local]
2023/07/13 13:03:36 801240 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser_Local:6776] User Activity Scan: GetInstalledProgramsUser couldn't open key [Software\Microsoft\Installer\Products]
2023/07/13 13:03:36 801256 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser_Local:6776] User Activity Scan: GetInstalledProgramsUser couldn't open key [Software\Microsoft\Windows\ShellNoRoam\MuiCache]
2023/07/13 13:03:36 803053 DEBUG [RegistryInfo.cpp->GetInstalledProgramsUser:7133] User Activity Scan: GetInstalledProgramsUser Finish [OK]
2023/07/13 13:03:36 803058 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9310] User Activity Scan: Got installed programs user
2023/07/13 13:03:36 803061 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1230] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/13 13:03:36 803064 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1249] User Activity Scan: GetAppCompatFlagsInfo opening key SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
2023/07/13 13:03:36 803098 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1307] User Activity Scan: GetAppCompatFlagsInfo done
2023/07/13 13:03:36 803102 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9322] User Activity Scan: Got AppCompatFlags system
2023/07/13 13:03:36 803104 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1230] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/13 13:03:36 803108 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1241] User Activity Scan: GetAppCompatFlagsInfo opening key Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
2023/07/13 13:03:36 803476 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1307] User Activity Scan: GetAppCompatFlagsInfo done
2023/07/13 13:03:36 803480 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9317] User Activity Scan: Got AppCompatFlags user
2023/07/13 13:03:36 803482 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1230] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/13 13:03:36 803485 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1241] User Activity Scan: GetAppCompatFlagsInfo opening key Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
2023/07/13 13:03:36 803496 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1255] User Activity Scan: GetAppCompatFlagsInfo couldn't open key
2023/07/13 13:03:36 803499 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9317] User Activity Scan: Got AppCompatFlags user
2023/07/13 13:03:36 803501 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1230] User Activity Scan: GetAppCompatFlagsInfo Start [Local]
2023/07/13 13:03:36 803505 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1241] User Activity Scan: GetAppCompatFlagsInfo opening key Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
2023/07/13 13:03:36 825545 DEBUG [RegistryInfo.cpp->GetAppCompatFlagsInfo:1307] User Activity Scan: GetAppCompatFlagsInfo done
2023/07/13 13:03:36 825552 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9317] User Activity Scan: Got AppCompatFlags user
2023/07/13 13:03:36 825556 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:574] User Activity Scan: GetAutoRunEntriesSystem Start [Local]
2023/07/13 13:03:36 825586 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:595] User Activity Scan: GetAutoRunEntriesSystem Open Software\Microsoft\Windows\CurrentVersion\Run
2023/07/13 13:03:36 825590 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:647] User Activity Scan: GetAutoRunEntriesSystem scan values local
2023/07/13 13:03:36 825763 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:682] User Activity Scan: GetAutoRunEntriesSystem scan values done
2023/07/13 13:03:36 825851 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:690] User Activity Scan: GetAutoRunEntriesSystem Open Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
2023/07/13 13:03:36 825891 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:780] User Activity Scan: GetAutoRunEntriesSystem Open Software\Microsoft\Windows\CurrentVersion\RunOnce
2023/07/13 13:03:36 825895 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:829] User Activity Scan: GetAutoRunEntriesSystem scan values local
2023/07/13 13:03:36 825924 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:864] User Activity Scan: GetAutoRunEntriesSystem scan values done
2023/07/13 13:03:36 825928 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesSystem:870] User Activity Scan: GetAutoRunEntriesSystem done
2023/07/13 13:03:36 826010 DEBUG [RegistryInfo.cpp->GetRegistryInfo:9328] User Activity Scan: Got autorun entries system
2023/07/13 13:03:36 826015 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:893] User Activity Scan: GetAutoRunEntriesUser Start [Local]
2023/07/13 13:03:36 826045 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:913] User Activity Scan: GetAutoRunEntriesUser Open Software\Microsoft\Windows NT\CurrentVersion\Run
2023/07/13 13:03:36 826054 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:1008] User Activity Scan: GetAutoRunEntriesUser Open Software\Microsoft\Windows\CurrentVersion\Run
2023/07/13 13:03:36 826057 DEBUG [RegistryInfo.cpp->GetAutoRunEntriesUser:1059] User Activity Scan: GetAutoRunEntriesUser scan values local