g3log created log at: Thu Sep 28 08:00:34 2023
LOG format: [YYYY/MM/DD hh:mm:ss uuu* LEVEL FILE->FUNCTION:LINE] message
(uuu*: microseconds fractions of the seconds value)

2023/09/28 08:00:34 460262 DEBUG [OSForensics.cpp->CheckRunInUSBMode:2750] LOGGER NOT INITIALIZED: CheckRunInUSBMode: Not Running from Removable DriveCheckRunInUSBMode: Not Running from Removable Drive
2023/09/28 08:00:39 896041 DEBUG [OSForensics.cpp->wWinMain:231] DEBUG: Starting...
2023/09/28 08:00:39 896059 DEBUG [OSForensics.cpp->wWinMain:237] DEBUG: 2023/9/28, 8:0:39
2023/09/28 08:00:39 896071 DEBUG [OSForensics.cpp->wWinMain:241] DEBUG: OSForensics 10.0 build 1015 64-bit
2023/09/28 08:00:39 896331 DEBUG [OSForensics.cpp->wWinMain:249] DEBUG OS: Windows 10 Professional Edition build 19042 (64-bit)
2023/09/28 08:00:39 896345 DEBUG [OSForensics.cpp->wWinMain:251] DEBUG Path: C:\Program Files\OSForensics
2023/09/28 08:00:39 896352 DEBUG [OSForensics.cpp->wWinMain:259] Date: 09/28/23 08:00:39
2023/09/28 08:00:39 898887 DEBUG [OSForensics.cpp->wWinMain:275] Main: Regproc check
2023/09/28 08:00:40 041489 DEBUG [OSForensics.cpp->wWinMain:315] Main: Set security OK
2023/09/28 08:00:40 041520 DEBUG [OSForensics.cpp->wWinMain:327] Main: Creating temp folder C:\ProgramData\PassMark\OSForensics\Temp\23660
2023/09/28 08:00:40 046194 DEBUG [OSForensics.cpp->wWinMain:346] Main: Available phys mem: 78848454656
2023/09/28 08:00:40 046525 DEBUG [OSForensics.cpp->wWinMain:387] Main: Load OSF config
2023/09/28 08:00:40 105694 DEBUG [OSForensics.cpp->wWinMain:424] Main: Init OSFMount interface OK
2023/09/28 08:00:40 114416 DEBUG [OSForensics.cpp->wWinMain:455] Main: Init direct access OK
2023/09/28 08:00:40 270985 DEBUG [OSForensics.cpp->wWinMain:515] Main: Register disk events
2023/09/28 08:00:40 271223 DEBUG [OSForensics.cpp->wWinMain:525] Main: init dialog
2023/09/28 08:00:40 271247 DEBUG [OSForensics.cpp->InitDialog:1227] Init main dialog
2023/09/28 08:00:40 364270 DEBUG [CfgMain.cpp->InitCfgMain:399] CfgMain: Creating start window
2023/09/28 08:00:40 380585 DEBUG [CfgMain.cpp->InitCfgMain:402] CfgMain: Creating signature window
2023/09/28 08:00:40 383353 DEBUG [CfgMain.cpp->InitCfgMain:411] CfgMain: Creating FileHashing window
2023/09/28 08:00:40 386546 DEBUG [CfgFileHashing.cpp->FileHashingWindow::InitWindow:259] FileHashing: Creating Hash Sets Tab
2023/09/28 08:00:40 405797 DEBUG [CfgFileHashing.cpp->FileHashingWindow::InitWindow:261] FileHashing: Creating Create Hash Tab
2023/09/28 08:00:40 476310 DEBUG [CfgMain.cpp->InitCfgMain:424] CfgMain: Creating file name search window
2023/09/28 08:00:40 642073 DEBUG [CfgMain.cpp->InitCfgMain:426] CfgMain: Creating mismatch search window
2023/09/28 08:00:40 695610 DEBUG [CfgMain.cpp->InitCfgMain:428] CfgMain: Creating create index window
2023/09/28 08:00:40 698059 DEBUG [CfgMain.cpp->InitCfgMain:430] CfgMain: Creating search index window
2023/09/28 08:00:40 717652 DEBUG [CfgMain.cpp->InitCfgMain:432] CfgMain: Creating user activity window
2023/09/28 08:00:40 745415 DEBUG [CfgMain.cpp->InitCfgMain:434] CfgMain: Creating deleted file search window
2023/09/28 08:00:40 805652 DEBUG [CfgMain.cpp->InitCfgMain:436] CfgMain: Creating mem viewer window
2023/09/28 08:00:40 808732 DEBUG [CfgMain.cpp->InitCfgMain:438] CfgMain: Creating prefetch viewer window
2023/09/28 08:00:40 812999 DEBUG [CfgMain.cpp->InitCfgMain:441] CfgMain: Creating raw disk viewer window
2023/09/28 08:00:40 824745 DEBUG [CfgMain.cpp->InitCfgMain:443] CfgMain: Creating sys info window
2023/09/28 08:00:40 848902 DEBUG [CfgMain.cpp->InitCfgMain:445] CfgMain: Creating drive prep window
2023/09/28 08:00:40 879410 DEBUG [CfgMain.cpp->InitCfgMain:447] CfgMain: Creating password window
2023/09/28 08:00:40 899455 DEBUG [CfgMain.cpp->InitCfgMain:449] CfgMain: Creating forensic imaging window
2023/09/28 08:00:40 902624 DEBUG [CfgMain.cpp->InitCfgMain:451] CfgMain: Creating boot virtual machine window
2023/09/28 08:00:40 905568 DEBUG [CfgMain.cpp->InitCfgMain:455] CfgMain: Creating Mobile Artifact window
2023/09/28 08:00:40 921806 DEBUG [CfgMain.cpp->InitCfgMain:457] CfgMain: Creating remote acquisition window
2023/09/28 08:00:40 966765 DEBUG [CfgMain.cpp->InitCfgMain:465] CfgMain: Creating manage case window
2023/09/28 08:00:41 015746 DEBUG [CfgMain.cpp->InitCfgMain:469] CfgMain: Creating triage window
2023/09/28 08:00:41 043943 DEBUG [CfgMain.cpp->InitCfgMain:472] CfgMain: set focus
2023/09/28 08:00:41 103461 DEBUG [OSForensics.cpp->InitDialog:1247] Init main dialog finished
2023/09/28 08:00:41 103479 DEBUG [OSForensics.cpp->wWinMain:529] Main: show window
2023/09/28 08:00:41 178793 DEBUG [OSForensics.cpp->wWinMain:548] Main: set Foreground
2023/09/28 08:00:41 179040 DEBUG [OSForensics.cpp->wWinMain:559] Main: PopFileInitialize
2023/09/28 08:00:41 179382 DEBUG [OSForensics.cpp->wWinMain:577] Main: Display welcome
2023/09/28 08:00:41 190301 DEBUG [OSForensics.cpp->wWinMain:591] Main: SubCheck
2023/09/28 08:00:43 569682 DEBUG [OSForensics.cpp->wWinMain:831] CaseManagementInitWindow: Open last used case
2023/09/28 08:00:43 569801 DEBUG [CfgCase.cpp->LoadCase:9207] LoadCase: load from file: "D:\CaseFiles\OSF_DC1\CaseDetails.OSFCase"
2023/09/28 08:00:43 571244 DEBUG [CfgRecent.cpp->DoSort:2850] User Activity Scan: Sorting
2023/09/28 08:00:43 572879 DEBUG [zoomsearch.cpp->PrintUserDebug:519] Zoom Search: Cleaning up...
2023/09/28 08:00:43 572896 DEBUG [zoomsearch.cpp->PrintUserDebug:519] Zoom Search: Cleanup finished.
2023/09/28 08:00:43 577275 DEBUG [CfgCase.cpp->CloseCase:9090] Recreating password window
2023/09/28 08:00:43 605136 DEBUG [CaseManager.cpp->CaseActivityWithProgressDlg::OnCaseStatusDlgProc:20895] Case report progress dlg width 836 height 154 SM_CXSCREEN 2554 SM_CYSCREEN 944
2023/09/28 08:00:43 607052 DEBUG [CaseManager.cpp->CaseManager::Load:10272] LoadCase - thread: clear state
2023/09/28 08:00:43 607065 DEBUG [CaseManager.cpp->CaseManager::Load:10283] LoadCase - thread: load case metadata
2023/09/28 08:00:43 607560 DEBUG [CaseManager.cpp->CaseManager::Load:10287] LoadCase - thread: load path flags
2023/09/28 08:00:43 607770 DEBUG [CaseManager.cpp->CaseManager::Load:10291] LoadCase - thread: load exports
2023/09/28 08:00:43 607880 DEBUG [CaseManager.cpp->CaseManager::Load:10295] LoadCase - thread: load web snapshots
2023/09/28 08:00:43 607920 DEBUG [CaseManager.cpp->CaseManager::Load:10299] LoadCase - thread: load files
2023/09/28 08:00:43 608079 DEBUG [CaseManager.cpp->CaseManager::Load:10303] LoadCase - thread: load indices
2023/09/28 08:00:43 608713 DEBUG [CaseManager.cpp->CaseManager::Load:10307] LoadCase - thread: load attachments
2023/09/28 08:00:43 608756 DEBUG [CaseManager.cpp->CaseManager::Load:10311] LoadCase - thread: load notes
2023/09/28 08:00:43 608811 DEBUG [CaseManager.cpp->CaseManager::Load:10317] LoadCase - thread: load devices
2023/09/28 08:00:43 609277 DEBUG [CfgCase.cpp->CfgCaseAddDevice:1954] CfgCaseAddDevice: Type: 2 - Path: J: - Title: GHFSEA-VDI04
2023/09/28 08:00:43 609429 DEBUG [CfgCase.cpp->CfgCaseAddDevice:1954] CfgCaseAddDevice: Type: 2 - Path: F: - Title: VeeamSeattle
2023/09/28 08:00:43 609474 DEBUG [CaseManager.cpp->CaseManager::Load:10324] LoadCase - thread: load deleted files
2023/09/28 08:00:43 609597 DEBUG [CaseManager.cpp->CaseManager::Load:10331] LoadCase - thread: load emails
2023/09/28 08:00:43 609704 DEBUG [CaseManager.cpp->CaseManager::Load:10338] LoadCase - thread: load evidence images
2023/09/28 08:00:43 609801 DEBUG [CaseManager.cpp->CaseManager::Load:10345] LoadCase - thread: load memory dump
2023/09/28 08:00:43 609925 DEBUG [CaseManager.cpp->CaseManager::Load:10352] LoadCase - thread: load external reports
2023/09/28 08:00:43 610031 DEBUG [CaseManager.cpp->CaseManager::Load:10359] LoadCase - thread: load case reports
2023/09/28 08:00:43 610642 DEBUG [CaseManager.cpp->CaseManager::Load:10366] LoadCase - thread: load virtual machines
2023/09/28 08:00:43 610708 DEBUG [CaseManager.cpp->CaseManager::Load:10379] LoadCase - thread: case successfully opened
2023/09/28 08:00:43 644589 DEBUG [CfgCase.cpp->LoadCase:9300] LoadCase: loading case log
2023/09/28 08:00:43 651547 DEBUG [CfgCase.cpp->LoadCase:9317] LoadCase: sort case items
2023/09/28 08:00:43 653269 DEBUG [CfgCase.cpp->LoadCase:9325] LoadCase: update default drive to: DC1Seattle
2023/09/28 08:00:43 657293 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:419] Pswd: Creating Passwords & keys tab
2023/09/28 08:00:43 657336 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:421] Pswd: Creating Windows Login tab
2023/09/28 08:00:43 694649 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:423] Pswd: Initializing rainbow
2023/09/28 08:00:43 694908 DEBUG [main.cpp->initRainbowCrack:152] Rainbow: Loading charsets from C:\ProgramData\PassMark\OSForensics\RainbowTables\charset.txt
2023/09/28 08:00:43 695319 DEBUG [main.cpp->initRainbowCrack:158] Rainbow: Initializing SSL
2023/09/28 08:00:43 695333 DEBUG [main.cpp->initRainbowCrack:160] Rainbow: Initializing SSL
2023/09/28 08:00:43 697212 DEBUG [main.cpp->initRainbowCrack:173] Rainbow: Initializing Rainbow Table
2023/09/28 08:00:43 697226 DEBUG [main.cpp->initRainbowCrack:175] Rainbow: Initializing RainbowTable
2023/09/28 08:00:43 697238 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:425] Pswd: Creating Rainbow Generate tab
2023/09/28 08:00:43 848220 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:427] Pswd: Creating Rainbow Retrieval tab
2023/09/28 08:00:43 881651 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:429] Pswd: Creating Decryption tab
2023/09/28 08:00:43 938359 DEBUG [CfgCracking.cpp->CrackingWindow::InitWindow:431] Pswd: Creating Install PFX tab
2023/09/28 08:00:43 980968 DEBUG [CfgSignature.cpp->SignatureWindow::InitWindow:200] Sig: Creating create sig tab
2023/09/28 08:00:44 015888 DEBUG [CfgSignature.cpp->SignatureWindow::InitWindow:202] Sig: Creating compare sig tab
2023/09/28 08:00:44 074636 DEBUG [CfgCase.cpp->LoadCase:9328] LoadCase: reload index list
2023/09/28 08:00:44 079325 DEBUG [OSForensics.cpp->wWinMain:855] CaseManagementInitWindow: Message loop
2023/09/28 08:00:47 910622 DEBUG [misc.cpp->RefreshPhysicalDisks:5478] Refresh Disks: sysinfo get partition info
2023/09/28 08:00:48 968606 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive0
2023/09/28 08:00:48 969574 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/09/28 08:00:48 978631 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=2048)
2023/09/28 08:00:48 989165 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=265299017,NumSec=951)
2023/09/28 08:00:49 000409 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=266334208,NumSec=211816448)
2023/09/28 08:00:49 500393 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/09/28 08:00:49 500835 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive1
2023/09/28 08:00:49 502783 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/09/28 08:00:49 504702 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=34)
2023/09/28 08:00:49 513295 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=20967424,NumSec=4096)
2023/09/28 08:00:49 525395 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/09/28 08:00:49 525485 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive2
2023/09/28 08:00:49 526202 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/09/28 08:00:49 535591 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=2048)
2023/09/28 08:00:49 542864 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=3907028992,NumSec=176)
2023/09/28 08:00:49 549405 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/09/28 08:00:49 549471 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive3
2023/09/28 08:00:49 550151 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/09/28 08:00:49 552545 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=2048)
2023/09/28 08:00:49 560369 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=232779776,NumSec=4096)
2023/09/28 08:00:49 569867 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/09/28 08:00:49 569972 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive4
2023/09/28 08:00:49 570995 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/09/28 08:00:49 572058 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/09/28 08:00:49 572117 DEBUG [misc.cpp->RefreshPhysicalDisks:5490] Refresh Disks: Open device: \\.\PhysicalDrive5
2023/09/28 08:00:49 573102 DEBUG [misc.cpp->RefreshPhysicalDisks:5496] Refresh Disks: Scan part table
2023/09/28 08:00:49 575038 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2102] Scanning for recovered file systems (StartSec=0,NumSec=2048)
2023/09/28 08:00:49 583987 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2110] Scanning for recovered file systems (StartSec=209713152,NumSec=2048)
2023/09/28 08:00:49 593875 DEBUG [DiskPartitionInfo.cpp->ScanAllDiskPartitions:2113] Found 0 recovered file systems
2023/09/28 08:00:49 642658 DEBUG [CfgRecent.cpp->DoSort:2850] User Activity Scan: Sorting
2023/09/28 08:01:02 648250 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:100] NTFS Boot sector ("J:"):
2023/09/28 08:01:02 648268 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:101] Bytes per cluster: 4096
2023/09/28 08:01:02 648276 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:102] Bytes per sector: 512
2023/09/28 08:01:02 648286 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:103] MFT record size: 1024
2023/09/28 08:01:02 648292 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:104] Start cluster: 786432
2023/09/28 08:01:02 648298 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:105] Total clusters: 231620607
2023/09/28 08:01:02 648313 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter
2023/09/28 08:01:02 830501 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:539] GetMFTFileInfo(): Read MFT record for $MFT at offset 3221225472
2023/09/28 08:01:02 830592 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 5 (Search string: *)
2023/09/28 08:01:03 001309 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "." (type=3) in FILE_NAME attribute
2023/09/28 08:01:03 002116 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory
2023/09/28 08:01:03 002166 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit
2023/09/28 08:01:03 002243 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \.
2023/09/28 08:01:03 002263 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 5 (Search string: .)
2023/09/28 08:01:03 002348 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit
2023/09/28 08:01:03 002421 DEBUG [CfgRecent.cpp->OnScan:3516] User Activity Scan: Begin
2023/09/28 08:01:03 002523 DEBUG [OSFActivityMonitor.cpp->OSFActivityMonitor::StartTask:198] Activity Monitor: Task Started (User Activity)
2023/09/28 08:01:03 002846 DEBUG [CfgRecent.cpp->OnScan:3528] User Activity Scan started on "GHFSEA-VDI04:\"
2023/09/28 08:01:03 030020 DEBUG [CfgRecent.cpp->OnScan:3665] User Activity Scan: Available phys mem: 78201741312
2023/09/28 08:01:03 030038 DEBUG [CfgRecent.cpp->OnScan:3672] User Activity Scan: Allocating MRUList
2023/09/28 08:01:03 030073 DEBUG [CfgRecent.cpp->OnScan:3674] User Activity Scan: Allocating installList
2023/09/28 08:01:03 030094 DEBUG [CfgRecent.cpp->OnScan:3676] User Activity Scan: Allocating autoRunList
2023/09/28 08:01:03 030137 DEBUG [CfgRecent.cpp->OnScan:3678] User Activity Scan: Allocating ClipboardList
2023/09/28 08:01:03 030271 DEBUG [CfgRecent.cpp->OnScan:3680] User Activity Scan: Allocating EventList
2023/09/28 08:01:03 030296 DEBUG [CfgRecent.cpp->OnScan:3682] User Activity Scan: Allocating userAssistList
2023/09/28 08:01:03 030440 DEBUG [CfgRecent.cpp->OnScan:3684] User Activity Scan: Allocating jumpListList
2023/09/28 08:01:03 030476 DEBUG [CfgRecent.cpp->OnScan:3686] User Activity Scan: Allocating shellBagList
2023/09/28 08:01:03 030597 DEBUG [CfgRecent.cpp->OnScan:3688] User Activity Scan: Allocating TimelineDBList
2023/09/28 08:01:03 030897 DEBUG [CfgRecent.cpp->OnScan:3690] User Activity Scan: Allocating CortanaList
2023/09/28 08:01:03 030943 DEBUG [CfgRecent.cpp->OnScan:3692] User Activity Scan: Allocating RecycleBinList
2023/09/28 08:01:03 031061 DEBUG [CfgRecent.cpp->OnScan:3694] User Activity Scan: Allocating ShimCacheList
2023/09/28 08:01:03 031089 DEBUG [CfgRecent.cpp->OnScan:3696] User Activity Scan: Allocating SRUMDBList
2023/09/28 08:01:03 031219 DEBUG [CfgRecent.cpp->OnScan:3698] User Activity Scan: Allocating prefetchList
2023/09/28 08:01:03 031253 DEBUG [CfgRecent.cpp->OnScan:3700] User Activity Scan: Allocating winsearchList
2023/09/28 08:01:03 031372 DEBUG [CfgRecent.cpp->OnScan:3702] User Activity Scan: Allocating gBAMList
2023/09/28 08:01:03 031398 DEBUG [CfgRecent.cpp->OnScan:3704] User Activity Scan: Allocating gAntiForensicsList
2023/09/28 08:01:03 031529 DEBUG [CfgRecent.cpp->OnScan:3709] User Activity Scan: Available phys mem: 78201344000
2023/09/28 08:01:03 031539 DEBUG [CfgRecent.cpp->OnScan:3711] User Activity Scan: Allocating downloadList
2023/09/28 08:01:03 031675 DEBUG [CfgRecent.cpp->OnScan:3713] User Activity Scan: Allocating urlList
2023/09/28 08:01:03 031752 DEBUG [CfgRecent.cpp->OnScan:3715] User Activity Scan: Allocating SearchTermList
2023/09/28 08:01:03 031883 DEBUG [CfgRecent.cpp->OnScan:3717] User Activity Scan: Allocating LoginList
2023/09/28 08:01:03 032312 DEBUG [CfgRecent.cpp->OnScan:3719] User Activity Scan: Allocating formList
2023/09/28 08:01:03 032452 DEBUG [CfgRecent.cpp->OnScan:3721] User Activity Scan: Allocating bookmarkList
2023/09/28 08:01:03 032607 DEBUG [CfgRecent.cpp->OnScan:3723] User Activity Scan: Allocating ChatList
2023/09/28 08:01:03 032747 DEBUG [CfgRecent.cpp->OnScan:3725] User Activity Scan: Allocating P2PList
2023/09/28 08:01:03 032887 DEBUG [CfgRecent.cpp->OnScan:3727] User Activity Scan: Allocating wlanList
2023/09/28 08:01:03 033021 DEBUG [CfgRecent.cpp->OnScan:3729] User Activity Scan: Allocating gCryptocurrencyList
2023/09/28 08:01:03 033159 DEBUG [CfgRecent.cpp->OnScan:3731] User Activity Scan: Allocating cookieList
2023/09/28 08:01:03 033301 DEBUG [CfgRecent.cpp->OnScan:3733] User Activity Scan: Allocating Custom Dictionary List
2023/09/28 08:01:03 033329 DEBUG [CfgRecent.cpp->OnScan:3738] User Activity Scan: Available phys mem: 78200877056
2023/09/28 08:01:03 033442 DEBUG [CfgRecent.cpp->OnScan:3740] User Activity Scan: Allocating UsbList
2023/09/28 08:01:03 033481 DEBUG [CfgRecent.cpp->OnScan:3742] User Activity Scan: Allocating mountedVolList
2023/09/28 08:01:03 033594 DEBUG [CfgRecent.cpp->OnScan:3744] User Activity Scan: Allocating MobileBackupList
2023/09/28 08:01:03 074408 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7230] GetLocalFolderNames: DocumentsAndSettingsLocalName: Registry Info drive: GHFSEA-VDI04:
2023/09/28 08:01:03 074438 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/09/28 08:01:03 074723 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:100] NTFS Boot sector ("J:"):
2023/09/28 08:01:03 074735 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:101] Bytes per cluster: 4096
2023/09/28 08:01:03 074739 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:102] Bytes per sector: 512
2023/09/28 08:01:03 074744 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:103] MFT record size: 1024
2023/09/28 08:01:03 074748 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:104] Start cluster: 786432
2023/09/28 08:01:03 074753 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::SetNTFSBootSectorInfo:105] Total clusters: 231620607
2023/09/28 08:01:03 074759 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Config\SOFTWARE
2023/09/28 08:01:03 238276 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::GetMFTFileInfo:539] GetMFTFileInfo(): Read MFT record for $MFT at offset 3221225472
2023/09/28 08:01:03 415122 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 416767 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 421630 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "config" found at MFT record 3409 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 425386 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "SOFTWARE" found at MFT record 79633 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 425408 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 79633 (Search string: )
2023/09/28 08:01:03 425416 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file
2023/09/28 08:01:03 425714 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2505] GetFile - Found ATTRIBUTE_LIST (length=320, # attributes=11)
2023/09/28 08:01:03 425819 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 131559 (1 found)
2023/09/28 08:01:03 425835 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 112585 (2 found)
2023/09/28 08:01:03 425842 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 261063 (3 found)
2023/09/28 08:01:03 425950 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 187070 (4 found)
2023/09/28 08:01:03 425967 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 370686 (5 found)
2023/09/28 08:01:03 426071 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 420799 (6 found)
2023/09/28 08:01:03 426084 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 431544 (7 found)
2023/09/28 08:01:03 426089 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 431546 (8 found)
2023/09/28 08:01:03 426188 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2561] GetFile - Finished getting ATTRIBUTE_LIST
2023/09/28 08:01:03 428423 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit
2023/09/28 08:01:03 428457 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/09/28 08:01:03 428464 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3217] CreateTempRegFileIfNeeded: E
2023/09/28 08:01:03 428485 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished
2023/09/28 08:01:03 428601 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Config\SOFTWARE
2023/09/28 08:01:03 428626 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 428637 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 428738 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "config" found at MFT record 3409 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 428751 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "SOFTWARE" found at MFT record 79633 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:03 428757 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 79633 (Search string: )
2023/09/28 08:01:03 428761 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file
2023/09/28 08:01:03 428858 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2505] GetFile - Found ATTRIBUTE_LIST (length=320, # attributes=11)
2023/09/28 08:01:03 428871 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 131559 (1 found)
2023/09/28 08:01:03 428875 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 112585 (2 found)
2023/09/28 08:01:03 428941 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 261063 (3 found)
2023/09/28 08:01:03 428951 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 187070 (4 found)
2023/09/28 08:01:03 429016 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 370686 (5 found)
2023/09/28 08:01:03 429025 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 420799 (6 found)
2023/09/28 08:01:03 429089 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 431544 (7 found)
2023/09/28 08:01:03 429149 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2546] GetFile - Found $MFT Attribute 0x80 in ATTRIBUTE_LIST at 431546 (8 found)
2023/09/28 08:01:03 429159 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetFile:2561] GetFile - Finished getting ATTRIBUTE_LIST
2023/09/28 08:01:03 429292 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit
2023/09/28 08:01:04 378454 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7247] GetLocalFolderNames: GHFSEA-VDI04:\Windows\System32\Config\SOFTWARE loaded successfully. Opening key: Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
2023/09/28 08:01:04 378745 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7251] GetLocalFolderNames: Key Microsoft\Windows\CurrentVersion\Explorer\Shell Folders found. Number of values: 12
2023/09/28 08:01:04 378757 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common Administrative Tools"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools"
2023/09/28 08:01:04 378765 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common AppData"="C:\ProgramData"
2023/09/28 08:01:04 378770 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7282] GetLocaFolderNames: Common AppData C:\ProgramData
2023/09/28 08:01:04 378777 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7294] GetLocaFolderNames: CommonAppDataLocalName ProgramData
2023/09/28 08:01:04 378782 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common Desktop"="C:\Users\Public\Desktop"
2023/09/28 08:01:04 378788 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common Documents"="C:\Users\Public\Documents"
2023/09/28 08:01:04 378792 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7262] GetLocaFolderNames: Common Documents C:\Users\Public\Documents
2023/09/28 08:01:04 378796 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7277] GetLocaFolderNames: DocumentsAndSettingsLocalName Users
2023/09/28 08:01:04 378802 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common Programs"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
2023/09/28 08:01:04 378932 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common Start Menu"="C:\ProgramData\Microsoft\Windows\Start Menu"
2023/09/28 08:01:04 378942 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common Startup"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
2023/09/28 08:01:04 378947 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "Common Templates"="C:\ProgramData\Microsoft\Windows\Templates"
2023/09/28 08:01:04 378952 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "CommonMusic"="C:\Users\Public\Music"
2023/09/28 08:01:04 378957 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "CommonPictures"="C:\Users\Public\Pictures"
2023/09/28 08:01:04 378962 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "CommonVideo"="C:\Users\Public\Videos"
2023/09/28 08:01:04 378967 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7257] GetLocalFolderNames: Found value: "OEM Links"="C:\ProgramData\OEM\Links"
2023/09/28 08:01:04 379108 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7409] GetLocalFolderNames: DocumentsAndSettingsLocalName: Registry Info drive: GHFSEA-VDI04:
2023/09/28 08:01:04 379131 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/09/28 08:01:04 379281 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows.old\Windows\System32\Config\SOFTWARE
2023/09/28 08:01:04 379308 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2)
2023/09/28 08:01:04 379425 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit
2023/09/28 08:01:04 379442 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B
2023/09/28 08:01:04 379447 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3212] CreateTempRegFileIfNeeded: Error - file handle invalid (2)
2023/09/28 08:01:04 379575 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7416] GetLocaFolderNames: Registry Info: Could not load GHFSEA-VDI04:\Windows.old\Windows\System32\Config\SOFTWARE
2023/09/28 08:01:04 379591 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7975] GetLocalFolderNames: Registry Info drive: GHFSEA-VDI04:
2023/09/28 08:01:04 379606 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start
2023/09/28 08:01:04 379711 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8559] LocalOSEnv::GetNextUser xp check
2023/09/28 08:01:04 379736 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Documents and Settings\*
2023/09/28 08:01:04 379751 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Documents and Settings" found at MFT record 67590 in INDEX_ROOT attribute.
2023/09/28 08:01:04 379758 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 67590 (Search string: *)
2023/09/28 08:01:04 380141 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "DOCUME~1" (type=2) in FILE_NAME attribute
2023/09/28 08:01:04 380155 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Documents and Settings" (type=1) in FILE_NAME attribute
2023/09/28 08:01:04 380161 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2)
2023/09/28 08:01:04 380166 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit
2023/09/28 08:01:04 380176 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8566] LocalOSEnv::GetNextUser cleanup profile path
2023/09/28 08:01:04 380288 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0
2023/09/28 08:01:04 380298 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation GHFSEA-VDI04:\
2023/09/28 08:01:04 380315 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8611] LocalOSEnv::GetNextUser win7/mac check
2023/09/28 08:01:04 380327 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\*
2023/09/28 08:01:04 380438 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute.
2023/09/28 08:01:04 380450 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 471 (Search string: *)
2023/09/28 08:01:04 380870 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Users" (type=0) in FILE_NAME attribute
2023/09/28 08:01:04 381162 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory
2023/09/28 08:01:04 381184 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit
2023/09/28 08:01:04 381197 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path GHFSEA-VDI04:\Users\*
2023/09/28 08:01:04 381329 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next
2023/09/28 08:01:04 381338 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location
2023/09/28 08:01:04 381342 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file
2023/09/28 08:01:04 381346 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Administrator
2023/09/28 08:01:04 381351 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish
2023/09/28 08:01:04 381484 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:7986] GetLocalFolderNames: registryFile: GHFSEA-VDI04:\Users\Administrator\NTUSER.DAT
2023/09/28 08:01:04 381494 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3133] CreateTempRegFileIfNeeded: A
2023/09/28 08:01:04 381515 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262]
Search btree direct enter \Users\Administrator\NTUSER.DAT 2023/09/28 08:01:04 381641 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 381663 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Administrator" found at MFT record 96250 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 382025 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "ADMINI~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 382596 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "NTUSER.DAT" found at MFT record 96251 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 382610 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96251 (Search string: ) 2023/09/28 08:01:04 382616 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 382732 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 382748 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3138] CreateTempRegFileIfNeeded: B 2023/09/28 08:01:04 382752 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3217] CreateTempRegFileIfNeeded: E 2023/09/28 08:01:04 387417 DEBUG [CfgStart.cpp->CreateTempRegFileIfNeeded:3223] CreateTempRegFileIfNeeded: finished 2023/09/28 08:01:04 387585 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\Administrator\NTUSER.DAT 2023/09/28 08:01:04 387609 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 387618 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Administrator" found at MFT record 96250 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 387747 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "ADMINI~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 387759 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "NTUSER.DAT" found at MFT record 96251 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 387767 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96251 (Search string: ) 2023/09/28 08:01:04 387771 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 387781 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 413509 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8032] GetLocaFolderNames: AppDataLocalName AppData\Roaming 2023/09/28 08:01:04 413541 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8016] GetLocaFolderNames: LocalAppDataLocalName AppData\Local 2023/09/28 08:01:04 413547 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8044] GetLocaFolderNames: HistoryLocalName AppData\Local\Microsoft\Windows\History 2023/09/28 08:01:04 413553 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8068] GetLocaFolderNames: RecentLocalName AppData\Roaming\Microsoft\Windows\Recent 2023/09/28 08:01:04 413563 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 413589 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 413594 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 413598 DEBUG 
[misc.cpp->LocalOSEnv::GetNextUser:8718] All Users 2023/09/28 08:01:04 413603 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 413759 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8759] LocalOSEnv::GetNextUser_Windows_Old start 2023/09/28 08:01:04 413770 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8779] LocalOSEnv::GetNextUser_Windows_Old xp check 2023/09/28 08:01:04 413797 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows.old\Documents and Settings\* 2023/09/28 08:01:04 413888 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 413900 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 414190 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8786] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/09/28 08:01:04 414203 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/09/28 08:01:04 414319 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 414414 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8831] LocalOSEnv::GetNextUser_Windows_Old win7/mac check 2023/09/28 08:01:04 414510 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows.old\Users\* 2023/09/28 08:01:04 414528 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 414605 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 414703 DEBUG 
[misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path GHFSEA-VDI04:\Windows.old\Users\* 2023/09/28 08:01:04 414714 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/09/28 08:01:04 414718 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/09/28 08:01:04 414799 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 414819 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8846] LocalOSEnv::GetNextUser_Windows_Old ubununtu check 2023/09/28 08:01:04 414897 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \old\home\* 2023/09/28 08:01:04 414914 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 414919 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 414930 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path GHFSEA-VDI04:\old\home\* 2023/09/28 08:01:04 415008 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/09/28 08:01:04 415017 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/09/28 08:01:04 415021 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 415119 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/09/28 08:01:04 415128 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old 
next 2023/09/28 08:01:04 415133 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8987] LocalOSEnv::GetNextUser_Windows_Old end 2023/09/28 08:01:04 415143 DEBUG [misc.cpp->LocalOSEnv::GetLocalFolderNames:8514] GetLocalFolderNames end (detected OS: Unknown) 2023/09/28 08:01:04 415317 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows.old 2023/09/28 08:01:04 415344 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 5 (Search string: Windows.old) 2023/09/28 08:01:04 415428 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "." (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 415490 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 415551 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 415726 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 415738 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8559] LocalOSEnv::GetNextUser xp check 2023/09/28 08:01:04 415802 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Documents and Settings\* 2023/09/28 08:01:04 415868 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Documents and Settings" found at MFT record 67590 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 415882 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 67590 (Search string: *) 2023/09/28 08:01:04 415953 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "DOCUME~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 415966 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Documents and Settings" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 416028 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 416046 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 416130 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8566] LocalOSEnv::GetNextUser cleanup profile path 2023/09/28 08:01:04 416190 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0 2023/09/28 08:01:04 416204 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 416260 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8611] LocalOSEnv::GetNextUser win7/mac check 2023/09/28 08:01:04 416283 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\* 2023/09/28 08:01:04 416332 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 416346 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 471 (Search string: *) 2023/09/28 08:01:04 416398 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 416422 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path GHFSEA-VDI04:\Users\* 2023/09/28 08:01:04 416478 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/09/28 08:01:04 416489 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 416552 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 416562 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Administrator 2023/09/28 08:01:04 416569 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 416706 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\Administrator\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 416759 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 416776 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Administrator" found at MFT record 96250 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 416843 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 96263 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 416915 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 96264 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 416986 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 96265 in INDEX_ROOT attribute. 2023/09/28 08:01:04 417364 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 96793 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 417429 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96793 (Search string: *) 2023/09/28 08:01:04 417844 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 417923 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 417998 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 418234 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2061763286-409968658-1781405307-500\* 2023/09/28 08:01:04 418294 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 418310 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Administrator" found at MFT record 96250 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 418377 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 96263 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 418449 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 96264 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 418527 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 96265 in INDEX_ROOT attribute. 2023/09/28 08:01:04 418612 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 96793 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 418672 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-2061763286-409968658-1781405307-500" found at MFT record 96820 in INDEX_ROOT attribute. 2023/09/28 08:01:04 418687 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96820 (Search string: *) 2023/09/28 08:01:04 418734 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 418746 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-2061763286-409968658-1781405307-500" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 418819 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 418905 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 419036 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2061763286-409968658-1781405307-500\afd17645-b6c0-4b51-b19d-16ebfd4f2b72 2023/09/28 08:01:04 419185 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2061763286-409968658-1781405307-500\afd17645-b6c0-4b51-b19d-16ebfd4f2b72 2023/09/28 
08:01:04 419239 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 419255 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Administrator" found at MFT record 96250 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 419336 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "ADMINI~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 419395 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 96263 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 419481 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 96264 in INDEX_ROOT attribute. 2023/09/28 08:01:04 419557 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 96265 in INDEX_ROOT attribute. 2023/09/28 08:01:04 419572 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 419634 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 96793 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 419707 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-2061763286-409968658-1781405307-500" found at MFT record 96820 in INDEX_ROOT attribute. 2023/09/28 08:01:04 419783 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 
2023/09/28 08:01:04 419797 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "afd17645-b6c0-4b51-b19d-16ebfd4f2b72" found at MFT record 97076 in INDEX_ROOT attribute. 2023/09/28 08:01:04 419846 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 97076 (Search string: ) 2023/09/28 08:01:04 419857 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 420280 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 420595 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 420643 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 420652 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 420657 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] All Users 2023/09/28 08:01:04 420726 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 420789 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\All Users\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 420853 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 420868 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "All Users" found at MFT record 21755 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 421206 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 421283 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 421376 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 421432 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 421444 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 421503 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] CHillAdmin 2023/09/28 08:01:04 421514 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 421562 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\CHillAdmin\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 421601 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 421647 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "CHillAdmin" found at MFT record 47951 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 422520 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 68072 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 422887 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 85279 in INDEX_ROOT attribute. 2023/09/28 08:01:04 423165 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 85280 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 423221 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 423236 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 423299 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 423312 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 423372 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 423383 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Default 2023/09/28 08:01:04 423455 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 423512 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\Default\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 423570 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 423586 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Default" found at MFT record 472 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 424016 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 473 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 424031 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 492 in INDEX_ROOT attribute. 2023/09/28 08:01:04 424039 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 493 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 424052 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 424059 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 424070 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 424076 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 424159 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 424168 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Default User 2023/09/28 08:01:04 424172 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 424261 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\Default User\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 424278 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 424355 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Default User" found at MFT record 21756 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 424367 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 424448 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 424463 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 424468 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 424472 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 424548 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] desktop.ini 2023/09/28 08:01:04 424557 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 424560 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] DMARTIN 2023/09/28 08:01:04 424564 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 424648 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\DMARTIN\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 424664 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 424744 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "DMARTIN" found at MFT record 138082 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 425517 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 368322 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 425901 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 369317 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 426487 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 371016 in INDEX_ROOT attribute. 2023/09/28 08:01:04 427188 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 375857 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 427202 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 375857 (Search string: *) 2023/09/28 08:01:04 427668 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 427693 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 427702 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 427814 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\DMARTIN\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7613\* 2023/09/28 08:01:04 427947 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428055 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "DMARTIN" found at MFT record 138082 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428072 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 368322 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428084 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 369317 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 428096 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 371016 in INDEX_ROOT attribute. 2023/09/28 08:01:04 428121 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 375857 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428130 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7613" found at MFT record 375858 in INDEX_ROOT attribute. 2023/09/28 08:01:04 428136 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 375858 (Search string: *) 2023/09/28 08:01:04 428142 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 428148 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-349233159-1990136952-1071972300-7613" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 428439 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 428522 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 428584 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\DMARTIN\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7613\630f30a6-cc73-4a0d-9470-a42ad4f6ad70 2023/09/28 08:01:04 428654 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\DMARTIN\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7613\630f30a6-cc73-4a0d-9470-a42ad4f6ad70 2023/09/28 
08:01:04 428741 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428792 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "DMARTIN" found at MFT record 138082 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428803 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 368322 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428809 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 369317 in INDEX_ROOT attribute. 2023/09/28 08:01:04 428816 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 371016 in INDEX_ROOT attribute. 2023/09/28 08:01:04 428881 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 428893 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 375857 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 428955 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7613" found at MFT record 375858 in INDEX_ROOT attribute. 2023/09/28 08:01:04 429029 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 429044 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "630f30a6-cc73-4a0d-9470-a42ad4f6ad70" found at MFT record 226588 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 429118 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 226588 (Search string: ) 2023/09/28 08:01:04 429127 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 429511 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 430105 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\DMARTIN\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7613\c1008410-a097-447a-a80f-46591aec8bbf 2023/09/28 08:01:04 430160 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\DMARTIN\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7613\c1008410-a097-447a-a80f-46591aec8bbf 2023/09/28 08:01:04 430179 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 430248 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "DMARTIN" found at MFT record 138082 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 430324 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 368322 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 430337 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 369317 in INDEX_ROOT attribute. 2023/09/28 08:01:04 430404 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 371016 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 430416 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 430480 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 375857 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 430492 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7613" found at MFT record 375858 in INDEX_ROOT attribute. 2023/09/28 08:01:04 430554 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 430565 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "c1008410-a097-447a-a80f-46591aec8bbf" found at MFT record 375875 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 430629 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 375875 (Search string: ) 2023/09/28 08:01:04 430638 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 430701 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 431328 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 431341 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 431344 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 431351 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] examine_ldap 2023/09/28 08:01:04 431355 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 
08:01:04 431448 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\examine_ldap\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 431508 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 431520 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "examine_ldap" found at MFT record 227661 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 432377 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 297272 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 432849 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 298858 in INDEX_ROOT attribute. 2023/09/28 08:01:04 433244 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 298866 in INDEX_ROOT attribute. 2023/09/28 08:01:04 433488 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 480423 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 433501 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 480423 (Search string: *) 2023/09/28 08:01:04 433952 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 433976 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 433995 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 434038 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\examine_ldap\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-17311\* 2023/09/28 08:01:04 434069 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 434165 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "examine_ldap" found at MFT record 227661 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 434180 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 297272 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 434187 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 298858 in INDEX_ROOT attribute. 2023/09/28 08:01:04 434258 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 298866 in INDEX_ROOT attribute. 2023/09/28 08:01:04 434270 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 480423 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 434345 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-17311" found at MFT record 480425 in INDEX_ROOT attribute. 2023/09/28 08:01:04 434357 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 480425 (Search string: *) 2023/09/28 08:01:04 434430 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 434440 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-349233159-1990136952-1071972300-17311" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 434692 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 434766 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 434837 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\examine_ldap\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-17311\4bdcc91f-fc32-4e38-a129-0af6dd314348 2023/09/28 08:01:04 434900 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\examine_ldap\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-17311\4bdcc91f-fc32-4e38-a129-0af6dd314348 2023/09/28 08:01:04 434921 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 434988 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "examine_ldap" found at MFT record 227661 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 435001 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "EXAMIN~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 435080 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 297272 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 435093 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 298858 in INDEX_ROOT attribute. 2023/09/28 08:01:04 435159 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 298866 in INDEX_ROOT attribute. 2023/09/28 08:01:04 435171 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 435234 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 480423 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 435247 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-17311" found at MFT record 480425 in INDEX_ROOT attribute. 2023/09/28 08:01:04 435308 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 435319 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "4bdcc91f-fc32-4e38-a129-0af6dd314348" found at MFT record 480436 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 435386 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 480436 (Search string: ) 2023/09/28 08:01:04 435395 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 435462 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 436175 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 436244 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 436253 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 436318 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] fborja3 2023/09/28 08:01:04 436326 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 436377 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 436400 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 436468 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 437538 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 437903 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 438201 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 438426 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 438439 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 346681 (Search string: *) 2023/09/28 08:01:04 438953 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 438975 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 438983 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 439013 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\* 2023/09/28 08:01:04 439031 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 439039 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 439055 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 439160 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 439175 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 439181 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 439253 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 439264 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 346682 (Search string: *) 2023/09/28 08:01:04 439332 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 439341 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-349233159-1990136952-1071972300-3615" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 439659 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 439724 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 439817 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\41efcfb3-2690-4e07-b940-e190510d35e2 2023/09/28 08:01:04 439885 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\41efcfb3-2690-4e07-b940-e190510d35e2 2023/09/28 
08:01:04 439935 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 439954 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 440029 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 440114 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 2023/09/28 08:01:04 440128 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 440191 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 440202 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 440272 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 440335 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 440351 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "41efcfb3-2690-4e07-b940-e190510d35e2" found at MFT record 180882 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 440429 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 180882 (Search string: ) 2023/09/28 08:01:04 440495 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 441015 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 441806 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\4f97cc76-14f3-4e9d-917a-b5620c5c08cd 2023/09/28 08:01:04 442069 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\4f97cc76-14f3-4e9d-917a-b5620c5c08cd 2023/09/28 08:01:04 442094 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 442102 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 442109 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 442117 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 2023/09/28 08:01:04 442124 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 442130 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 442136 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 442239 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 442251 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 442257 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "4f97cc76-14f3-4e9d-917a-b5620c5c08cd" found at MFT record 205472 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 442262 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 205472 (Search string: ) 2023/09/28 08:01:04 442265 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 442753 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 443360 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\7b7c07f8-a329-4166-9c26-b4613a5f8e24 2023/09/28 08:01:04 443555 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\7b7c07f8-a329-4166-9c26-b4613a5f8e24 2023/09/28 
08:01:04 443597 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 443612 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 443624 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 443643 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 2023/09/28 08:01:04 443701 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 443715 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 443724 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 443812 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 443885 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 443897 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "7b7c07f8-a329-4166-9c26-b4613a5f8e24" found at MFT record 205473 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 443960 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 205473 (Search string: ) 2023/09/28 08:01:04 443969 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 444031 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 444812 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\a8540384-b87a-4d59-ad81-ae4e1320920a 2023/09/28 08:01:04 444850 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\a8540384-b87a-4d59-ad81-ae4e1320920a 2023/09/28 08:01:04 444866 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 444959 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 445057 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 445257 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 2023/09/28 08:01:04 445283 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 445348 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 445425 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 445439 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 445503 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 445515 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "a8540384-b87a-4d59-ad81-ae4e1320920a" found at MFT record 346685 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 445581 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 346685 (Search string: ) 2023/09/28 08:01:04 445661 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 445711 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 446221 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\e40bdf3a-be31-440a-b019-4331fa2ed185 2023/09/28 08:01:04 446260 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\e40bdf3a-be31-440a-b019-4331fa2ed185 2023/09/28 
08:01:04 446274 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 446283 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 446290 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 446372 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 2023/09/28 08:01:04 446386 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 446457 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 446468 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 446534 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 446547 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 446613 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "e40bdf3a-be31-440a-b019-4331fa2ed185" found at MFT record 200218 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 446761 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 200218 (Search string: ) 2023/09/28 08:01:04 446845 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 447288 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 447691 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\e4c56da9-ff65-43cc-bba9-527ee72fb9b4 2023/09/28 08:01:04 447726 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\e4c56da9-ff65-43cc-bba9-527ee72fb9b4 2023/09/28 08:01:04 447742 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 447841 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 447858 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 447927 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 2023/09/28 08:01:04 447940 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 448003 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 448014 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 448102 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 448166 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 448179 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "e4c56da9-ff65-43cc-bba9-527ee72fb9b4" found at MFT record 223715 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 448189 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 223715 (Search string: ) 2023/09/28 08:01:04 448265 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 448723 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 449677 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\f5384f44-261e-462d-a2f3-94104fcfb9f3 2023/09/28 08:01:04 449714 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\fborja3\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3615\f5384f44-261e-462d-a2f3-94104fcfb9f3 2023/09/28 
08:01:04 449729 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 449737 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fborja3" found at MFT record 27269 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 449743 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 113930 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 449750 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 113932 in INDEX_ROOT attribute. 2023/09/28 08:01:04 449757 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 113943 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 449765 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 449781 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 346681 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 449898 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3615" found at MFT record 346682 in INDEX_ROOT attribute. 2023/09/28 08:01:04 449913 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 449920 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "f5384f44-261e-462d-a2f3-94104fcfb9f3" found at MFT record 188711 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 449998 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 188711 (Search string: ) 2023/09/28 08:01:04 450008 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 450441 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 451255 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 451271 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 451277 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 451281 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] FrankBorja 2023/09/28 08:01:04 451285 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 451315 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 451417 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 451434 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 452462 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 452966 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 453246 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 453539 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 453553 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 111413 (Search string: *) 2023/09/28 08:01:04 453834 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 453860 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 453868 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 453908 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\* 2023/09/28 08:01:04 453964 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 453982 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 453994 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 454083 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 454171 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 454186 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 454357 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 454368 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 111414 (Search string: *) 2023/09/28 08:01:04 454375 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 454455 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-349233159-1990136952-1071972300-3096" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 455041 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 455160 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 455253 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\bbcb9f04-3cdb-43b5-91f1-b46ff50fb8ae 2023/09/28 08:01:04 455324 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\bbcb9f04-3cdb-43b5-91f1-b46ff50fb8ae 
2023/09/28 08:01:04 455396 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 455414 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 455498 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 455575 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 455656 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 2023/09/28 08:01:04 455670 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 455739 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 455751 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 455823 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 455889 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 
2023/09/28 08:01:04 455906 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "bbcb9f04-3cdb-43b5-91f1-b46ff50fb8ae" found at MFT record 202476 in INDEX_ROOT attribute. 2023/09/28 08:01:04 455976 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 202476 (Search string: ) 2023/09/28 08:01:04 455986 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 456418 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 456994 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\24b669d9-f7f8-45c7-9d40-c7bada5f4973 2023/09/28 08:01:04 457026 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\24b669d9-f7f8-45c7-9d40-c7bada5f4973 2023/09/28 08:01:04 457040 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 457050 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 457065 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 457071 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 457078 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 2023/09/28 08:01:04 457183 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 457197 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 457203 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 457280 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 457294 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 457365 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "24b669d9-f7f8-45c7-9d40-c7bada5f4973" found at MFT record 65766 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 457376 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 65766 (Search string: ) 2023/09/28 08:01:04 457449 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 457899 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 458323 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\30e0f0e5-bd07-42d6-a249-ae5b6f39ad0c 2023/09/28 08:01:04 458380 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\30e0f0e5-bd07-42d6-a249-ae5b6f39ad0c 2023/09/28 08:01:04 458402 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 458461 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 458476 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 458485 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 458566 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 458583 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 458597 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 458656 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 458669 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 458742 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 458754 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "30e0f0e5-bd07-42d6-a249-ae5b6f39ad0c" found at MFT record 145585 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 458825 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 145585 (Search string: ) 2023/09/28 08:01:04 458834 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 459208 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 460338 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\354d9efc-1a9f-4875-80d9-7256c609d0cf 2023/09/28 08:01:04 460391 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\354d9efc-1a9f-4875-80d9-7256c609d0cf 2023/09/28 08:01:04 460405 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 460412 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 460420 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 460426 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 460436 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 460453 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 460589 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 460692 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 460777 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 460790 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 460860 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "354d9efc-1a9f-4875-80d9-7256c609d0cf" found at MFT record 111417 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 460871 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 111417 (Search string: ) 2023/09/28 08:01:04 460942 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 460956 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 461404 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\43aa6f2a-1122-4b88-aa62-f0b05f49821a 2023/09/28 08:01:04 461494 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\43aa6f2a-1122-4b88-aa62-f0b05f49821a 2023/09/28 08:01:04 461576 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 461656 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 461723 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 461736 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 461747 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 461827 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 461903 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 461915 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 461986 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 462076 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 462168 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "43aa6f2a-1122-4b88-aa62-f0b05f49821a" found at MFT record 300467 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 462226 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 300467 (Search string: ) 2023/09/28 08:01:04 462241 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 462716 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 463086 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\594c9292-0732-455c-9ff9-c5e116d9c6f6 2023/09/28 08:01:04 463121 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\594c9292-0732-455c-9ff9-c5e116d9c6f6 2023/09/28 08:01:04 463136 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 463145 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 463152 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 463247 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 463262 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 463340 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 463352 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 463424 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 463438 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 463507 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 463519 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "594c9292-0732-455c-9ff9-c5e116d9c6f6" found at MFT record 129165 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 463591 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 129165 (Search string: ) 2023/09/28 08:01:04 463658 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 464169 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 464618 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\740a9c5a-5b0c-4e1c-925d-f4768fee2967 2023/09/28 08:01:04 464653 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\740a9c5a-5b0c-4e1c-925d-f4768fee2967 2023/09/28 08:01:04 464668 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 464774 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 464861 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 464874 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 464881 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 464887 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 464894 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 464901 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 464910 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 464917 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 464924 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "740a9c5a-5b0c-4e1c-925d-f4768fee2967" found at MFT record 133249 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 464930 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 133249 (Search string: ) 2023/09/28 08:01:04 464935 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 465396 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 465830 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\8726ce2b-4475-4b4e-8e9c-ac2c1cae27ba 2023/09/28 08:01:04 465898 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\8726ce2b-4475-4b4e-8e9c-ac2c1cae27ba 2023/09/28 08:01:04 465927 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 465977 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 465992 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 466001 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 466074 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 466093 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 466168 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 466181 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 466251 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 466263 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 466332 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "8726ce2b-4475-4b4e-8e9c-ac2c1cae27ba" found at MFT record 188927 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 466343 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 188927 (Search string: ) 2023/09/28 08:01:04 466412 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 466944 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 467320 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\98fe75cb-6390-48ee-8e92-3e55c16bb692 2023/09/28 08:01:04 467370 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\98fe75cb-6390-48ee-8e92-3e55c16bb692 2023/09/28 08:01:04 467390 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 467480 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 467564 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 467577 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 467646 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 467668 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 467715 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 467724 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 467733 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 467739 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 467807 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "98fe75cb-6390-48ee-8e92-3e55c16bb692" found at MFT record 201287 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 467876 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 201287 (Search string: ) 2023/09/28 08:01:04 467889 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 468232 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 469335 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\bed5ce7f-f929-46f4-bda1-9a884545e85c 2023/09/28 08:01:04 469372 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\bed5ce7f-f929-46f4-bda1-9a884545e85c 2023/09/28 08:01:04 469386 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 469394 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 469400 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 469406 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 469413 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 469422 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 469429 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 469435 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 469553 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 469568 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 469574 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "bed5ce7f-f929-46f4-bda1-9a884545e85c" found at MFT record 133185 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 469579 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 133185 (Search string: ) 2023/09/28 08:01:04 469657 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 470170 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 470538 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\c1263776-6df8-4498-a911-f93f3dfbbeac 2023/09/28 08:01:04 470587 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\c1263776-6df8-4498-a911-f93f3dfbbeac 2023/09/28 08:01:04 470677 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 470768 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 470853 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 470865 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 470939 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 470953 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 471021 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 471033 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 471131 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 471144 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 471214 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "c1263776-6df8-4498-a911-f93f3dfbbeac" found at MFT record 132519 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 471282 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 132519 (Search string: ) 2023/09/28 08:01:04 471297 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 471716 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 472080 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\cdd640f5-3697-4d28-ba32-81a2c5b539c6 2023/09/28 08:01:04 472127 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\cdd640f5-3697-4d28-ba32-81a2c5b539c6 2023/09/28 08:01:04 472146 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 472160 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 472298 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 472312 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 472319 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 472330 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 472336 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 472427 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 472442 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 472456 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 472517 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "cdd640f5-3697-4d28-ba32-81a2c5b539c6" found at MFT record 189568 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 472528 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 189568 (Search string: ) 2023/09/28 08:01:04 472532 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 472901 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 473343 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\ec17bcb1-224f-42ae-8137-19335bc13823 2023/09/28 08:01:04 473403 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\ec17bcb1-224f-42ae-8137-19335bc13823 2023/09/28 08:01:04 473506 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 473561 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 473585 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 473637 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 473655 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 473726 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 473815 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 473884 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 473966 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 473979 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 474047 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "ec17bcb1-224f-42ae-8137-19335bc13823" found at MFT record 129144 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 474145 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 129144 (Search string: ) 2023/09/28 08:01:04 474202 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 474681 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 475035 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\f0fc9fcd-71ec-4541-b03f-23232672d614 2023/09/28 08:01:04 475077 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\FrankBorja\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-3096\f0fc9fcd-71ec-4541-b03f-23232672d614 2023/09/28 08:01:04 475094 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 475197 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "FrankBorja" found at MFT record 104414 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 475214 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "FRANKB~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 475286 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 104490 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 475368 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 104507 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 475382 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 104518 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 475449 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 475461 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 111413 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 475532 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-3096" found at MFT record 111414 in INDEX_ROOT attribute. 2023/09/28 08:01:04 475598 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 475617 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "f0fc9fcd-71ec-4541-b03f-23232672d614" found at MFT record 27571 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 475684 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 27571 (Search string: ) 2023/09/28 08:01:04 475693 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 476100 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 477355 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 477371 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 477375 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 477379 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] jhagins 2023/09/28 08:01:04 477383 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 477417 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\jhagins\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 477433 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 477542 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "jhagins" found at MFT record 182474 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 478449 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 184058 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 478843 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 184100 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 479133 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 184103 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 479414 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 406228 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 479428 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 406228 (Search string: *) 2023/09/28 08:01:04 479738 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 479764 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 479771 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 479801 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\jhagins\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-21677\* 2023/09/28 08:01:04 479865 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 479883 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "jhagins" found at MFT record 182474 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 479894 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 184058 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 479979 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 184100 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 480044 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 184103 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 480056 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 406228 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 480143 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-21677" found at MFT record 406231 in INDEX_ROOT attribute. 2023/09/28 08:01:04 480156 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 406231 (Search string: *) 2023/09/28 08:01:04 480225 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 480236 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-349233159-1990136952-1071972300-21677" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 480517 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 480571 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 480673 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\jhagins\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-21677\0e46f513-e4d2-451b-9674-02309cd90c34 2023/09/28 08:01:04 480827 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\jhagins\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-21677\0e46f513-e4d2-451b-9674-02309cd90c34 
2023/09/28 08:01:04 480894 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 480929 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "jhagins" found at MFT record 182474 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 480967 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 184058 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 480984 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 184100 in INDEX_ROOT attribute. 2023/09/28 08:01:04 481059 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 184103 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 481077 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 481157 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 406228 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 481234 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-21677" found at MFT record 406231 in INDEX_ROOT attribute. 2023/09/28 08:01:04 481247 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 481254 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "0e46f513-e4d2-451b-9674-02309cd90c34" found at MFT record 406242 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 481259 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 406242 (Search string: ) 2023/09/28 08:01:04 481275 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 481372 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 482047 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 482128 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 482141 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 482147 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Public 2023/09/28 08:01:04 482247 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 482348 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\Public\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 482725 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 482804 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Public" found at MFT record 520 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 483124 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 483139 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 483150 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 483155 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 483161 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 483165 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] testuser 2023/09/28 08:01:04 483170 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 483189 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\testuser\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 483258 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 483275 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "testuser" found at MFT record 199569 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 484314 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 199685 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 484686 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 199687 in INDEX_ROOT attribute. 2023/09/28 08:01:04 484703 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 199691 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 484963 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 352509 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 484978 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 352509 (Search string: *) 2023/09/28 08:01:04 485331 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 485350 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 485357 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 485392 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\testuser\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-17312\* 2023/09/28 08:01:04 485463 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 485484 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "testuser" found at MFT record 199569 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 485571 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 199685 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 485668 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 199687 in INDEX_ROOT attribute. 2023/09/28 08:01:04 485755 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 199691 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 485769 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 352509 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 485841 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-17312" found at MFT record 352747 in INDEX_ROOT attribute. 2023/09/28 08:01:04 485853 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 352747 (Search string: *) 2023/09/28 08:01:04 486286 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 486354 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-349233159-1990136952-1071972300-17312" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 486618 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 486633 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 486665 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\testuser\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-17312\f09bebf5-ebc8-4638-95d5-d3fb01b3bf17 2023/09/28 08:01:04 486762 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\testuser\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-17312\f09bebf5-ebc8-4638-95d5-d3fb01b3bf17 2023/09/28 08:01:04 486876 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 486959 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "testuser" found at MFT record 199569 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 487041 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 199685 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 487054 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 199687 in INDEX_ROOT attribute. 2023/09/28 08:01:04 487138 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 199691 in INDEX_ROOT attribute. 2023/09/28 08:01:04 487151 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 487220 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 352509 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 487234 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-17312" found at MFT record 352747 in INDEX_ROOT attribute. 2023/09/28 08:01:04 487302 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 487370 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "f09bebf5-ebc8-4638-95d5-d3fb01b3bf17" found at MFT record 352829 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 487388 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 352829 (Search string: ) 2023/09/28 08:01:04 487460 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 487986 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 488662 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 488676 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 488680 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 488684 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] veeambackup 2023/09/28 08:01:04 488688 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 488717 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\veeambackup\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 488734 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 488744 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "veeambackup" found at MFT record 29827 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 489605 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 137003 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 490001 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 137004 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 490016 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Microsoft" found at MFT record 137791 in INDEX_ROOT attribute. 2023/09/28 08:01:04 490365 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 490379 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 490391 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 490396 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 490401 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 490405 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] wowrack 2023/09/28 08:01:04 490410 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 490428 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\* 2023/09/28 08:01:04 490495 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 490512 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 491327 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 491343 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 491579 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 491817 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 491830 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 98091 (Search string: *) 2023/09/28 08:01:04 492180 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=3) in FILE_NAME attribute 2023/09/28 08:01:04 492201 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 492209 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 492237 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\* 2023/09/28 08:01:04 492306 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 492322 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 492333 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 492411 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 492494 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 492508 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 492578 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 492590 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 98093 (Search string: *) 2023/09/28 08:01:04 492660 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 492671 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-21-349233159-1990136952-1071972300-7637" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 492943 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 492999 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 493105 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\34c14836-f2cf-4575-abcc-75b9573ef9ac 2023/09/28 08:01:04 493253 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\34c14836-f2cf-4575-abcc-75b9573ef9ac 2023/09/28 
08:01:04 493316 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 493409 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 493497 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 493554 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 493580 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 493629 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 493644 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 493717 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 493731 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 493801 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "34c14836-f2cf-4575-abcc-75b9573ef9ac" found at MFT record 373439 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 493813 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 373439 (Search string: ) 2023/09/28 08:01:04 493885 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 494375 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 494963 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\655802f6-888d-4e00-8e75-f970785dd559 2023/09/28 08:01:04 494997 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\655802f6-888d-4e00-8e75-f970785dd559 2023/09/28 08:01:04 495010 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 495019 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 495027 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 495034 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 495042 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 495150 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 495164 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 495173 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 495246 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 495258 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "655802f6-888d-4e00-8e75-f970785dd559" found at MFT record 206511 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 495330 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 206511 (Search string: ) 2023/09/28 08:01:04 495340 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 495788 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 497474 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\70ab4a5b-a8c7-4a23-8375-2dd176d8b293 2023/09/28 08:01:04 497530 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\70ab4a5b-a8c7-4a23-8375-2dd176d8b293 2023/09/28 
08:01:04 497552 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 497566 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 497578 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 497697 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 497719 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 497819 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 497836 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 497929 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 497947 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 498042 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "70ab4a5b-a8c7-4a23-8375-2dd176d8b293" found at MFT record 29817 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 498058 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 29817 (Search string: ) 2023/09/28 08:01:04 498171 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 498651 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 499083 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\b4a00429-ab23-44fe-9d50-d7f0cf30b51b 2023/09/28 08:01:04 499126 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\b4a00429-ab23-44fe-9d50-d7f0cf30b51b 2023/09/28 08:01:04 499145 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 499254 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 499271 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 499358 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 499440 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 499521 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 499533 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 499605 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 499672 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 499690 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "b4a00429-ab23-44fe-9d50-d7f0cf30b51b" found at MFT record 98105 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 499763 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 98105 (Search string: ) 2023/09/28 08:01:04 499773 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 499842 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 500218 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\df553074-55d1-405e-a916-e95098571d2e 2023/09/28 08:01:04 500280 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\df553074-55d1-405e-a916-e95098571d2e 2023/09/28 08:01:04 
500303 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 500353 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 500368 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 500448 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 500532 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 500545 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 500614 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 500628 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 500696 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 500707 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "df553074-55d1-405e-a916-e95098571d2e" found at MFT record 310127 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 500778 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 310127 (Search string: ) 2023/09/28 08:01:04 500800 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 501209 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 501590 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\ea95137b-351f-4d31-9f7a-2954a391cc08 2023/09/28 08:01:04 501623 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\ea95137b-351f-4d31-9f7a-2954a391cc08 2023/09/28 08:01:04 501636 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 501644 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 501651 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 501671 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 501739 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 501754 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 501763 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 501774 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 501845 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 501924 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "ea95137b-351f-4d31-9f7a-2954a391cc08" found at MFT record 206509 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 501935 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 206509 (Search string: ) 2023/09/28 08:01:04 502001 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 502296 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 502649 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\f0a7df52-6cae-4d69-bae8-ab9ec3cf7a97 2023/09/28 08:01:04 502693 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\f0a7df52-6cae-4d69-bae8-ab9ec3cf7a97 2023/09/28 
08:01:04 502783 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 502859 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 502880 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 502923 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 502948 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 502996 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 503010 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 503100 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 503174 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 503251 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "f0a7df52-6cae-4d69-bae8-ab9ec3cf7a97" found at MFT record 30249 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 503261 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 30249 (Search string: ) 2023/09/28 08:01:04 503328 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 503653 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 503991 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\f2642005-e34a-455d-9e31-eda9479bb570 2023/09/28 08:01:04 504022 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\wowrack\AppData\Roaming\Microsoft\Protect\S-1-5-21-349233159-1990136952-1071972300-7637\f2642005-e34a-455d-9e31-eda9479bb570 2023/09/28 08:01:04 504035 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 504044 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "wowrack" found at MFT record 97935 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 504057 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "AppData" found at MFT record 97946 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 504159 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Roaming" found at MFT record 97947 in INDEX_ROOT attribute. 2023/09/28 08:01:04 504173 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 97948 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 504246 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 504256 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Protect" found at MFT record 98091 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 504327 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-21-349233159-1990136952-1071972300-7637" found at MFT record 98093 in INDEX_ROOT attribute. 2023/09/28 08:01:04 504339 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "S-1-5-~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 504404 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "f2642005-e34a-455d-9e31-eda9479bb570" found at MFT record 85611 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 504421 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 85611 (Search string: ) 2023/09/28 08:01:04 504428 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 504877 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 505377 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 505392 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8586] LocalOSEnv::GetNextUser close handle 2023/09/28 08:01:04 505405 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0 2023/09/28 08:01:04 505409 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 505436 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8626] LocalOSEnv::GetNextUser 
ubununtu check 2023/09/28 08:01:04 505502 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \home\* 2023/09/28 08:01:04 505527 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 505609 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 505664 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path GHFSEA-VDI04:\home\* 2023/09/28 08:01:04 505672 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/09/28 08:01:04 505679 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0 2023/09/28 08:01:04 505752 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 505814 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path 2023/09/28 08:01:04 505822 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/09/28 08:01:04 505827 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8743] LocalOSEnv::GetNextUser end 2023/09/28 08:01:04 505904 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\* 2023/09/28 08:01:04 505981 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 506056 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 506125 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 506537 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 506600 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 4282 (Search string: *) 2023/09/28 08:01:04 506613 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Protect" (type=0) in FILE_NAME attribute 2023/09/28 08:01:04 506681 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 506693 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 506748 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\* 2023/09/28 08:01:04 506773 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 506822 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 506905 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 506982 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 507059 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 507076 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 4283 (Search string: *) 2023/09/28 08:01:04 507142 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "S-1-5-18" (type=0) in FILE_NAME attribute 2023/09/28 08:01:04 507622 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 507672 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 507735 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\8546c843-1635-4f0e-a949-69c56de47652 2023/09/28 08:01:04 507810 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\8546c843-1635-4f0e-a949-69c56de47652 2023/09/28 08:01:04 507880 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 507945 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 508035 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 508123 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 508196 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 508272 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 508285 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "8546c843-1635-4f0e-a949-69c56de47652" found at MFT record 96094 in INDEX_ROOT attribute. 2023/09/28 08:01:04 508354 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96094 (Search string: ) 2023/09/28 08:01:04 508375 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 508768 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 508802 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 508888 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\146ba34e-e34a-4ca0-8309-b2d72af7c694 2023/09/28 08:01:04 508992 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\146ba34e-e34a-4ca0-8309-b2d72af7c694 2023/09/28 08:01:04 509069 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 509153 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 509216 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 509235 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 509301 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 509313 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 509387 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "146ba34e-e34a-4ca0-8309-b2d72af7c694" found at MFT record 67642 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 509456 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 67642 (Search string: ) 2023/09/28 08:01:04 509519 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 509540 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 509587 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 509662 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\14d2c6a4-32d5-4487-8fe0-fae8bc3b9d26 2023/09/28 08:01:04 509721 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\14d2c6a4-32d5-4487-8fe0-fae8bc3b9d26 2023/09/28 08:01:04 509743 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 509808 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 509874 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 509885 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 509890 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 509967 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 510019 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "14d2c6a4-32d5-4487-8fe0-fae8bc3b9d26" found at MFT record 402641 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 510027 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 402641 (Search string: ) 2023/09/28 08:01:04 510031 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 510516 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 510577 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 510649 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\150176c6-4d79-428a-8c07-d8cefe08a249 2023/09/28 08:01:04 510711 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\150176c6-4d79-428a-8c07-d8cefe08a249 2023/09/28 08:01:04 510793 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 510872 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 510934 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 510944 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 510950 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 511024 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 511117 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "150176c6-4d79-428a-8c07-d8cefe08a249" found at MFT record 224808 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 511193 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 224808 (Search string: ) 2023/09/28 08:01:04 511268 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 511668 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 511715 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 511788 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\39a06422-a104-4137-b53e-e22034310b22 2023/09/28 08:01:04 511898 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\39a06422-a104-4137-b53e-e22034310b22 2023/09/28 08:01:04 511954 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 511967 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 512026 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 512051 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 512105 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 512121 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 512196 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "39a06422-a104-4137-b53e-e22034310b22" found at MFT record 183891 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 512214 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 183891 (Search string: ) 2023/09/28 08:01:04 512255 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 512592 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 512659 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 512736 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\3df2bbf5-f55d-4ab2-82c5-0ac49b519a6e 2023/09/28 08:01:04 512799 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\3df2bbf5-f55d-4ab2-82c5-0ac49b519a6e 
2023/09/28 08:01:04 512820 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 512871 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 512962 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 513045 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 513122 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 513199 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 513277 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "3df2bbf5-f55d-4ab2-82c5-0ac49b519a6e" found at MFT record 48008 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 513288 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 48008 (Search string: ) 2023/09/28 08:01:04 513352 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 513424 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 513499 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 513577 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\4e5396ac-a5ac-4010-bbf0-0b43a3106789 2023/09/28 08:01:04 513641 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\4e5396ac-a5ac-4010-bbf0-0b43a3106789 2023/09/28 08:01:04 513664 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 513711 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 513810 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 513864 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 513873 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 513880 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 513954 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "4e5396ac-a5ac-4010-bbf0-0b43a3106789" found at MFT record 1774 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 514028 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 1774 (Search string: ) 2023/09/28 08:01:04 514036 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 514501 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 514566 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 514646 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\583703e1-feb2-4dab-9fdf-c3cb0edb438e 2023/09/28 08:01:04 514695 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\583703e1-feb2-4dab-9fdf-c3cb0edb438e 2023/09/28 08:01:04 514769 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 514789 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 514837 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 514853 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 514936 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 514986 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 514998 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "583703e1-feb2-4dab-9fdf-c3cb0edb438e" found at MFT record 135851 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 515003 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 135851 (Search string: ) 2023/09/28 08:01:04 515008 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 515339 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 515405 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 517263 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\63809960-3f67-4052-95c7-4f7d1d508024 2023/09/28 08:01:04 517301 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\63809960-3f67-4052-95c7-4f7d1d508024 
2023/09/28 08:01:04 517314 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 517324 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 517426 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 517441 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 517446 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 517514 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 517589 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "63809960-3f67-4052-95c7-4f7d1d508024" found at MFT record 225817 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 517600 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 225817 (Search string: ) 2023/09/28 08:01:04 517665 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 518142 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 518177 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 518260 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\6d8d4142-2d1f-465f-997d-488ebb3efe8d 2023/09/28 08:01:04 518340 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\6d8d4142-2d1f-465f-997d-488ebb3efe8d 2023/09/28 08:01:04 518364 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 518411 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 518506 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 518581 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 518591 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 518655 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 518675 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "6d8d4142-2d1f-465f-997d-488ebb3efe8d" found at MFT record 366095 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 518716 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 366095 (Search string: ) 2023/09/28 08:01:04 518730 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 519117 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 519161 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 519228 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\74944073-c761-458c-9080-ded91c78543f 2023/09/28 08:01:04 519342 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\74944073-c761-458c-9080-ded91c78543f 2023/09/28 08:01:04 519446 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 519543 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 519609 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 519621 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 519628 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 519723 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 519779 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "74944073-c761-458c-9080-ded91c78543f" found at MFT record 218953 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 519788 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 218953 (Search string: ) 2023/09/28 08:01:04 519792 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 520240 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 520337 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 520478 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\79c19d99-9335-4c51-b326-ec4b7bcf8161 2023/09/28 08:01:04 520583 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\79c19d99-9335-4c51-b326-ec4b7bcf8161 
2023/09/28 08:01:04 520616 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 520694 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 520848 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 520916 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 520932 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 520956 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 521012 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "79c19d99-9335-4c51-b326-ec4b7bcf8161" found at MFT record 114402 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 521024 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 114402 (Search string: ) 2023/09/28 08:01:04 521029 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 521535 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 521663 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 521752 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\a6ea4097-9cac-4778-9ab9-1007fcd23d7b 2023/09/28 08:01:04 521845 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\a6ea4097-9cac-4778-9ab9-1007fcd23d7b 2023/09/28 08:01:04 521947 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 521973 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 522049 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 522077 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 522100 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 522159 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 522181 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "a6ea4097-9cac-4778-9ab9-1007fcd23d7b" found at MFT record 96437 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 522312 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96437 (Search string: ) 2023/09/28 08:01:04 522425 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 523019 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 523164 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 523311 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\b3c910c2-051d-4178-aa32-d51bd8c90ce3 2023/09/28 08:01:04 523452 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\b3c910c2-051d-4178-aa32-d51bd8c90ce3 2023/09/28 08:01:04 523482 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 523550 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 523711 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 523841 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 523861 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 523997 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 524156 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "b3c910c2-051d-4178-aa32-d51bd8c90ce3" found at MFT record 301970 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 524169 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 301970 (Search string: ) 2023/09/28 08:01:04 524248 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 524750 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 524825 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 524907 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\cd730c30-e17a-4399-b639-7ea1f9f5cb81 2023/09/28 08:01:04 524980 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\cd730c30-e17a-4399-b639-7ea1f9f5cb81 
2023/09/28 08:01:04 525007 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 525073 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 525182 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 525273 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 525286 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 525371 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 525388 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "cd730c30-e17a-4399-b639-7ea1f9f5cb81" found at MFT record 79331 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 525467 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 79331 (Search string: ) 2023/09/28 08:01:04 525478 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 525860 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 525941 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 526029 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\d4444112-e1e7-4495-bde1-089a4c06c51d 2023/09/28 08:01:04 526116 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\d4444112-e1e7-4495-bde1-089a4c06c51d 2023/09/28 08:01:04 526142 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 526203 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 526322 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 526369 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 526378 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 526390 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 526405 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "d4444112-e1e7-4495-bde1-089a4c06c51d" found at MFT record 96179 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 526430 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96179 (Search string: ) 2023/09/28 08:01:04 526447 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 527236 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 527314 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 527406 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\db5fd6ae-bdec-451a-82ff-ddf256c8193d 2023/09/28 08:01:04 527500 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\db5fd6ae-bdec-451a-82ff-ddf256c8193d 2023/09/28 08:01:04 527530 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 527593 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 527723 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 527818 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 527841 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 527894 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 527909 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "db5fd6ae-bdec-451a-82ff-ddf256c8193d" found at MFT record 132766 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 527919 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 132766 (Search string: ) 2023/09/28 08:01:04 528006 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 528431 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 528518 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 528614 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\e1bbb271-540f-4316-a7d2-5763e68183a0 2023/09/28 08:01:04 528689 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\e1bbb271-540f-4316-a7d2-5763e68183a0 
2023/09/28 08:01:04 528717 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 528776 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 528901 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 528984 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 528997 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 529090 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 529108 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "e1bbb271-540f-4316-a7d2-5763e68183a0" found at MFT record 79332 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 529191 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 79332 (Search string: ) 2023/09/28 08:01:04 529203 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 529287 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 529368 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 529571 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\* 2023/09/28 08:01:04 529639 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 529655 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 529750 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 529848 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 529945 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 529961 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 530043 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 4284 (Search string: *) 2023/09/28 08:01:04 530058 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "User" (type=0) in FILE_NAME attribute 2023/09/28 08:01:04 530635 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 530716 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 530836 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\c1fe90e9-0393-4344-9235-2ead9833b4eb 2023/09/28 08:01:04 530916 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\c1fe90e9-0393-4344-9235-2ead9833b4eb 2023/09/28 08:01:04 530996 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 531142 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 531308 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 531325 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 531413 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 531429 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 531513 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 531529 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "c1fe90e9-0393-4344-9235-2ead9833b4eb" found at MFT record 48549 in INDEX_ROOT attribute. 2023/09/28 08:01:04 531612 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 48549 (Search string: ) 2023/09/28 08:01:04 531623 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 531989 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 532196 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 532388 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\197224ba-6bde-4388-ad74-9c2dcd9b2b9f 2023/09/28 08:01:04 532455 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\197224ba-6bde-4388-ad74-9c2dcd9b2b9f 2023/09/28 08:01:04 532477 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 532577 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 532661 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 532674 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 532681 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 532689 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 532778 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 532881 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "197224ba-6bde-4388-ad74-9c2dcd9b2b9f" found at MFT record 96180 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 532895 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96180 (Search string: ) 2023/09/28 08:01:04 532982 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 533009 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 533071 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 533176 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\296420b0-a916-43b2-865c-2b5fd552ca92 2023/09/28 08:01:04 533258 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\296420b0-a916-43b2-865c-2b5fd552ca92 2023/09/28 08:01:04 533288 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 533351 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 533468 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 533580 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 533672 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 533773 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 533877 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 533894 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "296420b0-a916-43b2-865c-2b5fd552ca92" found at MFT record 30172 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 533982 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 30172 (Search string: ) 2023/09/28 08:01:04 533993 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 534366 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 534439 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 534535 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\365d970b-2bfd-42ff-a25b-b637cbbe4e38 2023/09/28 08:01:04 534620 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\365d970b-2bfd-42ff-a25b-b637cbbe4e38 2023/09/28 08:01:04 534648 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 534711 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 534821 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 534930 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 535027 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 535149 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 535317 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 535418 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "365d970b-2bfd-42ff-a25b-b637cbbe4e38" found at MFT record 228238 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 535432 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 228238 (Search string: ) 2023/09/28 08:01:04 535447 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 535880 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 535969 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 536067 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\63d8734b-f5a4-44c2-a28d-72f8215824a6 2023/09/28 08:01:04 536159 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\63d8734b-f5a4-44c2-a28d-72f8215824a6 2023/09/28 08:01:04 536187 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 536256 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 536465 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 536485 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 536493 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 536503 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 536513 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 536526 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "63d8734b-f5a4-44c2-a28d-72f8215824a6" found at MFT record 360759 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 536535 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 360759 (Search string: ) 2023/09/28 08:01:04 536543 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 536974 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 537048 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 537150 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\70210e75-cfb9-41b2-8e0e-66a855fd894f 2023/09/28 08:01:04 537278 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\70210e75-cfb9-41b2-8e0e-66a855fd894f 2023/09/28 08:01:04 537398 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 537467 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 537498 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 537583 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 537597 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 537683 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 537786 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 537897 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "70210e75-cfb9-41b2-8e0e-66a855fd894f" found at MFT record 381308 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 537910 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 381308 (Search string: ) 2023/09/28 08:01:04 537993 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 538562 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 538632 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 538719 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\724eff4b-56b2-4516-9565-3333a1bdae4a 2023/09/28 08:01:04 538798 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\724eff4b-56b2-4516-9565-3333a1bdae4a 2023/09/28 08:01:04 538826 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 538892 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 538982 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 539078 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 539153 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 539236 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 539258 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 539304 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "724eff4b-56b2-4516-9565-3333a1bdae4a" found at MFT record 79335 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 539327 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 79335 (Search string: ) 2023/09/28 08:01:04 539381 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 539402 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 539458 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 539532 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\8cc86ab0-17d0-431b-8499-cdb6af73938b 2023/09/28 08:01:04 539610 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\8cc86ab0-17d0-431b-8499-cdb6af73938b 2023/09/28 08:01:04 539632 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 539688 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 539777 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 539877 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 539952 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 540030 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 540044 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 540052 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "8cc86ab0-17d0-431b-8499-cdb6af73938b" found at MFT record 227497 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 540070 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 227497 (Search string: ) 2023/09/28 08:01:04 540149 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 540639 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 540712 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 540787 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\99c00245-63e5-49d7-a7f9-f0ac68c1302c 2023/09/28 08:01:04 540846 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\99c00245-63e5-49d7-a7f9-f0ac68c1302c 2023/09/28 08:01:04 540868 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 540915 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 541003 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 541092 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 541169 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 541246 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 541326 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 541409 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "99c00245-63e5-49d7-a7f9-f0ac68c1302c" found at MFT record 188082 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 541426 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 188082 (Search string: ) 2023/09/28 08:01:04 541483 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 541917 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 541979 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 542053 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\9b9914a3-f3f3-43b5-9b7e-f20458af0276 2023/09/28 08:01:04 542126 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\9b9914a3-f3f3-43b5-9b7e-f20458af0276 2023/09/28 08:01:04 542149 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 542198 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 542285 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 542299 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 542378 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 542433 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 542445 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 542453 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "9b9914a3-f3f3-43b5-9b7e-f20458af0276" found at MFT record 126684 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 542526 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 126684 (Search string: ) 2023/09/28 08:01:04 542601 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 542937 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 543006 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 543091 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\a3785b22-5232-4478-aa08-68b66d24aa1e 2023/09/28 08:01:04 543155 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\a3785b22-5232-4478-aa08-68b66d24aa1e 2023/09/28 08:01:04 543178 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 543227 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 543313 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 543398 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 543469 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 543547 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 543627 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 543701 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "a3785b22-5232-4478-aa08-68b66d24aa1e" found at MFT record 133816 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 543724 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 133816 (Search string: ) 2023/09/28 08:01:04 543765 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 544147 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 544192 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 547024 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\aff8c340-f5f3-43ef-b490-f44bce3521e2 2023/09/28 08:01:04 547116 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\aff8c340-f5f3-43ef-b490-f44bce3521e2 2023/09/28 08:01:04 547145 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 547247 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 547363 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 547383 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 547476 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 547495 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 547590 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 547674 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "aff8c340-f5f3-43ef-b490-f44bce3521e2" found at MFT record 179523 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 547755 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 179523 (Search string: ) 2023/09/28 08:01:04 547764 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 548128 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 548194 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 548279 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\bddf0444-366b-437d-9ce6-ad88b20590ac 2023/09/28 08:01:04 548338 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\bddf0444-366b-437d-9ce6-ad88b20590ac 2023/09/28 08:01:04 548371 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 548421 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 548510 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 548601 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 548611 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 548678 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 548754 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 548768 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "bddf0444-366b-437d-9ce6-ad88b20590ac" found at MFT record 185291 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 548832 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 185291 (Search string: ) 2023/09/28 08:01:04 548905 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 549286 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 549317 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 549410 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\cb9afa01-20b7-485c-a2f1-afc429cbfec7 2023/09/28 08:01:04 549510 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\cb9afa01-20b7-485c-a2f1-afc429cbfec7 2023/09/28 08:01:04 549578 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 549652 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 549711 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 549734 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 549778 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 549794 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 549805 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 549884 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "cb9afa01-20b7-485c-a2f1-afc429cbfec7" found at MFT record 111621 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 549896 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 111621 (Search string: ) 2023/09/28 08:01:04 549958 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 550384 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 550430 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 550504 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\ccad8e20-be8e-484d-9e7f-b9b645ffdf9d 2023/09/28 08:01:04 550618 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\ccad8e20-be8e-484d-9e7f-b9b645ffdf9d 2023/09/28 08:01:04 550676 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 550690 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 550752 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 550778 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 550830 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 550848 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 550919 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 551011 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "ccad8e20-be8e-484d-9e7f-b9b645ffdf9d" found at MFT record 297421 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 551115 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 297421 (Search string: ) 2023/09/28 08:01:04 551166 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 551561 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 551594 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 551684 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\d1f52058-ebf5-4f77-a0bc-a5ae58eddf05 2023/09/28 08:01:04 551788 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\d1f52058-ebf5-4f77-a0bc-a5ae58eddf05 2023/09/28 08:01:04 551882 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 551939 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 552019 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 552038 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 552121 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 552202 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 552284 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 552367 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "d1f52058-ebf5-4f77-a0bc-a5ae58eddf05" found at MFT record 254166 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 552378 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 254166 (Search string: ) 2023/09/28 08:01:04 552448 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 552824 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 552857 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 552950 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\d4f66cbd-3471-4065-b6b4-027d15bf2732 2023/09/28 08:01:04 553073 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\d4f66cbd-3471-4065-b6b4-027d15bf2732 2023/09/28 08:01:04 553133 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 553147 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 553214 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 553224 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 553229 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 553236 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 553308 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 553389 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "d4f66cbd-3471-4065-b6b4-027d15bf2732" found at MFT record 236780 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 553400 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 236780 (Search string: ) 2023/09/28 08:01:04 553474 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 553864 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 553928 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 554000 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e7433008-ccdb-4d28-8d91-65472ebe163e 2023/09/28 08:01:04 554087 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\e7433008-ccdb-4d28-8d91-65472ebe163e 2023/09/28 08:01:04 554172 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 554263 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 554324 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 554350 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 554401 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 554419 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 554587 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 554605 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "e7433008-ccdb-4d28-8d91-65472ebe163e" found at MFT record 1272 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 554690 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 1272 (Search string: ) 2023/09/28 08:01:04 554700 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 555175 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 555238 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 555317 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e9094029-526d-4b0e-9b8a-3c438f8adc97 2023/09/28 08:01:04 555385 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\e9094029-526d-4b0e-9b8a-3c438f8adc97 2023/09/28 08:01:04 555408 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 555462 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 555570 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 555647 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 555658 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 555730 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 555815 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 555909 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "e9094029-526d-4b0e-9b8a-3c438f8adc97" found at MFT record 96500 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 555920 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96500 (Search string: ) 2023/09/28 08:01:04 555987 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 556070 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 556136 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 556206 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e949c687-6c11-4e9e-901d-d365fa6f6d24 2023/09/28 08:01:04 556280 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\e949c687-6c11-4e9e-901d-d365fa6f6d24 2023/09/28 08:01:04 556302 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 556362 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 556445 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 556649 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 556661 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 556669 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 556753 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 556768 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "e949c687-6c11-4e9e-901d-d365fa6f6d24" found at MFT record 387965 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 556842 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 387965 (Search string: ) 2023/09/28 08:01:04 556867 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 557304 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 557391 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 557464 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f2fa93d0-5618-43b2-a6ba-3bb06115f6bb 2023/09/28 08:01:04 557537 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\f2fa93d0-5618-43b2-a6ba-3bb06115f6bb 2023/09/28 08:01:04 557558 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 557626 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 557688 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 557698 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 557703 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 557709 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 557787 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 557857 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "f2fa93d0-5618-43b2-a6ba-3bb06115f6bb" found at MFT record 275263 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 557866 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 275263 (Search string: ) 2023/09/28 08:01:04 557871 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 558248 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 558302 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 558382 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:242] AddMasterKeyFileToPool - GHFSEA-VDI04:\Windows\System32\Microsoft\Protect\S-1-5-18\User\fb42c0b8-d09a-4b05-ae47-fb71632c3277 2023/09/28 08:01:04 558449 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\Microsoft\Protect\S-1-5-18\User\fb42c0b8-d09a-4b05-ae47-fb71632c3277 2023/09/28 08:01:04 558472 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 558526 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 558635 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Microsoft" found at MFT record 4278 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 558727 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3595] Found short form file name "MICROS~1" in FILE_NAME attribute, ignored. 2023/09/28 08:01:04 558807 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Protect" found at MFT record 4282 in INDEX_ROOT attribute. 2023/09/28 08:01:04 558895 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "S-1-5-18" found at MFT record 4283 in INDEX_ROOT attribute. 2023/09/28 08:01:04 558910 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "User" found at MFT record 4284 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 558985 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "fb42c0b8-d09a-4b05-ae47-fb71632c3277" found at MFT record 79336 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 558997 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 79336 (Search string: ) 2023/09/28 08:01:04 559075 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 559173 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 559245 DEBUG [DPAPI_Emulator.cpp->DPAPIEmulator::AddMasterKeyFileToPool:411] AddMasterKeyFileToPool Found DECRYPT_TYPE_SYSTEM master key 2023/09/28 08:01:04 559451 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8759] LocalOSEnv::GetNextUser_Windows_Old start 2023/09/28 08:01:04 559510 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8779] LocalOSEnv::GetNextUser_Windows_Old xp check 2023/09/28 08:01:04 559591 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows.old\Documents and Settings\* 2023/09/28 08:01:04 559616 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 559670 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 559686 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8786] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/09/28 08:01:04 559695 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/09/28 08:01:04 559771 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 559857 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8831] LocalOSEnv::GetNextUser_Windows_Old win7/mac check 2023/09/28 08:01:04 559943 DEBUG 
[NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows.old\Users\* 2023/09/28 08:01:04 560030 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 560041 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 560123 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path GHFSEA-VDI04:\Windows.old\Users\* 2023/09/28 08:01:04 560133 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/09/28 08:01:04 560145 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/09/28 08:01:04 560211 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 560297 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8846] LocalOSEnv::GetNextUser_Windows_Old ubununtu check 2023/09/28 08:01:04 560367 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \old\home\* 2023/09/28 08:01:04 560389 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 560454 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 560468 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path GHFSEA-VDI04:\old\home\* 2023/09/28 08:01:04 560552 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/09/28 08:01:04 560630 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8814] 
LocalOSEnv::GetNextUser_Windows_Old Drive != 0 2023/09/28 08:01:04 560640 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8822] LocalOSEnv::GetNextUser_Windows_Old GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 560700 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8863] LocalOSEnv::GetNextUser_Windows_Old cleanup profile path 2023/09/28 08:01:04 560722 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8869] LocalOSEnv::GetNextUser_Windows_Old next 2023/09/28 08:01:04 560781 DEBUG [misc.cpp->LocalOSEnv::GetNextUser_Windows_Old:8987] LocalOSEnv::GetNextUser_Windows_Old end 2023/09/28 08:01:04 560874 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows.old\Windows\System32\Microsoft\Protect\* 2023/09/28 08:01:04 560967 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 561042 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 561134 DEBUG [CfgRecent.cpp->UserActivityScanThread:4058] User Activity Scan: Registry 2023/09/28 08:01:04 561541 DEBUG [CfgRecent.cpp->UserActivityScanThread:4114] User Activity Scan: Jump lists 2023/09/28 08:01:04 561752 DEBUG [CfgRecent.cpp->UserActivityScanThread:4141] User Activity Scan: Chat Logs 2023/09/28 08:01:04 562001 DEBUG [CfgRecent.cpp->UserActivityScanThread:4170] User Activity Scan: Event Logs 2023/09/28 08:01:04 562141 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8539] LocalOSEnv::GetNextUser start 2023/09/28 08:01:04 562155 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8559] LocalOSEnv::GetNextUser xp check 2023/09/28 08:01:04 562219 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Documents and Settings\* 2023/09/28 08:01:04 562242 DEBUG 
[MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Documents and Settings" found at MFT record 67590 in INDEX_ROOT attribute. 2023/09/28 08:01:04 562301 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 67590 (Search string: *) 2023/09/28 08:01:04 562313 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "DOCUME~1" (type=2) in FILE_NAME attribute 2023/09/28 08:01:04 562319 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Documents and Settings" (type=1) in FILE_NAME attribute 2023/09/28 08:01:04 562325 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:795] Search btree direct: Could not find child node (dwRet=2) 2023/09/28 08:01:04 562406 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 562490 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8566] LocalOSEnv::GetNextUser cleanup profile path 2023/09/28 08:01:04 562500 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8594] LocalOSEnv::GetNextUser Drive != 0 2023/09/28 08:01:04 562575 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8602] LocalOSEnv::GetNextUser GetVolumeInformation GHFSEA-VDI04:\ 2023/09/28 08:01:04 562661 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8611] LocalOSEnv::GetNextUser win7/mac check 2023/09/28 08:01:04 562745 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Users\* 2023/09/28 08:01:04 562830 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Users" found at MFT record 471 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 562909 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 471 (Search string: *) 2023/09/28 08:01:04 562977 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 563001 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8642] LocalOSEnv::GetNextUser cleanup profile path GHFSEA-VDI04:\Users\* 2023/09/28 08:01:04 563075 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8648] LocalOSEnv::GetNextUser next 2023/09/28 08:01:04 563086 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8712] LocalOSEnv::GetNextUser Search for users in this location 2023/09/28 08:01:04 563167 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8716] LocalOSEnv::GetNextUser next file 2023/09/28 08:01:04 563250 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8718] Administrator 2023/09/28 08:01:04 563259 DEBUG [misc.cpp->LocalOSEnv::GetNextUser:8726] LocalOSEnv::GetNextUser finish 2023/09/28 08:01:04 563319 DEBUG [EventInformation.cpp->GetEventLogInfoWindows:828] DEBUG: Scanning log file: GHFSEA-VDI04:\Windows\System32\winevt\Logs\Security.evtx 2023/09/28 08:01:04 563554 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\Security.evtx 2023/09/28 08:01:04 563627 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 563646 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 563700 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 564149 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 2023/09/28 08:01:04 564221 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 4717 (Search string: Security.evtx) 2023/09/28 08:01:04 564298 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:3621] Found directory name "Logs" (type=0) in FILE_NAME attribute 2023/09/28 08:01:04 567247 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4197] INDX marker NOK ( 2023/09/28 08:01:04 567297 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:489] Search btree direct: found search directory 2023/09/28 08:01:04 567637 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 568158 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\Security.evtx 2023/09/28 08:01:04 570765 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 570811 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 570876 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 570888 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 570915 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Security.evtx" found at MFT record 96113 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 571097 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96113 (Search string: ) 2023/09/28 08:01:04 571115 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 571152 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 571235 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\Security.evtx 2023/09/28 08:01:04 571279 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 571354 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 571494 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 571596 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 2023/09/28 08:01:04 571703 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Security.evtx" found at MFT record 96113 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:04 571799 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96113 (Search string: ) 2023/09/28 08:01:04 571813 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:04 571879 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:04 571996 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\Security.evtx 2023/09/28 08:01:04 572087 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 572111 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 572154 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:04 572174 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 
2023/09/28 08:01:04 572185 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 4717 (Search string: Security.evtx) 2023/09/28 08:01:04 572228 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:06 964018 DEBUG [EventInformation.cpp->GetEventLogInfoWindows:891] DEBUG: Scanning log file: GHFSEA-VDI04:\Windows\System32\winevt\Logs\System.evtx 2023/09/28 08:01:06 964212 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\System.evtx 2023/09/28 08:01:06 964241 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964256 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964313 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964323 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 
2023/09/28 08:01:06 964327 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 4717 (Search string: System.evtx) 2023/09/28 08:01:06 964429 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:06 964489 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\System.evtx 2023/09/28 08:01:06 964502 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964567 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964613 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964623 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 2023/09/28 08:01:06 964671 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System.evtx" found at MFT record 96111 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:06 964684 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96111 (Search string: ) 2023/09/28 08:01:06 964687 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:06 964753 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:06 964807 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\System.evtx 2023/09/28 08:01:06 964820 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964880 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964929 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 964938 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 2023/09/28 08:01:06 965002 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System.evtx" found at MFT record 96111 in INDEX_ATTRIBUTE attribute. 
2023/09/28 08:01:06 965063 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 96111 (Search string: ) 2023/09/28 08:01:06 965071 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:402] Search btree direct: found leaf file 2023/09/28 08:01:06 965126 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit 2023/09/28 08:01:06 965177 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:262] Search btree direct enter \Windows\System32\winevt\Logs\System.evtx 2023/09/28 08:01:06 965196 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "Windows" found at MFT record 529 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 965253 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "System32" found at MFT record 3336 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 965301 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4500] Filename "winevt" found at MFT record 4716 in INDEX_ATTRIBUTE attribute. 2023/09/28 08:01:06 965311 DEBUG [MFTRecord_direct.cpp->CMFTRecord_direct::ParseMFTRecord_GetChildNode:4007] Filename "Logs" found at MFT record 4717 in INDEX_ROOT attribute. 2023/09/28 08:01:06 965317 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:389] Search btree direct: Parsing child node at MFT record 4717 (Search string: System.evtx) 2023/09/28 08:01:06 965373 DEBUG [NTFSDrive_direct.cpp->CNTFSDrive_direct::Search_directory_btree_direct:806] Search btree direct exit