deem73

User

Posts: 117
Thanks: 1



Attachments
File type: 7z Logfile.7z
(7.4 Kb, 17 views)

Code:
C:\Windows\System32>reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceMain    REG_SZ    SvchostEntry_W32Time
    ServiceDll    REG_EXPAND_SZ    C:\Windows\System32\w32time.DLL
    Type    REG_SZ    NTP
    NtpServer    REG_SZ    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,0x8


C:\Windows\System32>reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
    Enabled    REG_DWORD    0x1
    InputProvider    REG_DWORD    0x1
    AllowNonstandardModeCombinations    REG_DWORD    0x1
    CrossSiteSyncFlags    REG_DWORD    0x2
    ResolvePeerBackoffMinutes    REG_DWORD    0xf
    ResolvePeerBackoffMaxTimes    REG_DWORD    0x7
    CompatibilityFlags    REG_DWORD    0x80000000
    EventLogFlags    REG_DWORD    0x1
    LargeSampleSkew    REG_DWORD    0x3
    DllName    REG_EXPAND_SZ    C:\Windows\System32\w32time.DLL
    SpecialPollTimeRemaining    REG_MULTI_SZ
    SpecialPollInterval    REG_DWORD    0xe10


C:\Windows\System32>reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    InputProvider    REG_DWORD    0x0
    AllowNonstandardModeCombinations    REG_DWORD    0x1
    EventLogFlags    REG_DWORD    0x0
    DllName    REG_EXPAND_SZ    C:\Windows\System32\w32time.DLL
    Enabled    REG_DWORD    0x1

Quote:
Quote deem73:
Owner : BUILTIN\Administrators
Quote NickM:
Owner : NT AUTHORITY\СИСТЕМА
Yes, I see that they differ.

I set up filters in procmon and monitored the execution of the command C:\Windows\System32>w32tm /query /status
Code:
The following error occurred: Access is denied. (0x80070005)
CSV file (beginning)
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"17:09:29.7226551","CNABHSWD.EXE","7528","FileSystemControl","\\magnum\pipe\CanonCAPT40","SUCCESS","Control: FSCTL_PIPE_TRANSCEIVE, WriteLength: 1*024, ReadLength: 228"
"17:09:29.7456873","BATReport.exe","9656","Thread Exit","","SUCCESS","Thread ID: 12836, User Time: 0.0000000, Kernel Time: 0.0000000"
"17:09:30.5565169","mfevtps.exe","2496","Thread Exit","","SUCCESS","Thread ID: 12428, User Time: 0.0000000, Kernel Time: 0.0000000"
"17:09:30.6635484","VsTskMgr.exe","2140","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"17:09:30.6635735","VsTskMgr.exe","2140","RegQueryKey","HKLM","SUCCESS","Query: Name"
"17:09:30.6636030","VsTskMgr.exe","2140","RegOpenKey","HKLM\Software\Wow6432Node","SUCCESS","Desired Access: Read/Write"
"17:09:30.6637088","VsTskMgr.exe","2140","RegSetInfoKey","HKLM\SOFTWARE\Wow6432Node","SUCCESS","KeySetInformationClass: KeySetHandleTagsInformation, Length: 0"
"17:09:30.6637297","VsTskMgr.exe","2140","RegCloseKey","HKLM\SOFTWARE\Wow6432Node","SUCCESS",""
"17:09:30.6637497","VsTskMgr.exe","2140","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"17:09:30.6637651","VsTskMgr.exe","2140","RegQueryKey","HKLM","SUCCESS","Query: Name"
"17:09:30.6637873","VsTskMgr.exe","2140","RegOpenKey","HKLM\Software\Wow6432Node","SUCCESS","Desired Access: Read/Write"
"17:09:30.6638389","VsTskMgr.exe","2140","RegSetInfoKey","HKLM\SOFTWARE\Wow6432Node","SUCCESS","KeySetInformationClass: KeySetHandleTagsInformation, Length: 0"
"17:09:30.6638577","VsTskMgr.exe","2140","RegCloseKey","HKLM\SOFTWARE\Wow6432Node","SUCCESS",""
"17:09:30.7291490","mfevtps.exe","2496","CreateFile","C:\Windows\System32\dhcpcore.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"17:09:30.7293149","mfevtps.exe","2496","QueryStandardInformationFile","C:\Windows\System32\dhcpcore.dll","SUCCESS","AllocationSize: 319*488, EndOfFile: 318*976, NumberOfLinks: 4, DeletePending: False, Directory: False"
"17:09:30.7293636","mfevtps.exe","2496","CreateFileMapping","C:\Windows\System32\dhcpcore.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"17:09:30.7293909","mfevtps.exe","2496","QueryStandardInformationFile","C:\Windows\System32\dhcpcore.dll","SUCCESS","AllocationSize: 319*488, EndOfFile: 318*976, NumberOfLinks: 4, DeletePending: False, Directory: False"
"17:09:30.7295842","mfevtps.exe","2496","Thread Create","","SUCCESS","Thread ID: 11920"
"17:09:30.7298414","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Providers","REPARSE","Desired Access: Read"
"17:09:30.7298943","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Providers","SUCCESS","Desired Access: Read"
"17:09:30.7299408","mfevtps.exe","2496","RegCloseKey","HKLM\System\CurrentControlSet\Control\Cryptography\Providers","SUCCESS",""
"17:09:30.7299746","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Configuration","REPARSE","Desired Access: Read"
"17:09:30.7300100","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Configuration","SUCCESS","Desired Access: Read"
"17:09:30.7300488","mfevtps.exe","2496","RegCloseKey","HKLM\System\CurrentControlSet\Control\Cryptography\Configuration","SUCCESS",""
"17:09:30.7301094","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Providers","REPARSE","Desired Access: Read"
"17:09:30.7301461","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Providers","SUCCESS","Desired Access: Read"
"17:09:30.7301845","mfevtps.exe","2496","RegCloseKey","HKLM\System\CurrentControlSet\Control\Cryptography\Providers","SUCCESS",""
"17:09:30.7302169","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Configuration","REPARSE","Desired Access: Read"
"17:09:30.7302510","mfevtps.exe","2496","RegOpenKey","HKLM\System\CurrentControlSet\Control\Cryptography\Configuration","SUCCESS","Desired Access: Read"
"17:09:30.7302881","mfevtps.exe","2496","RegCloseKey","HKLM\System\CurrentControlSet\Control\Cryptography\Configuration","SUCCESS",""
"17:09:30.7303385","mfevtps.exe","2496","QueryStandardInformationFile","C:\Windows\System32\dhcpcore.dll","SUCCESS","AllocationSize: 319*488, EndOfFile: 318*976, NumberOfLinks: 4, DeletePending: False, Directory: False"
"17:09:30.7303654","mfevtps.exe","2496","CreateFileMapping","C:\Windows\System32\dhcpcore.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"17:09:30.7303927","mfevtps.exe","2496","QueryStandardInformationFile","C:\Windows\System32\dhcpcore.dll","SUCCESS","AllocationSize: 319*488, EndOfFile: 318*976, NumberOfLinks: 4, DeletePending: False, Directory: False"
"17:09:30.7317811","mfevtps.exe","2496","CloseFile","C:\Windows\System32\dhcpcore.dll","SUCCESS",""
"17:09:30.7425603","CNABHSWD.EXE","7528","FileSystemControl","\\magnum\pipe\CanonCAPT40","SUCCESS","Control: FSCTL_PIPE_TRANSCEIVE, WriteLength: 1*024, ReadLength: 228"
"17:09:31.3571145","cmd.exe","6700","ReadFile","C:\Windows\System32\cmd.exe","SUCCESS","Offset: 300*032, Length: 10*240, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"17:09:31.3691025","cmd.exe","6700","ReadFile","C:\Windows\System32\cmd.exe","SUCCESS","Offset: 173*568, Length: 6*656, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"17:09:31.3806319","cmd.exe","6700","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"17:09:31.3807548","cmd.exe","6700","QueryDirectory","C:\Windows\System32\w32tm.*","SUCCESS","Filter: w32tm.*, 1: w32tm.exe"
"17:09:31.3808077","cmd.exe","6700","CloseFile","C:\Windows\System32","SUCCESS",""
"17:09:31.3809519","cmd.exe","6700","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"17:09:31.3810185","cmd.exe","6700","QueryDirectory","C:\Windows\System32\w32tm.COM","NO SUCH FILE","Filter: w32tm.COM"
"17:09:31.3810466","cmd.exe","6700","CloseFile","C:\Windows\System32","SUCCESS",""
"17:09:31.3811614","cmd.exe","6700","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"17:09:31.3812258","cmd.exe","6700","QueryDirectory","C:\Windows\System32\w32tm.EXE","SUCCESS","Filter: w32tm.EXE, 1: w32tm.exe"
"17:09:31.3812578","cmd.exe","6700","CloseFile","C:\Windows\System32","SUCCESS",""
"17:09:31.3815637","cmd.exe","6700","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"17:09:31.3816162","cmd.exe","6700","QueryBasicInformationFile","C:\Windows\System32","SUCCESS","CreationTime: 14.07.2009 5:20:10, LastAccessTime: 09.11.2022 2:26:50, LastWriteTime: 09.11.2022 2:26:50, ChangeTime: 09.11.2022 2:26:50, FileAttributes: D"
"17:09:31.3816375","cmd.exe","6700","CloseFile","C:\Windows\System32","SUCCESS",""
"17:09:31.3817818","cmd.exe","6700","CreateFile","C:\Windows\System32\w32tm.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"17:09:31.3820924","cmd.exe","6700","CreateFileMapping","C:\Windows\System32\w32tm.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"17:09:31.3821922","cmd.exe","6700","CreateFileMapping","C:\Windows\System32\w32tm.exe","SUCCESS","SyncType: SyncTypeOther"
"17:09:31.3822566","cmd.exe","6700","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32tm.exe","NAME NOT FOUND","Desired Access: Query Value, Enumerate Sub Keys"
"17:09:31.3822997","cmd.exe","6700","QuerySecurityFile","C:\Windows\System32\w32tm.exe","SUCCESS","Information: Label"
"17:09:31.3825523","cmd.exe","6700","Process Create","C:\Windows\System32\w32tm.exe","SUCCESS","PID: 10892, Command line: w32tm /query /status"
"17:09:31.3825651","w32tm.exe","10892","Process Start","","SUCCESS","Parent PID: 6700, Command line: w32tm /query /status, Current directory: C:\Windows\System32\, Environment:
; =C:=C:\Windows\System32
; =ExitCode=80070005
; ALLUSERSPROFILE=C:\ProgramData
; APPDATA=C:\Users\Administrator\AppData\Roaming
; CLIENTNAME=ADMIN
; CommonProgramFiles=C:\Program Files\Common Files
; CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
; CommonProgramW6432=C:\Program Files\Common Files
; COMPUTERNAME=SERVER
; ComSpec=C:\Windows\system32\cmd.exe
; DEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
; FP_NO_HOST_CHECK=NO
; HOMEDRIVE=C:
; HOMEPATH=\Users\Administrator
; Isuser=C:\Users\ADMINI~1\AppData\Local\Temp\2\{B735D97E-0710-4FF9-8164-F61CC3A2E9FE}\{BCE9F441-9027-4911-82E0-5FB28057897D}\_isuser_0x0409.dll
; LOCALAPPDATA=C:\Users\Administrator\AppData\Local
; LOGONSERVER=\\SERVER
; MPosPath=C:\MPos3\
; NUMBER_OF_PROCESSORS=4
; OS=Windows_NT
; Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
; PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
; PROCESSOR_ARCHITECTURE=AMD64
; PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 30 Stepping 5, GenuineIntel
; PROCESSOR_LEVEL=6
; PROCESSOR_REVISION=1e05
; ProgramData=C:\ProgramData
; ProgramFiles=C:\Program Files
; ProgramFiles(x86)=C:\Program Files (x86)
; ProgramW6432=C:\Program Files
; PROMPT=$P$G
; PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
; PUBLIC=C:\Users\Public
; SESSIONNAME=ts#5
; SystemDrive=C:
; SystemRoot=C:\Windows
; TEMP=C:\Users\ADMINI~1\AppData\Local\Temp\1
; TMP=C:\Users\ADMINI~1\AppData\Local\Temp\1
; USERDNSDOMAIN=SYSTEMA.IF
; USERDOMAIN=SYSTEMA
; USERDOMAIN_ROAMINGPROFILE=SYSTEMA
; USERNAME=admin5
; USERPROFILE=C:\Users\Administrator
; VSEDEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
; windir=C:\Windows
; windows_tracing_flags=3
; windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log"
"17:09:31.3825775","w32tm.exe","10892","Thread Create","","SUCCESS","Thread ID: 12616"
"17:09:31.3829094","cmd.exe","6700","QuerySecurityFile","C:\Windows\System32\w32tm.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
"17:09:31.3829338","cmd.exe","6700","QueryBasicInformationFile","C:\Windows\System32\w32tm.exe","SUCCESS","CreationTime: 05.09.2020 22:34:45, LastAccessTime: 05.09.2020 22:34:45, LastWriteTime: 05.09.2020 22:34:45, ChangeTime: 05.09.2020 22:47:47, FileAttributes: A"
"17:09:31.3829636","cmd.exe","6700","RegOpenKey","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","SUCCESS","Desired Access: Query Value"
"17:09:31.3830007","cmd.exe","6700","RegQueryValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Windows\System32\w32tm.exe","NAME NOT FOUND","Length: 16"
"17:09:31.3830212","cmd.exe","6700","RegCloseKey","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","SUCCESS",""
"17:09:31.3830425","cmd.exe","6700","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\w32tm.exe","NAME NOT FOUND","Desired Access: Query Value"
"17:09:31.3830750","cmd.exe","6700","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide","SUCCESS","Desired Access: Read"
"17:09:31.3830997","cmd.exe","6700","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest","NAME NOT FOUND","Length: 20"
"17:09:31.3831168","cmd.exe","6700","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide","SUCCESS",""
"17:09:31.3832448","csrss.exe","592","QuerySecurityFile","C:\Windows\System32\w32tm.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
"17:09:31.3832670","csrss.exe","592","QueryBasicInformationFile","C:\Windows\System32\w32tm.exe","SUCCESS","CreationTime: 05.09.2020 22:34:45, LastAccessTime: 05.09.2020 22:34:45, LastWriteTime: 05.09.2020 22:34:45, ChangeTime: 05.09.2020 22:47:47, FileAttributes: A"
"17:09:31.3833647","csrss.exe","592","CreateFile","C:\Windows\System32\w32tm.exe.Config","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: SYSTEMA\admin5"
"17:09:31.3834402","csrss.exe","592","QueryBasicInformationFile","C:\Windows\System32\w32tm.exe","SUCCESS","CreationTime: 05.09.2020 22:34:45, LastAccessTime: 05.09.2020 22:34:45, LastWriteTime: 05.09.2020 22:34:45, ChangeTime: 05.09.2020 22:47:47, FileAttributes: A"
"17:09:31.3834577","csrss.exe","592","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PublisherPolicyChangeTime","SUCCESS","Type: REG_QWORD, Length: 8, Data: "
"17:09:31.3835912","cmd.exe","6700","CloseFile","C:\Windows\System32\w32tm.exe","SUCCESS",""
"17:09:31.3836066","w32tm.exe","10892","QueryNameInformationFile","C:\Windows\System32\w32tm.exe","SUCCESS","Name: \Windows\System32\w32tm.exe"
"17:09:31.3837291","w32tm.exe","10892","Load Image","C:\Windows\System32\w32tm.exe","SUCCESS","Image Base: 0xff880000, Image Size: 0x17000"
"17:09:31.3838302","w32tm.exe","10892","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x77430000, Image Size: 0x19f000"
"17:09:31.3839185","w32tm.exe","10892","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","SUCCESS","Desired Access: Query Value, Enumerate Sub Keys"
"17:09:31.3839539","w32tm.exe","10892","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisableUserModeCallbackFilter","NAME NOT FOUND","Length: 1*024"
"17:09:31.3839795","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","REPARSE","Desired Access: Read"
"17:09:31.3840043","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Read"
"17:09:31.3840243","w32tm.exe","10892","RegQueryValue","HKLM\System\CurrentControlSet\Control\SESSION MANAGER\CWDIllegalInDLLSearch","NAME NOT FOUND","Length: 1*024"
"17:09:31.3840414","w32tm.exe","10892","RegCloseKey","HKLM\System\CurrentControlSet\Control\SESSION MANAGER","SUCCESS",""
"17:09:31.3843089","w32tm.exe","10892","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"17:09:31.3846617","w32tm.exe","10892","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x77310000, Image Size: 0x11f000"
"17:09:31.3849843","w32tm.exe","10892","Load Image","C:\Windows\System32\KernelBase.dll","SUCCESS","Image Base: 0x7fefd4b0000, Image Size: 0x6a000"
"17:09:31.3861158","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","REPARSE","Desired Access: Query Value, Set Value"
"17:09:31.3861713","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","NAME NOT FOUND","Desired Access: Query Value, Set Value"
"17:09:31.3862105","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DLL","REPARSE","Desired Access: Read"
"17:09:31.3862310","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DLL","NAME NOT FOUND","Desired Access: Read"
"17:09:31.3862511","w32tm.exe","10892","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
"17:09:31.3862733","w32tm.exe","10892","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled","NAME NOT FOUND","Length: 80"
"17:09:31.3862890","w32tm.exe","10892","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers","SUCCESS",""
"17:09:31.3863215","w32tm.exe","10892","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","NAME NOT FOUND","Desired Access: Query Value"
"17:09:31.3864584","w32tm.exe","10892","Load Image","C:\Windows\System32\advapi32.dll","SUCCESS","Image Base: 0x7fefeb00000, Image Size: 0xdb000"
"17:09:31.3866543","w32tm.exe","10892","Load Image","C:\Windows\System32\msvcrt.dll","SUCCESS","Image Base: 0x7fefd580000, Image Size: 0x9f000"
"17:09:31.3869755","w32tm.exe","10892","CreateFile","C:\Windows\System32\sechost.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
....


The whole file is in the attachment.
What else can I look at?

Posted: 18:40, 09-11-2022 | #26
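A small triage helper for a trace like the one in this post, added here as an example and not part of the original post or of Process Monitor itself: it parses the procmon CSV export with Python's csv module (which copes with the multi-line Environment block in the "Process Start" row), finds the PID that ran w32tm /query /status, counts results per PID and lists only the rows that are not routine lookup noise. The sample rows are constructed in the same seven-column format; the final ACCESS DENIED row is invented for illustration and is not from the poster's trace.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor CSV export format (same seven columns as
# the poster's trace). Rows mirror shapes seen in the post; the final ACCESS
# DENIED row is invented for illustration and is not from the real trace.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"17:09:31.3825523","cmd.exe","6700","Process Create","C:\Windows\System32\w32tm.exe","SUCCESS","PID: 10892, Command line: w32tm /query /status"
"17:09:31.3825651","w32tm.exe","10892","Process Start","","SUCCESS","Parent PID: 6700, Command line: w32tm /query /status, Current directory: C:\Windows\System32\, Environment:
; =C:=C:\Windows\System32
; =ExitCode=80070005
; USERNAME=admin5"
"17:09:31.3839539","w32tm.exe","10892","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisableUserModeCallbackFilter","NAME NOT FOUND","Length: 1*024"
"17:09:31.3861158","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","REPARSE","Desired Access: Query Value, Set Value"
"17:09:31.3862511","w32tm.exe","10892","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
"17:09:31.3900000","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Services\W32Time\Parameters","ACCESS DENIED","Desired Access: Read"
'''

# Routine lookup noise in almost any trace; anything else (ACCESS DENIED,
# SHARING VIOLATION, ...) deserves a closer look.
BENIGN_RESULTS = {"SUCCESS", "NAME NOT FOUND", "NO SUCH FILE", "REPARSE",
                  "FILE LOCKED WITH ONLY READERS", "BUFFER OVERFLOW", "END OF FILE"}

def parse_procmon_csv(text):
    """Parse a procmon CSV export; csv handles the quoted multi-line Detail
    field of 'Process Start' rows (the Environment block)."""
    return list(csv.DictReader(io.StringIO(text)))

def pids_for_command(rows, fragment):
    """PIDs whose 'Process Start' command line contains `fragment`."""
    return {r["PID"] for r in rows
            if r["Operation"] == "Process Start" and fragment in r["Detail"]}

def environment_of(rows, pid):
    """Environment captured at process start, one '; NAME=value' line each.
    Names beginning with '=' (=C:, =ExitCode) are cmd.exe's hidden variables;
    =ExitCode is the exit code of the previous command run in that shell."""
    env = {}
    for r in rows:
        if r["PID"] != pid or r["Operation"] != "Process Start":
            continue
        for line in r["Detail"].partition("Environment:")[2].splitlines():
            body = line.strip().lstrip(";").strip()
            hidden = body.startswith("=")        # keep the leading '=' in the name
            name, _, value = body.lstrip("=").partition("=")
            if name:
                env[("=" if hidden else "") + name] = value
    return env

def triage(rows, pid):
    """Count results for one PID and list the rows outside BENIGN_RESULTS."""
    counts, suspicious = Counter(), []
    for r in rows:
        if r["PID"] != pid:
            continue
        counts[r["Result"]] += 1
        if r["Result"] not in BENIGN_RESULTS:
            suspicious.append((r["Time of Day"], r["Operation"], r["Path"], r["Result"]))
    return counts, suspicious
```

On a real export, replace SAMPLE_CSV with the file contents and call `triage(rows, pid)` for each PID from `pids_for_command(rows, "w32tm /query /status")`; `environment_of(rows, pid)["=ExitCode"]` shows the exit code cmd.exe recorded for the previous command in that shell.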