  • Status: Solved

2003 Server Standard x64 missing RDP server.

Windows Server 2003 X64 Standard is missing the ability to connect to it via RDP. What do I need to install in order for this server to work? I'd like the ability to manage this machine remotely using RDP.

Thanks.
0
norbs101
Asked:
1 Solution
 
norbs101Author Commented:
I am aware of the Remote Tab under system settings.  My problem is that it's not there.
0
 
Bird DogCommented:
Install Terminal Services.
0
 
dreamyguyCommented:
Do you have a similarly configured machine where this works fine? If yes, then I'd suggest exporting the hkey_local_machine\system\currentcontrolset\control\terminal server key from that machine into this machine. (Take a backup of the present terminal server key first!)
0
 
norbs101Author Commented:
I'm finding an issue installing terminal services.   The dcom is messed up and doesn't allow to register the ts as a service.  I am working on fixing this now.  
0
 
dreamyguyCommented:
It would be very helpful if you could paste the relevant errors here. If you're getting any access denied errors in DCOM mentioning a GUID, then go to the registry and give the account for which you're getting the access denied read permissions for that key.
0
 
norbs101Author Commented:
Ok, I installed terminal server without any errors or events.  However, the service itself is missing from the services.msc and thus not started.  Any ideas?
0
 
dreamyguyCommented:
Go to hkey_local_machine\system\currentcontrolset\services\termservice
Expand it, and in the right-hand pane the value of the imagepath should be as follows:

%SystemRoot%\System32\svchost -k DComLaunch
0
 
dreamyguyCommented:
Else export the hkey_local_machine\system\currentcontrolset\services\termservice key from a working machine into the PC with the issue and reboot the machine. Things should then be fine.
0
 
norbs101Author Commented:
It seems there are no keys in the termservice folder. I will get a working key from a similar system and try it now.
0
 
dreamyguyCommented:
Basically there are three pairs of registry keys which need to be present for the terminal server to work.
Under HKLM\system\currentcontrolset\services, the termdd and the termservice keys need to be present, and under HKLM\system\currentcontrolset\control, the terminalserver key should be present. So make sure that these keys exist, otherwise you'll see weird issues with terminal server. I've seen many issues where even reinstalling doesn't work, so manually moving these keys is the only way to make them work without having to do a complete re-install.
0
 
norbs101Author Commented:
Now the service is there, but it wont start and it's throwing the following event.

The Terminal Services service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Event ID: 7000
0
 
dreamyguyCommented:
Did you reboot the box?
0
 
dreamyguyCommented:
Or try installing it again now that we have the service back.
0
 
norbs101Author Commented:
Did a uninstall & install of terminal server with reboot between each.  The service still won't start.
0
 
dreamyguyCommented:
"The service did not respond to the start or control request in a timely fashion." can mean a lot of things. I would advise you to download and run filemon and regmon from www.sysinternals.com while trying to start the service manually from under the services.msc console. This way we can get some more information as to what's happening in the background. Maybe it's failing due to lack of sufficient permissions in any of the files and registry. After running filemon and regmon, look for "access denied" error messages in the respective logs and give the system account full permissions to those keys/files.

Also check the following:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Under here, we must have a key called termsvcs with the value TermService.
You can compare this with a working machine.
0
 
norbs101Author Commented:
I didn't get any access denied msgs... Is there any way I can post the filtered content out of these 2 utils here? I don't see an option to copy multiple rows.
0
 
dreamyguyCommented:
Yes, there are two ways of doing this. 1> Go to options--filters 2> Save the output as a log, open the log in Excel, select everything and then go to data-->filter-->autofilter. After that you can click on the dropdown of the process column and select any process, after which it shall display results that are relevant to only that process.

or

You could just compress the logs and upload them to http://www.ee-stuff.com and we can review them.

Also go to the following keys and check for the values
HKLM\System\CurrentControlSet\Services\termdd

Name: Start
Type: REG_DWORD
Data: 0x1

Name: PortDriverEnable
Type: REG_DWORD
Data: 0x1

0
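
The registry checks suggested across the posts above, gathered into one read-only script. This is an added example, not part of any participant's post; it assumes PowerShell 2.0 or later is installed on the server, and `Get-RegValue` and `New-Result` are helper names defined here.

```powershell
# Added example (not from the thread): read-only audit of the Terminal Services
# registry entries named in the posts above. Nothing is written. Run it elevated
# on the affected server and on a working one, then compare the two outputs.

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$control  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$svcHost  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing instead of throwing.
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $p = $props.PSObject.Properties[$Name]
    if ($null -eq $p) { return $null }
    return $p.Value
}

function New-Result {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

$results = @()

# 1. The keys the thread says must be present.
foreach ($key in "$services\termdd", "$services\TermService", "$control\Terminal Server") {
    $results += New-Result "Key exists: $key" (Test-Path -Path $key) ''
}

# 2. termdd values quoted in the thread (both REG_DWORD 0x1).
foreach ($name in 'Start', 'PortDriverEnable') {
    $v = Get-RegValue "$services\termdd" $name
    $results += New-Result "termdd\$name = 1" ($v -eq 1) "found: $v"
}

# 3. Which svchost group does the service's ImagePath name (the part after -k)?
$imagePath = Get-RegValue "$services\TermService" 'ImagePath'
$group = $null
if ($imagePath -match 'svchost(\.exe)?"?\s+-k\s+(\S+)') { $group = $Matches[2] }
$results += New-Result 'TermService ImagePath names an svchost group' ($null -ne $group) "ImagePath: $imagePath"

# 4. svchost only loads services listed in that group's value under SvcHost,
#    so the group from ImagePath and the SvcHost entry have to agree.
if ($group) {
    $members = @(Get-RegValue $svcHost $group)
    $results += New-Result "SvcHost\$group lists TermService" ($members -contains 'TermService') "members: $($members -join ', ')"
}

# 5. The thread's own check: SvcHost\termsvcs should contain TermService.
$termsvcs = @(Get-RegValue $svcHost 'termsvcs')
$results += New-Result 'SvcHost\termsvcs lists TermService' ($termsvcs -contains 'TermService') "members: $($termsvcs -join ', ')"

# 6. Standard svchost layout (not spelled out in the posts): Parameters\ServiceDll
#    must point at a DLL that exists on disk.
$dll = Get-RegValue "$services\TermService\Parameters" 'ServiceDll'
$dllOk = $false
if ($dll) { $dllOk = Test-Path -Path ([Environment]::ExpandEnvironmentVariables($dll)) }
$results += New-Result 'TermService ServiceDll exists on disk' $dllOk "ServiceDll: $dll"

$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize -Wrap
```

A row with `Ok` set to `False` on the affected server but `True` on the working one marks the entry to compare by hand before importing any key.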
 
norbs101Author Commented:
Here's the Regmon.


199      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
200      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\wbemcons.dll"      
201      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
202      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\LocalServer32      NOT FOUND            
203      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
204      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\ThreadingModel      SUCCESS      "Both"      
205      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\Synchronization      NOT FOUND            
206      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\wbemcons.dll"      
207      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
208      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\LocalServer32      NOT FOUND            
209      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}      SUCCESS            
210      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\(Default)      SUCCESS      "Microsoft WBEM NT Event Log Event Consumer Provider"      
211      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\AppId      NOT FOUND            
212      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}      SUCCESS            
213      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName      REPARSE            
214      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
215      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName      SUCCESS      "TCGWEB-01"      
216      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
217      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName      REPARSE            
218      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
219      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName      SUCCESS      "TCGWEB-01"      
220      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
221      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\system\currentcontrolset\control\minint      REPARSE            
222      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\SYSTEM\ControlSet001\control\minint      NOT FOUND            
223      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
224      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
225      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
226      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
227      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
228      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
229      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}      SUCCESS            
230      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\TreatAs      NOT FOUND            
231      9:16:28 AM      svchost.exe:780      OpenKey      HKCR      SUCCESS            
232      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}      SUCCESS            
233      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}      SUCCESS            
234      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32      SUCCESS            
235      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32\InprocServer32      NOT FOUND            
236      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32      SUCCESS            
237      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\LocalServer32      NOT FOUND            
238      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32      SUCCESS            
239      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\wmiprvsd.dll"      
240      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocServer32      SUCCESS            
241      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\InprocHandler32      NOT FOUND            
242      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\LocalServer32      NOT FOUND            
243      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\LocalServer      NOT FOUND            
244      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}      SUCCESS            
245      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}\AppID      NOT FOUND            
246      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}      SUCCESS            
247      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{8BEBCE8B-1AF0-4323-8B4D-36994567CAE1}      SUCCESS            
248      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
249      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
250      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
251      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
252      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
253      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
254      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}      SUCCESS            
255      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\TreatAs      NOT FOUND            
256      9:16:28 AM      svchost.exe:780      OpenKey      HKCR      SUCCESS            
257      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}      SUCCESS            
258      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}      SUCCESS            
259      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocServer32      SUCCESS            
260      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocServer32\InprocServer32      NOT FOUND            
261      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocServer32      SUCCESS            
262      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\LocalServer32      NOT FOUND            
263      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocServer32      SUCCESS            
264      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\fastprox.dll"      
265      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocServer32      SUCCESS            
266      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\InprocHandler32      NOT FOUND            
267      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\LocalServer32      NOT FOUND            
268      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\LocalServer      NOT FOUND            
269      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}      SUCCESS            
270      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}\AppID      NOT FOUND            
271      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}      SUCCESS            
272      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D}      SUCCESS            
273      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
274      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
275      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
276      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
277      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
278      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
279      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}      SUCCESS            
280      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\TreatAs      NOT FOUND            
281      9:16:28 AM      svchost.exe:780      OpenKey      HKCR      SUCCESS            
282      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}      SUCCESS            
283      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}      SUCCESS            
284      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32      SUCCESS            
285      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32\InprocServer32      NOT FOUND            
286      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32      SUCCESS            
287      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\LocalServer32      NOT FOUND            
288      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32      SUCCESS            
289      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\fastprox.dll"      
290      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocServer32      SUCCESS            
291      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\InprocHandler32      NOT FOUND            
292      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\LocalServer32      NOT FOUND            
293      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\LocalServer      NOT FOUND            
294      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}      SUCCESS            
295      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}\AppID      NOT FOUND            
296      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}      SUCCESS            
297      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{1108BE51-F58A-4CDA-BB99-7A0227D11D5E}      SUCCESS            
298      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\system\Setup      SUCCESS            
299      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\system\Setup\SystemSetupInProgress      SUCCESS      0x0      
300      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\system\Setup      SUCCESS            
301      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\system\currentcontrolset\control\minint      REPARSE            
302      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\SYSTEM\ControlSet001\control\minint      NOT FOUND            
303      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
304      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\wbemcons.dll"      
305      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
306      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\LocalServer32      NOT FOUND            
307      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
308      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\ThreadingModel      SUCCESS      "Both"      
309      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\Synchronization      NOT FOUND            
310      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\wbemcons.dll"      
311      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\InProcServer32      SUCCESS            
312      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\LocalServer32      NOT FOUND            
313      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}      SUCCESS            
314      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\(Default)      SUCCESS      "Microsoft WBEM NT Event Log Event Consumer Provider"      
315      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}\AppId      NOT FOUND            
316      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266c72e6-62e8-11d1-ad89-00c04fd8fdff}      SUCCESS            
317      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName      REPARSE            
318      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
319      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName      SUCCESS      "TCGWEB-01"      
320      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
321      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName      REPARSE            
322      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
323      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName      SUCCESS      "TCGWEB-01"      
324      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
325      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
326      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
327      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
328      9:16:28 AM      svchost.exe:780      OpenKey      HKLM\Software\Microsoft\COM3      SUCCESS            
329      9:16:28 AM      svchost.exe:780      QueryValue      HKLM\Software\Microsoft\COM3\REGDBVersion      SUCCESS      03 00 00 00 00 00 00 00       
330      9:16:28 AM      svchost.exe:780      CloseKey      HKLM\Software\Microsoft\COM3      SUCCESS            
331      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
332      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\TreatAs      NOT FOUND            
333      9:16:28 AM      svchost.exe:780      OpenKey      HKCR      SUCCESS            
334      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
335      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
336      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32      SUCCESS            
337      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32\InprocServer32      NOT FOUND            
338      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32      SUCCESS            
339      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\LocalServer32      NOT FOUND            
340      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32      SUCCESS            
341      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32\(Default)      SUCCESS      "C:\WINDOWS\system32\wbem\wbemcons.dll"      
342      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32      SUCCESS            
343      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocHandler32      NOT FOUND            
344      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\LocalServer32      NOT FOUND            
345      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\LocalServer      NOT FOUND            
346      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
347      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\AppID      NOT FOUND            
348      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
349      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
350      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
351      9:16:28 AM      svchost.exe:780      OpenKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32      SUCCESS            
352      9:16:28 AM      svchost.exe:780      QueryValue      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32\ThreadingModel      SUCCESS      "Both"      
353      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}\InprocServer32      SUCCESS            
354      9:16:28 AM      svchost.exe:780      CloseKey      HKCR\CLSID\{266C72E6-62E8-11D1-AD89-00C04FD8FDFF}      SUCCESS            
0
 
norbs101Author Commented:
Here's the filemon:

1      9:16:28 AM      lsass.exe:384      SET INFORMATION       C:\WINDOWS\system32\config\SAM.LOG      SUCCESS      Length: 8192      
2      9:16:28 AM      explorer.exe:2788      DIRECTORY      C:\WINDOWS\system32\config      SUCCESS      Change Notify      
3      9:16:28 AM      lsass.exe:384      SET INFORMATION       C:\WINDOWS\system32\config\SAM.LOG      SUCCESS      Length: 8192      
4      9:16:28 AM      explorer.exe:2788      DIRECTORY      C:\WINDOWS\system32\config      NOTIFY ENUM DIR      Change Notify      
5      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 25948 Length: 264      
6      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 26212 Length: 40      
7      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 26212 Length: 292      
8      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 26504 Length: 40      
9      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 26504 Length: 360      
10      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 26864 Length: 40      
11      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 26864 Length: 568      
12      9:16:28 AM      services.exe:372      WRITE      C:\WINDOWS\system32\config\SecEvent.Evt      SUCCESS      Offset: 27432 Length: 40      
13      9:16:28 AM      winlogon.exe:324      SET INFORMATION       C:\WINDOWS\system32\config\software.LOG      SUCCESS      Length: 12288      
14      9:16:28 AM      winlogon.exe:324      SET INFORMATION       C:\WINDOWS\system32\config\software.LOG      SUCCESS      Length: 12288      
15      9:16:28 AM      explorer.exe:2788      DIRECTORY      C:\WINDOWS\system32\config      NOTIFY ENUM DIR      Change Notify      
16      9:16:28 AM      explorer.exe:2788      DIRECTORY      C:\WINDOWS\system32\config      NOTIFY ENUM DIR      Change Notify      
17      9:16:28 AM      services.exe:372      QUERY INFORMATION      C:\WINDOWS\TEMP      SUCCESS      Attributes: D      
18      9:16:28 AM      services.exe:372      QUERY INFORMATION      C:\WINDOWS\TEMP      SUCCESS      Attributes: D      
19      9:16:28 AM      services.exe:372      QUERY INFORMATION      C:\autoexec.bat      SUCCESS      Attributes: A      
20      9:16:28 AM      services.exe:372      OPEN      C:\autoexec.bat      SUCCESS      Options: Open  Access: Read      
21      9:16:28 AM      services.exe:372      QUERY INFORMATION      C:\autoexec.bat      SUCCESS      Length: 0      
22      9:16:28 AM      services.exe:372      READ       C:\autoexec.bat      SUCCESS      Offset: 0 Length: 0      
23      9:16:28 AM      services.exe:372      CLOSE      C:\autoexec.bat      SUCCESS            
24      9:16:28 AM      services.exe:372      QUERY INFORMATION      C:\Documents and Settings\Administrator\Local Settings\Temp      SUCCESS      Attributes: D      
25      9:16:28 AM      services.exe:372      OPEN      C:\      SUCCESS      Options: Open Directory  Access: 00100001      
26      9:16:28 AM      services.exe:372      DIRECTORY      C:\      SUCCESS      FileBothDirectoryInformation: Documents and Settings      
27      9:16:28 AM      services.exe:372      CLOSE      C:\      SUCCESS            
28      9:16:28 AM      services.exe:372      OPEN      C:\Documents and Settings\      SUCCESS      Options: Open Directory  Access: 00100001      
29      9:16:28 AM      services.exe:372      DIRECTORY      C:\Documents and Settings\      SUCCESS      FileBothDirectoryInformation: Administrator      
30      9:16:28 AM      services.exe:372      CLOSE      C:\Documents and Settings\      SUCCESS            
31      9:16:28 AM      services.exe:372      OPEN      C:\Documents and Settings\Administrator\      SUCCESS      Options: Open Directory  Access: 00100001      
32      9:16:28 AM      services.exe:372      DIRECTORY      C:\Documents and Settings\Administrator\      SUCCESS      FileBothDirectoryInformation: Local Settings      
33      9:16:28 AM      services.exe:372      CLOSE      C:\Documents and Settings\Administrator\      SUCCESS            
34      9:16:28 AM      services.exe:372      QUERY INFORMATION      C:\Documents and Settings\Administrator\Local Settings\Temp      SUCCESS      Attributes: D      
35      9:16:28 AM      services.exe:372      OPEN      C:\      SUCCESS      Options: Open Directory  Access: 00100001      
36      9:16:28 AM      services.exe:372      DIRECTORY      C:\      SUCCESS      FileBothDirectoryInformation: Documents and Settings      
37      9:16:28 AM      services.exe:372      CLOSE      C:\      SUCCESS            
38      9:16:28 AM      services.exe:372      OPEN      C:\Documents and Settings\      SUCCESS      Options: Open Directory  Access: 00100001      
0
 
dreamyguyCommented:
I did not find anything relevant in the log files. Since we've tried all possible options, the only option left is to run an sfc scan by going to start-->run-->sfc /scannow
0
 
norbs101Author Commented:
That was the first thing I tried, before posting here...

On one note..   I am now getting Error 126: The specific module could not be found.   When attempting to start the service..   It was something different prior to the registry `fixes`.
0
 
dreamyguyCommented:
really? I just went through the filemon log again and found this.

64      9:16:28 AM      svchost.exe:4032      QUERY INFORMATION      C:\windows\system32\ICAAPI.dll      NOT FOUND      Attributes: Error      
see if this file exists on your machine, else copy it from a working machine.
0
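The search through the Filemon log described in the comment above can be automated. The following is an added example, not part of the original thread: it parses Filemon lines and reports DLLs that a process probed in one or more directories without ever opening them successfully, which is the pattern behind a module-not-found failure at service start. The function names, the separator handling and the sample rows (constructed, modelled on the log lines posted in this thread) are assumptions of the example.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname

# Assumption: Filemon saves tab-delimited text; on this page the tabs appear
# as runs of six spaces, so both separators are accepted.
FIELD_SEP = re.compile(r"\t| {6}")


def parse_line(line):
    """Return (process, request, path, result), or None for non-log lines."""
    fields = [f.strip() for f in FIELD_SEP.split(line.rstrip("\r\n"))]
    if len(fields) < 6 or not fields[0].isdigit():
        return None
    _seq, _time, process, request, path, result = fields[:6]
    return process, request, path, result


def missing_modules(log_text):
    """Map (process, dll name) -> directories probed, for DLLs never found.

    A DLL counts as missing for a process when every probe for that file
    name returned NOT FOUND and none returned SUCCESS.
    """
    probed = defaultdict(set)  # (process, dll) -> directories that said NOT FOUND
    found = set()              # (process, dll) opened or queried successfully
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        process, _request, path, result = rec
        name = basename(path).lower()
        if not name.endswith(".dll"):
            # Skips svchost.exe.Manifest / .Local probes and
            # :Zone.Identifier stream lookups, which are normally absent.
            continue
        key = (process, name)
        if result == "NOT FOUND":
            probed[key].add(dirname(path).lower())
        elif result == "SUCCESS":
            found.add(key)
    return {k: sorted(v) for k, v in probed.items() if k not in found}


def _row(seq, process, request, path, result, sep):
    """Build one constructed sample line with the given column separator."""
    return sep.join([str(seq), "9:16:28 AM", process, request, path, result, ""])


TAB, SIX = "\t", " " * 6
SVC, MMC = "svchost.exe:4032", "mmc.exe:3664"
Q = "QUERY INFORMATION"

# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = "\n".join([
    _row(1, SVC, Q, r"C:\WINDOWS\System32\svchost.exe.Local", "NOT FOUND", SIX),
    _row(2, SVC, Q, r"C:\windows\system32\termsrv.dll", "SUCCESS", TAB),
    _row(3, SVC, Q, r"C:\windows\system32\ICAAPI.dll", "NOT FOUND", SIX),
    _row(4, SVC, Q, r"C:\WINDOWS\system32\ICAAPI.dll", "NOT FOUND", TAB),
    _row(5, SVC, Q, r"C:\WINDOWS\system\ICAAPI.dll", "NOT FOUND", SIX),
    _row(6, SVC, Q, r"C:\WINDOWS\ICAAPI.dll", "NOT FOUND", TAB),
    _row(7, SVC, Q, r"C:\Program Files\Support Tools\ICAAPI.dll", "NOT FOUND", SIX),
    _row(8, MMC, Q, r"C:\WINDOWS\System32\mmcndmgr.dll:Zone.Identifier", "NOT FOUND", SIX),
    _row(9, MMC, Q, r"C:\WINDOWS\System32\mmcndmgr.dll", "SUCCESS", TAB),
    "0",  # stray non-log line, as found between forum comments
])


if __name__ == "__main__":
    for (process, dll), dirs in sorted(missing_modules(SAMPLE_LOG).items()):
        print(f"{process}: {dll} not found in {len(dirs)} directories")
        for d in dirs:
            print(f"    {d}")
```
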
 
norbs101Author Commented:
Some progress...  Now the TS service is throwing this event when starting..  I did a reboot also and got the same msg.

Event ID 1036:  Terminal Server session creation failed. The relevant status code was 0xC0000034.
0
 
dreamyguyCommented:
could you create a filemon and regmon log once again while trying to reproduce the issue just like how you did the last time? maybe this time it will catch something new.
0
 
norbs101Author Commented:
filemon:

46      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\termsrv.dll      SUCCESS            
47      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\termsrv.dll      SUCCESS      Attributes: A      
48      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\termsrv.dll      SUCCESS      Options: Open  Access: 00100021      
49      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\termsrv.dll      SUCCESS            
50      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\ICAAPI.dll      SUCCESS      Attributes: A      
51      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\ICAAPI.dll      SUCCESS      Options: Open  Access: 00100021      
52      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\ICAAPI.dll      SUCCESS            
53      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\WS2_32.dll      SUCCESS      Attributes: A      
54      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\WS2_32.dll      SUCCESS      Options: Open  Access: 00100021      
55      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\WS2_32.dll      SUCCESS            
56      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\WS2HELP.dll      SUCCESS      Attributes: A      
57      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\WS2HELP.dll      SUCCESS      Options: Open  Access: 00100021      
58      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\WS2HELP.dll      SUCCESS            
59      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\AUTHZ.dll      SUCCESS      Attributes: A      
60      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\AUTHZ.dll      SUCCESS      Options: Open  Access: 00100021      
61      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\AUTHZ.dll      SUCCESS            
62      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\mstlsapi.dll      SUCCESS      Attributes: A      
63      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\mstlsapi.dll      SUCCESS      Options: Open  Access: 00100021      
64      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\mstlsapi.dll      SUCCESS            
65      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\ACTIVEDS.dll      SUCCESS      Attributes: A      
66      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\ACTIVEDS.dll      SUCCESS      Options: Open  Access: 00100021      
67      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\ACTIVEDS.dll      SUCCESS            
68      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\adsldpc.dll      SUCCESS      Attributes: A      
69      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\adsldpc.dll      SUCCESS      Options: Open  Access: 00100021      
70      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\adsldpc.dll      SUCCESS            
71      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\credui.dll      SUCCESS      Attributes: A      
72      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\credui.dll      SUCCESS      Options: Open  Access: 00100021      
73      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\credui.dll      SUCCESS            
74      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\ATL.DLL      SUCCESS      Attributes: A      
75      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\ATL.DLL      SUCCESS      Options: Open  Access: 00100021      
76      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\ATL.DLL      SUCCESS            
77      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\windows\system32\REGAPI.dll      SUCCESS      Attributes: A      
78      10:46:03 AM      svchost.exe:2824      OPEN      C:\windows\system32\REGAPI.dll      SUCCESS      Options: Open  Access: 00100021      
79      10:46:03 AM      svchost.exe:2824      CLOSE      C:\windows\system32\REGAPI.dll      SUCCESS            
80      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Attributes: A      
81      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Options: Open  Access: 00100020      
82      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Length: 212992      
83      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\system32\IMM32.DLL      SUCCESS            
84      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Attributes: A      
85      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Options: Open  Access: 00100020      
86      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Length: 212992      
87      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\system32\IMM32.DLL      SUCCESS            
88      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Attributes: A      
89      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Options: Open  Access: 00100021      
90      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\system32\IMM32.DLL      SUCCESS            
91      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Attributes: A      
92      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\IMM32.DLL      SUCCESS      Attributes: A      
93      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\system32\SHELL32.dll      SUCCESS      Options: Open  Access: 001200A9      
94      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\system32\SHELL32.dll      SUCCESS      Length: 10505728      
95      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\system32\SHELL32.dll.124.Config      NOT FOUND      Options: Open  Access: 001200A9      
96      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en-US_B7C8CB1F\      NOT FOUND      Options: Open Directory  Access: 00100001      
97      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll      PATH NOT FOUND      Attributes: Error      
98      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US      SUCCESS      Attributes: D      
99      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en      SUCCESS      Attributes: D      
100      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\      SUCCESS      Attributes: D      
101      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\      SUCCESS      Attributes: D      
102      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en-US_28BBCDE0.manifest      NOT FOUND      Attributes: Error      
103      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
104      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.DLL      NOT FOUND      Attributes: Error      
105      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.MANIFEST      NOT FOUND      Attributes: Error      
106      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
107      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.MANIFEST      PATH NOT FOUND      Attributes: Error      
108      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en_C6849106\      NOT FOUND      Options: Open Directory  Access: 00100001      
109      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll      PATH NOT FOUND      Attributes: Error      
110      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en_8ED881B9.manifest      NOT FOUND      Attributes: Error      
111      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
112      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.DLL      NOT FOUND      Attributes: Error      
113      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.MANIFEST      NOT FOUND      Attributes: Error      
114      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
115      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.MANIFEST      PATH NOT FOUND      Attributes: Error      
116      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      SUCCESS      Options: Open Directory  Access: 00100001      
117      10:46:03 AM      csrss.exe:300      DIRECTORY      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      SUCCESS      FileBothDirectoryInformation: *.policy      
118      10:46:03 AM      csrss.exe:300      DIRECTORY      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      NO MORE FILES      FileBothDirectoryInformation      
119      10:46:03 AM      csrss.exe:300      CLOSE      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      SUCCESS            
120      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS      Options: Open Sequential  Access: Read      
121      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS      FileFsVolumeInformation      
122      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      BUFFER OVERFLOW      FileAllInformation      
123      10:46:03 AM      csrss.exe:300      READ       C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS      Offset: 0 Length: 4095      
124      10:46:03 AM      csrss.exe:300      READ      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      END OF FILE      Offset: 625 Length: 8178      
125      10:46:03 AM      csrss.exe:300      CLOSE      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS            
126      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      Attributes: A      
127      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      Attributes: A      
128      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en-US_7823130C\      NOT FOUND      Options: Open Directory  Access: 00100001      
129      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll      PATH NOT FOUND      Attributes: Error      
130      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.3959_en-US_F310567E.manifest      NOT FOUND      Attributes: Error      
131      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.3959_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL      PATH NOT FOUND      Attributes: Error      
132      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.mui.DLL      NOT FOUND      Attributes: Error      
133      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.mui.MANIFEST      NOT FOUND      Attributes: Error      
134      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.DLL      PATH NOT FOUND      Attributes: Error      
135      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.MANIFEST      PATH NOT FOUND      Attributes: Error      
136      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en_86DED8F3\      NOT FOUND      Options: Open Directory  Access: 00100001      
137      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll      PATH NOT FOUND      Attributes: Error      
138      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.3959_en_592D0A57.manifest      NOT FOUND      Attributes: Error      
139      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.3959_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL      PATH NOT FOUND      Attributes: Error      
140      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui.DLL      NOT FOUND      Attributes: Error      
141      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui.MANIFEST      NOT FOUND      Attributes: Error      
142      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.DLL      PATH NOT FOUND      Attributes: Error      
143      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.MANIFEST      PATH NOT FOUND      Attributes: Error      
144      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      Options: Open Sequential  Access: Read      
145      10:46:03 AM      csrss.exe:300      READ       C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      Offset: 0 Length: 2      
146      10:46:03 AM      csrss.exe:300      CLOSE      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS            
147      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      Options: Open Sequential  Access: Read      
148      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      FileFsVolumeInformation      
149      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      BUFFER OVERFLOW      FileAllInformation      
150      10:46:03 AM      csrss.exe:300      READ       C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      Offset: 0 Length: 4095      
151      10:46:03 AM      csrss.exe:300      READ      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      END OF FILE      Offset: 1864 Length: 8178      
152      10:46:03 AM      csrss.exe:300      CLOSE      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS            
153      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\system32\SHELL32.dll      SUCCESS            
154      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\System32\svchost.exe.Local\      NOT FOUND      Attributes: Error      
155      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WinSxS\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435      SUCCESS      Attributes: D      
156      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\WinSxS\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435      SUCCESS      Options: Open Directory  Access: 00100020      
157      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\WinSxS\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435\comctl32.dll      SUCCESS      Options: Open  Access: 00100020      
158      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WinSxS\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435\comctl32.dll      SUCCESS      Length: 1584640      
159      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\WinSxS\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435\comctl32.dll      SUCCESS            
160      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\WinSxS\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435\comctl32.dll      SUCCESS      Options: Open  Access: 00100021      
161      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\WinSxS\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435\comctl32.dll      SUCCESS            
162      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Attributes: RHA      
163      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Options: Open  Access: 00100020      
164      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Length: 749      
165      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\WindowsShell.Manifest      SUCCESS            
166      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Attributes: RHA      
167      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Options: Open  Access: Read      
168      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Length: 749      
169      10:46:03 AM      svchost.exe:2824      CLOSE      C:\WINDOWS\WindowsShell.Manifest      SUCCESS            
170      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Options: Open  Access: 001200A9      
171      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Length: 749      
172      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Length: 749      
173      10:46:03 AM      svchost.exe:2824      OPEN      C:\WINDOWS\WindowsShell.Config      NOT FOUND      Options: Open  Access: 001200A9      
174      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Attributes: RHA      
175      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WindowsShell.Manifest      SUCCESS      Attributes: RHA      
176      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en-US_B7C8CB1F\      NOT FOUND      Options: Open Directory  Access: 00100001      
177      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll      PATH NOT FOUND      Attributes: Error      
178      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\en-US      NOT FOUND      Attributes: Error      
179      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\en      NOT FOUND      Attributes: Error      
180      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\      SUCCESS      Attributes: D      
181      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\      SUCCESS      Attributes: D      
182      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\AMD64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en-US_28BBCDE0.manifest      NOT FOUND      Attributes: Error      
183      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
184      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en_C6849106\      NOT FOUND      Options: Open Directory  Access: 00100001      
185      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll      PATH NOT FOUND      Attributes: Error      
186      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\AMD64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en_8ED881B9.manifest      NOT FOUND      Attributes: Error      
187      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
188      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      SUCCESS      Options: Open Directory  Access: 00100001      
189      10:46:03 AM      csrss.exe:300      DIRECTORY      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      SUCCESS      FileBothDirectoryInformation: *.policy      
190      10:46:03 AM      csrss.exe:300      DIRECTORY      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      NO MORE FILES      FileBothDirectoryInformation      
191      10:46:03 AM      csrss.exe:300      CLOSE      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\      SUCCESS            
192      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS      Options: Open Sequential  Access: Read      
193      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS      FileFsVolumeInformation      
194      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      BUFFER OVERFLOW      FileAllInformation      
195      10:46:03 AM      csrss.exe:300      READ       C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS      Offset: 0 Length: 4095      
196      10:46:03 AM      csrss.exe:300      READ      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      END OF FILE      Offset: 625 Length: 8178      
197      10:46:03 AM      csrss.exe:300      CLOSE      C:\WINDOWS\WinSxS\policies\AMD64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_BD997995\6.0.3790.3959.policy      SUCCESS            
198      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\AMD64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_0A7B2435.manifest      SUCCESS      Attributes: A      
0
 
norbs101Author Commented:
Regmon: this one is quite large... I don't believe I filtered out as much as the last time.

290      2.66870165      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
291      2.66871667      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Services      REPARSE            
292      2.66872811      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
293      2.66874123      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
294      2.66875029      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
295      2.66876268      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Type      SUCCESS      0x20      
296      2.66877365      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Start      SUCCESS      0x3      
297      2.66878510      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ErrorControl      SUCCESS      0x1      
298      2.66879630      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Tag      NOT FOUND            
299      2.66880941      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\DependOnService      BUFFER OVERFLOW            
300      2.66882205      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\DependOnService      SUCCESS      "RPCSS"      
301      2.66883421      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\DependOnGroup      NOT FOUND            
302      2.66884589      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Group      NOT FOUND            
303      2.66885734      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\DisplayName      BUFFER OVERFLOW            
304      2.66886997      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\DisplayName      SUCCESS      "Terminal Services"      
305      2.66887951      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
306      2.66889095      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ObjectName      BUFFER OVERFLOW            
307      2.66890311      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ObjectName      SUCCESS      "LocalSystem"      
308      2.66891265      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
312      2.67161655      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
313      2.67163754      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\PlugPlayServiceType      NOT FOUND            
314      2.67165375      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
315      2.67166758      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum\Count      SUCCESS      0x1      
316      2.67168117      services.exe:372      QueryKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS      Subkeys = 0      
317      2.67169356      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
318      2.67170310      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
319      2.67172480      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
320      2.67173886      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\PlugPlayServiceType      NOT FOUND            
321      2.67175221      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
322      2.67176390      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum\Count      SUCCESS      0x1      
323      2.67178130      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum\0      SUCCESS      "Root\LEGACY_TERMSERVICE\0000"      
324      2.67179370      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
325      2.67180300      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
326      2.67183161      services.exe:372      OpenKey      HKCC\System\CurrentControlSet\Enum      REPARSE            
327      2.67185354      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum      REPARSE            
328      2.67187071      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum      REPARSE            
329      2.67188716      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum      SUCCESS            
330      2.67190361      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000      NOT FOUND            
331      2.67191505      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum      SUCCESS            
332      2.67193413      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
333      2.67194819      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\PlugPlayServiceType      NOT FOUND            
334      2.67196107      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
335      2.67197323      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum\Count      SUCCESS      0x1      
336      2.67198348      services.exe:372      QueryKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS      Subkeys = 0      
337      2.67199326      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
338      2.67200208      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
339      2.67202044      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
340      2.67203426      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\PlugPlayServiceType      NOT FOUND            
341      2.67204714      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
342      2.67205882      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum\Count      SUCCESS      0x1      
343      2.67207193      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum\0      SUCCESS      "Root\LEGACY_TERMSERVICE\0000"      
344      2.67208195      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService\Enum      SUCCESS            
345      2.67209077      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
346      2.67211342      services.exe:372      OpenKey      HKCC\System\CurrentControlSet\Enum      REPARSE            
347      2.67212963      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum      REPARSE            
348      2.67214537      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum      REPARSE            
349      2.67216039      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum      SUCCESS            
350      2.67217565      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000      NOT FOUND            
351      2.67218685      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum      SUCCESS            
352      2.67220640      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs      SUCCESS            
353      2.67222095      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\RpcSs\PlugPlayServiceType      NOT FOUND            
354      2.67223430      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum      SUCCESS            
355      2.67224669      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum\Count      SUCCESS      0x1      
356      2.67225671      services.exe:372      QueryKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum      SUCCESS      Subkeys = 0      
357      2.67226648      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum      SUCCESS            
358      2.67227745      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs      SUCCESS            
359      2.67229581      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs      SUCCESS            
360      2.67230892      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\RpcSs\PlugPlayServiceType      NOT FOUND            
361      2.67232180      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum      SUCCESS            
362      2.67233348      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum\Count      SUCCESS      0x1      
363      2.67234588      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum\0      SUCCESS      "Root\LEGACY_RPCSS\0000"      
364      2.67235565      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs\Enum      SUCCESS            
365      2.67236447      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs      SUCCESS            
366      2.67238641      services.exe:372      OpenKey      HKCC\System\CurrentControlSet\Enum      REPARSE            
367      2.67240262      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum      REPARSE            
368      2.67241836      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum      REPARSE            
369      2.67243338      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum      SUCCESS            
370      2.67244864      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\Root\LEGACY_RPCSS\0000      NOT FOUND            
371      2.67245984      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum      SUCCESS            
372      2.67247510      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Services      REPARSE            
373      2.67248750      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
374      2.67250013      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs      SUCCESS            
375      2.67250943      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
376      2.67252183      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\RpcSs\ObjectName      BUFFER OVERFLOW            
377      2.67253518      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\RpcSs\ObjectName      SUCCESS      "NT AUTHORITY\NetworkService"      
378      2.67254424      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\RpcSs      SUCCESS            
379      2.67256165      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Services      REPARSE            
380      2.67257309      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
381      2.67258596      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
382      2.67259502      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
383      2.67260718      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ObjectName      BUFFER OVERFLOW            
384      2.67261958      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ObjectName      SUCCESS      "LocalSystem"      
385      2.67262888      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
386      2.67268753      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Services      REPARSE            
387      2.67269897      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
388      2.67271185      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
389      2.67272091      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
390      2.67273355      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ImagePath      BUFFER OVERFLOW            
391      2.67274809      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ImagePath      SUCCESS      "%SystemRoot%\System32\svchost.exe -k termsvcs"      
392      2.67276430      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
393      2.67277837      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Services      REPARSE            
394      2.67279005      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
395      2.67280555      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
396      2.67281437      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
397      2.67282557      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\WOW64      NOT FOUND            
398      2.67283511      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
399      2.67287922      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Services      REPARSE            
400      2.67289066      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
401      2.67290354      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
402      2.67291260      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
403      2.67292428      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ObjectName      BUFFER OVERFLOW            
404      2.67293644      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\ObjectName      SUCCESS      "LocalSystem"      
405      2.67294574      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
406      2.67300653      services.exe:372      OpenKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
407      2.67302442      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory      SUCCESS      "%SystemDrive%\Documents and Settings"      
408      2.67303729      services.exe:372      CloseKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
409      2.67305827      services.exe:372      OpenKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
410      2.67307377      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile      SUCCESS      "All Users"      
411      2.67308402      services.exe:372      CloseKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
412      2.67311263      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Control\Session Manager\Environment      REPARSE            
413      2.67312789      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment      SUCCESS            
414      2.67314029      services.exe:372      QueryKey      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment      SUCCESS      Subkeys = 0      
415      2.67315865      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\ComSpec      SUCCESS      "%SystemRoot%\system32\cmd.exe"      
416      2.67317080      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment      BUFFER OVERFLOW            
417      2.67318940      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\Path      SUCCESS      "C:\Program Files\Support Tools\;C:\Program Files (x86)\PHP\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\WINDOWS\sysWOW64"      
418      2.67320156      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\windir      SUCCESS      "%SystemRoot%"      
419      2.67321324      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\FP_NO_HOST_CHECK      SUCCESS      "NO"      
420      2.67323065      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\OS      SUCCESS      "Windows_NT"      
421      2.67324758      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_ARCHITECTURE      SUCCESS      "AMD64"      
422      2.67326474      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_LEVEL      SUCCESS      "15"      
423      2.67328405      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_IDENTIFIER      SUCCESS      "AMD64 Family 15 Model 37 Stepping 1, AuthenticAMD"      
424      2.67330122      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_REVISION      SUCCESS      "2501"      
425      2.67331815      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\NUMBER_OF_PROCESSORS      SUCCESS      "1"      
426      2.67333817      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PATHEXT      SUCCESS      ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"      
427      2.67335486      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\TEMP      SUCCESS      "%SystemRoot%\TEMP"      
428      2.67336702      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\TMP      SUCCESS      "%SystemRoot%\TEMP"      
429      2.67337966      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\ClusterLog      SUCCESS      "C:\WINDOWS\Cluster\cluster.log"      
430      2.67339277      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PHPRC      SUCCESS      "C:\Program Files (x86)\PHP\"      
431      2.67341042      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\ComSpec      SUCCESS      "%SystemRoot%\system32\cmd.exe"      
432      2.67342854      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment      BUFFER OVERFLOW            
433      2.67344618      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\Path      SUCCESS      "C:\Program Files\Support Tools\;C:\Program Files (x86)\PHP\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\WINDOWS\sysWOW64"      
434      2.67346907      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\windir      SUCCESS      "%SystemRoot%"      
435      2.67348814      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\FP_NO_HOST_CHECK      SUCCESS      "NO"      
436      2.67349982      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\OS      SUCCESS      "Windows_NT"      
437      2.67351151      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_ARCHITECTURE      SUCCESS      "AMD64"      
438      2.67352295      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_LEVEL      SUCCESS      "15"      
439      2.67353678      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_IDENTIFIER      SUCCESS      "AMD64 Family 15 Model 37 Stepping 1, AuthenticAMD"      
440      2.67354846      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PROCESSOR_REVISION      SUCCESS      "2501"      
441      2.67355990      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\NUMBER_OF_PROCESSORS      SUCCESS      "1"      
442      2.67357230      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PATHEXT      SUCCESS      ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"      
443      2.67358398      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\TEMP      SUCCESS      "%SystemRoot%\TEMP"      
444      2.67365789      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\TMP      SUCCESS      "%SystemRoot%\TEMP"      
445      2.67369986      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\ClusterLog      SUCCESS      "C:\WINDOWS\Cluster\cluster.log"      
446      2.67371750      services.exe:372      EnumerateValue      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment\PHPRC      SUCCESS      "C:\Program Files (x86)\PHP\"      
447      2.67372823      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment      SUCCESS            
448      2.67374706      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Control\ComputerName      REPARSE            
449      2.67376065      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName      SUCCESS            
450      2.67377591      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
451      2.67378974      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName      SUCCESS      "TCGWEB-01"      
452      2.67380023      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName      SUCCESS            
453      2.67381215      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Control\ComputerName      SUCCESS            
454      2.67383885      services.exe:372      OpenKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
455      2.67385530      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory      SUCCESS      "%SystemDrive%\Documents and Settings"      
456      2.67386794      services.exe:372      CloseKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
457      2.67388868      services.exe:372      OpenKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
458      2.67390418      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\DefaultUserProfile      SUCCESS      "Default User"      
459      2.67391443      services.exe:372      CloseKey      HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList      SUCCESS            
460      2.67394257      services.exe:372      OpenKey      HKLM\Software\Microsoft\Windows\CurrentVersion      SUCCESS            
461      2.67395926      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir      SUCCESS      "C:\Program Files"      
462      2.67398000      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir      SUCCESS      "C:\Program Files\Common Files"      
463      2.67399859      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)      SUCCESS      "C:\Program Files (x86)"      
464      2.67401910      services.exe:372      QueryValue      HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)      SUCCESS      "C:\Program Files (x86)\Common Files"      
465      2.67403364      services.exe:372      CloseKey      HKLM\Software\Microsoft\Windows\CurrentVersion      SUCCESS            
466      2.67404962      services.exe:372      OpenKey      HKLM\System\CurrentControlSet\Services      REPARSE            
467      2.67406178      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
468      2.67407513      services.exe:372      OpenKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
469      2.67408442      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services      SUCCESS            
470      2.67409706      services.exe:372      QueryValue      HKLM\SYSTEM\ControlSet001\Services\TermService\Environment      NOT FOUND            
471      2.67410660      services.exe:372      CloseKey      HKLM\SYSTEM\ControlSet001\Services\TermService      SUCCESS            
472      2.67428184      services.exe:372      OpenKey      HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers      REPARSE            
473      2.67429638      services.exe:372      OpenKey      HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers      NOT FOUND            
0
 
norbs101Author Commented:
This is the complete regmon...

To download the file, you must be logged into EE-Stuff. Here are two pages that will display your file, if logged in:

View all files for Question ID: 22889985
https://filedb.experts-exchange.com/incoming/ee-stuff/5033-regmon.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5034-ms.zip
https://filedb.experts-exchange.com/incoming/ee-stuff/5035-filemon.txt


Direct link to your file
https://filedb.experts-exchange.com/incoming/ee-stuff/5033-regmon.txt 
0
 
dreamyguyCommented:
Could you compress and upload these logs to any FTP site (for example http://www.ee-stuff.com)? That way I can open them up with Excel and it would be easy for me to filter the results.
0
 
dreamyguyCommented:
Could you also save a copy of the msinfo32.nfo file (by going to Start-->Run-->msinfo32-->File-->Save As) and upload that to the ee-stuff site? I'd like to have a look at the status of the services related to Terminal Services.
0
 
norbs101Author Commented:
file is uploaded.. thanks.


n.
0
 
dreamyguyCommented:
Where is the msinfo and the filemon log? I only see the regmon log there.
0
 
norbs101Author Commented:
msinfo is there  under ms.zip

I just put up filemon... prior I posted it in this thread.

check out the list of files for the question.


Thanks.
0
 
dreamyguyCommented:
Could you please compare the following keys with a similar working machine? I don't see these drivers listed under the system drivers in the Msinfo file. These keys and the DLLs related to these keys need to be present for Terminal Services to function.

HKLM\SYSTEM\CurrentControlSet\Services\rdpdr
HKLM\SYSTEM\CurrentControlSet\Services\rdpwd
HKLM\SYSTEM\CurrentControlSet\Services\tdtcp

311      10:46:03 AM      svchost.exe:2824      QUERY INFORMATION      C:\WINDOWS\System32\msapsspc.dll      NOT FOUND      Attributes: Error

Also copy the msapsspc.dll from a similar working machine and place it in the system32 folder.

I also see lots of not founds in reference to the Microsoft Windows common-controls.dll. I don't see how they would be relevant in our scenario, but I would nevertheless search for Microsoft.Windows.Common-Controls.DLL on this machine to see if it exists, compare it with a working machine, and copy it over if found on the working machine.

96      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en-US_B7C8CB1F\      NOT FOUND      Options: Open Directory  Access: 00100001      
97      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll      PATH NOT FOUND      Attributes: Error      
102      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en-US_28BBCDE0.manifest      NOT FOUND      Attributes: Error      
103      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
104      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.DLL      NOT FOUND      Attributes: Error      
105      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.MANIFEST      NOT FOUND      Attributes: Error      
106      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
107      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.MANIFEST      PATH NOT FOUND      Attributes: Error      
108      10:46:03 AM      csrss.exe:300      OPEN      C:\WINDOWS\WinSxS\policies\amd64_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en_C6849106\      NOT FOUND      Options: Open Directory  Access: 00100001      
109      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll      PATH NOT FOUND      Attributes: Error      
110      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\WinSxS\manifests\amd64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en_8ED881B9.manifest      NOT FOUND      Attributes: Error      
111      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
112      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.DLL      NOT FOUND      Attributes: Error      
113      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.MANIFEST      NOT FOUND      Attributes: Error      
114      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL      PATH NOT FOUND      Attributes: Error      
115      10:46:03 AM      csrss.exe:300      QUERY INFORMATION      C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.MANIFEST      PATH NOT FOUND      Attributes: Error      
0
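Added example, not part of the thread and not a Regmon/Filemon feature: a small Python filter for the log review described above. It reads rows in the Regmon/Filemon column layout quoted in this thread, keeps only failed lookups, and folds `ControlSetNNN` back to `CurrentControlSet` (assumption: the reparse target in the capture is the current control set). The names `parse` and `failed_lookups` are hypothetical, and the sample rows are constructed from paths quoted in the thread.

```python
import re
from collections import Counter

FAILED = ("NOT FOUND", "PATH NOT FOUND")  # result strings that appear in the thread's logs
SPLIT = re.compile(r"\s*\t\s*|\s{2,}")    # tabs in a saved log, runs of spaces in a web paste
CSET = re.compile(r"\\ControlSet\d{3}\\", re.I)

# Constructed sample: rows in the Regmon/Filemon column layout,
# reusing paths quoted in the thread.
ROWS = [
    ("543", "2.69379377", "services.exe:372", "OpenKey",
     r"HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000", "REPARSE", ""),
    ("544", "2.69380808", "services.exe:372", "OpenKey",
     r"HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000", "NOT FOUND", ""),
    ("551", "2.69398546", "svchost.exe:2824", "QueryValue",
     r"HKLM\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll",
     "SUCCESS", r'"%SystemRoot%\System32\termsrv.dll"'),
    ("553", "2.69401455", "svchost.exe:2824", "QueryValue",
     r"HKLM\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceMain",
     "NOT FOUND", ""),
    ("311", "10:46:03 AM", "svchost.exe:2824", "QUERY INFORMATION",
     r"C:\WINDOWS\System32\msapsspc.dll", "NOT FOUND", "Attributes: Error"),
    ("104", "10:46:03 AM", "csrss.exe:300", "QUERY INFORMATION",
     r"C:\WINDOWS\system32\en-US\Microsoft.Windows.Common-Controls.DLL",
     "NOT FOUND", "Attributes: Error"),
]
SAMPLE = "\n".join("\t".join(row) for row in ROWS)


def parse(text):
    """Yield one dict per log row; lines that are not complete rows are skipped."""
    for line in text.splitlines():
        cols = SPLIT.split(line.strip(), maxsplit=6)
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        cols += [""] * (7 - len(cols))          # the last column is often empty
        name, sep, pid = cols[2].rpartition(":")
        if not sep:                             # no ":pid" suffix on the process
            name, pid = pid, ""
        yield {"seq": int(cols[0]), "time": cols[1], "process": name.lower(),
               "pid": pid, "op": cols[3], "path": cols[4],
               "result": cols[5], "other": cols[6]}


def failed_lookups(text, process=None, contains=None):
    """Count failed lookups per path (lower-cased), in first-seen order.

    A miss is not automatically a fault: programs also probe for optional
    values, so treat the output as a list of candidates to compare against
    a working machine.
    """
    counts = Counter()
    for ev in parse(text):
        if ev["result"] not in FAILED:
            continue
        if process and ev["process"] != process.lower():
            continue
        # Show the key under the name an admin would type in regedit.
        path = CSET.sub(lambda m: "\\CurrentControlSet\\", ev["path"]).lower()
        if contains and contains.lower() not in path:
            continue
        counts[path] += 1
    return counts


if __name__ == "__main__":
    for path, n in failed_lookups(SAMPLE, process="svchost.exe").items():
        print(n, path)
```
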
 
dreamyguyCommented:
Another suggestion: you might also want to try to install the RDP 6 client for x64. Maybe that'll replace the registry keys/files that are needed for terminal services to function properly.

http://www.microsoft.com/downloads/details.aspx?FamilyId=160CE316-BF2B-48D0-A035-E2ABBC55D8E8&displaylang=en
0
 
norbs101Author Commented:
I tried the client.. no improvements...

I have a feeling, short of a reinstall, I can be trying till the end of time.

n.
0
 
dreamyguyCommented:
What about the three keys that I mentioned? I didn't find those keys in the msinfo file you sent. Could you compare them with a working machine to see if they exist?
0
 
norbs101Author Commented:
Ok.. I added the 3 keys from the working machine.

Both machines have the  C:\WINDOWS\System32\msapsspc.dll file in the same location.. the Wow64 directory..  Same goes for the csrss.exe errors.. the file is on both machines in the system32 dir.

After adding the 3 keys I get the following errors on boot in the event log.

Terminal Server session creation failed. The relevant status code was 0xC0000034.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

AND

The following boot-start or system-start driver(s) failed to load:
TermDD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Should there be a TermDD service under my services.msc?
0
 
dreamyguyCommented:
Not all services and drivers show up under services.msc. But the TermDD service should be listed in the registry under HKLM\System\CurrentControlSet\Services\TermDD

It would be good to compare the values of all the keys and attributes of this key with the ones in your working machine. Also make sure that termdd.sys is present under the system32\drivers directory.
0
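Added example, not part of the thread: one way to do the key comparison suggested above is to export the service keys on both machines with regedit and diff the two `.reg` files. The parser below handles the regedit 5.00 text format; `parse_reg`, `diff` and `expand_sz` are hypothetical names, and the values in the sample exports are constructed placeholders, not the real settings for these drivers.

```python
import re

VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=data or @=data


def decode(data):
    """Turn hex(2)/hex(7) data (UTF-16LE strings) into text; keep other types as exported."""
    m = re.match(r"hex\((2|7)\):(.*)$", data)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    return raw.decode("utf-16-le", "replace").rstrip("\x00")


def parse_reg(text):
    """Return {key_lower: {value_name_lower: data}} from a regedit 5.00 export."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):             # hex data wraps onto the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE.match(line)
            if m:
                current[(m.group(1) or "@").lower()] = decode(m.group(3))
    return keys


def diff(working, broken):
    """List (key, value_name, working_data, broken_data) for everything that differs.

    A key absent from the broken machine is reported once with value_name None.
    """
    out = []
    for key, values in working.items():
        if key not in broken:
            out.append((key, None, "key missing", None))
            continue
        for name, data in values.items():
            other = broken[key].get(name)   # None when the value is absent
            if other != data:
                out.append((key, name, data, other))
    return out


def expand_sz(s, wrap=12):
    """Encode s the way regedit writes REG_EXPAND_SZ, wrapped with trailing backslashes."""
    b = [f"{x:02x}" for x in (s + "\0").encode("utf-16-le")]
    chunks = (",".join(b[i:i + wrap]) for i in range(0, len(b), wrap))
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed exports: placeholder values only, for the keys named in the thread.
TERMDD = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD"
RDPWD = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdpwd"
WORKING = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{TERMDD}]",
    '"Start"=dword:00000001',
    '"ImagePath"=' + expand_sz(r"system32\drivers\termdd.sys"),
    "",
    f"[{RDPWD}]",
    '"Start"=dword:00000003',
])
BROKEN = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{TERMDD}]",
    '"Start"=dword:00000004',
])

if __name__ == "__main__":
    for row in diff(parse_reg(WORKING), parse_reg(BROKEN)):
        print(row)
```

Regedit writes version 5.00 exports as UTF-16, so read real files with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.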
 
dreamyguyCommented:
http://www.winserverkb.com/Uwe/Forum.aspx/windows-ts/2930/Terminal-Server-session-creation-failed

Seems like the author of this post contacted MS support with regard to the same issue and even they couldn't find a solution to his problem.
0
