DiamondCS Deep System Explorer
     



Detection Example: DSE vs Hidden & Invalid Registry Items

Description: The Windows registry is a large database that applications use to store settings. It has a tree-like structure and can be browsed with registry viewing utilities such as Regedit, which comes with Windows (\Windows\regedit.exe).

However, it is becoming common for malicious software (malware) such as rootkits to hide registry items, usually by hooking or patching registry-related API functions.

Another trick involves embedding a 'null-char' byte (character code 0) in either the value name or the key name, which prevents most registry viewers, including Regedit, from opening such keys, even though they can still 'see' them.

Deep System Explorer can easily detect such invalid registry items as well as hidden registry items. The registry itself is a very large database, but Deep System Explorer is able to completely analyse a typical registry in approximately half a minute.


Detection: Possibly the first public demonstration of using a null-char in a registry key was RegHide by Mark Russinovich. Purely a non-malicious demonstration, RegHide simply creates a key called HKEY_LOCAL_MACHINE\Software\System Internals\Can't touch me!, with a null-char appended on the end, allowing users to test it for themselves.

Using Regedit we can see the key, but not open/browse it:

Therefore we cannot see any values or subkeys within the key.

Deep System Explorer easily detects this anomaly and also allows us to see the last time any modifications took place within that key, which can often help give a clue about which program created the key. We can also see two other keys that use this trick, which are created during Windows installation. Notice the "." character at the end of each invalidly-named item which is actually the null character:


So technically speaking RegHide doesn't actually hide the key, but it does hide values and other subkeys within the key by preventing the key from being opened by most registry viewers.
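One way to flag such names, as an added example (not DSE's code and not part of the original page): the Windows native API handles registry names as counted UTF-16 strings, so a U+0000 inside the count is part of the name, while a caller that treats the name as NUL-terminated sees a shorter one. The `counted_name` type, the function names and the sample names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Counted UTF-16 name: the length is explicit, so U+0000 is an ordinary
   character. Hypothetical type for this example. */
typedef struct {
    const uint16_t *buf;
    size_t len; /* UTF-16 code units stored, embedded NULs included */
} counted_name;

/* Length a NUL-terminated string API would see: it stops at the first U+0000. */
size_t visible_len(const counted_name *n) {
    size_t i = 0;
    while (i < n->len && n->buf[i] != 0) i++;
    return i;
}

/* Invalid for NUL-terminated callers if a NUL lies inside the counted length. */
int has_embedded_nul(const counted_name *n) {
    return visible_len(n) < n->len;
}

/* Render for a report: NUL as '.', other non-printable or non-ASCII units as '?'. */
size_t render_name(const counted_name *n, char *out, size_t cap) {
    size_t w = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; i < n->len && w + 1 < cap; i++) {
        uint16_t c = n->buf[i];
        out[w++] = (c == 0) ? '.' : (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[w] = '\0';
    return w;
}

/* Constructed sample names (not read from a real registry). */
static const uint16_t N_REGHIDE[] = {'C','a','n','\'','t',' ','t','o','u','c','h',' ','m','e','!',0};
static const uint16_t N_SAC[]     = {'S','A','C',0};
static const uint16_t N_PLAIN[]   = {'D','P','A','P','I','_','S','Y','S','T','E','M'};
static const uint16_t N_MIDDLE[]  = {'A','B',0,'C','D'}; /* NUL not at the end */
#define UNITS(a) (sizeof(a) / sizeof((a)[0]))
static const counted_name SAMPLES[] = {
    {N_REGHIDE, UNITS(N_REGHIDE)}, {N_SAC, UNITS(N_SAC)},
    {N_PLAIN, UNITS(N_PLAIN)},     {N_MIDDLE, UNITS(N_MIDDLE)},
};
#define SAMPLE_COUNT UNITS(SAMPLES)

/* Count names with an embedded NUL; optionally print one report line per hit. */
size_t scan_names(const counted_name *names, size_t count, int verbose) {
    size_t flagged = 0;
    char shown[128];
    for (size_t i = 0; i < count; i++) {
        if (!has_embedded_nul(&names[i])) continue;
        flagged++;
        if (verbose) {
            render_name(&names[i], shown, sizeof shown);
            printf("INVALID  %-18s stored=%zu units, NUL-terminated view=%zu\n",
                   shown, names[i].len, visible_len(&names[i]));
        }
    }
    return flagged;
}

int main(void) {
    printf("%zu invalid name(s)\n", scan_names(SAMPLES, SAMPLE_COUNT, 1));
    return 0;
}
```

The gap between the stored length and the NUL-terminated view is why a viewer can list the key yet fail to open it: the name it passes back is shorter than the name that was stored.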

Hidden registry items, on the other hand, are actually quite common - many hidden keys are created during Windows installation, mainly under the HKEY_LOCAL_MACHINE\SAM\SAM\ and HKEY_LOCAL_MACHINE\SECURITY\ keys.

The Windows operating system is responsible for hiding those keys, but when a rootkit wants to hide keys it will generally hook or patch registry-related API functions, which can also be detected by Deep System Explorer.

Here is a sample of what you may see on a default Windows installation. Due to space constraints only hidden keys are listed; hidden values within these keys have been omitted but can be seen with Deep System Explorer:

 HKLM\SAM\SAM\Domains\
 HKLM\SAM\SAM\Domains\Account\
 HKLM\SAM\SAM\Domains\Account\Aliases\
 HKLM\SAM\SAM\Domains\Account\Aliases\000003E9\
 HKLM\SAM\SAM\Domains\Account\Aliases\Members\
 HKLM\SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\
 HKLM\SAM\SAM\Domains\Account\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000003EA\
 HKLM\SAM\SAM\Domains\Account\Aliases\Names\
 HKLM\SAM\SAM\Domains\Account\Aliases\Names\HelpServicesGroup\
 HKLM\SAM\SAM\Domains\Account\Groups\
 HKLM\SAM\SAM\Domains\Account\Groups\00000201\
 HKLM\SAM\SAM\Domains\Account\Groups\Names\
 HKLM\SAM\SAM\Domains\Account\Groups\Names\None\
 HKLM\SAM\SAM\Domains\Account\Users\
 HKLM\SAM\SAM\Domains\Account\Users\000001F4\
 HKLM\SAM\SAM\Domains\Account\Users\000001F5\
 HKLM\SAM\SAM\Domains\Account\Users\000003E8\
 HKLM\SAM\SAM\Domains\Account\Users\000003EA\
 HKLM\SAM\SAM\Domains\Account\Users\000003EB\
 HKLM\SAM\SAM\Domains\Account\Users\000003EC\
 HKLM\SAM\SAM\Domains\Account\Users\Names\
 HKLM\SAM\SAM\Domains\Account\Users\Names\Administrator\
 HKLM\SAM\SAM\Domains\Account\Users\Names\Guest\
 HKLM\SAM\SAM\Domains\Account\Users\Names\HelpAssistant\
 HKLM\SAM\SAM\Domains\Builtin\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\00000221\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\00000222\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\00000223\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\00000227\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\00000228\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022B\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\0000022C\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\00000004\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5\0000000B\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000001F4\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000001F5\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000003EB\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000003EC\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Administrators\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Backup Operators\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Guests\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Network Configuration Operators\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Power Users\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Remote Desktop Users\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Replicator\
 HKLM\SAM\SAM\Domains\Builtin\Aliases\Names\Users\
 HKLM\SAM\SAM\Domains\Builtin\Groups\
 HKLM\SAM\SAM\Domains\Builtin\Groups\Names\
 HKLM\SAM\SAM\Domains\Builtin\Users\
 HKLM\SAM\SAM\Domains\Builtin\Users\Names\
 HKLM\SAM\SAM\RXACT\
 HKLM\SECURITY\Policy\
 HKLM\SECURITY\Policy\Accounts\
 HKLM\SECURITY\Policy\Accounts\S-1-1-0\
 HKLM\SECURITY\Policy\Accounts\S-1-1-0\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-1-0\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-1-0\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-1-0\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-19\
 HKLM\SECURITY\Policy\Accounts\S-1-5-19\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-19\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-19\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-20\
 HKLM\SECURITY\Policy\Accounts\S-1-5-20\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-20\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-20\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-20\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-1002\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-1002\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-1002\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-1002\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-501\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-501\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-501\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-21-6060284292-692894295-222355549-501\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-544\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-544\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-544\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-544\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-544\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-545\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-545\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-545\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-545\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-545\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-547\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-547\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-547\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-547\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-547\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-551\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-551\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-551\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-551\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-551\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-555\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-555\ActSysAc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-555\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-32-555\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-4\
 HKLM\SECURITY\Policy\Accounts\S-1-5-4\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-4\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-4\Sid\
 HKLM\SECURITY\Policy\Accounts\S-1-5-6\
 HKLM\SECURITY\Policy\Accounts\S-1-5-6\Privilgs\
 HKLM\SECURITY\Policy\Accounts\S-1-5-6\SecDesc\
 HKLM\SECURITY\Policy\Accounts\S-1-5-6\Sid\
 HKLM\SECURITY\Policy\DefQuota\
 HKLM\SECURITY\Policy\Domains\
 HKLM\SECURITY\Policy\PolAcDmN\
 HKLM\SECURITY\Policy\PolAcDmS\
 HKLM\SECURITY\Policy\PolAdtEv\
 HKLM\SECURITY\Policy\PolAdtFL\
 HKLM\SECURITY\Policy\PolAdtLg\
 HKLM\SECURITY\Policy\PolDnDDN\
 HKLM\SECURITY\Policy\PolDnDmG\
 HKLM\SECURITY\Policy\PolDnTrN\
 HKLM\SECURITY\Policy\PolMod\
 HKLM\SECURITY\Policy\PolPrDmN\
 HKLM\SECURITY\Policy\PolPrDmS\
 HKLM\SECURITY\Policy\PolRevision\
 HKLM\SECURITY\Policy\PolSecretEncryptionKey\
 HKLM\SECURITY\Policy\PolState\
 HKLM\SECURITY\Policy\QuAbsMax\
 HKLM\SECURITY\Policy\QuAbsMin\
 HKLM\SECURITY\Policy\SecDesc\
 HKLM\SECURITY\Policy\Secrets\
 HKLM\SECURITY\Policy\Secrets\_SC_Alerter\
 HKLM\SECURITY\Policy\Secrets\_SC_Alerter\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_Alerter\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_Alerter\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_Alerter\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_Alerter\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_ALG\
 HKLM\SECURITY\Policy\Secrets\_SC_ALG\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_ALG\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_ALG\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_ALG\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_ALG\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_Dnscache\
 HKLM\SECURITY\Policy\Secrets\_SC_Dnscache\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_Dnscache\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_Dnscache\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_Dnscache\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_Dnscache\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_LmHosts\
 HKLM\SECURITY\Policy\Secrets\_SC_LmHosts\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_LmHosts\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_LmHosts\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_LmHosts\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_LmHosts\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_MSDTC\
 HKLM\SECURITY\Policy\Secrets\_SC_MSDTC\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_MSDTC\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_MSDTC\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_MSDTC\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_MSDTC\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcLocator\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcLocator\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcLocator\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcLocator\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcLocator\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcLocator\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcSs\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcSs\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcSs\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcSs\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcSs\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_RpcSs\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_SSDPSRV\
 HKLM\SECURITY\Policy\Secrets\_SC_SSDPSRV\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_SSDPSRV\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_SSDPSRV\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_SSDPSRV\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_SSDPSRV\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_upnphost\
 HKLM\SECURITY\Policy\Secrets\_SC_upnphost\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_upnphost\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_upnphost\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_upnphost\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_upnphost\SecDesc\
 HKLM\SECURITY\Policy\Secrets\_SC_WebClient\
 HKLM\SECURITY\Policy\Secrets\_SC_WebClient\CupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_WebClient\CurrVal\
 HKLM\SECURITY\Policy\Secrets\_SC_WebClient\OldVal\
 HKLM\SECURITY\Policy\Secrets\_SC_WebClient\OupdTime\
 HKLM\SECURITY\Policy\Secrets\_SC_WebClient\SecDesc\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantAccount\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantAccount\CupdTime\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantAccount\CurrVal\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantAccount\OldVal\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantAccount\OupdTime\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantAccount\SecDesc\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantSID\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantSID\CupdTime\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantSID\CurrVal\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantSID\OldVal\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantSID\OupdTime\
 HKLM\SECURITY\Policy\Secrets\0083343a-f925-4ed7-b1d6-a95f19a0b572-RemoteDesktopHelpAssistantSID\SecDesc\
 HKLM\SECURITY\Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT\
 HKLM\SECURITY\Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT\CupdTime\
 HKLM\SECURITY\Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT\CurrVal\
 HKLM\SECURITY\Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT\OldVal\
 HKLM\SECURITY\Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT\OupdTime\
 HKLM\SECURITY\Policy\Secrets\20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT\SecDesc\
 HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM\
 HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM\CupdTime\
 HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal\
 HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM\OldVal\
 HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM\OupdTime\
 HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM\SecDesc\
 HKLM\SECURITY\Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}\
 HKLM\SECURITY\Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}\CupdTime\
 HKLM\SECURITY\Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}\CurrVal\
 HKLM\SECURITY\Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}\OldVal\
 HKLM\SECURITY\Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}\OupdTime\
 HKLM\SECURITY\Policy\Secrets\G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}\SecDesc\
 HKLM\SECURITY\Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}\
 HKLM\SECURITY\Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}\CupdTime\
 HKLM\SECURITY\Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}\CurrVal\
 HKLM\SECURITY\Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}\OldVal\
 HKLM\SECURITY\Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}\OupdTime\
 HKLM\SECURITY\Policy\Secrets\L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}\SecDesc\
 HKLM\SECURITY\Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\
 HKLM\SECURITY\Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\CupdTime\
 HKLM\SECURITY\Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\CurrVal\
 HKLM\SECURITY\Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\OldVal\
 HKLM\SECURITY\Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\OupdTime\
 HKLM\SECURITY\Policy\Secrets\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\SecDesc\
 HKLM\SECURITY\Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588\
 HKLM\SECURITY\Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588\CupdTime\
 HKLM\SECURITY\Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588\CurrVal\
 HKLM\SECURITY\Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588\OldVal\
 HKLM\SECURITY\Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588\OupdTime\
 HKLM\SECURITY\Policy\Secrets\L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588\SecDesc\
 HKLM\SECURITY\Policy\Secrets\SAC.\
 HKLM\SECURITY\Policy\Secrets\SAI.\
 HKLM\SECURITY\RXACT\
 HKLM\SECURITY\SAM\
 HKLM\SECURITY\SAM\Domains\
 HKLM\SECURITY\SAM\Domains\Account\
 HKLM\SECURITY\SAM\Domains\Account\Aliases\
 HKLM\SECURITY\SAM\Domains\Account\Aliases\000003E9\
 HKLM\SECURITY\SAM\Domains\Account\Aliases\Members\
 HKLM\SECURITY\SAM\Domains\Account\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\
 HKLM\SECURITY\SAM\Domains\Account\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000003EA\
 HKLM\SECURITY\SAM\Domains\Account\Aliases\Names\
 HKLM\SECURITY\SAM\Domains\Account\Aliases\Names\HelpServicesGroup\
 HKLM\SECURITY\SAM\Domains\Account\Groups\
 HKLM\SECURITY\SAM\Domains\Account\Groups\00000201\
 HKLM\SECURITY\SAM\Domains\Account\Groups\Names\
 HKLM\SECURITY\SAM\Domains\Account\Groups\Names\None\
 HKLM\SECURITY\SAM\Domains\Account\Users\
 HKLM\SECURITY\SAM\Domains\Account\Users\000001F4\
 HKLM\SECURITY\SAM\Domains\Account\Users\000001F5\
 HKLM\SECURITY\SAM\Domains\Account\Users\000003E8\
 HKLM\SECURITY\SAM\Domains\Account\Users\000003EA\
 HKLM\SECURITY\SAM\Domains\Account\Users\000003EB\
 HKLM\SECURITY\SAM\Domains\Account\Users\000003EC\
 HKLM\SECURITY\SAM\Domains\Account\Users\Names\
 HKLM\SECURITY\SAM\Domains\Account\Users\Names\Administrator\
 HKLM\SECURITY\SAM\Domains\Account\Users\Names\Guest\
 HKLM\SECURITY\SAM\Domains\Account\Users\Names\HelpAssistant\
 HKLM\SECURITY\SAM\Domains\Builtin\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\00000220\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\00000221\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\00000222\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\00000223\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\00000227\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\00000228\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\0000022B\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\0000022C\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5\00000004\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5\0000000B\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000001F4\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000001F5\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000003EB\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-6060284292-692894295-222355549\000003EC\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Administrators\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Backup Operators\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Guests\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Network Configuration Operators\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Power Users\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Remote Desktop Users\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Replicator\
 HKLM\SECURITY\SAM\Domains\Builtin\Aliases\Names\Users\
 HKLM\SECURITY\SAM\Domains\Builtin\Groups\
 HKLM\SECURITY\SAM\Domains\Builtin\Groups\Names\
 HKLM\SECURITY\SAM\Domains\Builtin\Users\
 HKLM\SECURITY\SAM\Domains\Builtin\Users\Names\
 HKLM\SECURITY\SAM\RXACT\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data\14d96c20-255b-11d1-898f-00c04fb6bfc4\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data\14d96c20-255b-11d1-898f-00c04fb6bfc4\00000000-0000-0000-0000-000000000000\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data\89c39569-6841-11d2-9f59-0000f8085266\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data\89c39569-6841-11d2-9f59-0000f8085266\4874a1d6-e941-4f09-bbae-4db71f256e0a\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data\89c39569-6841-11d2-9f59-0000f8085266\4874a1d6-e941-4f09-bbae-4db71f256e0a\IdentitiesPass\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data 2\
 HKU\S-1-5-21-6060284292-692894295-222355549-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-6060284292-692894295-222355549-1003\Data 2\Windows\




Copyright © 1999 - 2010, Diamond Computer Systems Pty. Ltd.  All rights reserved.