Despite this restriction, the system images shipped by Microsoft come with a load of policies that are set only in the registry and are therefore not shown by the Local Group Policy Editor or the Local Security Policy snap-ins of the Microsoft Management Console! Windows 10 20H2 ...
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Power\PowerSettings]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoAddingComponents"=dword:00000001
"NoComponents"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=dword:00000000
"NoActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"NoRecentDocsHistory"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing]
"CountryCode"="EN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"DSCAutomationHostEnabled"=dword:00000002
"EnableCursorSuppression"=dword:00000001
"EnableFullTrustStartupTasks"=dword:00000002
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableUwpStartupTasks"=dword:00000002
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"SupportFullTrustStartupTasks"=dword:00000001
"SupportUwpStartupTasks"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_BITMAP"=dword:00000002
"CF_DIB"=dword:00000008
"CF_DIBV5"=dword:00000011
"CF_OEMTEXT"=dword:00000007
"CF_PALETTE"=dword:00000009
"CF_TEXT"=dword:00000001
"CF_UNICODETEXT"=dword:0000000d
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet]
"Disabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000005
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\BITS]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"CallLegacyWCMPolicies"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching]
"DriverUpdateWizardWuSearchEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EnhancedStorageDevices]
"TCGSecurityActivationDisabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections]
"NC_PersonalFirewallConfig"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"authenticodeenabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync]
"EnableBackupForWin8Apps"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\Local]
"WCMPresent"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WSDAPI\Discovery Proxies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbSelectDeviceByInterface"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
"KnownDllList"="nlhtml.dll"
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Power\PowerSettings]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Power\PowerSettings]
Note: the subdirectories %SystemRoot%\System32\GroupPolicy\Machine and %SystemRoot%\System32\GroupPolicy\User with the registry policy files Registry.pol, where these registry entries are supposed to be stored, are missing in the system images!
See the MSDN article Registry Policy File Format for details.
Also missing are the archive files NTUser.pol, where the original (now overwritten) registry entries are supposed to be saved for restoration.
Short 8.3 Filenames
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
@="mnmsrvc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
@="mnmsrvc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
@="mnmsrvc"
%windir%\temp\sso\ssoexec.dll
The file \Setup\WIM\setup.wim on the Evaluation CD for Windows Embedded POSReady 2009, available in the Microsoft Download Center, contains the following registry entries:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"
Note: the unusual placement of this (non-existent) DLL looks rather suspicious; it indicates that the computer from which the installation image was captured might have been compromised and infected with malware.
The directory %windir%\temp in the system image is empty; on systems installed from this image, as well as from the image of the sold product, the (inheritable) NTFS DACL
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;0x100026;;;BU)(A;OICIIO;FA;;;CO)
of this directory allows unprivileged users to create both the subdirectory sso and the file ssoexec.dll therein (the ACE for BUILTIN\Users, access mask 0x100026, grants the rights to add files and subdirectories and is inherited by subdirectories), enabling them to have arbitrary code run under every (other) user account used to log on afterwards, resulting in a privilege escalation.
SSO: single sign-on
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\3Com\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Aureal\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\BCMDM\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Brother\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Digi\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Generic\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\GenericSoftModemUninstallInfo\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Logitech\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Lucent\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Neomagic\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\PCTEL\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\S3\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Specialix\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\TOSHIBA\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_0471\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_05A9\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\VN_VUIns\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}]
@="GraphicsShellExt Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32]
@="C:\\WINDOWS\\system32\\igfxpph.dll"
…
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Display Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"
…
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Gamma2 Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTGamma2.dll"
…
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Info2 Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTInfo2.dll"
…
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Overlay Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTOvrlay.dll"
…
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}]
@="S3ConfigD3D Property Sheet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}\InProcServer32]
@="S3Cfg3d.dll"
…
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\igfxcui]
@="{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Config3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Display]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Gamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Info2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Overlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTConfig3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTDisplay]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTGamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTInfo2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTOverlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VModes"="VModes UpdateRegistryOnly"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"S3Trayp"="S3trayp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"TrackPointSrv"="tp4mon.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller]
"Start"=dword:00000002
"Type"=dword:00000110
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\atievxx.exe"
"ObjectName"="LocalSystem"
"Group"="Event log"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AssetManagement]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\ccm_caltrack.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\LiveMeeting]
"TypesSupported"=dword:00000007
"EventMessageFile"=expand:"C:\\PROGRA~1\\MICROS~3\\LIVEME~1\\Console\\MUI\\0409\\UCCPRES.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SmsClient]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\climsgs.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"Type"=dword:00000010
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\pctspk.exe"
"DisplayName"="PCTEL Speaker Phone"
Note: the (highlighted) unqualified and unquoted
filenames used in this cruft are nice targets for binary planting
attacks!
Needless to say: all the (executable) files referenced in this junk
are not present in the system image, and all the
device drivers which have registry subkeys created below the various
registry keys
[HKEY_LOCAL_MACHINE\SOFTWARE\‹vendor name›]
are missing too.
Whoever built this system image most obviously did not start from a clean environment, but installed superfluous components like the LiveMeeting Console and the System Center Configuration Management Client, used unsuitable tools to integrate third-party drivers, and used unsuitable tools to prepare it for deployment.
Is this trustworthy computing?
Proper software engineering?
Due diligence?
And what about quality assurance?
It looks rather like the pretty good job of Microsoft’s miserability assurance! Or just total incompetence.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE CompList]
"IE40.Comctl32"=""
"IE40.UserAgent"=""
"IE.HKCUZoneInfo"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE UserData NT\\IE UserData NT.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE UserData NT"
"InstallINFFile"="C:\\Windows\\System32\\ieuinit.inf"
"InstallINFSection"="DefaultInstall.Windows7"
"BackupRegistry"="y"
"ComponentVersion"="6.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo\\IE.HKCUZoneInfo.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo"
"InstallINFFile"="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\RGI‹abcd›.tmp"
"InstallINFSection"="Backup.HKCU"
"BackupRegistry"="y"
"ComponentVersion"="6.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE40.UserAgent\\IE40.UserAgent.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE40.UserAgent"
"InstallINFFile"="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\RGI‹abcd›.tmp"
"InstallINFSection"="BackupUserAgent"
"BackupRegistry"="y"
"ComponentVersion"="6.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0]
"e1be3f182420a0a0"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,2c,00,00,00
"57fd7ae31ab34c2c"=hex:2c,00,53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,2c,00,00,00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map]
"e1be3f182420a0a0"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"
"57fd7ae31ab34c2c"=",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0]
"ef29a4ec885fa451"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,2c,00,00,00
"2ba02e083fadee33"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,2c,00,00,00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map]
"ef29a4ec885fa451"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"
"2ba02e083fadee33"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
Note: neither any subdirectory below C:\Program Files\Uninstall Information\ nor the directory C:\Users\ADMINI~1\ (alias C:\Users\Administrator\) is present in the system images shipped by Microsoft!
...
Note: these registry entries are overwritten when a
member of the
BUILTIN\Administrators
user group
whose account is not controlled by
UAC logs on for the
first time.
%SystemRoot%\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-‹digits›-‹digits›-‹digits›-500
WHOAMI.EXE /USER
DIR "%SystemRoot%\System32\Tasks\OneDrive*"
TYPE "%SystemRoot%\System32\Tasks\OneDrive*"
USER INFORMATION
----------------

User Name       SID
=============== ===========================================
AMNESIAC\Stefan S-1-5-21-820728443-44925810-1835867902-1000

 Volume in drive C has no label.
 Volume Serial Number is 1957-0427

 Directory of C:\Windows\System32\Tasks

11/19/2020  00:58 AM             3,392 OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500
01/08/2021  01:23 PM             2,846 OneDrive Standalone Update Task-S-1-5-21-820728443-44925810-1835867902-1000
               2 File(s)          6,238 bytes
               0 Dir(s)  9,876,543,210 bytes free

C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>1992-05-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <Repetition>
        <Interval>P1D</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <RandomDelay>PT4H</RandomDelay>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P1D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>
      <Arguments />
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>WIN-5MFJT3L56DB\Administrator</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>

C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-820728443-44925810-1835867902-1000

<?xml version="1.0" encoding="UTF-16"?>
[…]
  <Principals>
    <Principal id="Author">
      <UserId>AMNESIAC\Stefan</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>