Me, myself & IT

Assorted Cruft, Random Droppings, some Junk, plus Various Remnants

Purpose

Reason

Introduction

Purpose

Reason

Introduction

All versions of Windows^™ NT

Policies

Despite this restriction, the system images shipped by Microsoft but come with a load of Policies set only in the Registry and therefore not shown by the Local Group Policy Editor or the Local Security Policy snap-ins of the Microsoft Management Console! Windows 10 20H2 ...

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Power\PowerSettings]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoAddingComponents"=dword:00000001
"NoComponents"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=dword:00000000
"NoActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"NoRecentDocsHistory"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing]
"CountryCode"="EN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"DSCAutomationHostEnabled"=dword:00000002
"EnableCursorSuppression"=dword:00000001
"EnableFullTrustStartupTasks"=dword:00000002
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableUwpStartupTasks"=dword:00000002
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"SupportFullTrustStartupTasks"=dword:00000001
"SupportUwpStartupTasks"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_BITMAP"=dword:00000002
"CF_DIB"=dword:00000008
"CF_DIBV5"=dword:00000011
"CF_OEMTEXT"=dword:00000007
"CF_PALETTE"=dword:00000009
"CF_TEXT"=dword:00000001
"CF_UNICODETEXT"=dword:0000000d

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet]
"Disabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\BITS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"CallLegacyWCMPolicies"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching]
"DriverUpdateWizardWuSearchEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EnhancedStorageDevices]
"TCGSecurityActivationDisabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections]
"NC_PersonalFirewallConfig"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"authenticodeenabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync]
"EnableBackupForWin8Apps"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\Local]
"WCMPresent"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WSDAPI\Discovery Proxies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
"KnownDllList"="nlhtml.dll"

[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]

[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Power\PowerSettings]

[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Power\PowerSettings]

See the MSDN article Registry Policy File Format for details.

Also missing are the archive files NTUser.pol where the original, now overwritten registry entries are supposed to be saved for restore.

Short 8.3 Filenames

Windows 2000 and all later versions

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
@="mnmsrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
@="mnmsrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
@="mnmsrvc"

Windows Embedded POSReady 2009

%windir%\temp\sso\ssoexec.dll

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"

The directory %windir%\temp in the system image is but empty; on systems installed from this image as well as the image of the sold product too, the (inheritable) NTFS DACL D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;0x100026;;;BU)(A;OICIIO;FA;;;CO) of this directory allows unprivileged users to create both the subdirectory sso and the file ssoexec.dll therein, enabling them to have arbitrary code run under every (other) user account used to log on afterwards, resulting in a privilege escalation. SSO single sign-on

More garbage

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\3Com\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Aureal\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\BCMDM\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Brother\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Digi\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Generic\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\GenericSoftModemUninstallInfo\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Logitech\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Lucent\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Neomagic\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\PCTEL\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\S3\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Specialix\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\TOSHIBA\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_0471\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_05A9\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\VN_VUIns\…]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}]
@="GraphicsShellExt Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32]
@="C:\\WINDOWS\\system32\\igfxpph.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Display Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Gamma2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTGamma2.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Info2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTInfo2.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Overlay Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTOvrlay.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}]
@="S3ConfigD3D Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}\InProcServer32]
@="S3Cfg3d.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\igfxcui]
@="{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Config3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Display]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Gamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Info2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Overlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTConfig3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTDisplay]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTGamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTInfo2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTOverlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VModes"="VModes UpdateRegistryOnly"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"S3Trayp"="S3trayp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"TrackPointSrv"="tp4mon.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller]
"Start"=dword:00000002
"Type"=dword:00000110
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\atievxx.exe"
"ObjectName"="LocalSystem"
"Group"="Event log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AssetManagement]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\ccm_caltrack.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\LiveMeeting]
"TypesSupported"=dword:00000007
"EventMessageFile"=expand:"C:\\PROGRA~1\\MICROS~3\\LIVEME~1\\Console\\MUI\\0409\\UCCPRES.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SmsClient]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\climsgs.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"Type"=dword:00000010
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\pctspk.exe"
"DisplayName"="PCTEL Speaker Phone"

Needless to say: all the (executable) files referenced in this junk are not present in the system image, and all the device drivers which have registry subkeys created below the various registry keys [HKEY_LOCAL_MACHINE\SOFTWARE\‹vendor name›] are missing too.

Whoever built this system image did most obviously not start from a clean environment, but installed superfluous components like LiveMeeting Console and System Center Configuration Management Client, used unsuitable tools to integrate 3rd-party drivers, and used unsuitable tools to prepare it for deployment.

Is this trustworthy computing?
Proper software engineering?
Due diligence?
And what about quality assurance?

It but looks like the pretty good job of Microsoft’s miserability assurance!
Or just total incompetence.

Windows 7 and all later versions

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE CompList]
"IE40.Comctl32"=""
"IE40.UserAgent"=""
"IE.HKCUZoneInfo"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE UserData NT\\IE UserData NT.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE UserData NT"
"InstallINFFile"="C:\\Windows\\System32\\ieuinit.inf"
"InstallINFSection"="DefaultInstall.Windows7"
"BackupRegistry"="y"
"ComponentVersion"="6.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo\\IE.HKCUZoneInfo.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo"
"InstallINFFile"="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\RGI‹abcd›.tmp"
"InstallINFSection"="Backup.HKCU"
"BackupRegistry"="y"
"ComponentVersion"="6.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE40.UserAgent\\IE40.UserAgent.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE40.UserAgent"
"InstallINFFile"="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\RGI‹abcd›.tmp"
"InstallINFSection"="BackupUserAgent"
"BackupRegistry"="y"
"ComponentVersion"="6.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0]
"e1be3f182420a0a0"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,2c,00,00,00
"57fd7ae31ab34c2c"=hex:2c,00,53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,2c,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map]
"e1be3f182420a0a0"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"
"57fd7ae31ab34c2c"=",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0]
"ef29a4ec885fa451"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,2c,00,00,00
"2ba02e083fadee33"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,2c,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map]
"ef29a4ec885fa451"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"
"2ba02e083fadee33"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"

Note: these registry entries are overwritten when a member of the BUILTIN\Administrators user group whose account is not controlled by UAC logs on for the first time.

Windows 10

%SystemRoot%\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-‹digits›-‹digits›-‹digits›-500

WHOAMI.EXE /USER
DIR "%SystemRoot%\System32\Tasks\OneDrive*"
TYPE "%SystemRoot%\System32\Tasks\OneDrive*"

USER INFORMATION
----------------

User Name       SID
=============== ===========================================
AMNESIAC\Stefan S-1-5-21-820728443-44925810-1835867902-1000

 Volume in drive C has no label.
 Volume Serial Number is 1957-0427

 Directory of C:\Windows\System32\Tasks

11/19/2020  00:58 AM             3,392 OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500
01/08/2021  01:23 PM             2,846 OneDrive Standalone Update Task-S-1-5-21-820728443-44925810-1835867902-1000
               2 File(s)          6,238 bytes
               0 Dir(s)    9,876,543,210 bytes free

C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500


<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>1992-05-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <Repetition>
        <Interval>P1D</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <RandomDelay>PT4H</RandomDelay>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P1D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>
      <Arguments />
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>WIN-5MFJT3L56DB\Administrator</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-820728443-44925810-1835867902-1000


<?xml version="1.0" encoding="UTF-16"?>
[…]
  <Principals>
    <Principal id="Author">
      <UserId>AMNESIAC\Stefan</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>

Contact

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

• The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
  In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
• Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
  An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
• Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
• Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

The web service is operated and provided by

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

• the (pseudonymised) IP address;
• the date and time of the request;
• the URL of the requested web page or file;
• the Referer and User-Agent HTTP headers sent by the web browser;
• the result (success or failure) of the request;
• the amount of data received and sent.