
Me, myself & IT

Assorted Cruft, Random Droppings, some Junk, plus Various Remnants

Purpose

Microsoft® ...

Reason

Introduction

All versions of Windows® NT

Policies

Policies are reserved for use by (local) administrators; they are not supposed to be (ab)used by software vendors.

Despite this restriction, the system images shipped by Microsoft come with a load of policies that are set only in the registry and are therefore shown neither by the Local Group Policy Editor nor by the Local Security Policy snap-ins of the Microsoft Management Console!

Windows 10 20H2 ...

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
[HKEY_CURRENT_USER\SOFTWARE\Policies\Power\PowerSettings]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoAddingComponents"=dword:00000001
"NoComponents"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=dword:00000000
"NoActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"NoRecentDocsHistory"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing]
"CountryCode"="EN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"DSCAutomationHostEnabled"=dword:00000002
"EnableCursorSuppression"=dword:00000001
"EnableFullTrustStartupTasks"=dword:00000002
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableUwpStartupTasks"=dword:00000002
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"SupportFullTrustStartupTasks"=dword:00000001
"SupportUwpStartupTasks"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_BITMAP"=dword:00000002
"CF_DIB"=dword:00000008
"CF_DIBV5"=dword:00000011
"CF_OEMTEXT"=dword:00000007
"CF_PALETTE"=dword:00000009
"CF_TEXT"=dword:00000001
"CF_UNICODETEXT"=dword:0000000d

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet]
"Disabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\BITS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"CallLegacyWCMPolicies"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching]
"DriverUpdateWizardWuSearchEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EnhancedStorageDevices]
"TCGSecurityActivationDisabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections]
"NC_PersonalFirewallConfig"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"authenticodeenabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync]
"EnableBackupForWin8Apps"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\Local]
"WCMPresent"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WSDAPI\Discovery Proxies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
"KnownDllList"="nlhtml.dll"

[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]

[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_USERS\S-1-5-19\SOFTWARE\Policies\Power\PowerSettings]

[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
[HKEY_USERS\S-1-5-20\SOFTWARE\Policies\Power\PowerSettings]
Note: the subdirectories %SystemRoot%\System32\GroupPolicy\Machine and %SystemRoot%\System32\GroupPolicy\User with the registry policy files Registry.pol, where these registry entries are supposed to be stored, are missing from the system images!

See the MSDN article Registry Policy File Format for details.

Also missing are the archive files NTUser.pol where the original, now overwritten registry entries are supposed to be saved for restore.
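To make the point concrete, here is a minimal reader and writer for the Registry.pol format described in the MSDN article cited above, plus a check that lists policy values found in the registry for which no Registry.pol record exists. This is an added example in Python, not code from the original page; the sample policy values are taken from the dump above, while the split into a "managed" set (what a Registry.pol would hold) and an "observed" set (what the registry contains) is constructed for illustration.

```python
"""Reader/writer for the Registry.pol format (MSDN "Registry Policy File
Format") and a check for registry policy values that no Registry.pol record
backs.  Added example, not code from the original page."""
import struct

SIGNATURE = b"PReg"            # file header: signature, then version 1 as DWORD
VERSION = 1
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4


def _w(text):
    """UTF-16LE encode without terminator; the brackets and semicolons that
    delimit a record are UTF-16 characters as well."""
    return text.encode("utf-16-le")


def dword(value):
    """REG_DWORD data: 4-byte little-endian integer."""
    return struct.pack("<I", value)


def build_registry_pol(records):
    """Serialise (key, value_name, type, data) tuples as
    [key;value;type;size;data] records following the PReg header."""
    out = bytearray(SIGNATURE + struct.pack("<I", VERSION))
    for key, name, rtype, data in records:
        out += _w("[") + _w(key) + b"\0\0" + _w(";") + _w(name) + b"\0\0" + _w(";")
        out += struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
        out += data + _w("]")
    return bytes(out)


def _read_wstr(buf, pos):
    """Read a null-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    if buf[end:end + 2] != b"\0\0":
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, token):
    if buf[pos:pos + 2] != _w(token):
        raise ValueError("expected %r at offset %d" % (token, pos))
    return pos + 2


def parse_registry_pol(buf):
    """Return the (key, value_name, type, data) records of a Registry.pol image."""
    if buf[:4] != SIGNATURE:
        raise ValueError("missing PReg signature")
    if struct.unpack_from("<I", buf, 4)[0] != VERSION:
        raise ValueError("unsupported Registry.pol version")
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        records.append((key, name, rtype, data))
    return records


def decode(rtype, data):
    """Turn record data back into a Python value for the common types."""
    if rtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    return data


def unbacked_policies(observed, pol_bytes):
    """(key, value) pairs present under the registry's Policies keys for which
    the Registry.pol image holds no record, i.e. settings nobody manages."""
    backed = {(k.lower(), n.lower()) for k, n, _, _ in parse_registry_pol(pol_bytes)}
    return sorted(kv for kv in observed if (kv[0].lower(), kv[1].lower()) not in backed)


# Registry.pol keys carry no hive prefix; the Machine file maps onto HKLM.
SYSTEM_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Constructed: two of the page's values, assumed to be managed by a Registry.pol ...
MANAGED = [
    (SYSTEM_KEY, "EnableLUA", REG_DWORD, dword(1)),
    (SYSTEM_KEY, "ConsentPromptBehaviorAdmin", REG_DWORD, dword(5)),
]
# ... versus the values found in the registry (all four are in the page's dump).
OBSERVED = {
    (SYSTEM_KEY, "EnableLUA"): 1,
    (SYSTEM_KEY, "ConsentPromptBehaviorAdmin"): 5,
    (SYSTEM_KEY, "PromptOnSecureDesktop"): 1,
    (SYSTEM_KEY, "ValidateAdminCodeSignatures"): 0,
}

if __name__ == "__main__":
    image = build_registry_pol(MANAGED)
    for key, name, rtype, data in parse_registry_pol(image):
        print("%s\\%s = %r" % (key, name, decode(rtype, data)))
    print("not backed by Registry.pol:", unbacked_policies(OBSERVED, image))
```

On a real system the "observed" set would be read from the Policies keys (for example from a REGEDIT4 export of them) and the Registry.pol bytes from %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol; on the images described above that file does not exist, so every observed value ends up in the "not backed" list.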

Short 8.3 Filenames

Windows 2000 and all later versions

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
@="mnmsrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
@="mnmsrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
@="mnmsrvc"

Windows Embedded POSReady 2009

%windir%\temp\sso\ssoexec.dll

The system image \Setup\WIM\setup.wim on the Evaluation CD for Windows Embedded POSReady 2009 available in the Microsoft Download Center contains the following registry entries:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"
Note: the unusual placement of this (non-existent) DLL looks rather suspicious; it indicates that the computer from which the installation image was captured might have been compromised and infected with malware.

The directory %windir%\temp in the system image is empty; on systems installed from this image, as well as from the image of the sold product, the (inheritable) NTFS DACL D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;0x100026;;;BU)(A;OICIIO;FA;;;CO) of this directory allows unprivileged users to create both the subdirectory sso and the file ssoexec.dll therein, so that their arbitrary code runs under every (other) user account used to log on afterwards: a privilege escalation.
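To verify that reasoning from the DACL string alone, here is an SDDL decoder that lists the access-control entries, the rights each trustee actually gets on the directory itself, and whether a trustee may create files or subdirectories there. It is an added example in Python, not code from the original page; the right, flag and SID abbreviation tables are the standard SDDL ones from winnt.h and sddl.h, and the effective-rights computation is the usual allow-minus-deny simplification, not a full Windows access check.

```python
"""Decode an SDDL DACL string such as the one quoted above for %windir%\\temp
and report which trustees may create files or subdirectories in the directory.
Added example, not code from the original page."""
import re

# File/directory access-right bits (winnt.h); low bits double as directory
# rights, named after the slash.
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA/LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA/ADD_FILE",
    0x00000004: "FILE_APPEND_DATA/ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE/TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
ADD_FILE, ADD_SUBDIRECTORY = 0x2, 0x4

# Two-letter SDDL right strings and the masks they stand for.
SDDL_RIGHTS = {
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
CONTROL_FLAGS = {"AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
WELL_KNOWN_SIDS = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
                   "BU": "BUILTIN\\Users", "CO": "CREATOR OWNER", "WD": "Everyone",
                   "AU": "NT AUTHORITY\\Authenticated Users"}


def _pairs(text):
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def _mask(text):
    """Rights field: either a hex literal or a run of two-letter abbreviations."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for abbrev in _pairs(text):
        if abbrev not in SDDL_RIGHTS:
            raise ValueError("unsupported right %r" % abbrev)
        mask |= SDDL_RIGHTS[abbrev]
    return mask


def parse_dacl(sddl):
    """Return {'control': [...], 'aces': [...]} for the D: part of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL (D:) in SDDL string")
    body = sddl[start + 2:]
    if "S:" in body:                       # drop a trailing SACL
        body = body[:body.index("S:")]
    head, sep, rest = body.partition("(")
    control, i = [], 0
    while i < len(head):                   # 'P' = protected, then two-letter flags
        if head[i] == "P":
            control.append("PROTECTED"); i += 1
        elif head[i:i + 2] in CONTROL_FLAGS:
            control.append(CONTROL_FLAGS[head[i:i + 2]]); i += 2
        else:
            raise ValueError("unknown control flag in %r" % head)
    aces = []
    for text in re.findall(r"\(([^)]*)\)", sep + rest):
        fields = text.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE %r" % text)
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        aces.append({"type": ace_type, "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
                     "mask": _mask(rights), "sid": sid, "trustee": WELL_KNOWN_SIDS.get(sid, sid)})
    return {"control": control, "aces": aces}


def effective_mask(sddl, sid):
    """Rights the trustee gets on the object itself: allow ACEs minus deny ACEs,
    skipping inherit-only ACEs (they apply to children, not to this directory).
    Simplified per-bit evaluation; for a canonically ordered DACL it matches."""
    allow = deny = 0
    for ace in parse_dacl(sddl)["aces"]:
        if ace["sid"] != sid or "INHERIT_ONLY" in ace["flags"]:
            continue
        if ace["type"] == "A":
            allow |= ace["mask"]
        elif ace["type"] == "D":
            deny |= ace["mask"]
    return allow & ~deny


def rights_of(sddl, sid):
    mask = effective_mask(sddl, sid)
    return sorted(name for bit, name in FILE_RIGHTS.items() if mask & bit)


def can_create(sddl, sid):
    """True if the trustee may add files or subdirectories to the directory."""
    return bool(effective_mask(sddl, sid) & (ADD_FILE | ADD_SUBDIRECTORY))


# The DACL quoted on the page for %windir%\temp.
WINDIR_TEMP_DACL = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;0x100026;;;BU)(A;OICIIO;FA;;;CO)"

if __name__ == "__main__":
    for ace in parse_dacl(WINDIR_TEMP_DACL)["aces"]:
        print(ace["type"], ace["trustee"], ace["flags"], hex(ace["mask"]))
    print("BUILTIN\\Users:", rights_of(WINDIR_TEMP_DACL, "BU"), can_create(WINDIR_TEMP_DACL, "BU"))
```

The decoder shows why the escalation works: the BU entry grants BUILTIN\Users exactly traverse, add-file and add-subdirectory (0x100026), and because it carries CI it is inherited by the subdirectory sso as well, where the inherit-only CREATOR OWNER entry additionally gives whoever created sso full control; nothing in the DACL keeps an unprivileged user from placing ssoexec.dll there.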

More garbage

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\3Com\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Aureal\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\BCMDM\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Brother\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Digi\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Generic\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\GenericSoftModemUninstallInfo\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Logitech\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Lucent\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Neomagic\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\PCTEL\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\S3\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Specialix\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\TOSHIBA\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_0471\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\Vid_05A9\…]
[HKEY_LOCAL_MACHINE\SOFTWARE\VN_VUIns\…]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}]
@="GraphicsShellExt Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32]
@="C:\\WINDOWS\\system32\\igfxpph.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Display Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Gamma2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0161-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTGamma2.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Info2 Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0162-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTInfo2.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}]
@="S3Overlay Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0163-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTOvrlay.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}]
@="S3ConfigD3D Property Sheet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba87e880-5a57-11d3-bfcb-00aa0022f394}\InProcServer32]
@="S3Cfg3d.dll"
…

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\igfxcui]
@="{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Config3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Display]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Gamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Info2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\S3Overlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTConfig3D]
@="{ba87e880-5a57-11d3-bfcb-00aa0022f394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTDisplay]
@="{300b0160-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTGamma2]
@="{300b0161-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTInfo2]
@="{300b0162-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Display\ShellEx\PropertySheetHandlers\VTOverlay]
@="{300b0163-6129-11d7-8dc7-00d0b72c72f7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VModes"="VModes UpdateRegistryOnly"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"S3Trayp"="S3trayp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"TrackPointSrv"="tp4mon.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller]
"Start"=dword:00000002
"Type"=dword:00000110
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\atievxx.exe"
"ObjectName"="LocalSystem"
"Group"="Event log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AssetManagement]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\ccm_caltrack.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\LiveMeeting]
"TypesSupported"=dword:00000007
"EventMessageFile"=expand:"C:\\PROGRA~1\\MICROS~3\\LIVEME~1\\Console\\MUI\\0409\\UCCPRES.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SmsClient]
"EventMessageFile"=expand:"C:\\WINDOWS\\system32\\CCM\\climsgs.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"Type"=dword:00000010
"ErrorControl"=dword:00000001
"ImagePath"=expand:"system32\\pctspk.exe"
"DisplayName"="PCTEL Speaker Phone"
Note: the unqualified and unquoted filenames used in this cruft (such as VTtrayp.exe, VTTimer.exe, S3trayp.exe and tp4mon.exe in the Run key, or VTDisply.dll as in-process server) are nice targets for binary planting attacks!
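A defender can find such entries mechanically. The following scanner, an added example in Python rather than code from the original page, parses a REGEDIT4 export and reports auto-start program paths that are bare filenames, relative, or unquoted while containing spaces; the embedded sample export is a constructed excerpt whose values are copied from the dump above, and the expand:"..." notation is accepted only because the page's dumps use it (regedit itself writes REG_EXPAND_SZ as hex(2):...).

```python
"""Scan a REGEDIT4 export for auto-start entries whose program is named by a
bare, relative or unquoted filename, i.e. one the loader resolves by search
rather than by a fully qualified path.  Added example, not code from the page."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%)")

# Locations whose string values are program paths: (key pattern, value name or
# None for "every value in the key"); "" is the default value written as @.
AUTOSTART_LOCATIONS = (
    (re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), None),
    (re.compile(r"\\InProcServer32$", re.I), ""),
    (re.compile(r"\\Services\\[^\\]+$", re.I), "ImagePath"),
)


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)     # \\ -> \ and \" -> "


def parse_reg(text):
    """Return {key: {value_name: (type, data)}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if data.startswith('expand:"') and data.endswith('"'):   # page's notation
            keys[current][name] = ("REG_EXPAND_SZ", _unescape(data[8:-1]))
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            keys[current][name] = ("RAW", data)
    return keys


def executable_of(command):
    """Return (program token, quoted) as CreateProcess would take it."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), True
    return command.split(" ", 1)[0], False


def classify(command):
    exe, quoted = executable_of(command)
    if "\\" not in exe and not ABSOLUTE_RE.match(exe):
        return "bare filename"                     # found via search path / loader order
    if not ABSOLUTE_RE.match(exe):
        return "relative path"                     # resolved against some base directory
    if not quoted and " " in command and "." not in exe.rsplit("\\", 1)[-1]:
        return "unquoted path containing spaces"   # C:\Program.exe would be tried first
    return "ok"


def find_planting_targets(text):
    findings = []
    for key, values in parse_reg(text).items():
        for pattern, wanted in AUTOSTART_LOCATIONS:
            if not pattern.search(key):
                continue
            for name, (kind, data) in values.items():
                if wanted is not None and name != wanted:
                    continue
                if kind not in ("REG_SZ", "REG_EXPAND_SZ"):
                    continue
                problem = classify(data)
                if problem != "ok":
                    findings.append({"key": key, "value": name, "command": data, "problem": problem})
    return findings


# Constructed excerpt; the values are copied from the page's dump.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{300b0160-6129-11d7-8dc7-00d0b72c72f7}\InProcServer32]
@="VTDisply.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32]
@="C:\\WINDOWS\\system32\\igfxpph.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe"
"TrackPointSrv"="tp4mon.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"USBC"="C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\drivers\\netusbc.vbs"
"XeroxScannerDaemon"="C:\\Program Files\\Xerox\\NWWia\\XrxFTPLt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pctspk]
"Start"=dword:00000002
"ImagePath"=expand:"system32\\pctspk.exe"
'''

if __name__ == "__main__":
    for f in find_planting_targets(SAMPLE_REG):
        print("%-32s %-20s %s" % (f["problem"], f["value"] or "@", f["command"]))
```

Run it against a REGEDIT4 export of the HKLM hive taken from a freshly installed system (regedit /e writes one) to see which auto-start entries an image carries that point nowhere definite; the first two categories are the ones the note above calls unqualified, the third is the classic unquoted path with spaces.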

Needless to say: none of the (executable) files referenced in this junk is present in the system image, and the device drivers whose registry subkeys were created below the various keys [HKEY_LOCAL_MACHINE\SOFTWARE\‹vendor name›] are missing too.

Whoever built this system image most obviously did not start from a clean environment, but installed superfluous components like the LiveMeeting Console and the System Center Configuration Management Client, used unsuitable tools to integrate 3rd-party drivers, and used equally unsuitable tools to prepare it for deployment.

Is this trustworthy computing?
Proper software engineering?
Due diligence?
And what about quality assurance?

It rather looks like a pretty good job of Microsoft’s miserability assurance!
Or just total incompetence.

Windows 7 and all later versions

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE CompList]
"IE40.Comctl32"=""
"IE40.UserAgent"=""
"IE.HKCUZoneInfo"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE UserData NT\\IE UserData NT.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE UserData NT"
"InstallINFFile"="C:\\Windows\\System32\\ieuinit.inf"
"InstallINFSection"="DefaultInstall.Windows7"
"BackupRegistry"="y"
"ComponentVersion"="6.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo\\IE.HKCUZoneInfo.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo"
"InstallINFFile"="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\RGI‹abcd›.tmp"
"InstallINFSection"="Backup.HKCU"
"BackupRegistry"="y"
"ComponentVersion"="6.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE40.UserAgent\\IE40.UserAgent.DAT"
"BackupFileSize"=dword:00000000
"BackupPath"="C:\\Program Files\\Uninstall Information\\IE40.UserAgent"
"InstallINFFile"="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\RGI‹abcd›.tmp"
"InstallINFSection"="BackupUserAgent"
"BackupRegistry"="y"
"ComponentVersion"="6.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0]
"e1be3f182420a0a0"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,2c,00,00,00
"57fd7ae31ab34c2c"=hex:2c,00,53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,2c,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map]
"e1be3f182420a0a0"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"
"57fd7ae31ab34c2c"=",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0]
"ef29a4ec885fa451"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,2c,00,00,00
"2ba02e083fadee33"=hex:2c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,2c,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map]
"ef29a4ec885fa451"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"
"2ba02e083fadee33"=",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
Note: neither any subdirectory below C:\Program Files\Uninstall Information\ nor the directory C:\Users\ADMINI~1\ alias C:\Users\Administrator\ is present in the system images shipped by Microsoft! ...

Note: these registry entries are overwritten when a member of the BUILTIN\Administrators user group whose account is not controlled by UAC logs on for the first time.

Windows 10

%SystemRoot%\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-‹digits›-‹digits›-‹digits›-500

WHOAMI.EXE /USER
DIR "%SystemRoot%\System32\Tasks\OneDrive*"
TYPE "%SystemRoot%\System32\Tasks\OneDrive*"

USER INFORMATION
----------------

User Name       SID
=============== ===========================================
AMNESIAC\Stefan S-1-5-21-820728443-44925810-1835867902-1000

 Volume in drive C has no label.
 Volume Serial Number is 1957-0427

 Directory of C:\Windows\System32\Tasks

11/19/2020   0:58 AM             3,392 OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500
01/08/2021   1:23 PM             2,846 OneDrive Standalone Update Task-S-1-5-21-820728443-44925810-1835867902-1000
               2 File(s)          6,238 bytes
               0 Dir(s)   9,876,543,210 bytes free

C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500


<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\OneDrive Standalone Update Task-S-1-5-21-506450434-4066129981-3206064658-500</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>1992-05-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <Repetition>
        <Interval>P1D</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <RandomDelay>PT4H</RandomDelay>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P1D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>
      <Arguments />
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>WIN-5MFJT3L56DB\Administrator</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-820728443-44925810-1835867902-1000


<?xml version="1.0" encoding="UTF-16"?>
[…]
  <Principals>
    <Principal id="Author">
      <UserId>AMNESIAC\Stefan</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>

Copyright © 1995–2022 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>