Valid HTML 4.01 Transitional Valid CSS Valid SVG 1.0

Me, myself & IT

Tidbits – Tiny Console Applications plus some Scripts

Click the appropriate button to select and display your tidbit, or the last (empty) button to reset your selection and hide the tidbit.

All console applications are presented with their (self-contained) ANSI C source code and build without the MSVCRT runtime library.

Group Policy Scripts Client Registration

Privileged Process Launcher Interactive SYSTEM Process Launcher Privilege Twiddler

Really Known SIDs Enumerator Security Descriptor Definition Language Decoder

Security Descriptor Inspector 8.3 File and Directory Name Changer Directory Change Notifier

Debug String Monitor Non-interactive Symbolic Debugger Shim Database Decoder

Registry Policy Reader Registry INF Dumper Offline Registry Reader

Portable Executable Version Information Reader Portable Executable Resource Enumerator

Portable Executable Metadata Reader Product Key Validator

UU Encoder Base64 Encoder

MSVC Helper Library  • 

Privileged Process Launcher

Purpose
Background Information
Demonstration

Purpose

Launch an arbitrary process with arbitrary command line, customised environment variables and arbitrary privileges enabled in an arbitrary working directory.

Note: only privileges already assigned to a user account can be enabled!

Background Information

The TechNet articles User Rights and Configuring User Rights as well as the MSDN article Privileges provide background information.

Demonstration

Perform the following 2 simple steps to launch the Command Processor Cmd.exe with the privileges SeAuditPrivilege, SeBackupPrivilege, SeDebugPrivilege, SeRestorePrivilege, SeSecurityPrivilege and SeTakeOwnershipPrivilege enabled in the directory C:\System Volume Information\ and list its contents.

  1. Create the text file PROCESS.VBS with the following content in an arbitrary directory: 

    Rem Copyright © 1999-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

Rem * The software is provided "as is" without any warranty, neither express
Rem   nor implied.
Rem * In no event will the author be held liable for any damage(s) arising
Rem   from the use of the software.
Rem * Redistribution of the software is allowed only in unmodified form.
Rem * Permission is granted to use the software solely for personal private
Rem   and non-commercial purposes.
Rem * An individuals use of the software in his or her capacity or function
Rem   as an agent, (independent) contractor, employee, member or officer of
Rem   a business, corporation or organization (commercial or non-commercial)
Rem   does not qualify as personal private and non-commercial purpose.
Rem * Without written approval from the author the software must not be used
Rem   for a business, for commercial, corporate, governmental, military or
Rem   organizational purposes of any kind, or in a commercial, corporate,
Rem   governmental, military or organizational environment of any kind.

Option Explicit

Const strCommandLine = "C:\Windows\System32\Cmd.exe /D /K DIR /A"
Const strCurrentDirectory = "C:\System Volume Information"

Dim arrEnvironment(10)
arrEnvironment(0) = "NoDefaultCurrentDirectoryInExePath=*"

With WScript.CreateObject("Scripting.FileSystemObject")
	Const fsoWindowsFolder   = 0
	Const fsoSystemFolder    = 1
	Const fsoTemporaryFolder = 2

	arrEnvironment(1) = "SYSTEMDRIVE=" & .GetSpecialFolder(fsoWindowsFolder).Drive
	arrEnvironment(2) = "SYSTEMROOT=" & .GetSpecialFolder(fsoWindowsFolder).Path
	arrEnvironment(3) = "PATH=" & .GetSpecialFolder(fsoSystemFolder).Path & ";" & .GetSpecialFolder(fsoWindowsFolder).Path
	arrEnvironment(4) = "TEMP=" & .GetSpecialFolder(fsoTemporaryFolder).Path
	arrEnvironment(5) = "LOCALAPPDATA=" & .GetSpecialFolder(fsoTemporaryFolder).ParentFolder.Path
	arrEnvironment(6) = "USERPROFILE=" & .GetSpecialFolder(fsoTemporaryFolder).ParentFolder.ParentFolder.ParentFolder.Path
End With

With WScript.CreateObject("WScript.Network")
	arrEnvironment(7) = "COMPUTERNAME=" & .ComputerName
	arrEnvironment(8) = "USERDOMAIN=" & .UserDomain
	arrEnvironment(9) = "USERNAME=" & .UserName
End With

With GetObject("WinMgmts:{impersonationLevel=Impersonate, (Audit, Backup, Debug, Restore, Security, TakeOwnership)}!\\.\Root\CIMv2")
	Dim objProcessStartup
	Set objProcessStartup = .Get("Win32_ProcessStartup").SpawnInstance_
	With objProcessStartup
	'	.CreateFlags = 8	' Detached_Process
		.EnvironmentVariables = arrEnvironment
		.ErrorMode = 2		' Fail_Critical_Errors
		.FillAttribute = 240	' Black on White
		.PriorityClass = 32	' Normal
		.ShowWindow = 1		' SW_NORMAL
		.Title = vbNullString
		.WinstationDesktop = vbNullString
	'	.X = 0
		.XCountChars = 80
	'	.XSize = 640
	'	.Y = 240
		.YCountChars = 50
	'	.YSize = 480
	End With

	Dim intReturn, intProcessID
	intReturn = .Get("Win32_Process").Create(strCommandLine, strCurrentDirectory, objProcessStartup, intProcessID)
	If intReturn <> 0 Then
		WScript.Echo "Error " & intReturn
	Else
		WScript.Echo "Process " & intProcessID & " created"
	End If
End With

  2. Execute the VBScript PROCESS.VBS created in step 1. per double-click.

    Note: PROCESS.VBS must be run under a user account which has the privileges to enable assigned, typically any member of the BUILTIN\Administrators user group!

Group Policy Scripts

Purpose
Operation

Purpose

Add startup, shutdown, logon and logoff scripts (really: arbitrary command lines, which are executed during shutdown, startup, logoff and logon) programmatically, without a Group Policy, using just what’s already installed with Windows®.

Note: startup and shutdown scripts run under the NT AUTHORITY\SYSTEM alias LocalSystem account; logon and logoff scripts run under the current user account.

Operation

Download the setup script SCRIPTS.INF and save it in an arbitrary directory, then right-click the downloaded file to display its context menu and click Install to run it.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges and access rights.

Client Registration

Purpose
Background Information
Operation

Purpose

Demonstrate how to add an additional WWW browser, an additional USENET news reader, an additional mail client and an additional calendar with all bells and whistles so that Windows 2000 and newer versions of Windows NT recognise them as fully functional client programs which can be selected by every user as the default program for their associated file types and URL protocols.

Background Information

The MSDN article Default Programs provides background information.

Operation

Download the setup script CLIENTS.INF and save it in an arbitrary directory, then right-click the downloaded file to display its context menu and click Install to run it.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Shim Database Decoder

Purpose
Synopsis
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Decode an Application Compatibility Shim Database (.sdb) file and print its contents in UTF-16LE encoding on standard output (which must be redirected to a file or piped into an application that reads from standard input, like Clip, Find or More).

Synopsis

APPHELP.COM ‹input file name› >‹output file name›
APPHELP.COM ‹input file name› | MORE.COM

Downloads

The console application is available in two functional identical forms: APPHELP.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and APPHELP.COM, a small form without these extras.

Implementation and Build Details

Shim Database Decoder is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 3 simple steps to build the console application Shim Database Decoder from the source presented hereafter.

  1. Create the text file APPHELP.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#ifndef _DLL
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

typedef	enum	_PATH_TYPE
{
	DOS_PATH,
	NT_PATH
} PATH_TYPE;

#define PATCH_STOP	0UL
#define PATCH_REPLACE	2UL
#define PATCH_MATCH	4UL

typedef	struct	_PATCH_ACTION
{
	DWORD	Opcode;
	DWORD	ActionSize;		// size of structure
	DWORD	PatternSize;
	DWORD	RVA;
	DWORD	Reserved;
	WCHAR	ModuleName[32];
	BYTE	Pattern[ANYSIZE_ARRAY];
} PATCH_ACTION, *LPPATCH_ACTION;

typedef	LPVOID	PDB;

typedef	ULONGLONG	QWORD;

typedef WORD	TAG;

#define TAG_TYPE_NULL		0x1000	// no value associated with the TAG
#define TAG_TYPE_BYTE		0x2000	// BYTE value
#define TAG_TYPE_WORD		0x3000	// WORD value
#define TAG_TYPE_DWORD		0x4000	// DWORD value
#define TAG_TYPE_QWORD		0x5000	// ULONGLONG value
#define TAG_TYPE_STRINGREF	0x6000	// tokenized string value
#define TAG_TYPE_LIST		0x7000	// list of TAG values
#define TAG_TYPE_STRING		0x8000	// UNICODE string value
#define TAG_TYPE_BINARY		0x9000	// binary value
#define TAG_TYPE_MASK		0xF000

#define TAG_LINK_DATE			(TAG_TYPE_DWORD | 0x001D)	// link date attribute of a file
#define TAG_UPTO_LINK_DATE		(TAG_TYPE_DWORD | 0x001E)	// link date attribute of a file; matching is done up to and including this link date
#define TAG_APP_NAME_RC_ID		(TAG_TYPE_DWORD | 0x0024)	// application name resource identifier attribute for AppHelp entries
#define TAG_VENDOR_NAME_RC_ID		(TAG_TYPE_DWORD | 0x0025)	// vendor name resource identifier attribute for AppHelp entries
#define TAG_SUMMARY_MSG_RC_ID		(TAG_TYPE_DWORD | 0x0026)	// summary message resource identifier attribute for AppHelp entries
#define TAG_DESCRIPTION_RC_ID		(TAG_TYPE_DWORD | 0x0028)	// description resource identifier attribute for AppHelp entries
#define TAG_PARAMETER1_RC_ID		(TAG_TYPE_DWORD | 0x0029)	// parameter1 resource identifier attribute for AppHelp entries

#define TAG_TIME			(TAG_TYPE_QWORD | 0x0001)	// time attribute
#define TAG_BIN_FILE_VERSION		(TAG_TYPE_QWORD | 0x0002)	// bin file version attribute for file entries
#define TAG_BIN_PRODUCT_VERSION		(TAG_TYPE_QWORD | 0x0003)	// bin product version attribute for file entries
#define TAG_UPTO_BIN_PRODUCT_VERSION	(TAG_TYPE_QWORD | 0x0006)	// bin product version attribute of a file; matching is done up to and including this product version
#define TAG_UPTO_BIN_FILE_VERSION	(TAG_TYPE_QWORD | 0x000D)	// bin file version attribute of a file; matching is done up to and including this file version

#define TAG_PATCH_BITS			(TAG_TYPE_BINARY | 0x0002)	// patch file bits attribute
#define TAG_EXE_ID			(TAG_TYPE_BINARY | 0x0004)	// GUID attribute of an executable entry
#define TAG_MSI_PACKAGE_ID		(TAG_TYPE_BINARY | 0x0006)	// MSI package identifier attribute of an MSI package
#define TAG_DATABASE_ID			(TAG_TYPE_BINARY | 0x0007)	// GUID attribute of a database
#define TAG_CONTEXT_PLATFORM_ID		(TAG_TYPE_BINARY | 0x0008)
#define TAG_CONTEXT_BRANCH_ID		(TAG_TYPE_BINARY | 0x0009)
#define TAG_FIX_ID			(TAG_TYPE_BINARY | 0x0010)
#define TAG_APP_ID			(TAG_TYPE_BINARY | 0x0011)

typedef DWORD	TAGID;

#define TAGID_NULL	0UL
#define TAGID_ROOT	0UL

__declspec(dllimport)
VOID	WINAPI	SdbCloseDatabase(PDB lpdb);

__declspec(dllimport)
LPVOID	WINAPI	SdbGetBinaryTagData(PDB   lpdb,
		                    TAGID tiWhich);

__declspec(dllimport)
BOOL	WINAPI	SdbGetDatabaseVersion(LPCWSTR lpwszFileName,
		                      LPDWORD dwMajorversion,
		                      LPDWORD dwMinorversion);

__declspec(dllimport)
TAGID	WINAPI	SdbGetFirstChild(PDB   lpdb,
		                 TAGID tiParent);

__declspec(dllimport)
TAGID	WINAPI	SdbGetNextChild(PDB   lpdb,
		                TAGID tiParent,
		                TAGID tiPrevious);

__declspec(dllimport)
LPWSTR	WINAPI	SdbGetStringTagPtr(PDB   lpdb,
		                   TAGID tiWhich);

__declspec(dllimport)
DWORD	WINAPI	SdbGetTagDataSize(PDB   lpdb,
		                  TAGID tiWhich);

__declspec(dllimport)
TAG	WINAPI	SdbGetTagFromTagID(PDB   lpdb,
		                   TAGID tiWhich);

__declspec(dllimport)
BOOL	WINAPI	SdbGUIDToString(GUID   *lpGuid,
		                LPWSTR lpwszGuidString);

__declspec(dllimport)
PDB	WINAPI	SdbOpenDatabase(LPCWSTR   lpwszPath,
		                PATH_TYPE eType);

__declspec(dllimport)
DWORD	WINAPI	SdbReadDWORDTag(PDB   lpdb,
		                TAGID tiWhich,
		                DWORD dwDefault);

__declspec(dllimport)
QWORD	WINAPI	SdbReadQWORDTag(PDB   lpdb,
		                TAGID tiWhich,
		                QWORD qwDefault);

__declspec(dllimport)
WORD	WINAPI	SdbReadWORDTag(PDB   lpdb,
		               TAGID tiWhich,
		               WORD  wDefault);

__declspec(dllimport)
LPCWSTR	WINAPI	SdbTagToString(TAG tag);

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(safebuffers)
BOOL	PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	LPBYTE	lpOutput;
	DWORD	dwOutput;
	DWORD	dwFile;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	dwOutput *= sizeof(*szOutput);
	lpOutput = (LPBYTE) szOutput;

	do
	{
		if (!WriteFile(hFile, lpOutput, dwOutput, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpOutput += dwFile;
		dwOutput -= dwFile;
	} while (dwOutput > 0);

	return TRUE;
}

#define PrintString(HANDLE, LITERAL)	PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)

__inline
BOOL	WINAPI	PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
	DWORD	dwFile;

	dwString *= sizeof(*lpString);

	do
	{
		if (!WriteFile(hFile, lpString, dwString, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpString = (LPCWSTR) ((LPBYTE) lpString + dwFile);
		dwString -= dwFile;
	} while (dwString > 0);

	return TRUE;
}

const	LPCWSTR	szDayOfWeek[7] = {L"Sunday",
		                  L"Monday",
		                  L"Tuesday",
		                  L"Wednesday",
		                  L"Thursday",
		                  L"Friday",
		                  L"Saturday"};

__declspec(safebuffers)
VOID	WINAPI	Children(HANDLE hConsole, HANDLE hOutput, PDB lpdb, TAGID tiParent, DWORD dwLevel)
{
	SYSTEMTIME	st;
	PATCH_ACTION	*lpPatch;

	BOOL	bOutput = TRUE;
	DWORD	dw;
	LPBYTE	lpData;
	WORD	wData;
	DWORD	dwData;
	QWORD	qwData;
	WCHAR	szGUID[sizeof("{00000000-0000-0000-0000-000000000000}")];
	TAG	tChild;
	TAGID	tiChild = SdbGetFirstChild(lpdb, tiParent);

	while (tiChild != TAGID_NULL)
	{
		tChild = SdbGetTagFromTagID(lpdb, tiChild);

		bOutput &= PrintFormat(hOutput,
		                       L"0x%08lX%ls0x%04hX = %ls",
		                       tiChild,
		                       L"\t\t\t\t\t\t\t\t\t\t" + 9 - dwLevel,
		                       tChild,
		                       SdbTagToString(tChild));

		switch (tChild & TAG_TYPE_MASK)
		{
		case TAG_TYPE_NULL:

			bOutput &= PrintString(hOutput, L"\r\n");

			break;

		case TAG_TYPE_WORD:

			wData = SdbReadWORDTag(lpdb, tiChild, ~0U);

			if (wData == ~0U)
				bOutput &= PrintString(hOutput, L"\r\n");
			else
				bOutput &= PrintFormat(hOutput, L": 0x%04hX\r\n", wData);
			break;

		case TAG_TYPE_DWORD:

			dwData = SdbReadDWORDTag(lpdb, tiChild, ~0UL);

			if (dwData == ~0UL)
				bOutput &= PrintString(hOutput, L"\r\n");
			else
				if ((tChild == TAG_LINK_DATE)
				 || (tChild == TAG_UPTO_LINK_DATE))
				{
					qwData = __emulu(dwData, 10000000)	// seconds since 1970-01-01 to
					       + 116444736000000000;		//  100 nano-seconds since 1601-01-01

					if (!FileTimeToSystemTime((LPFILETIME) &qwData, &st))
						PrintConsole(hConsole,
						             L"FileTimeToSystemTime() returned error %lu\n",
						             GetLastError());
					else
						bOutput &= PrintFormat(hOutput,
						                       L": %ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu UTC\r\n",
						                       szDayOfWeek[st.wDayOfWeek],
						                       st.wYear, st.wMonth, st.wDay, st.wHour,
						                       st.wMinute, st.wSecond, st.wMilliseconds);
				}
#if 0	// NOTE: Windows Vista or newer!
				else if ((tChild == TAG_APP_NAME_RC_ID)
				      || (tChild == TAG_VENDOR_NAME_RC_ID)
				      || (tChild == TAG_SUMMARY_MSG_RC_ID)
				      || (tChild == TAG_DESCRIPTION_RC_ID)
				      || (tChild == TAG_PARAMETER1_RC_ID))
					bOutput &= PrintFormat(hOutput, L": 0x%08lX\r\n", dwData);
#endif
				else
					bOutput &= PrintFormat(hOutput, L": 0x%08lX\r\n", dwData);
			break;

		case TAG_TYPE_QWORD:

			qwData = SdbReadQWORDTag(lpdb, tiChild, ~0ULL);

			if (qwData == ~0ULL)
				bOutput &= PrintString(hOutput, L"\r\n");
			else
				if ((tChild == TAG_BIN_FILE_VERSION)
				 || (tChild == TAG_BIN_PRODUCT_VERSION)
				 || (tChild == TAG_UPTO_BIN_PRODUCT_VERSION)
				 || (tChild == TAG_UPTO_BIN_FILE_VERSION))
					bOutput &= PrintFormat(hOutput,
					                       L": %hu.%hu.%hu.%hu\r\n",
					                       (WORD) (qwData >> 48), (WORD) (qwData >> 32), (WORD) (qwData >> 16), (WORD) qwData);
				else if (tChild != TAG_TIME)
					bOutput &= PrintFormat(hOutput, L": 0x%016I64X\r\n", qwData);
				else
					if (!FileTimeToSystemTime((LPFILETIME) &qwData, &st))
						PrintConsole(hConsole,
						             L"FileTimeToSystemTime() returned error %lu\n",
						             GetLastError());
					else
						bOutput &= PrintFormat(hOutput,
						                       L": %ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu UTC\r\n",
						                       szDayOfWeek[st.wDayOfWeek],
						                       st.wYear, st.wMonth, st.wDay, st.wHour,
						                       st.wMinute, st.wSecond, st.wMilliseconds);
			break;

		case TAG_TYPE_STRING:
		case TAG_TYPE_STRINGREF:

			bOutput &= PrintFormat(hOutput,
			                       L": %ls\r\n",
			                       SdbGetStringTagPtr(lpdb, tiChild));
			break;

		case TAG_TYPE_BYTE:
		case TAG_TYPE_BINARY:

			lpData = SdbGetBinaryTagData(lpdb, tiChild);
			dwData = SdbGetTagDataSize(lpdb, tiChild);

			if ((dwData == sizeof(GUID))
			 && ((tChild == TAG_EXE_ID)
			  || (tChild == TAG_MSI_PACKAGE_ID)
			  || (tChild == TAG_DATABASE_ID)
			  || (tChild == TAG_CONTEXT_PLATFORM_ID)
			  || (tChild == TAG_CONTEXT_BRANCH_ID)
			  || (tChild == TAG_FIX_ID)
			  || (tChild == TAG_APP_ID)))
				if (!SdbGUIDToString((LPGUID) lpData, szGUID))
					PrintConsole(hConsole,
					             L"SdbGUIDToString() returned FALSE!\n");
				else
					bOutput &= PrintFormat(hOutput, L": %ls\r\n", szGUID);
			else if (tChild == TAG_PATCH_BITS)
			{
				bOutput &= PrintString(hOutput, L":\r\n");

				while (dwData > 0)
				{
					lpPatch = (LPPATCH_ACTION) lpData;

					if ((lpPatch->Opcode == PATCH_STOP)
					 && (lpPatch->ActionSize == 0))
						break;

					dwData -= lpPatch->ActionSize;
					lpData += lpPatch->ActionSize;

					if ((lpPatch->Opcode != PATCH_REPLACE)
					 && (lpPatch->Opcode != PATCH_MATCH))
						continue;

					bOutput &= PrintFormat(hOutput,
					                       L"%ls Action  = %lu (%ls)\r\n"
					                       L"%ls Module  = %.32ls\r\n"
					                       L"%ls RVA     = 0x%08lX\r\n"
					                       L"%ls Length  = %lu\r\n"
					                       L"%ls Pattern = 0x",
					                       L"\t\t\t\t\t\t\t\t\t\t" + 7 - dwLevel,
					                       lpPatch->Opcode,
					                       lpPatch->Opcode == PATCH_MATCH ? L"MATCH" : L"REPLACE",
					                       L"\t\t\t\t\t\t\t\t\t\t" + 7 - dwLevel,
					                       lpPatch->ModuleName,
					                       L"\t\t\t\t\t\t\t\t\t\t" + 7 - dwLevel,
					                       lpPatch->RVA,
					                       L"\t\t\t\t\t\t\t\t\t\t" + 7 - dwLevel,
					                       lpPatch->PatternSize,
					                       L"\t\t\t\t\t\t\t\t\t\t" + 7 - dwLevel);

					for (dw = 0; dw < lpPatch->PatternSize; dw++)
						bOutput &= PrintFormat(hOutput, L"%02X", lpPatch->Pattern[dw]);

					bOutput &= PrintFormat(hOutput,
					                       L"\r\n"
					                       L"%ls Unknown = 0x%08lX\r\n",
					                       L"\t\t\t\t\t\t\t\t\t\t" + 7 - dwLevel,
					                       lpPatch->Reserved);
				}
#if 0
				if (dwData != 8)
					PrintConsole(hConsole,
					             L"Sequence of \'PATCH_ACTION\' structures not properly terminated!\n");
#endif
			}
			else
			{
				if (dwData > 0)
					bOutput &= PrintString(hOutput, L": 0x");

				for (dw = 0; dw < dwData; dw++)
					bOutput &= PrintFormat(hOutput, L"%02X", lpData[dw]);

				bOutput &= PrintString(hOutput, L"\r\n");
			}

			break;

		case TAG_TYPE_LIST:

			bOutput &= PrintString(hOutput, L"\r\n");

			Children(hConsole, hOutput, lpdb, tiChild, dwLevel + 1);

			break;

		default:
			bOutput &= PrintString(hOutput, L"\r\n");

			PrintConsole(hConsole,
			             L"Undefined TAG_TYPE 0x%04hX for TAGID 0x%08lX\n",
			             tChild, tiChild);
		}

		tiChild = SdbGetNextChild(lpdb, tiParent, tiChild);
	}

	if (!bOutput)
		PrintConsole(hConsole,
		             L"WriteFile() returned error %lu for level %lu\n",
		             GetLastError(), dwLevel);
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	PDB	lpdb;
	LPWSTR	*lpArguments;
	INT	nArguments;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	DWORD	dwMajor, dwMinor;
	HANDLE	hOutput;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
			if (nArguments != 2)
				PrintConsole(hConsole,
				             L"Bad arguments: a single file or path name of a shim database must be given!\n");
			else
			{
				hOutput = GetStdHandle(STD_OUTPUT_HANDLE);

				if (hOutput == INVALID_HANDLE_VALUE)
					PrintConsole(hConsole,
					             L"GetStdHandle() returned error %lu\n",
					             dwError = GetLastError());
				else
				{
					if (!FlushFileBuffers(hOutput))
						PrintConsole(hConsole,
						             L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
						             dwError = GetLastError());
					else
					{
						dwError = ERROR_SUCCESS;

						if (SdbGetDatabaseVersion(lpArguments[1], &dwMajor, &dwMinor))
							PrintConsole(hConsole,
							             L"Shim database version: %lu.%lu\n",
							             dwMajor, dwMinor);

						lpdb = SdbOpenDatabase(lpArguments[1], DOS_PATH);

						if (lpdb == NULL)
							PrintConsole(hConsole,
							             L"SdbOpenDatabase() returned NULL for file \'%ls\'\n",
							             lpArguments[1]);
						else
						{
							if (!PrintFormat(hOutput,
							                 L"\xFEFF"	// UTF-16LE BOM
							                 L"Shim database file:\t%ls\r\n"
							                 L"Shim database version:\t%lu.%lu\r\n"
							                 L"\r\n"
							                 L"TAGID\t\tTAG    = TAGSTRING: TAGVALUE\r\n"
							                 L"\r\n",
							                 lpArguments[1],
							                 dwMajor, dwMinor))
								PrintConsole(hConsole,
								             L"WriteFile() returned error %lu\n",
								             dwError = GetLastError());

							Children(hConsole, hOutput, lpdb, TAGID_ROOT, 0);

							SdbCloseDatabase(lpdb);
						}
					}

					if (!CloseHandle(hOutput))
						PrintConsole(hConsole,
						             L"CloseHandle() returned error %lu\n",
						             GetLastError());
				}
			}

			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}
#else // _DLL
__declspec(dllexport)
long	SdbCloseDatabase(void *_1)
{ return 0; }

__declspec(dllexport)
long	SdbGetBinaryTagData(void *_1, long _2)
{ return 0; }

__declspec(dllexport)
long	SdbGetDatabaseVersion(void *_1, void *_2, void *_3)
{ return 0; }

__declspec(dllexport)
long	SdbGetFirstChild(void *_1, long _2)
{ return 0; }

__declspec(dllexport)
long	SdbGetNextChild(void *_1, long _2, long _3)
{ return 0; }

__declspec(dllexport)
long	SdbGetStringTagPtr(void *_1, long _2)
{ return 0; }

__declspec(dllexport)
long	SdbGetTagDataSize(void *_1, long _2)
{ return 0; }

__declspec(dllexport)
long	SdbGetTagFromTagID(void *_1, long _2)
{ return 0; }

__declspec(dllexport)
long	SdbGUIDToString(void *_1, void *_2)
{ return 0; }

__declspec(dllexport)
long	SdbOpenDatabase(void *_1, long _2)
{ return 0; }

__declspec(dllexport)
long	SdbReadDWORDTag(void *_1, long _2, long _3)
{ return 0; }

__declspec(dllexport)
long	SdbReadQWORDTag(void *_1, long _2, long long _3)
{ return 0; }

__declspec(dllexport)
long	SdbReadWORDTag(void *_1, long _2, short _3)
{ return 0; }

__declspec(dllexport)
long	SdbTagToString(short _1)
{ return 0; }
#endif // _DLL

  2. Run the following four command lines to compile the source file APPHELP.C created in step 1. a first time, generate the import library APPHELP.LIB from the compiled object file APPHELP.OBJ and cleanup afterwards: 

    SET CL=/Gz /LD /MD /W4 /wd4100 /X /Zl
SET LINK=/EXPORT:SdbCloseDatabase /EXPORT:SdbGetBinaryTagData /EXPORT:SdbGetDatabaseVersion /EXPORT:SdbGetFirstChild /EXPORT:SdbGetNextChild /EXPORT:SdbGetStringTagPtr /EXPORT:SdbGetTagDataSize /EXPORT:SdbGetTagFromTagID /EXPORT:SdbGUIDToString /EXPORT:SdbOpenDatabase /EXPORT:SdbReadDWORDTag /EXPORT:SdbReadQWORDTag /EXPORT:SdbReadWORDTag /EXPORT:SdbTagToString /NODEFAULTLIB /NOENTRY
CL.EXE APPHELP.C
ERASE APPHELP.DLL APPHELP.EXP APPHELP.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

APPHELP.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…
   Creating library APPHELP.lib and object APPHELP.exp

  3. Run the following four command lines to compile the source file APPHELP.C created in step 1. a second time, link the compiled object file APPHELP.OBJ with the import library APPHELP.LIB generated in step 2. and cleanup afterwards: 

    SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:APPHELP.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeAPPHELP.COM APPHELP.C
ERASE APPHELP.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

APPHELP.C
APPHELP.C(222) : warning C4213: nonstandard extension used : cast on l-value
APPHELP.C(274) : warning C4310: cast truncates constant value

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Non-interactive Symbolic Debugger

Purpose
Synopsis
Demonstration
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Execute another Win32 application as debuggee and log all Debugging Events encountered during its run.

Synopsis

DEBUGGER.COM [ ‹debuggee› ] ‹quoted command line›
Note: the optional first argument is the absolute or relative path name of the debuggee; when omitted, the first token of the then first and only argument, a properly quoted command line, is used as file name of the debuggee and searched in the PATH.

Demonstration

Execute the Command Processor Cmd.exe as debuggee and use a 24 (in words: twenty-four) year old bug to let it crash with an unhandled integer overflow exception raised from the division ~2147483647 ÷ ~0 = −2147483648 ÷ −1 = 2147483648: 
VER
.\DEBUGGER.COM "%COMSPEC%" "CMD /E:ON /D /C SET /A ~2147483647 % ~0"
Microsoft Windows [Version 10.0.19044.2486]

Command line:     'CMD /E:ON /D /C SET /A ~2147483647 % ~0'
Application name: 'C:\Windows\system32\cmd.exe'
Application type: 0 = 32-bit Windows

DbgHelp API:
	Version  = 4.0
	Revision = 5
	Reserved = 0

Debuggee process loaded from image file 'C:\Windows\SysWOW64\cmd.exe'
Debuggee process version is 10.0
Debuggee process 14052 with primary thread 11164 created

Process 14052 created with primary thread 11164:
Symbol search path: .
	Process filename = C:\Windows\SysWOW64\cmd.exe
	Base address     = 0x00220000
	Start address    = 0x00236B20
	TEB address      = 0x02A5F000

DLL loaded in process 14052 by thread 11164:
SymRefreshModuleList() returned error 0x8000000D
ReadProcessMemory() returned error 299
	Base address   = 0x77AF0000

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\KERNEL32.DLL
	Base address   = 0x75B80000	KERNEL32

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\KERNELBASE.dll
	Base address   = 0x77890000	KERNELBASE

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\ADVAPI32.DLL
	Base address   = 0x76AF0000	ADVAPI32

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\msvcrt.dll
	Base address   = 0x77710000	msvcrt

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\sechost.dll
	Base address   = 0x77480000	sechost

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\RPCRT4.dll
	Base address   = 0x75DC0000	RPCRT4

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\combase.dll
	Base address   = 0x75F10000	combase

DLL loaded in process 14052 by thread 11164:
	DLL filename   = C:\Windows\SysWOW64\ucrtbase.dll
	Base address   = 0x75C70000	ucrtbase

Thread 9304 created in process 14052:
	Start address = 0x77B259C0	ntdll!TpCallbackIndependent+0x140
	TEB address   = 0x02A62000

Thread 8732 created in process 14052:
	Start address = 0x77B259C0	ntdll!TpCallbackIndependent+0x140
	TEB address   = 0x02A65000

First chance exception in thread 11164 of process 14052:
	Description       = Breakpoint
	Code              = 0x80000003
	Flags             = 0x00000000 (continuable)
	Address           = 0x77BA1EE2	ntdll!LdrInitShimEngineDynamic+0x6E2
	Parameters[1]     = 0x00000000
	Call stack:
		Address   = 0x77BA1EE3	ntdll!LdrInitShimEngineDynamic+0x6E3
		Address   = 0x77B9C431	ntdll!RtlCaptureStackContext+0x23501
		Address   = 0x77B56551	ntdll!LdrInitializeThunk+0x121
		Address   = 0x77B56441	ntdll!LdrInitializeThunk+0x11

First chance exception in thread 11164 of process 14052:
	Description       = Integer overflow
	Code              = 0xC0000095
	Flags             = 0x00000000 (continuable)
	Address           = 0x0023F6C7
	Call stack:
		Address   = 0x00233063
		Address   = 0x00232E3D
		Address   = 0x00232D7C
		Address   = 0x00232D20
		Address   = 0x00232CC4
		Address   = 0x00232C68
		Address   = 0x00232F8F
		Address   = 0x00232DE4
		Address   = 0x00233366
		Address   = 0x0022AB45
		Address   = 0x0023C9F0
		Address   = 0x0022AFC9
		Address   = 0x0022E4F6
		Address   = 0x00230B09
		Address   = 0x00236A0A
		Address   = 0x75BA00F9	KERNEL32!BaseThreadInitThunk+0x19
		Address   = 0x77B57BBE	ntdll!RtlGetAppContainerNamedObjectPath+0x11E
		Address   = 0x77B57B8E	ntdll!RtlGetAppContainerNamedObjectPath+0xEE

Last chance exception in thread 11164 of process 14052:
	Description       = Integer overflow
	Code              = 0xC0000095
	Flags             = 0x00000000 (continuable)
	Address           = 0x0023F6C7

Thread 9304 exited from process 14052:
	Exit code = 0xC0000095

Thread 11164 exited from process 14052:
	Exit code = 0xC0000095

Process 14052 exited with thread 8732:
	Exit code = 0xC0000095

Primary thread 11164 of debuggee process 14052 exited with code 0xC0000095
Primary thread times:
	Real   =          3.5438404 s
	Kernel =          0.0156250 s
	User   =          0.0000000 s
Debuggee process 14052 exited with code 0xC0000095
Debuggee process times:
	Real   =          3.5712333 s
	Kernel =          0.0156250 s
	User   =          0.0000000 s

Downloads

The console application is available in two functional identical forms: DEBUGGER.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and DEBUGGER.COM, a small form without these extras.

Implementation and Build Details

Non-interactive Symbolic Debugger is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Non-interactive Symbolic Debugger from the source presented hereafter.

  1. Create the text file DEBUGGER.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

#define wmemcpy	__movsw

#if _MSC_VER < 1500 // MSC 9.0 alias 2008
#include <crt\delayimp.h>
#else
#include <delayimp.h>
#endif

#ifdef SYMBOLS
#ifdef UNICODE
#define DBGHELP_TRANSLATE_TCHAR
#endif
#include <dbghelp.h>
#ifdef DBGHELP_TRANSLATE_TCHAR
#undef IMAGEHLP_CBA_EVENT
#undef SymLoadModuleEx
#endif
#endif // SYMBOLS

#define DELPHI_RUNTIME_EXCEPTION		0x0EEDFADEL

#ifndef EXCEPTION_SEGMENT_NOTIFICATION
#define EXCEPTION_SEGMENT_NOTIFICATION		0x40000005L
#endif

#ifndef EXCEPTION_FATAL_APP_EXIT
#define EXCEPTION_FATAL_APP_EXIT		0x40000015L
#endif

#ifndef EXCEPTION_WX86_SINGLE_STEP
#define EXCEPTION_WX86_SINGLE_STEP		0x4000001EL
#endif

#ifndef EXCEPTION_WX86_BREAKPOINT
#define EXCEPTION_WX86_BREAKPOINT		0x4000001FL
#endif

#ifndef DBG_PRINTEXCEPTION_C
#define DBG_PRINTEXCEPTION_C			0x40010006L
#endif

#ifndef DBG_RIPEXCEPTION
#define DBG_RIPEXCEPTION			0x40010007L
#endif

#ifndef DBG_PRINTEXCEPTION_WIDE_C
#define DBG_PRINTEXCEPTION_WIDE_C		0x4001000AL
#endif

#ifndef EXCEPTION_CPP_EXCEPTION
#define EXCEPTION_CPP_EXCEPTION			0x406D1388L
#endif

#ifndef EXCEPTION_INVALID_PARAMETER
#define EXCEPTION_INVALID_PARAMETER		0xC000000DL
#endif

#ifndef EXCEPTION_NO_MEMORY
#define EXCEPTION_NO_MEMORY			0xC0000017L
#endif

#ifndef EXCEPTION_ACCESS_DENIED
#define EXCEPTION_ACCESS_DENIED			0xC0000022L
#endif

#ifndef EXCEPTION_OBJECT_NAME_NOT_FOUND
#define EXCEPTION_OBJECT_NAME_NOT_FOUND		0xC0000034L
#endif

#ifndef EXCEPTION_OBJECT_PATH_NOT_FOUND
#define EXCEPTION_OBJECT_PATH_NOT_FOUND		0xC000003AL
#endif

#ifndef EXCEPTION_PROCEDURE_NOT_FOUND
#define EXCEPTION_PROCEDURE_NOT_FOUND		0xC000007AL
#endif

#ifndef EXCEPTION_INSTRUCTION_MISALIGNMENT
#define EXCEPTION_INSTRUCTION_MISALIGNMENT	0xC00000AAL
#endif

#ifndef EXCEPTION_DLL_NOT_FOUND
#define EXCEPTION_DLL_NOT_FOUND			0xC0000135L
#endif

#ifndef EXCEPTION_ORDINAL_NOT_FOUND
#define EXCEPTION_ORDINAL_NOT_FOUND		0xC0000138L
#endif

#ifndef EXCEPTION_ENTRYPOINT_NOT_FOUND
#define EXCEPTION_ENTRYPOINT_NOT_FOUND		0xC0000139L
#endif

#ifndef EXCEPTION_DLL_INIT_FAILED
#define EXCEPTION_DLL_INIT_FAILED		0xC0000142L
#endif

#ifndef EXCEPTION_UNHANDLED_EXCEPTION
#define EXCEPTION_UNHANDLED_EXCEPTION		0xC0000144L
#endif

#ifndef EXCEPTION_ILLEGAL_FLOAT_CONTEXT
#define EXCEPTION_ILLEGAL_FLOAT_CONTEXT		0xC000014AL
#endif

#ifndef STATUS_POSSIBLE_DEADLOCK
#define STATUS_POSSIBLE_DEADLOCK		0xC0000194L
#endif

#ifndef EXCEPTION_HANDLE_NOT_CLOSABLE
#define EXCEPTION_HANDLE_NOT_CLOSABLE		0xC0000235L
#endif

#ifndef EXCEPTION_FLOAT_MULTIPLE_FAULTS
#define EXCEPTION_FLOAT_MULTIPLE_FAULTS		0xC00002B4L
#endif

#ifndef EXCEPTION_FLOAT_MULTIPLE_TRAPS
#define EXCEPTION_FLOAT_MULTIPLE_TRAPS		0xC00002B5L
#endif

#ifndef EXCEPTION_DATATYPE_MISALIGNMENT_ERROR
#define EXCEPTION_DATATYPE_MISALIGNMENT_ERROR	0xC00002C5L
#endif

#ifndef EXCEPTION_REG_NAT_CONSUMPTION
#define EXCEPTION_REG_NAT_CONSUMPTION		0xC00002C9L
#endif

#ifndef EXCEPTION_INVALID_IMAGE_WIN_32
#define EXCEPTION_INVALID_IMAGE_WIN_32		0xC0000359L
#endif

#ifndef EXCEPTION_INVALID_IMAGE_WIN_64
#define EXCEPTION_INVALID_IMAGE_WIN_64		0xC000035AL
#endif

#ifndef EXCEPTION_HEAP_CORRUPTION
#define EXCEPTION_HEAP_CORRUPTION		0xC0000374L
#endif

#ifndef EXCEPTION_STACK_BUFFER_OVERRUN
#define EXCEPTION_STACK_BUFFER_OVERRUN		0xC0000409L
#endif

#ifndef EXCEPTION_INVALID_CRUNTIME_PARAMETER
#define EXCEPTION_INVALID_CRUNTIME_PARAMETER	0xC0000417L
#endif

#ifndef EXCEPTION_FATAL_USER_CALLBACK_EXCEPTION
#define EXCEPTION_FATAL_USER_CALLBACK_EXCEPTION	0xC000041DL
#endif

#ifndef EXCEPTION_ASSERTION_FAILURE
#define EXCEPTION_ASSERTION_FAILURE		0xC0000420L
#endif

#ifndef EXCEPTION_VERIFIER_STOP
#define EXCEPTION_VERIFIER_STOP			0xC0000421L
#endif

#ifndef EXCEPTION_FAIL_FAST_EXCEPTION
#define EXCEPTION_FAIL_FAST_EXCEPTION		0xC0000602L
#endif

#ifndef EXCEPTION_DISK_QUOTA_EXCEEDED
#define EXCEPTION_DISK_QUOTA_EXCEEDED		0xC0000802L
#endif

#ifndef EXCEPTION_DELAY_LOAD_INVALID_PARAMETER
#define EXCEPTION_DELAY_LOAD_INVALID_PARAMETER	0xC06D0057L
#endif

#ifndef EXCEPTION_DELAY_LOAD_MODULE_NOT_FOUND
#define EXCEPTION_DELAY_LOAD_MODULE_NOT_FOUND	0xC06D007EL
#endif

#ifndef EXCEPTION_DELAY_LOAD_ENTRY_NOT_FOUND
#define EXCEPTION_DELAY_LOAD_ENTRY_NOT_FOUND	0xC06D007FL
#endif

#ifndef EXCEPTION_APPLICATION_HANG
#define EXCEPTION_APPLICATION_HANG		0xCFFFFFFFL
#endif

#ifndef EXCEPTION_CLR_CCR_EXCEPTION
#define EXCEPTION_CLR_CCR_EXCEPTION		0xE0434352L	// = 0xE0000000L + 'CCR'
#endif

#ifndef EXCEPTION_CLR_COM_EXCEPTION
#define EXCEPTION_CLR_COM_EXCEPTION		0xE0434F4DL	// = 0xE0000000L + 'COM'
#endif

#ifndef EXCEPTION_CLR_SOFT_STACK_OVERFLOW
#define EXCEPTION_CLR_SOFT_STACK_OVERFLOW	0xE053534FL	// = 0xE0000000L + 'SSO'
#endif

#ifndef EXCEPTION_SEH_VERIFICATION_EXCEPTION
#define EXCEPTION_SEH_VERIFICATION_EXCEPTION	0xE0564552L	// = 0xE0000000L + 'VER'
#endif

#ifndef EXCEPTION_CLR_INTERNAL_ASSERTION
#define EXCEPTION_CLR_INTERNAL_ASSERTION	0xE0584D4EL	// = 0xE0000000L + 'XMN'
#endif

#ifndef EXCEPTION_CPP_EH_EXCEPTION
#define EXCEPTION_CPP_EH_EXCEPTION		0xE06D7363L	// = 0xE0000000L + 'msc'
#endif

typedef	struct	_THREADNAME_INFO
{
	DWORD	dwType;		// = 0x00001000UL
	LPCSTR	szName;		// thread name to assign
	DWORD	dwThreadId;	// thread id (~0UL = caller thread)
	DWORD	dwFlags;	// reserved for future use (must be 0UL)
} THREADNAME_INFO;

__forceinline
LPCWSTR	WINAPI	ExceptionAccess(DWORD_PTR dwAccess)
{
	switch (dwAccess)
	{
	case EXCEPTION_READ_FAULT:
		return L"reading";

	case EXCEPTION_WRITE_FAULT:
		return L"writing";

	case EXCEPTION_EXECUTE_FAULT:
		return L"executing";

	default:
		return L"accessing";
	}
}

LPCWSTR	WINAPI	ExceptionName(WCHAR szBuffer[1024], EXCEPTION_RECORD *ExceptionRecord)
{
	switch (ExceptionRecord->ExceptionCode)
	{
	case RPC_S_INVALID_BINDING:			// 0x000006A6
	case __HRESULT_FROM_WIN32(RPC_S_INVALID_BINDING):
		return L"RPC binding handle invalid";

	case RPC_S_UNKNOWN_IF:				// 0x000006B5L
	case __HRESULT_FROM_WIN32(RPC_S_UNKNOWN_IF):
		return L"RPC interface unknown";

	case RPC_S_SERVER_UNAVAILABLE:			// 0x000006BA
	case __HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE):
		return L"RPC server unavailable";

	case RPC_S_INVALID_BOUND:			// 0x000006C6
	case __HRESULT_FROM_WIN32(RPC_S_INVALID_BOUND):
		return L"RPC array bounds invalid";

	case EPT_S_NOT_REGISTERED:			// 0x000006D9
	case __HRESULT_FROM_WIN32(EPT_S_NOT_REGISTERED):
		return L"RPC endpoint not registered";

	case RPC_S_CANNOT_SUPPORT:			// 0x000006E4
	case __HRESULT_FROM_WIN32(RPC_S_CANNOT_SUPPORT):
		return L"RPC operation not supported";

	case RPC_X_SS_IN_NULL_CONTEXT:			// 0x000006EF
	case __HRESULT_FROM_WIN32(RPC_X_SS_IN_NULL_CONTEXT):
		return L"RPC null context handle";

	case RPC_X_BAD_STUB_DATA:			// 0x000006F7
	case __HRESULT_FROM_WIN32(RPC_X_BAD_STUB_DATA):
		return L"RPC stub received bad data";

	case DELPHI_RUNTIME_EXCEPTION:			// 0x0EEDFADE
		return L"Delphi runtime exception";

	case EXCEPTION_SEGMENT_NOTIFICATION:		// 0x40000005
		return L"Segment notification";

	case EXCEPTION_FATAL_APP_EXIT:			// 0x40000015
		return L"Fatal application exit";

	case EXCEPTION_WX86_SINGLE_STEP:		// 0x4000001E
		return L"WoW64 single-step";

	case EXCEPTION_WX86_BREAKPOINT:			// 0x4000001F
		return L"WoW64 breakpoint";

	case DBG_TERMINATE_THREAD:			// 0x40010003
		return L"Debugger terminate thread";

	case DBG_TERMINATE_PROCESS:			// 0x40010004
		return L"Debugger terminate process";

	case DBG_CONTROL_C:				// 0x40010005
		return L"Ctrl-C";

	case DBG_PRINTEXCEPTION_C:			// 0x40010006
	case DBG_PRINTEXCEPTION_WIDE_C:			// 0x4001000A
		return L"Debugger print exception";

	case DBG_RIPEXCEPTION:				// 0x40010007
		return L"Debugger RIP exception";

	case DBG_CONTROL_BREAK:				// 0x40010008
		return L"Ctrl-Break";

	case DBG_COMMAND_EXCEPTION:			// 0x40010009
		return L"Debugger command";

	case EXCEPTION_CPP_EXCEPTION:			// 0x406D1388
		return L"Assign thread name";

	case EXCEPTION_GUARD_PAGE:			// 0x80000001
		return L"Guard page access";

	case EXCEPTION_DATATYPE_MISALIGNMENT:		// 0x80000002
		return L"Data misalignment";

	case EXCEPTION_BREAKPOINT:			// 0x80000003
		return L"Breakpoint";

	case EXCEPTION_SINGLE_STEP:			// 0x80000004
		return L"Single-step";

	case EXCEPTION_ACCESS_VIOLATION:		// 0xC0000005

		if (wsprintf(szBuffer,
		             L"Access violation %ls 0x%p",
		             ExceptionAccess(ExceptionRecord->ExceptionInformation[0]),
		             ExceptionRecord->ExceptionInformation[1]) > 0)
			return szBuffer;

		return L"Access violation";

	case EXCEPTION_IN_PAGE_ERROR:			// 0xC0000006

		if (wsprintf(szBuffer,
#ifdef _WIN64
		             L"In-page error %ls 0x%p (0x%016I64X)",
#else
		             L"In-page error %ls 0x%p (0x%08lX)",
#endif
		             ExceptionAccess(ExceptionRecord->ExceptionInformation[0]),
		             ExceptionRecord->ExceptionInformation[1],
		             ExceptionRecord->ExceptionInformation[2]) > 0)
			return szBuffer;

		return L"In-page error";

	case EXCEPTION_INVALID_HANDLE:			// 0xC0000008
		return L"Invalid handle";

	case EXCEPTION_INVALID_PARAMETER:		// 0xC000000D
		return L"Invalid parameter";

	case EXCEPTION_NO_MEMORY:			// 0xC0000017
		return L"Not enough quota (no virtual memory)";

	case EXCEPTION_ILLEGAL_INSTRUCTION:		// 0xC000001D
		return L"Illegal instruction";

	case EXCEPTION_ACCESS_DENIED:			// 0xC0000022
		return L"Access denied";

	case EXCEPTION_NONCONTINUABLE_EXCEPTION:	// 0xC0000025
		return L"Non-continuable";

	case EXCEPTION_INVALID_DISPOSITION:		// 0xC0000026
		return L"Invalid disposition";

	case EXCEPTION_OBJECT_NAME_NOT_FOUND:		// 0xC0000034
		return L"Object name not found";

	case EXCEPTION_OBJECT_PATH_NOT_FOUND:		// 0xC000003A
		return L"Object path not found";

	case EXCEPTION_PROCEDURE_NOT_FOUND:		// 0xC000007A
		return L"Procedure not found";

	case EXCEPTION_ARRAY_BOUNDS_EXCEEDED:		// 0xC000008C
		return L"Array bounds exceeded";

	case EXCEPTION_FLT_DENORMAL_OPERAND:		// 0xC000008D
		return L"Denormal floating-point operand";

	case EXCEPTION_FLT_DIVIDE_BY_ZERO:		// 0xC000008E
		return L"Floating-point divide-by-zero";

	case EXCEPTION_FLT_INEXACT_RESULT:		// 0xC000008F
		return L"Inexact floating-point result";

	case EXCEPTION_FLT_INVALID_OPERATION:		// 0xC0000090
		return L"Invalid floating-point operation";

	case EXCEPTION_FLT_OVERFLOW:			// 0xC0000091
		return L"Floating-point overflow";

	case EXCEPTION_FLT_STACK_CHECK:			// 0xC0000092
		return L"Floating-point stack check";

	case EXCEPTION_FLT_UNDERFLOW:			// 0xC0000093
		return L"Floating-point underflow";

	case EXCEPTION_INT_DIVIDE_BY_ZERO:		// 0xC0000094
		return L"Integer divide-by-zero";

	case EXCEPTION_INT_OVERFLOW:			// 0xC0000095
		return L"Integer overflow";

	case EXCEPTION_PRIV_INSTRUCTION:		// 0xC0000096
		return L"Privileged instruction";

	case EXCEPTION_INSTRUCTION_MISALIGNMENT:	// 0xC00000AA
		return L"Instruction misalignment";

	case EXCEPTION_STACK_OVERFLOW:			// 0xC00000FD
		return L"Stack overflow";

	case EXCEPTION_DLL_NOT_FOUND:			// 0xC0000135
		return L"DLL not found";

	case EXCEPTION_ORDINAL_NOT_FOUND:		// 0xC0000138
		return L"Ordinal not found";

	case EXCEPTION_ENTRYPOINT_NOT_FOUND:		// 0xC0000139
		return L"Entrypoint not found";

	case CONTROL_C_EXIT:				// 0xC000013A
		return L"Ctrl-C";

	case EXCEPTION_DLL_INIT_FAILED:			// 0xC0000142
		return L"DLL initialisation failed";

	case EXCEPTION_UNHANDLED_EXCEPTION:		// 0xC0000144
		return L"Unhandled exception";

	case EXCEPTION_ILLEGAL_FLOAT_CONTEXT:		// 0xC000014A
		return L"No floating-point hardware";

	case EXCEPTION_POSSIBLE_DEADLOCK:		// 0xC0000194
		return L"Possible deadlock";

	case EXCEPTION_HANDLE_NOT_CLOSABLE:		// 0xC0000235
		return L"Close protected handle";

	case EXCEPTION_FLOAT_MULTIPLE_FAULTS:		// 0xC00002B4
		return L"Multiple floating-point faults";

	case EXCEPTION_FLOAT_MULTIPLE_TRAPS:		// 0xC00002B5
		return L"Multiple floating-point traps";

	case EXCEPTION_DATATYPE_MISALIGNMENT_ERROR:	// 0xC00002C5
		return L"Alignment error";

	case EXCEPTION_REG_NAT_CONSUMPTION:		// 0xC00002C9
		return L"Register NaT consumption fault";

	case EXCEPTION_INVALID_IMAGE_WIN_32:		// 0xC0000359
		return L"32-bit image in 64-bit process";

	case EXCEPTION_INVALID_IMAGE_WIN_64:		// 0xC000035A
		return L"64-bit image in 32-bit process";

	case EXCEPTION_HEAP_CORRUPTION:			// 0xC0000374
		return L"Heap corruption";

	case EXCEPTION_STACK_BUFFER_OVERRUN:		// 0xC0000409
		return L"Buffer overrun on stack (stack corruption)";

	case EXCEPTION_INVALID_CRUNTIME_PARAMETER:	// 0xC0000417
		return L"C runtime exception (invalid parameter)";

	case EXCEPTION_FATAL_USER_CALLBACK_EXCEPTION:	// 0xC000041D
		return L"Unhandled exception during user callback";

	case EXCEPTION_ASSERTION_FAILURE:		// 0xC0000420
		return L"Assertion failed";

	case EXCEPTION_VERIFIER_STOP:			// 0xC0000421
		return L"Application verifier stop";

	case EXCEPTION_FAIL_FAST_EXCEPTION:		// 0xC0000602
		return L"Fail-fast exception";

	case EXCEPTION_DISK_QUOTA_EXCEEDED:		// 0xC0000802
		return L"Disk quota exceeded";

	case EXCEPTION_DELAY_LOAD_INVALID_PARAMETER:	// 0xC06D0057
		return L"Delay-load exception (invalid parameter)";

	case EXCEPTION_DELAY_LOAD_MODULE_NOT_FOUND:	// 0xC06D007E
#ifdef DELAYLOADINFO
		if (wsprintf(szBuffer,
		             L"Delay-load exception (module %hs not found; 0x%08lX)",
		             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->szDll,
		             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->dwLastError) > 0)
			return szBuffer;
#else
		return L"Delay-load exception (module not found)";
#endif
	case EXCEPTION_DELAY_LOAD_ENTRY_NOT_FOUND:	// 0xC06D007F

		if (((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->dlp.fImportByName)
#ifdef DELAYLOADINFO
			if (wsprintf(szBuffer,
			             L"Delay-load exception (entry %hs not found in module %hs; 0x%08lX)",
			             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->dlp.szProcName,
			             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->szDll,
			             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->dwLastError) > 0)
				return szBuffer;
			else
#endif
			return L"Delay-load exception (entry not found)";
		else
#ifdef DELAYLOADINFO
			if (wsprintf(szBuffer,
			             L"Delay-load exception (ordinal %lu not found in module %hs; 0x%08lX)",
			             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->dlp.dwOrdinal,
			             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->szDll,
			             ((DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0]))->dwLastError) > 0)
				return szBuffer;
			else
#endif
			return L"Delay-load exception (ordinal not found)";

	case EXCEPTION_APPLICATION_HANG:		// 0xCFFFFFFF
		return L"Application hang";

	case EXCEPTION_CLR_CCR_EXCEPTION:		// 0xE0434352 = 0xE0000000 + 'CCR'
	case EXCEPTION_CLR_COM_EXCEPTION:		// 0xE0434F4D = 0xE0000000 + 'COM'
	case EXCEPTION_CLR_SOFT_STACK_OVERFLOW:		// 0xE053534F = 0xE0000000 + 'SSO'
	case EXCEPTION_CLR_INTERNAL_ASSERTION:		// 0xE0584D4E = 0xE0000000 + 'XMN'
		return L".NET CLR exception";

	case EXCEPTION_SEH_VERIFICATION_EXCEPTION:	// 0xE0564552 = 0xE0000000 + 'VER'
		return L"SEH verification exception";

	case EXCEPTION_CPP_EH_EXCEPTION:		// 0xE06D7363 = 0xE0000000 + 'msc'
		return L"C++ exception";

	default:
		return L"<not available>";
	}
}

#ifdef SYMBOLS
typedef	struct	_siplus
{
	SYMBOL_INFO	si;
	WCHAR		name[MAX_SYM_NAME + sizeof("+0x0123456789ABCDEF")];
} SYMBOL_INFO_PLUS;

LPCWSTR	WINAPI	NameLookup(HANDLE            hProcess,
		           DWORD64           ullAddress,
		           IMAGEHLP_MODULE64 *mi,
		           SYMBOL_INFO_PLUS  *siplus)
{
	DWORD64	ullDisplacement;
	SIZE_T	usModule;
	LPWSTR	lpModule;

	if (!SymFromAddr(hProcess,
	                 ullAddress,
	                 &ullDisplacement,
	                 &siplus->si))
	{
#if 0
		PrintConsole(hConsole,
		             L"SymFromAddr() returned error %lu\n",
		             GetLastError());
		return L"";
#else
		if (!SymGetModuleInfo64(hProcess,
		                        ullAddress,
		                        mi))
		{
		//	PrintConsole(hConsole,
		//	             L"SymGetModuleInfo64() returned error %lu\n",
		//	             GetLastError());
			return L"";
		}
		else
		{
			mi->ModuleName[sizeof(mi->ModuleName)] = L'\0';

			usModule = wcslen(mi->ModuleName);

			if (usModule == 0)
				return L"";

			mi->ModuleName[-1] = L'\t';

			ullDisplacement = ullAddress - mi->BaseOfImage;

			if (ullDisplacement != 0)
				wsprintf(mi->ModuleName + usModule,
				         L"+0x%I64X",
				         ullDisplacement);

			return mi->ModuleName - 1;
		}
	}
#endif
	else
	{
	//	siplus->si.Name[0] = L'\0';

		if (ullDisplacement == 0)
			siplus->si.Name[siplus->si.NameLen] = L'\0';
		else
			wsprintf(siplus->si.Name + siplus->si.NameLen,
			         L"+0x%I64X",
			         ullDisplacement);

		if (!SymGetModuleInfo64(hProcess,
		                        ullAddress,
		                        mi))
		{
		//	PrintConsole(hConsole,
		//	             L"SymGetModuleInfo64() returned error %lu\n",
		//	             GetLastError());

			siplus->si.Name[-1] = L'\t';

			return siplus->si.Name - 1;
		}
		else
		{
			mi->ModuleName[sizeof(mi->ModuleName)] = L'\0';

			if (ullDisplacement == ~0ULL)
			{
				mi->ModuleName[-1] = L'\t';

				return mi->ModuleName - 1;
			}
			else
			{
				usModule = wcslen(mi->ModuleName);

				lpModule = siplus->si.Name - 1 - usModule;
#if 0
				wcscpy(lpModule, mi->ModuleName);
#else
				wmemcpy(lpModule, mi->ModuleName, usModule);
#endif
				siplus->si.Name[-1] = L'!';
				lpModule[-1] = L'\t';

				return lpModule - 1;
			}
		}
	}
}

#ifdef VERBOSE
LPCSTR	WINAPI	CallbackAction(DWORD  ActionCode,
		               LPVOID CallbackData)
{
	switch (ActionCode)
	{
	case CBA_DEFERRED_SYMBOL_LOAD_START:
		return "DbgHelp: Deferred symbol load has started\n";

	case CBA_DEFERRED_SYMBOL_LOAD_COMPLETE:
		return "DbgHelp: Deferred symbol load has completed\n";

	case CBA_DEFERRED_SYMBOL_LOAD_FAILURE:
		return "DbgHelp: Deferred symbol load has failed\n";

	case CBA_SYMBOLS_UNLOADED:
		return "DbgHelp: Symbols have been unloaded\n";

	case CBA_DUPLICATE_SYMBOL:
		return "DbgHelp: Duplicate symbols were found\n";

	case CBA_READ_MEMORY:
		return "DbgHelp: The loaded image has been read\n";

	case CBA_DEFERRED_SYMBOL_LOAD_CANCEL:
		return "DbgHelp: Deferred symbol loading has started\n";

	case CBA_SET_OPTIONS:
		return "DbgHelp: Symbol options have been updated\n";

	case CBA_EVENT:
#if 0
		return "DbgHelp: Display verbose information\n";
#else
		return ((IMAGEHLP_CBA_EVENT *) CallbackData)->desc;
#endif
		break;

	case CBA_DEFERRED_SYMBOL_LOAD_PARTIAL:
		return "DbgHelp: Deferred symbol load has partially completed; "
		       "the symbol loader is unable to read the image header "
		       "from either the image file or the specified module\n";

	case CBA_DEBUG_INFO:
		return (LPCSTR) CallbackData;

#ifdef CBA_SRCSRV_INFO
	case CBA_SRCSRV_INFO:
#if 0
		return "DbgHelp: Display verbose information for source server\n";
#else
		return (LPCSTR) CallbackData;
#endif
#endif // CBA_SRCSRV_INFO
#ifdef CBA_SRCSRV_EVENT
	case CBA_SRCSRV_EVENT:
#if 0
		return "DbgHelp: Display verbose information for source server\n";
#else
		return ((IMAGEHLP_CBA_EVENT *) CallbackData)->desc;
#endif
#endif // CBA_SRCSRV_EVENT
	default:
		return "DbgHelp: Unknown action code\n";
	}
}

#ifdef _WIN64
BOOL	WINAPI	SymRegisterCallbackProc(HANDLE  hProcess,
		                        ULONG   ActionCode,
		                        ULONG64 CallbackData,
		                        ULONG64 UserContext)
#else
BOOL	WINAPI	SymRegisterCallbackProc(HANDLE  hProcess,
		                        ULONG   ActionCode,
		                        LPVOID  CallbackData,
		                        LPVOID  UserContext)
#endif
{
	LPCSTR	lpString = CallbackAction(ActionCode, CallbackData);
	DWORD	dwString = strlen(lpString);

	WriteConsoleA((HANDLE) UserContext, lpString, dwString, &dwString, NULL);

	return (ActionCode == CBA_EVENT)
	     | (ActionCode == CBA_DEBUG_INFO);
}
#endif // VERBOSE
#endif // SYMBOLS

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

#if _WIN32_WINNT < 0x0600
__declspec(dllimport)
DWORD	WINAPI	GetMappedFileNameA(HANDLE hProcess,
		                   LPVOID lpv,
		                   LPSTR  lpFileName,
		                   DWORD  dwSize);

__declspec(dllimport)
DWORD	WINAPI	GetMappedFileNameW(HANDLE hProcess,
		                   LPVOID lpv,
		                   LPWSTR lpFileName,
		                   DWORD  dwSize);

#ifndef UNICODE
#define GetMappedFileName	GetMappedFileNameA
#else
#define GetMappedFileName	GetMappedFileNameW
#endif

LPCWSTR	WINAPI	GetFileNameFromHandle(HANDLE hConsole,
		                      HANDLE hFile,
		                      WCHAR  szFileName[MAX_PATH])
{
	DWORD	dwFileName;
	LPCWSTR	lpFileName;
	DWORD	dwDeviceName;
	WCHAR	szDeviceName[MAX_PATH];
	WCHAR	szDrive[] = L"@:";
	WCHAR	szBuffer[26 * sizeof("@:\\") + 1];
	DWORD	dwBuffer;
	LPCWSTR	lpBuffer = szBuffer;
	LPVOID	lpMapping;
	HANDLE	hMapping;

	hMapping = CreateFileMapping(hFile,
	                             (LPSECURITY_ATTRIBUTES) NULL,
	                             PAGE_READONLY,
	                             0, 1,
	                             (LPCWSTR) NULL);

	if (hMapping == NULL)
		PrintConsole(hConsole,
		             L"CreateFileMapping() returned error %lu\n",
		             GetLastError());
	else
	{
		lpMapping = MapViewOfFile(hMapping,
		                          FILE_MAP_READ,
		                          0, 0,
		                          (SIZE_T) 1);

		if (lpMapping == NULL)
			PrintConsole(hConsole,
			             L"MapViewOfFile() returned error %lu\n",
			             GetLastError());
		else
		{
			dwFileName = GetMappedFileName(GetCurrentProcess(),
			                               lpMapping,
			                               szFileName,
			                               MAX_PATH);

			if (dwFileName == 0)
				PrintConsole(hConsole,
				             L"GetMappedFileName() returned error %lu\n",
				             GetLastError());
			else
			{
				dwBuffer = GetLogicalDriveStrings(sizeof(szBuffer) / sizeof(*szBuffer) - 1,
				                                  szBuffer);

				if (dwBuffer == 0)
					PrintConsole(hConsole,
					             L"GetLogicalDriveStrings() returned error %lu\n",
					             GetLastError());
				else
					if (dwBuffer >= sizeof(szBuffer) / sizeof(*szBuffer))
						PrintConsole(hConsole,
						             L"Buffer to small!\n");
					else
						do
						{
							szDrive[0] = lpBuffer[0];

							if (QueryDosDevice(szDrive,
							                   szDeviceName,
							                   sizeof(szDeviceName) / sizeof(*szDeviceName)) == 0)
								PrintConsole(hConsole,
								             L"QueryDosDevice() returned error %lu\n",
								             GetLastError());
							else
							{
								dwDeviceName = wcslen(szDeviceName);

								if (dwDeviceName >= MAX_PATH)
									PrintConsole(hConsole,
									             L"Length %lu of device name \'%ls\' exceeds MAX_PATH!\n",
									             dwDeviceName, szDeviceName);
								else
#if 1
									if (szFileName[dwDeviceName] == L'\\')
									{
										szFileName[dwDeviceName] = L'\0';

										if (wcscmp(szFileName, szDeviceName) == 0)
										{
											szFileName[dwDeviceName--] = L'\\';
											szFileName[dwDeviceName--] = L':';
											szFileName[dwDeviceName] = szDrive[0];

											lpFileName = szFileName + dwDeviceName;
										}
										else
											szFileName[dwDeviceName] = L'\\';
									}
#else
									if ((szFileName[dwDeviceName] == L'\\')
									 && (wmemcmp(szFileName, szDeviceName, dwDeviceName) == 0))
									{
										szFileName[dwDeviceName--] = L'\\';
										szFileName[dwDeviceName--] = L':';
										szFileName[dwDeviceName] = szDrive[0];

										lpFileName = szFileName + dwDeviceName;
									}
#endif
							}

							while (*lpBuffer++ != L'\0')
								continue;
						} while ((lpFileName == NULL) && (*lpBuffer != L'\0'));
			}

			if (!UnmapViewOfFile(lpMapping))
				PrintConsole(hConsole,
				             L"UnmapViewOfFile() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hMapping))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	return lpFileName;
}
#endif // _WIN32_WINNT

const	LPCWSTR	szBinaryType[7] = {L"32-bit Windows",
		                   L"MS-DOS",
		                   L"16-bit Windows",
		                   L".PIF for MS-DOS",
		                   L"POSIX",
		                   L"16-bit OS/2",
		                   L"64-bit Windows"};
#ifdef VERBOSE
const	LPCWSTR	szDirectories[3] = {L"Home   ",		// hdBase
		                    L"Symbols",		// hdSym
		                    L"Sources"};	// hdSrc

const	LPCWSTR	szDayOfWeek[7] = {L"Sunday",
		                  L"Monday",
		                  L"Tuesday",
		                  L"Wednesday",
		                  L"Thursday",
		                  L"Friday",
		                  L"Saturday"};
#endif
const	LPCWSTR	szTimes[4] = {NULL,
		              L"Real  ",
		              L"Kernel",
		              L"User  "};

const	STARTUPINFO	si = {sizeof(si)};

#ifdef _M_IX86
__forceinline
struct
{
	DWORD	dwQuotient, dwRemainder;
}	WINAPI	SplitFileTime(DWORD dwLow, DWORD dwHigh)
{
	__asm	// returns quotient in eax and remainder in edx
	{
		mov	eax, dwLow
		mov	edx, dwHigh
		mov	ecx, 10000000
		div	ecx
	}
}
#endif

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
#ifdef _WIN64
	BOOL	bWow64 = FALSE;

	WOW64_CONTEXT	wow64_context;
#endif
	CONTEXT	context;

	PEXCEPTION_RECORD	lpExceptionRecord;

	PROCESS_INFORMATION	pi;

	ULARGE_INTEGER	uli[4];

	DEBUG_EVENT	de;
#ifdef SYMBOLS
	LPAPI_VERSION	lpApiVersion = ImagehlpApiVersion();
#ifdef VERBOSE // DBGHELP >= 6.1
	DWORD	dwDirectory;
	LPWSTR	lpDirectory;
	WCHAR	szDirectory[MAX_PATH];

	SYSTEMTIME	st;

	DWORD64	ull;
#endif // VERBOSE
	DWORD64	ullBaseOfModule;

	IMAGEHLP_MODULE64	mi;
	SYMBOL_INFO_PLUS	siplus;

	STACKFRAME64	sf;
#endif // SYMBOLS
	LPWSTR	*lpArguments;
	INT	nArguments;
	WCHAR	szBuffer[1024];
	WCHAR	szImageName[MAX_PATH];
	DWORD	dwImageName = MAX_PATH;
	LPBYTE	lpImageName;
	LPBYTE	lpString;
	DWORD	dwString;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	DWORD	dwBinaryType;
	DWORD	dwVersion;
	DWORD	dwParameter;
	DWORD	dwThread;
	DWORD	dwProcess;
	HANDLE	hProcess;
	HANDLE	hThread;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
			if ((nArguments < 2)
			 || (*lpArguments[1] == L'\0')
			 || (nArguments > 3))
				PrintConsole(hConsole,
				             L"Bad arguments: either a (properly quoted) command line\n"
				             L"               or the (absolute or relative) path name of an application\n"
				             L"               followed by a (properly quoted) command line must be given!\n");
			else
			{
				PrintConsole(hConsole,
				             L"Command line:     \'%ls\'\n"
				             L"Application name: \'%ls\'\n",
				             lpArguments[nArguments - 1],
				             lpArguments[4 - nArguments]);

				if (nArguments == 3)
					if (!GetBinaryType(lpArguments[1], &dwBinaryType))
						PrintConsole(hConsole,
						             L"GetBinaryType() returned error %lu\n",
						             dwError = GetLastError());
					else
						PrintConsole(hConsole,
						             L"Application type: %lu = %ls\n",
						             dwBinaryType, szBinaryType[dwBinaryType]);
#ifdef SYMBOLS
				PrintConsole(hConsole,
				             L"\n"
				             L"DbgHelp API:\n"
				             L"\tVersion  = %hu.%hu\n"
				             L"\tRevision = %hu\n"
				             L"\tReserved = %hu\n",
				             lpApiVersion->MajorVersion, lpApiVersion->MinorVersion,
				             lpApiVersion->Revision,
				             lpApiVersion->Reserved);
#ifdef VERBOSE // DBGHELP >= 6.1
				PrintConsole(hConsole,
				             L"DbgHelp Directories:\n");

				for (dwDirectory = 0; dwDirectory < sizeof(szDirectories) / sizeof(*szDirectories); dwDirectory++)
				{
					lpDirectory = SymGetHomeDirectory(dwDirectory,
					                                  szDirectory,
					                                  sizeof(szDirectory));

					if (lpDirectory == NULL)
						PrintConsole(hConsole,
						             L"SymGetHomeDirectory() returned error %lu\n",
						             dwError = GetLastError());
					else
						PrintConsole(hConsole,
						             L"\t%ls = %ls\n",
						             szDirectories[dwDirectory], lpDirectory);
				}
#endif // VERBOSE
				SymSetOptions(SymGetOptions() | SYMOPT_DEBUG | SYMOPT_INCLUDE_32BIT_MODULES);
#endif // SYMBOLS
				if (!CreateProcess(lpArguments[4 - nArguments],
				                   lpArguments[nArguments - 1],
				                   (SECURITY_ATTRIBUTES *) NULL,
				                   (SECURITY_ATTRIBUTES *) NULL,
				                   FALSE,
				                   CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT | DEBUG_ONLY_THIS_PROCESS | NORMAL_PRIORITY_CLASS,
#if 1
				                   NULL,		// current environment block
#elif 1
				                   L"",			// empty environment block
#else
				                   L"__COMPAT_LAYER=RunAsInvoker\0_NO_DEBUG_HEAP=1\0DBGENG_NO_DEBUG_PRIVILEGE=1\0TMP=NUL:\0",
#endif
				                   (LPCWSTR) NULL,
				                   &si,
				                   &pi))
					PrintConsole(hConsole,
					             L"CreateProcess() returned error %lu\n",
					             dwError = GetLastError());
				else
				{
					dwError = ERROR_SUCCESS;
#if _WIN32_WINNT >= 0x0600
					if (!QueryFullProcessImageName(pi.hProcess,
					                               0,
					                               szImageName,
					                               &dwImageName))
						PrintConsole(hConsole,
						             L"QueryFullProcessImageName() returned error %lu\n",
						             dwError = GetLastError());
					else
						PrintConsole(hConsole,
						             L"Debuggee process loaded from image file \'%ls\'\n",
						             szImageName);
#endif
					dwVersion = GetProcessVersion(pi.dwProcessId);

					if (dwVersion == 0)
						PrintConsole(hConsole,
						             L"GetProcessVersion() returned error %lu\n",
						             dwError = GetLastError());
					else
						PrintConsole(hConsole,
						             L"Debuggee process version is %hu.%hu\n",
						             HIWORD(dwVersion), LOWORD(dwVersion));

					PrintConsole(hConsole,
					             L"\n"
					             L"Debuggee process %lu with primary thread %lu created\n",
					             pi.dwProcessId, pi.dwThreadId);

					if (!DebugSetProcessKillOnExit(FALSE))
						PrintConsole(hConsole,
						             L"DebugSetProcessKillOnExit() returned error %lu\n",
						             dwError = GetLastError());
#ifdef SYMBOLS
					mi.SizeOfStruct = sizeof(mi);
					siplus.si.SizeOfStruct = sizeof(siplus.si);
					siplus.si.MaxNameLen = MAX_SYM_NAME;
				//	siplus.si.Name[0] = L'\0';
#endif
					context.ContextFlags = CONTEXT_CONTROL;
#ifdef _WIN64
					wow64_context.ContextFlags = WOW64_CONTEXT_CONTROL;
#endif
					do
					{
						if (!WaitForDebugEvent(&de, INFINITE))
						{
							PrintConsole(hConsole,
							             L"WaitForDebugEvent() returned error %lu\n",
							             dwError = GetLastError());
							break;
						}

						switch (de.dwDebugEventCode)
						{
						case CREATE_PROCESS_DEBUG_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"Process %lu created with primary thread %lu:\n",
							             de.dwProcessId, de.dwThreadId);

							hProcess = de.u.CreateProcessInfo.hProcess;

							if (de.u.CreateProcessInfo.hProcess != NULL)
							{
#ifdef _WIN64
								if (!IsWow64Process(de.u.CreateProcessInfo.hProcess, &bWow64))
									PrintConsole(hConsole,
									             L"IsWow64Process() returned error %lu\n",
									             dwError = GetLastError());
#endif
#ifdef SYMBOLS
								// NOTE: on Windows 7, SymInitialize() abuses HRESULT as error code!

								if (!SymInitialize(de.u.CreateProcessInfo.hProcess,
								                   (LPCWSTR) NULL,	// evaluate _NT_SYMBOL_PATH environment variable
								                   FALSE))
								{
									dwError = GetLastError();

									if (dwError > 65535)
										PrintConsole(hConsole,
										             L"SymInitialize() returned error 0x%08lX\n",
										             dwError);
									else
										PrintConsole(hConsole,
										             L"SymInitialize() returned error %lu\n",
										             dwError);
								}
								else
								{
#ifdef VERBOSE
									if (!SymRegisterCallback(de.u.CreateProcessInfo.hProcess,
									                         SymRegisterCallbackProc,
									                         hConsole))
										PrintConsole(hConsole,
										             L"SymRegisterCallback() returned error %lu\n",
										             dwError = GetLastError());
#endif
#if 0
									if (!SymSetSearchPath(de.u.CreateProcessInfo.hProcess,
									                      L".;SRV**https://msdl.microsoft.com/download/symbols"))
										PrintConsole(hConsole,
										             L"SymSetSearchPath() returned error %lu\n",
										             dwError = GetLastError());
#else
									if (!SymGetSearchPath(de.u.CreateProcessInfo.hProcess,
									                      szBuffer,
									                      sizeof(szBuffer) / sizeof(*szBuffer)))
										PrintConsole(hConsole,
										             L"SymGetSearchPath() returned error %lu\n",
										             dwError = GetLastError());
									else
										PrintConsole(hConsole,
										             L"Symbol search path: %ls\n",
										             szBuffer);
#endif
								}

								ullBaseOfModule = 0;
#endif // SYMBOLS
								if (de.u.CreateProcessInfo.lpImageName != NULL)
									if (!ReadProcessMemory(de.u.CreateProcessInfo.hProcess,
									                       de.u.CreateProcessInfo.lpImageName,
									                       &lpImageName,
									                       sizeof(lpImageName),
									                       (SIZE_T *) NULL))
										PrintConsole(hConsole,
										             L"ReadProcessMemory() returned error %lu\n",
										             dwError = GetLastError());
									else
										if (lpImageName != NULL)
											if (!ReadProcessMemory(de.u.CreateProcessInfo.hProcess,
											                       lpImageName,
											                       szImageName,
											                       sizeof(szImageName),
											                       (SIZE_T *) NULL))
											{
												dwError = GetLastError();

												if (dwError != ERROR_PARTIAL_COPY)
													PrintConsole(hConsole,
													             L"ReadProcessMemory() returned error %lu\n",
													             dwError);
												else
													goto FILENAME;
											}
											else
											FILENAME:
												if (de.u.CreateProcessInfo.fUnicode != 0)
												{
													PrintConsole(hConsole,
													             L"\tProcess filename = %ls\n",
													             szImageName);
#ifdef SYMBOLS // DBGHELP >= 6.0
													ullBaseOfModule = SymLoadModuleExW(de.u.CreateProcessInfo.hProcess,
													                                   de.u.CreateProcessInfo.hFile,
													                                   szImageName,
													                                   (LPCWSTR) NULL,
													                                   de.u.CreateProcessInfo.lpBaseOfImage,
													                                   0,
													                                   (MODLOAD_DATA *) NULL,
													                                   0);

													if (ullBaseOfModule == 0)
													{
														dwError = GetLastError();

														if (dwError != ERROR_SUCCESS)
															PrintConsole(hConsole,
															             L"SymLoadModuleExW() returned error %lu\n",
															             dwError);
													}
#endif // SYMBOLS
												}
												else
												{
													PrintConsole(hConsole,
													             L"\tProcess filename = %hs\n",
													             szImageName);
#ifdef SYMBOLS
													ullBaseOfModule = SymLoadModuleEx(de.u.CreateProcessInfo.hProcess,
													                                  de.u.CreateProcessInfo.hFile,
													                                  (LPCSTR) szImageName,
													                                  (LPCSTR) NULL,
													                                  de.u.CreateProcessInfo.lpBaseOfImage,
													                                  0,
													                                  (MODLOAD_DATA *) NULL,
													                                  0);

													if (ullBaseOfModule == 0)
													{
														dwError = GetLastError();

														if (dwError != ERROR_SUCCESS)
															PrintConsole(hConsole,
															             L"SymLoadModuleEx() returned error %lu\n",
															             dwError);
													}
#endif // SYMBOLS
												}
										else
											goto NOFILENAME;
								else
								NOFILENAME:
								{
#if _WIN32_WINNT < 0x0600
									dwImageName = GetModuleFileNameEx(de.u.CreateProcessInfo.hProcess,
#if 0
									                                  de.u.CreateProcessInfo.lpBaseOfImage,
#else
									                                  (HMODULE) NULL,
#endif
									                                  szImageName,
									                                  sizeof(szImageName) / sizeof(*szImageName));

									if (dwImageName == 0)
									{
										PrintConsole(hConsole,
										             L"GetModuleFileNameEx() returned error %lu\n",
										             dwError = GetLastError());

										lpImageName = GetFileNameFromHandle(hConsole,
										                                    de.u.CreateProcessInfo.hFile,
										                                    szImageName);

										if (lpImageName != NULL)
											PrintConsole(hConsole,
											             L"\tProcess filename = %ls\n",
											             lpImageName);
									}
									else
										PrintConsole(hConsole,
										             L"\tProcess filename = %ls\n",
										             szImageName);
#else // _WIN32_WINNT
									dwImageName = GetFinalPathNameByHandle(de.u.CreateProcessInfo.hFile,
									                                       szImageName,
									                                       sizeof(szImageName) / sizeof(*szImageName),
									                                       FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);

									if (dwImageName == 0)
										PrintConsole(hConsole,
										             L"GetFinalPathNameByHandle() returned error %lu\n",
										             dwError = GetLastError());
									else
										PrintConsole(hConsole,
										             L"\tProcess filename = %ls\n",
										             szImageName + 4);
#endif // _WIN32_WINNT
#ifdef SYMBOLS
									ullBaseOfModule = SymLoadModuleEx(de.u.CreateProcessInfo.hProcess,
									                                  de.u.CreateProcessInfo.hFile,
									                                  (LPCSTR) NULL,
									                                  (LPCSTR) NULL,
									                                  de.u.CreateProcessInfo.lpBaseOfImage,
									                                  0,
									                                  (MODLOAD_DATA *) NULL,
									                                  0);

									if (ullBaseOfModule == 0)
									{
										dwError = GetLastError();

										if (dwError != ERROR_SUCCESS)
											PrintConsole(hConsole,
											             L"SymLoadModuleEx() returned error %lu\n",
											             dwError);
									}
#endif // SYMBOLS
								}
#ifdef SYMBOLS
								if (ullBaseOfModule != 0)
									if (!SymGetModuleInfo64(de.u.CreateProcessInfo.hProcess,
									                        ullBaseOfModule,
									                        &mi))
										PrintConsole(hConsole,
										             L"SymGetModuleInfo64() returned error %lu\n",
										             dwError = GetLastError());
#ifdef VERBOSE
									else
									{
										ull = __emulu(mi.TimeDateStamp, 10000000)	// seconds since 1970-01-01 to
										    + 116444736000000000;			//  100 nano-seconds since 1601-01-01

										if (!FileTimeToSystemTime((LPFILETIME) &ull, &st))
											PrintConsole(hConsole,
											             L"FileTimeToSystemTime() returned error %lu\n",
											             dwError = GetLastError());

										PrintConsole(hConsole,
										             L"\tModule date      = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\n"
										             L"\tModule size      = 0x%08lX\n"
										             L"\tModule name      = %.32ls\n"
										             L"\tImage name       = %.256ls\n"
										             L"\tImage filename   = %.256ls\n"
										             L"\tPDB filename     = %.256ls\n"
										             L"\tSymbol count     = %lu\n",
										             mi.TimeDateStamp,
										             szDayOfWeek[st.wDayOfWeek],
										             st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
										             mi.ImageSize,
										             mi.ModuleName,
										             mi.ImageName,
										             mi.LoadedImageName,
										             mi.LoadedPdbName,
										             mi.NumSyms);
									}
#endif // VERBOSE
#endif // SYMBOLS
							}
#ifdef VERBOSE
							PrintConsole(hConsole,
							             L"\tFile handle      = 0x%p\n"
							             L"\tProcess handle   = 0x%p\n"
							             L"\tThread handle    = 0x%p\n",
							             de.u.CreateProcessInfo.hFile,
							             de.u.CreateProcessInfo.hProcess,
							             de.u.CreateProcessInfo.hThread);
#endif
							PrintConsole(hConsole,
							             L"\tBase address     = 0x%p\n"
#ifndef SYMBOLS
							             L"\tStart address    = 0x%p\n"
#else
							             L"\tStart address    = 0x%p%ls\n"
#endif
							             L"\tTEB address      = 0x%p\n",
							             de.u.CreateProcessInfo.lpBaseOfImage,
#ifndef SYMBOLS
							             de.u.CreateProcessInfo.lpStartAddress,
#else
							             de.u.CreateProcessInfo.lpStartAddress,
							             NameLookup(de.u.CreateProcessInfo.hProcess, de.u.CreateProcessInfo.lpStartAddress, &mi, &siplus),
#endif
							             de.u.CreateProcessInfo.lpThreadLocalBase);

							if (de.u.CreateProcessInfo.hFile != INVALID_HANDLE_VALUE)
								if (!CloseHandle(de.u.CreateProcessInfo.hFile))
									PrintConsole(hConsole,
									             L"CloseHandle() returned error %lu\n",
									             dwError = GetLastError());
							break;

						case CREATE_THREAD_DEBUG_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"Thread %lu created in process %lu:\n"
#ifdef VERBOSE
							             L"\tThread handle = 0x%p\n"
#endif
#ifndef SYMBOLS
							             L"\tStart address = 0x%p\n"
#else
							             L"\tStart address = 0x%p%ls\n"
#endif
							             L"\tTEB address   = 0x%p\n",
							             de.dwThreadId, de.dwProcessId,
#ifdef VERBOSE
							             de.u.CreateThread.hThread,
#endif
#ifndef SYMBOLS
							             de.u.CreateThread.lpStartAddress,
#else
							             de.u.CreateThread.lpStartAddress,
							             NameLookup(hProcess, de.u.CreateThread.lpStartAddress, &mi, &siplus),
#endif
							             de.u.CreateThread.lpThreadLocalBase);
							break;

						case EXIT_PROCESS_DEBUG_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"Process %lu exited with thread %lu:\n"
							             L"\tExit code = 0x%08lX\n",
							             de.dwProcessId, de.dwThreadId,
							             de.u.ExitProcess.dwExitCode);
#ifdef SYMBOLS
							if (!SymCleanup(hProcess))
								PrintConsole(hConsole,
								             L"SymCleanup() returned error %lu\n",
								             dwError = GetLastError());
#endif // SYMBOLS
							hProcess = NULL;

							break;

						case EXIT_THREAD_DEBUG_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"Thread %lu exited from process %lu:\n"
							             L"\tExit code = 0x%08lX\n",
							             de.dwThreadId, de.dwProcessId,
							             de.u.ExitThread.dwExitCode);
							break;

						case LOAD_DLL_DEBUG_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"DLL loaded in process %lu by thread %lu:\n",
							             de.dwProcessId, de.dwThreadId);
#ifdef SYMBOLS // DBGHELP >= 6.5
							if (!SymRefreshModuleList(hProcess))
							{
								dwError = GetLastError();

								if (dwError > 65535)
									PrintConsole(hConsole,
									             L"SymRefreshModuleList() returned error 0x%08lX\n",
									             dwError);
								else
									PrintConsole(hConsole,
									             L"SymRefreshModuleList() returned error %lu\n",
									             dwError);
							}

							ullBaseOfModule = 0;
#endif // SYMBOLS
							if (de.u.LoadDll.lpImageName != NULL)
								if (!ReadProcessMemory(hProcess,
								                       de.u.LoadDll.lpImageName,
								                       &lpImageName,
								                       sizeof(lpImageName),
								                       (SIZE_T *) NULL))
									PrintConsole(hConsole,
									             L"ReadProcessMemory() returned error %lu\n",
									             dwError = GetLastError());
								else
									if (lpImageName != NULL)
									{
										if (!ReadProcessMemory(hProcess,
										                       lpImageName,
										                       szImageName,
										                       sizeof(szImageName),
										                       (SIZE_T *) NULL))
										{
											dwError = GetLastError();

											if (dwError != ERROR_PARTIAL_COPY)
												PrintConsole(hConsole,
												             L"ReadProcessMemory() returned error %lu\n",
												             dwError);
											else
												goto DLLNAME;
										}
										else
										DLLNAME:
											if (de.u.LoadDll.fUnicode != 0)
											{
												PrintConsole(hConsole,
												             L"\tDLL filename   = %ls\n",
												             szImageName);
#ifdef SYMBOLS // DBGHELP >= 6.0
												ullBaseOfModule = SymLoadModuleExW(hProcess,
												                                   de.u.LoadDll.hFile,
												                                   szImageName,
												                                   (LPCWSTR) NULL,
												                                   de.u.LoadDll.lpBaseOfDll,
												                                   0,
												                                   (MODLOAD_DATA *) NULL,
												                                   0);

												if (ullBaseOfModule == 0)
												{
													dwError = GetLastError();

													if (dwError != ERROR_SUCCESS)
														PrintConsole(hConsole,
														             L"SymLoadModuleExW() returned error %lu\n",
														             dwError);
												}
#endif // SYMBOLS
											}
											else
											{
												PrintConsole(hConsole,
												             L"\tDLL filename   = %hs\n",
												             szImageName);
#ifdef SYMBOLS
												ullBaseOfModule = SymLoadModuleEx(hProcess,
												                                  de.u.LoadDll.hFile,
												                                  (LPCSTR) szImageName,
												                                  (LPCSTR) NULL,
												                                  de.u.LoadDll.lpBaseOfDll,
												                                  0,
												                                  (MODLOAD_DATA *) NULL,
												                                  0);

												if (ullBaseOfModule == 0)
												{
													dwError = GetLastError();

													if (dwError != ERROR_SUCCESS)
														PrintConsole(hConsole,
														             L"SymLoadModuleEx() returned error %lu\n",
														             dwError);
												}
#endif // SYMBOLS
											}
									}
									else
										goto NODLLNAME;
							else
							NODLLNAME:
							{
#if _WIN32_WINNT < 0x0600
								dwImageName = GetModuleFileNameEx(hProcess,
								                                  de.u.LoadDll.lpBaseOfDll,
								                                  szImageName,
								                                  sizeof(szImageName) / sizeof(*szImageName));

								if (dwImageName == 0)
								{
									PrintConsole(hConsole,
									             L"GetModuleFileNameEx() returned error %lu\n",
									             dwError = GetLastError());

									lpImageName = GetFileNameFromHandle(hConsole,
									                                    de.u.LoadDll.hFile,
									                                    szImageName);

									if (lpImageName != NULL)
										PrintConsole(hConsole,
										             L"\tDLL filename   = %ls\n",
										             lpImageName);

								}
								else
									PrintConsole(hConsole,
									             L"\tDLL filename   = %ls\n",
									             szImageName);
#else // _WIN32_WINNT
								dwImageName = GetFinalPathNameByHandle(de.u.LoadDll.hFile,
								                                       szImageName,
								                                       sizeof(szImageName) / sizeof(*szImageName),
								                                       FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);

								if (dwImageName == 0)
									PrintConsole(hConsole,
									             L"GetFinalPathNameByHandle() returned error %lu\n",
									             dwError = GetLastError());
								else
									PrintConsole(hConsole,
									             L"\tDLL filename   = %ls\n",
									             szImageName + 4);
#endif // _WIN32_WINNT
#ifdef SYMBOLS
								ullBaseOfModule = SymLoadModuleEx(hProcess,
								                                  de.u.LoadDll.hFile,
								                                  (LPCSTR) NULL,
								                                  (LPCSTR) NULL,
								                                  de.u.LoadDll.lpBaseOfDll,
								                                  0,
								                                  (MODLOAD_DATA *) NULL,
								                                  0);

								if (ullBaseOfModule == 0)
								{
									dwError = GetLastError();

									if (dwError != ERROR_SUCCESS)
										PrintConsole(hConsole,
										             L"SymLoadModuleEx() returned error %lu\n",
										             dwError);
								}
#endif // SYMBOLS
							}
#ifdef SYMBOLS
							if (ullBaseOfModule != 0)
								if (!SymGetModuleInfo64(hProcess,
								                        ullBaseOfModule,
								                        &mi))
									PrintConsole(hConsole,
									             L"SymGetModuleInfo64() returned error %lu\n",
									             dwError = GetLastError());
#ifdef VERBOSE
								else
								{
									ull = __emulu(mi.TimeDateStamp, 10000000)	// seconds since 1970-01-01 to
									    + 116444736000000000;			//  100 nano-seconds since 1601-01-01

									if (!FileTimeToSystemTime((LPFILETIME) &ull, &st))
										PrintConsole(hConsole,
										             L"FileTimeToSystemTime() returned error %lu\n",
										             dwError = GetLastError());

									PrintConsole(hConsole,
									             L"\tModule date    = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\n"
									             L"\tModule size    = 0x%08lX\n"
									             L"\tModule name    = %.32ls\n"
									             L"\tImage name     = %.256ls\n"
									             L"\tImage filename = %.256ls\n"
									             L"\tPDB filename   = %.256ls\n"
									             L"\tSymbol count   = %lu\n",
									             mi.TimeDateStamp,
									             szDayOfWeek[st.wDayOfWeek],
									             st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
									             mi.ImageSize,
									             mi.ModuleName,
									             mi.ImageName,
									             mi.LoadedImageName,
									             mi.LoadedPdbName,
									             mi.NumSyms);
								}
#endif // VERBOSE
#endif // SYMBOLS
							PrintConsole(hConsole,
#ifdef VERBOSE
							             L"\tFile handle    = 0x%p\n"
#endif
#ifndef SYMBOLS
							             L"\tBase address   = 0x%p\n",
#ifdef VERBOSE
							             de.u.LoadDll.hFile,
#endif
							             de.u.LoadDll.lpBaseOfDll);
#else // SYMBOLS
							             L"\tBase address   = 0x%p%ls\n",
#ifdef VERBOSE
							             de.u.LoadDll.hFile,
#endif
							             de.u.LoadDll.lpBaseOfDll,
							             NameLookup(hProcess, de.u.LoadDll.lpBaseOfDll, &mi, &siplus));
#endif // SYMBOLS
							if (de.u.LoadDll.hFile != INVALID_HANDLE_VALUE)
								if (!CloseHandle(de.u.LoadDll.hFile))
									PrintConsole(hConsole,
									             L"CloseHandle() returned error %lu\n",
									             dwError = GetLastError());
							break;

						case UNLOAD_DLL_DEBUG_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"DLL unloaded from process %lu by thread %lu:\n"
#ifndef SYMBOLS
							             L"\tBase address = 0x%p\n",
#else
							             L"\tBase address = 0x%p%ls\n",
#endif
							             de.dwProcessId, de.dwThreadId,
#ifndef SYMBOLS
							             de.u.UnloadDll.lpBaseOfDll);
#else
							             de.u.UnloadDll.lpBaseOfDll,
							             NameLookup(hProcess, de.u.UnloadDll.lpBaseOfDll, &mi, &siplus));

							if (!SymUnloadModule64(hProcess,
							                       de.u.UnloadDll.lpBaseOfDll))
								PrintConsole(hConsole,
								             L"SymUnloadModule64() returned error %lu\n",
								             dwError = GetLastError());
#endif // SYMBOLS
							break;

						case OUTPUT_DEBUG_STRING_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"Output debug string in thread %lu of process %lu:\n"
							             L"\tString length  = %hu\n"
#ifndef SYMBOLS
							             L"\tString address = 0x%p\n",
#else
							             L"\tString address = 0x%p%ls\n",
#endif
							             de.dwThreadId, de.dwProcessId,
							             de.u.DebugString.nDebugStringLength - 1,
#ifndef SYMBOLS
							             de.u.DebugString.lpDebugStringData);
#else
							             de.u.DebugString.lpDebugStringData,
							             NameLookup(hProcess, de.u.DebugString.lpDebugStringData, &mi, &siplus));
#endif
							dwString = de.u.DebugString.nDebugStringLength;
#if 0	// NOTE: debug string is always ANSI!
							if (de.u.CreateProcessInfo.fUnicode != 0)
								dwString *= sizeof(L'\0');
#endif
							lpString = LocalAlloc(LPTR, dwString);

							if (lpString == NULL)
								PrintConsole(hConsole,
								             L"LocalAlloc() returned error %lu\n",
								             dwError = GetLastError());
							else
							{
								if (!ReadProcessMemory(hProcess,
								                       de.u.DebugString.lpDebugStringData,
								                       lpString,
								                       dwString,
								                       (SIZE_T *) NULL))
									PrintConsole(hConsole,
									             L"ReadProcessMemory() returned error %lu\n",
									             dwError = GetLastError());
								else
#if 0	// NOTE: debug string is always ANSI!
									if (de.u.CreateProcessInfo.fUnicode != 0)
									{
										dwString = wcslen((LPCWSTR) lpString);

										while ((dwString-- > 0)
										    && ((lpString[dwString] == L' ')
										     || (lpString[dwString] == L'\a')
										     || (lpString[dwString] == L'\b')
										     || (lpString[dwString] == L'\f')
										     || (lpString[dwString] == L'\n')
										     || (lpString[dwString] == L'\r')
										     || (lpString[dwString] == L'\t')
										     || (lpString[dwString] == L'\v')))
											/* lpString[dwString] = L'\0' */;

										lpString[++dwString] = L'\0';

										PrintConsole(hConsole,
										             L"\tString value   = %ls\n",
										             lpString);
									}
									else
#endif
								{
									dwString = strlen((LPCSTR) lpString);

									while ((dwString-- > 0)
									    && ((lpString[dwString] == ' ')
									     || (lpString[dwString] == '\a')
									     || (lpString[dwString] == '\b')
									     || (lpString[dwString] == '\f')
									     || (lpString[dwString] == '\n')
									     || (lpString[dwString] == '\r')
									     || (lpString[dwString] == '\t')
									     || (lpString[dwString] == '\v')))
										/* lpString[dwString] = '\0' */;

									lpString[++dwString] = '\0';

									PrintConsole(hConsole,
									             L"\tString value   = %hs\n",
									             lpString);
								}

								if (LocalFree(lpString) != NULL)
									PrintConsole(hConsole,
									             L"LocalFree() returned error %lu\n",
									             dwError = GetLastError());
							}

							break;

						case RIP_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"RIP in thread %lu of process %lu:\n"
							             L"\tError = %lu\n"
							             L"\tType  = %lu\n",
							             de.dwThreadId, de.dwProcessId,
							             de.u.RipInfo.dwError,
							             de.u.RipInfo.dwType);
							break;

						case EXCEPTION_DEBUG_EVENT:

							PrintConsole(hConsole,
							             L"\n"
							             L"%ls chance exception in thread %lu of process %lu:\n"
							             L"\tDescription       = %ls\n"
							             L"\tCode              = 0x%08lX\n"
							             L"\tFlags             = 0x%08lX (%lscontinuable)\n"
#ifndef SYMBOLS
							             L"\tAddress           = 0x%p\n",
#else
							             L"\tAddress           = 0x%p%ls\n",
#endif
							             de.u.Exception.dwFirstChance != 0 ? L"First" : L"Last",
							             de.dwThreadId, de.dwProcessId,
							             ExceptionName(szBuffer, &de.u.Exception.ExceptionRecord),
							             de.u.Exception.ExceptionRecord.ExceptionCode,
							             de.u.Exception.ExceptionRecord.ExceptionFlags,
							             de.u.Exception.ExceptionRecord.ExceptionFlags != 0 ? L"non-" : L"",
#ifndef SYMBOLS
							             de.u.Exception.ExceptionRecord.ExceptionAddress);
#else
							             de.u.Exception.ExceptionRecord.ExceptionAddress,
							             NameLookup(hProcess, de.u.Exception.ExceptionRecord.ExceptionAddress, &mi, &siplus));
#endif
							if (de.u.Exception.dwFirstChance != 0)
							{
								if (de.u.Exception.ExceptionRecord.NumberParameters > 0)
								{
									PrintConsole(hConsole,
									             L"\tParameters[%lu]    %lc",
									             de.u.Exception.ExceptionRecord.NumberParameters,
									             de.u.Exception.ExceptionRecord.NumberParameters > 10 ? L'\0' : L' ');

									for (dwParameter = 0; dwParameter < de.u.Exception.ExceptionRecord.NumberParameters; dwParameter++)
										PrintConsole(hConsole,
										             dwParameter == 0 ? L"= 0x%p" : L", 0x%p",
										             de.u.Exception.ExceptionRecord.ExceptionInformation[dwParameter]);

									PrintConsole(hConsole, L"\n");
								}

								for (lpExceptionRecord = de.u.Exception.ExceptionRecord.ExceptionRecord;
								     lpExceptionRecord != NULL;
								     lpExceptionRecord = lpExceptionRecord->ExceptionRecord)
								{
									PrintConsole(hConsole,
									             L"\n"
									             L"\tChained exception:\n"
									             L"\t\tDescription       = %ls\n"
									             L"\t\tCode              = 0x%08lX\n"
									             L"\t\tFlags             = 0x%08lX (%lscontinuable)\n"
#ifndef SYMBOLS
									             L"\t\tAddress           = 0x%p\n",
#else
									             L"\t\tAddress           = 0x%p%ls\n",
#endif
									             ExceptionName(szBuffer, lpExceptionRecord),
									             lpExceptionRecord->ExceptionCode,
									             lpExceptionRecord->ExceptionFlags,
									             lpExceptionRecord->ExceptionFlags != 0 ? L"non-" : L"",
#ifndef SYMBOLS
									             lpExceptionRecord->ExceptionAddress);
#else
									             lpExceptionRecord->ExceptionAddress,
									             NameLookup(hProcess, lpExceptionRecord->ExceptionAddress, &mi, &siplus));
#endif
									if (lpExceptionRecord->NumberParameters > 0)
									{
										PrintConsole(hConsole,
										             L"\t\tParameters[%lu]    %lc",
										             lpExceptionRecord->NumberParameters,
										             lpExceptionRecord->NumberParameters > 10 ? L'\0' : L' ');

										for (dwParameter = 0; dwParameter < lpExceptionRecord->NumberParameters; dwParameter++)
											PrintConsole(hConsole,
											             dwParameter == 0 ? L"= 0x%p" : L", 0x%p",
											             lpExceptionRecord->ExceptionInformation[dwParameter]);

										PrintConsole(hConsole, L"\n");
									}
								}
#ifdef SYMBOLS
								hThread = OpenThread(THREAD_GET_CONTEXT,
								                     FALSE,
								                     de.dwThreadId);

								if (hThread == NULL)
									PrintConsole(hConsole,
									             L"OpenThread() returned error %lu\n",
									             dwError = GetLastError());
								else
								{
#if _M_IX86
									if (!GetThreadContext(hThread, &context))
										PrintConsole(hConsole,
										             L"GetThreadContext() returned error %lu\n",
										             dwError = GetLastError());
									else
									{
#ifdef VERBOSE
										PrintConsole(hConsole, L"\tRegisters:\n");

										if ((context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
											PrintConsole(hConsole,
											             L"\t\tEbp = 0x%08lX, Eip = 0x%08lX, Esp = 0x%08lX\n"
											             L"\t\tCs  = 0x%08lX, Ss  = 0x%08lX\n"
										                     L"\t\tEfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
											             context.Ebp, context.Eip, context.Esp,
											             context.SegCs, context.SegSs,
										                     context.EFlags,
											             (context.EFlags >> 12) & 0x00000003,		//  IOPL level
											             context.EFlags & 0x00100000 ? L" vip" : L"",	//  VIP (virtual interrupt pending)
											             context.EFlags & 0x00080000 ? L" vif" : L"",	//  VIF (virtual interrupt flag)
											             context.EFlags & 0x00000800 ? L"ov" : L"nv",	//  OF (overflow flag)
											             context.EFlags & 0x00000400 ? L"dn" : L"up",	//  DF (direction flag)
											             context.EFlags & 0x00000200 ? L"ei" : L"di",	//  IF (interrupt enable flag)
											             context.EFlags & 0x00000080 ? L"ng" : L"pl",	//  SF (sign flag)
											             context.EFlags & 0x00000040 ? L"zr" : L"nz",	//  ZF (zero flag)
											             context.EFlags & 0x00000010 ? L"ac" : L"na",	//  AF (aux carry flag)
											             context.EFlags & 0x00000004 ? L"pe" : L"po",	//  PF (parity flag)
											             context.EFlags & 0x00000001 ? L"cy" : L"nc");	//  CF (carry flag)

										if ((context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
											PrintConsole(hConsole,
											             L"\t\tEax = 0x%08lX, Ebx = 0x%08lX, Ecx = 0x%08lX, Edx = 0x%08lX\n"
											             L"\t\tEdi = 0x%08lX, Esi = 0x%08lX\n",
											             context.Eax, context.Ebx, context.Ecx, context.Edx,
											             context.Edi, context.Esi);

										if ((context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
											PrintConsole(hConsole,
											             L"\t\tDs  = 0x%08lX, Es  = 0x%08lX, Fs  = 0x%08lX, Gs  = 0x%08lX\n",
											             context.SegDs, context.SegEs, context.SegFs, context.SegGs);

										if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
											PrintConsole(hConsole,
											             L"\t\tDr0 = 0x%08lX, Dr1 = 0x%08lX, Dr2 = 0x%08lX, Dr3 = 0x%08lX\n"
											             L"\t\tDr6 = 0x%08lX, Dr7 = 0x%08lX\n",
											             context.Dr0, context.Dr1, context.Dr2, context.Dr3,
											             context.Dr6, context.Dr7);

										if ((context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
											;

										if ((context.ContextFlags & CONTEXT_EXTENDED_REGISTERS) == CONTEXT_EXTENDED_REGISTERS)
											;
#endif // VERBOSE
										sf.AddrPC.Offset = context.Eip;
										sf.AddrPC.Mode = AddrModeFlat;
										sf.AddrReturn.Mode = AddrModeFlat;
										sf.AddrFrame.Offset = context.Ebp;
										sf.AddrFrame.Mode = AddrModeFlat;
										sf.AddrStack.Offset = context.Esp;
										sf.AddrStack.Mode = AddrModeFlat;

										PrintConsole(hConsole, L"\tCall stack:\n");

										while (StackWalk64(IMAGE_FILE_MACHINE_I386,
										                   hProcess,
										                   hThread,
										                   &sf,
										                   &context,
#if 1
										                   NULL,
#else
										                   ReadProcessMemory,
#endif
										                   SymFunctionTableAccess64,
										                   SymGetModuleBase64,
										                   NULL))
#ifdef VERBOSE
											PrintConsole(hConsole,
											             L"\t\tAddress   = 0x%08lX%ls\n"
											             L"\t\tReturn    = 0x%08lX\n"
											             L"\t\tFrame     = 0x%08lX\n"
											             L"\t\tStack     = 0x%08lX\n"
											             L"\t\tParameter = 0x%08lX, 0x%08lX, 0x%08lX, 0x%08lX\n",
											             (DWORD) sf.AddrPC.Offset,
											             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
											             (DWORD) sf.AddrReturn.Offset,
											             (DWORD) sf.AddrFrame.Offset,
											             (DWORD) sf.AddrStack.Offset,
											             (DWORD) sf.Params[0],
											             (DWORD) sf.Params[1],
											             (DWORD) sf.Params[2],
											             (DWORD) sf.Params[3]);
#else
											PrintConsole(hConsole,
											             L"\t\tAddress   = 0x%08lX%ls\n",
											             (DWORD) sf.AddrPC.Offset,
											             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
									}
#elif _M_AMD64
									if (bWow64)
									{
										if (!Wow64GetThreadContext(hThread, &wow64_context))
											PrintConsole(hConsole,
											             L"Wow64GetThreadContext() returned error %lu\n",
											             dwError = GetLastError());
										else
										{
#ifdef VERBOSE
											PrintConsole(hConsole, L"\tRegisters:\n");

											if ((wow64_context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
												PrintConsole(hConsole,
												             L"\t\tEbp = 0x%08lX, Eip = 0x%08lX, Esp = 0x%08lX\n"
												             L"\t\tCs  = 0x%08lX, Ss  = 0x%08lX\n"
											                     L"\t\tEfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
												             wow64_context.Ebp, wow64_context.Eip, wow64_context.Esp,
												             wow64_context.SegCs, wow64_context.SegSs,
											                     wow64_context.EFlags,
												             (wow64_context.EFlags >> 12) & 0x00000003,		//  IOPL level
												             wow64_context.EFlags & 0x00100000 ? L" vip" : L"",	//  VIP (virtual interrupt pending)
												             wow64_context.EFlags & 0x00080000 ? L" vif" : L"",	//  VIF (virtual interrupt flag)
												             wow64_context.EFlags & 0x00000800 ? L"ov" : L"nv",	//  OF (overflow flag)
												             wow64_context.EFlags & 0x00000400 ? L"dn" : L"up",	//  DF (direction flag)
												             wow64_context.EFlags & 0x00000200 ? L"ei" : L"di",	//  IF (interrupt enable flag)
												             wow64_context.EFlags & 0x00000080 ? L"ng" : L"pl",	//  SF (sign flag)
												             wow64_context.EFlags & 0x00000040 ? L"zr" : L"nz",	//  ZF (zero flag)
												             wow64_context.EFlags & 0x00000010 ? L"ac" : L"na",	//  AF (aux carry flag)
												             wow64_context.EFlags & 0x00000004 ? L"pe" : L"po",	//  PF (parity flag)
												             wow64_context.EFlags & 0x00000001 ? L"cy" : L"nc");	//  CF (carry flag)

											if ((wow64_context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
												PrintConsole(hConsole,
												             L"\t\tEax = 0x%08lX, Ebx = 0x%08lX, Ecx = 0x%08lX, Edx = 0x%08lX\n"
												             L"\t\tEdi = 0x%08lX, Esi = 0x%08lX\n",
												             wow64_context.Eax, wow64_context.Ebx, wow64_context.Ecx, wow64_context.Edx,
												             wow64_context.Edi, wow64_context.Esi);

											if ((wow64_context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
												PrintConsole(hConsole,
												             L"\t\tDs  = 0x%08lX, Es  = 0x%08lX, Fs  = 0x%08lX, Gs  = 0x%08lX\n",
												             wow64_context.SegDs, wow64_context.SegEs, wow64_context.SegFs, wow64_context.SegGs);

											if ((wow64_context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
												PrintConsole(hConsole,
												             L"\t\tDr0 = 0x%08lX, Dr1 = 0x%08lX, Dr2 = 0x%08lX, Dr3 = 0x%08lX\n"
												             L"\t\tDr6 = 0x%08lX, Dr7 = 0x%08lX\n",
												             wow64_context.Dr0, wow64_context.Dr1, wow64_context.Dr2, wow64_context.Dr3,
												             wow64_context.Dr6, wow64_context.Dr7);

											if ((wow64_context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
												;

											if ((wow64_context.ContextFlags & CONTEXT_EXTENDED_REGISTERS) == CONTEXT_EXTENDED_REGISTERS)
												;
#endif // VERBOSE
											sf.AddrPC.Offset = wow64_context.Eip;
											sf.AddrPC.Mode = AddrModeFlat;
											sf.AddrReturn.Mode = AddrModeFlat;
											sf.AddrFrame.Offset = wow64_context.Ebp;
											sf.AddrFrame.Mode = AddrModeFlat;
											sf.AddrStack.Offset = wow64_context.Esp;
											sf.AddrStack.Mode = AddrModeFlat;

											PrintConsole(hConsole, L"\tCall stack:\n");

											while (StackWalk64(IMAGE_FILE_MACHINE_I386,
											                   hProcess,
											                   hThread,
											                   &sf,
											                   &wow64_context,
#if 1
											                   NULL,
#else
											                   ReadProcessMemory,
#endif
											                   SymFunctionTableAccess64,
											                   SymGetModuleBase64,
											                   NULL))
#ifdef VERBOSE
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%08lX%ls\n"
												             L"\t\tReturn    = 0x%08lX\n"
												             L"\t\tFrame     = 0x%08lX\n"
												             L"\t\tStack     = 0x%08lX\n"
												             L"\t\tParameter = 0x%08lX, 0x%08lX, 0x%08lX, 0x%08lX\n",
												             (DWORD) sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
												             (DWORD) sf.AddrReturn.Offset,
												             (DWORD) sf.AddrFrame.Offset,
												             (DWORD) sf.AddrStack.Offset,
												             (DWORD) sf.Params[0],
												             (DWORD) sf.Params[1],
												             (DWORD) sf.Params[2],
												             (DWORD) sf.Params[3]);
#else
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%08lX%ls\n",
												             (DWORD) sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
										}
									}
									else
									{
										if (!GetThreadContext(hThread, &context))
											PrintConsole(hConsole,
											             L"GetThreadContext() returned error %lu\n",
											             dwError = GetLastError());
										else
										{
#ifdef VERBOSE
											PrintConsole(hConsole, L"\tRegisters:\n");

											if ((context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
												PrintConsole(hConsole,
												             L"\t\tRip = 0x%016I64X, Rsp = 0x%016I64X\n"
												             L"\t\tCs  = %04hX, Ss  = %04hX\n"
											                     L"\t\tRfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
												             context.Rip, context.Rsp,
												             context.SegCs, context.SegSs,
											                     context.EFlags,
												             (context.EFlags >> 12) & 0x00000003,		//  IOPL level
												             context.EFlags & 0x00100000 ? L" vip" : L"",	//  VIP (virtual interrupt pending)
												             context.EFlags & 0x00080000 ? L" vif" : L"",	//  VIF (virtual interrupt flag)
												             context.EFlags & 0x00000800 ? L"ov" : L"nv",	//  OF (overflow flag)
												             context.EFlags & 0x00000400 ? L"dn" : L"up",	//  DF (direction flag)
												             context.EFlags & 0x00000200 ? L"ei" : L"di",	//  IF (interrupt enable flag)
												             context.EFlags & 0x00000080 ? L"ng" : L"pl",	//  SF (sign flag)
												             context.EFlags & 0x00000040 ? L"zr" : L"nz",	//  ZF (zero flag)
												             context.EFlags & 0x00000010 ? L"ac" : L"na",	//  AF (aux carry flag)
												             context.EFlags & 0x00000004 ? L"pe" : L"po",	//  PF (parity flag)
												             context.EFlags & 0x00000001 ? L"cy" : L"nc");	//  CF (carry flag)

											if ((context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
												PrintConsole(hConsole,
												             L"\t\tRax = 0x%016I64X, Rbx = 0x%016I64X, Rcx = 0x%016I64X, Rdx = 0x%016I64X\n"
												             L"\t\tRbp = 0x%016I64X, Rdi = 0x%016I64X, Rsi = 0x%016I64X\n"
												             L"\t\tR08 = 0x%016I64X, R09 = 0x%016I64X, R10 = 0x%016I64X, R11 = 0x%016I64X\n"
												             L"\t\tR12 = 0x%016I64X, R13 = 0x%016I64X, R14 = 0x%016I64X, R15 = 0x%016I64X\n",
												             context.Rax, context.Rbx, context.Rcx, context.Rdx,
												             context.Rbp, context.Rdi, context.Rsi,
												             context.R08, context.R09, context.R10, context.R11,
												             context.R12, context.R13, context.R14, context.R15);

											if ((context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
												PrintConsole(hConsole,
												             L"\t\tDs  = %04hX, Es  = %04hX, Fs  = %04hX, Gs  = %04hX\n",
												             context.SegDs, context.SegEs, context.SegFs, context.SegGs);

											if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
												PrintConsole(hConsole,
												             L"\t\tDr0 = 0x%016I64X, Dr1 = 0x%016I64X, Dr2 = 0x%016I64X, Dr3 = 0x%016I64X\n"
												             L"\t\tDr6 = 0x%016I64X, Dr7 = 0x%016I64X\n",
												             context.Dr0, context.Dr1, context.Dr2, context.Dr3,
												             context.Dr6, context.Dr7);

											if ((context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
												;
#endif // VERBOSE
											sf.AddrPC.Offset = context.Rip;
											sf.AddrPC.Mode = AddrModeFlat;
											sf.AddrReturn.Mode = AddrModeFlat;
											sf.AddrFrame.Offset = context.Rbp;
											sf.AddrFrame.Mode = AddrModeFlat;
											sf.AddrStack.Offset = context.Rsp;
											sf.AddrStack.Mode = AddrModeFlat;

											PrintConsole(hConsole, L"\tCall stack:\n");

											while (StackWalk64(IMAGE_FILE_MACHINE_AMD64,
											                   hProcess,
											                   hThread,
											                   &sf,
											                   &context,
#if 1
											                   NULL,
#else
											                   ReadProcessMemory,
#endif
											                   SymFunctionTableAccess64,
											                   SymGetModuleBase64,
											                   NULL))
#ifdef VERBOSE
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%016I64X%ls\n"
												             L"\t\tReturn    = 0x%016I64X\n"
												             L"\t\tFrame     = 0x%016I64X\n"
												             L"\t\tStack     = 0x%016I64X\n"
												             L"\t\tParameter = 0x%016I64X, 0x%016I64X, 0x%016I64X, 0x%016I64X\n",
												             sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
												             sf.AddrReturn.Offset,
												             sf.AddrFrame.Offset,
												             sf.AddrStack.Offset,
												             sf.Params[0],
												             sf.Params[1],
												             sf.Params[2],
												             sf.Params[3]);
#else
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%016I64X%ls\n",
												             sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
										}
									}
#elif _M_IA64
									if (bWow64)
									{
										if (!Wow64GetThreadContext(hThread, &wow64_context))
											PrintConsole(hConsole,
											             L"Wow64GetThreadContext() returned error %lu\n",
											             dwError = GetLastError());
										else
										{
#ifdef VERBOSE
											PrintConsole(hConsole, L"\tRegisters:\n");

											if ((wow64_context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
												PrintConsole(hConsole,
												             L"\t\tEbp = 0x%08lX, Eip = 0x%08lX, Esp = 0x%08lX\n"
												             L"\t\tCs  = 0x%08lX, Ss  = 0x%08lX\n"
											                     L"\t\tEfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
												             wow64_context.Ebp, wow64_context.Eip, wow64_context.Esp,
												             wow64_context.SegCs, wow64_context.SegSs,
											                     wow64_context.EFlags,
												             (wow64_context.EFlags >> 12) & 0x00000003,		//  IOPL level
												             wow64_context.EFlags & 0x00100000 ? L" vip" : L"",	//  VIP (virtual interrupt pending)
												             wow64_context.EFlags & 0x00080000 ? L" vif" : L"",	//  VIF (virtual interrupt flag)
												             wow64_context.EFlags & 0x00000800 ? L"ov" : L"nv",	//  OF (overflow flag)
												             wow64_context.EFlags & 0x00000400 ? L"dn" : L"up",	//  DF (direction flag)
												             wow64_context.EFlags & 0x00000200 ? L"ei" : L"di",	//  IF (interrupt enable flag)
												             wow64_context.EFlags & 0x00000080 ? L"ng" : L"pl",	//  SF (sign flag)
												             wow64_context.EFlags & 0x00000040 ? L"zr" : L"nz",	//  ZF (zero flag)
												             wow64_context.EFlags & 0x00000010 ? L"ac" : L"na",	//  AF (aux carry flag)
												             wow64_context.EFlags & 0x00000004 ? L"pe" : L"po",	//  PF (parity flag)
												             wow64_context.EFlags & 0x00000001 ? L"cy" : L"nc");	//  CF (carry flag)

											if ((wow64_context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
												PrintConsole(hConsole,
												             L"\t\tEax = 0x%08lX, Ebx = 0x%08lX, Ecx = 0x%08lX, Edx = 0x%08lX\n"
												             L"\t\tEdi = 0x%08lX, Esi = 0x%08lX\n",
												             wow64_context.Eax, wow64_context.Ebx, wow64_context.Ecx, wow64_context.Edx,
												             wow64_context.Edi, wow64_context.Esi);

											if ((wow64_context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
												PrintConsole(hConsole,
												             L"\t\tDs  = 0x%08lX, Es  = 0x%08lX, Fs  = 0x%08lX, Gs  = 0x%08lX\n",
												             wow64_context.SegDs, wow64_context.SegEs, wow64_context.SegFs, wow64_context.SegGs);

											if ((wow64_context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
												PrintConsole(hConsole,
												             L"\t\tDr0 = 0x%08lX, Dr1 = 0x%08lX, Dr2 = 0x%08lX, Dr3 = 0x%08lX\n"
												             L"\t\tDr6 = 0x%08lX, Dr7 = 0x%08lX\n",
												             wow64_context.Dr0, wow64_context.Dr1, wow64_context.Dr2, wow64_context.Dr3,
												             wow64_context.Dr6, wow64_context.Dr7);

											if ((wow64_context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
												;

											if ((wow64_context.ContextFlags & CONTEXT_EXTENDED_REGISTERS) == CONTEXT_EXTENDED_REGISTERS)
												;
#endif // VERBOSE
											sf.AddrPC.Offset = wow64_context.Eip;
											sf.AddrPC.Mode = AddrModeFlat;
											sf.AddrReturn.Mode = AddrModeFlat;
											sf.AddrFrame.Offset = wow64_context.Ebp;
											sf.AddrFrame.Mode = AddrModeFlat;
											sf.AddrStack.Offset = wow64_context.Esp;
											sf.AddrStack.Mode = AddrModeFlat;

											PrintConsole(hConsole, L"\tCall stack:\n");

											while (StackWalk64(IMAGE_FILE_MACHINE_I386,
											                   hProcess,
											                   hThread,
											                   &sf,
											                   &wow64_context,
#if 1
											                   NULL,
#else
											                   ReadProcessMemory,
#endif
											                   SymFunctionTableAccess64,
											                   SymGetModuleBase64,
											                   NULL))
#ifdef VERBOSE
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%08lX%ls\n"
												             L"\t\tReturn    = 0x%08lX\n"
												             L"\t\tFrame     = 0x%08lX\n"
												             L"\t\tStack     = 0x%08lX\n"
												             L"\t\tParameter = 0x%08lX, 0x%08lX, 0x%08lX, 0x%08lX\n",
												             (DWORD) sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
												             (DWORD) sf.AddrReturn.Offset,
												             (DWORD) sf.AddrFrame.Offset,
												             (DWORD) sf.AddrStack.Offset,
												             (DWORD) sf.Params[0],
												             (DWORD) sf.Params[1],
												             (DWORD) sf.Params[2],
												             (DWORD) sf.Params[3]);
#else
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%08lX%ls\n",
												             (DWORD) sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
										}
									}
									else
									{
										if (!GetThreadContext(hThread, &context))
											PrintConsole(hConsole,
											             L"GetThreadContext() returned error %lu\n",
											             dwError = GetLastError());
										else
										{
											sf.AddrPC.Offset = context.StIIP;
											sf.AddrPC.Mode = AddrModeFlat;
											sf.AddrReturn.Mode = AddrModeFlat;
											sf.AddrFrame.Mode = AddrModeFlat;
											sf.AddrStack.Offset = context.IntSp;
											sf.AddrStack.Mode = AddrModeFlat;
											sf.AddrBStore.Offset = context.RsBSP;
											sf.AddrBStore.Mode = AddrModeFlat;

											PrintConsole(hConsole, L"\tCall stack:\n");

											while (StackWalk64(IMAGE_FILE_MACHINE_IA64,
											                   hProcess,
											                   hThread,
											                   &sf,
											                   &context,
#if 1
											                   NULL,
#else
											                   ReadProcessMemory,
#endif
											                   SymFunctionTableAccess64,
											                   SymGetModuleBase64,
											                   NULL))
#ifdef VERBOSE
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%016I64X%ls\n"
												             L"\t\tReturn    = 0x%016I64X\n"
												             L"\t\tFrame     = 0x%016I64X\n"
												             L"\t\tStack     = 0x%016I64X\n"
												             L"\t\tParameter = 0x%016I64X, 0x%016I64X, 0x%016I64X, 0x%016I64X\n",
												             sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
												             sf.AddrReturn.Offset,
												             sf.AddrFrame.Offset,
												             sf.AddrStack.Offset,
												             sf.Params[0],
												             sf.Params[1],
												             sf.Params[2],
												             sf.Params[3]);
#else
												PrintConsole(hConsole,
												             L"\t\tAddress   = 0x%016I64X%ls\n",
												             sf.AddrPC.Offset,
												             NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
										}
									}
#else
#error Only I386, AMD64 and IA64 supported!
#endif
									if (!CloseHandle(hThread))
										PrintConsole(hConsole,
										             L"CloseHandle() returned error %lu\n",
										             dwError = GetLastError());
								}
#endif // SYMBOLS
							}

							break;

						default:
							PrintConsole(hConsole,
							             L"\n"
							             L"Unknown debug event %lu in thread %lu of process %lu\n",
							             de.dwDebugEventCode,
							             de.dwThreadId, de.dwProcessId);
						}

						// NOTE: DBG_EXCEPTION_NOT_HANDLED repeats OUTPUT_DEBUG_STRING_EVENT once!

						if (!ContinueDebugEvent(de.dwProcessId,
						                        de.dwThreadId,
						                        de.dwDebugEventCode == EXCEPTION_DEBUG_EVENT ? DBG_EXCEPTION_NOT_HANDLED : DBG_CONTINUE))
						{
							PrintConsole(hConsole,
							             L"ContinueDebugEvent() returned error %lu\n",
							             dwError = GetLastError());
							break;
						}
					} while (hProcess != NULL);

					PrintConsole(hConsole, L"\n");

					if (WaitForSingleObject(pi.hThread, INFINITE) == WAIT_FAILED)
						PrintConsole(hConsole,
						             L"WaitForSingleObject() returned error %lu\n",
						             dwError = GetLastError());

					if (!GetExitCodeThread(pi.hThread, &dwThread))
						PrintConsole(hConsole,
						             L"GetExitCodeThread() returned error %lu\n",
						             dwError = GetLastError());
					else
						if (dwThread > 65535)
							PrintConsole(hConsole,
							             L"Primary thread %lu of debuggee process %lu exited with code 0x%08lX\n",
							             pi.dwThreadId, pi.dwProcessId, dwThread);
						else
							PrintConsole(hConsole,
							             L"Primary thread %lu of debuggee process %lu exited with code %lu\n",
							             pi.dwThreadId, pi.dwProcessId, dwThread);

					if (!GetThreadTimes(pi.hThread,
					                    (LPFILETIME) uli,
					                    (LPFILETIME) uli + 1,
					                    (LPFILETIME) uli + 2,
					                    (LPFILETIME) uli + 3))
						PrintConsole(hConsole,
						             L"GetThreadTimes() returned error %lu\n",
						             dwError = GetLastError());
					else
					{
						PrintConsole(hConsole,
						             L"Primary thread times:\n");

						uli[1].QuadPart -= uli[0].QuadPart;

						for (dwThread = 1; dwThread < 4; dwThread++)
							PrintConsole(hConsole,
							             L"\t%ls = %10lu.%07lu s\n",
							             szTimes[dwThread],
#ifdef _M_IX86
							             SplitFileTime(uli[dwThread].LowPart, uli[dwThread].HighPart));
#else
							             (DWORD) (uli[dwThread].QuadPart / 10000000),
							             (DWORD) (uli[dwThread].QuadPart % 10000000));
#endif
					}

					if (!CloseHandle(pi.hThread))
						PrintConsole(hConsole,
						             L"CloseHandle() returned error %lu\n",
						             dwError = GetLastError());

					if (WaitForSingleObject(pi.hProcess, INFINITE) == WAIT_FAILED)
						PrintConsole(hConsole,
						             L"WaitForSingleObject() returned error %lu\n",
						             dwError = GetLastError());

					if (!GetExitCodeProcess(pi.hProcess, &dwProcess))
						PrintConsole(hConsole,
						             L"GetExitCodeProcess() returned error %lu\n",
						             dwError = GetLastError());
					else
						if (dwProcess > 65535)
							PrintConsole(hConsole,
							             L"Debuggee process %lu exited with code 0x%08lX\n",
							             pi.dwProcessId, dwProcess);
						else
							PrintConsole(hConsole,
							             L"Debuggee process %lu exited with code %lu\n",
							             pi.dwProcessId, dwProcess);

					if (!GetProcessTimes(pi.hProcess,
					                     (LPFILETIME) uli,
					                     (LPFILETIME) uli + 1,
					                     (LPFILETIME) uli + 2,
					                     (LPFILETIME) uli + 3))
						PrintConsole(hConsole,
						             L"GetProcessTimes() returned error %lu\n",
						             dwError = GetLastError());
					else
					{
						PrintConsole(hConsole,
						             L"Debuggee process times:\n");

						uli[1].QuadPart -= uli[0].QuadPart;

						for (dwProcess = 1; dwProcess < 4; dwProcess++)
							PrintConsole(hConsole,
							             L"\t%ls = %10lu.%07lu s\n",
							             szTimes[dwProcess],
#ifdef _M_IX86
							             SplitFileTime(uli[dwProcess].LowPart, uli[dwProcess].HighPart));
#else
							             (DWORD) (uli[dwProcess].QuadPart / 10000000),
							             (DWORD) (uli[dwProcess].QuadPart % 10000000));
#endif
					}

					if (!CloseHandle(pi.hProcess))
						PrintConsole(hConsole,
						             L"CloseHandle() returned error %lu\n",
						             dwError = GetLastError());
				}
			}

			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file DEBUGGER.C created in step 1., link the compiled object file DEBUGGER.OBJ and cleanup afterwards: 

    SET CL=/DDELAYLOADINFO /DSYMBOLS /GAFS /Gs69632 /Gy /O1isy /UVERBOSE /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:6.0 /RELEASE /STACK:1048576,65536 /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeDEBUGGER.COM DEBUGGER.C
ERASE DEBUGGER.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

DEBUGGER.C
delayimp.h(67) : warning C4201: nonstandard extension used : nameless struct/union
DEBUGGER.C(754) : warning C4100: 'hProcess' : unreferenced formal parameter
DEBUGGER.C(1122) : warning C4090: 'function' : different 'const' qualifiers
DEBUGGER.C(1290) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1290) : warning C4024: 'SymLoadModuleExW' : different types for formal and actual parameter 5
DEBUGGER.C(1316) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1316) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1386) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1386) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1464) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPTHREAD_START_ROUTINE'
DEBUGGER.C(1464) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1497) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPTHREAD_START_ROUTINE'
DEBUGGER.C(1497) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1592) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1592) : warning C4024: 'SymLoadModuleExW' : different types for formal and actual parameter 5
DEBUGGER.C(1618) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1618) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1686) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1686) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1757) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1757) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1781) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1781) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1784) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1784) : warning C4024: 'SymUnloadModule64' : different types for formal and actual parameter 2
DEBUGGER.C(1808) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPSTR'
DEBUGGER.C(1808) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1920) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'PVOID'
DEBUGGER.C(1920) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1962) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'PVOID'
DEBUGGER.C(1962) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1499) : warning C4701: potentially uninitialized local variable 'hProcess' used

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Debug String Monitor

Purpose
Background Information
Synopsis
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Monitor debug strings written from all processes running in the current (user) session with the Win32 function OutputDebugString().

Background Information

In Win32 processes that are run under a debugger, debug strings written with the Win32 function OutputDebugString() are catched and typically displayed by the debugger.

In Win32 processes that are not run under a debugger, the Win32 function OutputDebugString() checks whether the shared memory section named DBWIN_BUFFER as well as the events named DBWIN_BUFFER_READY and DBWIN_DATA_READY exist; if yes, it waits until the event DBWIN_BUFFER_READY is signaled, writes the process identifier and its argument into the shared memory section DBWIN_BUFFER, signals the event DBWIN_DATA_READY and returns to its caller.

Synopsis

DBWINNER.COM

Downloads

The console application is available in two functional identical forms: DBWINNER.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and DBWINNER.COM, a small form without these extras.

Implementation and Build Details

Debug String Monitor is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Debug String Monitor from the source presented hereafter.

  1. Create the text file DBWINNER.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

const	LPCSTR	szCtrlType[] = {"Ctrl-C",
		                "Ctrl-Break",
		                "Ctrl-Close",
		                NULL,
		                NULL,
		                "Ctrl-Logoff",
		                "Ctrl-Shutdown"};

BOOL	WINAPI	CtrlHandler(DWORD dwCtrlType)
{
	switch (dwCtrlType)
	{
	case CTRL_C_EVENT:
	case CTRL_BREAK_EVENT:
	case CTRL_CLOSE_EVENT:
	case CTRL_LOGOFF_EVENT:
	case CTRL_SHUTDOWN_EVENT:

		OutputDebugStringA(szCtrlType[dwCtrlType]);

		return TRUE;

	default:
		return FALSE;
	}
}

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

typedef	struct	_dbwin_buffer
{
	DWORD	dwProcessId;
	CHAR	szString[4096 - sizeof(DWORD)];
} DBWIN_BUFFER;

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	DBWIN_BUFFER	*lpDBWin;

	HANDLE	hDBWin;
	HANDLE	hDBWinBuffer;
	HANDLE	hDBWinData;
	DWORD	dwDBWinData;
	DWORD	dwString;
	DWORD	dwError = ERROR_SUCCESS;
	DWORD	dwProcessId = 0;
	DWORD	dwCurrentProcessId = GetCurrentProcessId();
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		hDBWin = CreateFileMapping(INVALID_HANDLE_VALUE,
		                           (LPSECURITY_ATTRIBUTES) NULL,
		                           PAGE_READWRITE,
		                           0,
		                           sizeof(DBWIN_BUFFER),
		                           L"DBWIN_BUFFER");
		dwError = GetLastError();

		if (hDBWin == NULL)
			PrintConsole(hConsole,
			             L"CreateFileMapping() returned error %lu\n",
			             dwError);
		else
		{
			if (dwError == ERROR_ALREADY_EXISTS)
				PrintConsole(hConsole,
				             L"Shared section \'DBWIN_BUFFER\' already created by another process!\n");
			else
			{
				hDBWinBuffer = CreateEvent((LPSECURITY_ATTRIBUTES) NULL,
				                           FALSE,
				                           FALSE,
				                           L"DBWIN_BUFFER_READY");
				dwError = GetLastError();

				if (hDBWinBuffer == NULL)
					PrintConsole(hConsole,
					             L"CreateEvent() returned error %lu\n",
					             dwError);
				else
				{
					if (dwError == ERROR_ALREADY_EXISTS)
						PrintConsole(hConsole,
						             L"Event \'DBWIN_BUFFER_READY\' already created by another process!\n");
					else
					{
						hDBWinData = CreateEvent((LPSECURITY_ATTRIBUTES) NULL,
						                         FALSE,
						                         FALSE,
						                         L"DBWIN_DATA_READY");
						dwError = GetLastError();

						if (hDBWinData == NULL)
							PrintConsole(hConsole,
							             L"CreateEvent() returned error %lu\n",
							             dwError);
						else
						{
							if (dwError == ERROR_ALREADY_EXISTS)
								PrintConsole(hConsole,
								             L"Event \'DBWIN_DATA_READY\' already created by another process!\n");
							else
							{
								lpDBWin = MapViewOfFile(hDBWin,
								                        SECTION_MAP_READ | SECTION_MAP_WRITE,
								                        0, 0,
								                        (SIZE_T) 0);

								if (lpDBWin == NULL)
									PrintConsole(hConsole,
									             L"MapViewOfFile() returned error %lu\n",
									             dwError = GetLastError());
								else
								{
									if (!SetConsoleCtrlHandler(CtrlHandler, TRUE))
										PrintConsole(hConsole,
										             L"SetConsoleCtrlHandler() returned error %lu\n",
										             dwError = GetLastError());

									PrintConsole(hConsole,
									             L"Press \'Ctrl-C\' or \'Ctrl-Break\' to stop!\n"
									             L"\n"
									             L"Process\tDebug String\n");
									do
									{
										dwDBWinData = SignalObjectAndWait(hDBWinBuffer,
										                                  hDBWinData,
										                                  INFINITE,
										                                  FALSE);

										if (dwDBWinData != WAIT_OBJECT_0)
											break;

										dwString = strlen(lpDBWin->szString);

										while ((dwString-- > 0)
										    && ((lpDBWin->szString[dwString] == ' ')
										     || (lpDBWin->szString[dwString] == '\a')
										     || (lpDBWin->szString[dwString] == '\b')
										     || (lpDBWin->szString[dwString] == '\f')
										     || (lpDBWin->szString[dwString] == '\n')
										     || (lpDBWin->szString[dwString] == '\r')
										     || (lpDBWin->szString[dwString] == '\t')
										     || (lpDBWin->szString[dwString] == '\v')))
											/* lpDBWin->szString[dwString] = '\0' */;

										lpDBWin->szString[++dwString] = '\0';

										if (lpDBWin->dwProcessId != dwProcessId)
											PrintConsole(hConsole,
											             L"\n"
											             L"%7lu\t%hs\n",
											             dwProcessId = lpDBWin->dwProcessId,
											             lpDBWin->szString);
										else
											PrintConsole(hConsole,
											             L"\t%hs\n",
											             lpDBWin->szString);
									} while (dwProcessId != dwCurrentProcessId);

									if (dwDBWinData == WAIT_FAILED)
										PrintConsole(hConsole,
										             L"SignalObjectAndWait() returned error %lu\n",
										             dwError = GetLastError());

									if (!SetConsoleCtrlHandler(CtrlHandler, FALSE))
										PrintConsole(hConsole,
										             L"SetConsoleCtrlHandler() returned error %lu\n",
										             GetLastError());

									if (!UnmapViewOfFile(lpDBWin))
										PrintConsole(hConsole,
										             L"UnmapViewOfFile() returned error %lu\n",
										             GetLastError());
								}
							}

							if (!CloseHandle(hDBWinData))
								PrintConsole(hConsole,
								             L"CloseHandle() returned error %lu\n",
								             GetLastError());
						}
					}

					if (!CloseHandle(hDBWinBuffer))
						PrintConsole(hConsole,
						             L"CloseHandle() returned error %lu\n",
						             GetLastError());
				}
			}

			if (!CloseHandle(hDBWin))
				PrintConsole(hConsole,
				             L"CloseHandle() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file DBWINNER.C created in step 1., link the compiled object file DBWINNER.OBJ and cleanup afterwards: 

    SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeDBWINNER.COM DBWINNER.C
ERASE DBWINNER.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

DBWINNER.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Language Enumerator

Purpose
Synopsis
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Enumerate Languages via Language Identifiers and print the (localised) Language Names.

Synopsis

LANGUAGE.COM

Downloads

The console application is available in two functional identical forms: LANGUAGE.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and LANGUAGE.COM, a small form without these extras.

Implementation and Build Details

Language Enumerator is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Language Enumerator from the source presented hereafter.

  1. Create the text file LANGUAGE.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	DWORD	dwError = ERROR_SUCCESS;
	DWORD	dwPrimaryLanguage;
	DWORD	dwLanguage;
	WCHAR	szLanguage[123];
	WCHAR	szNeutral[123];
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		if (VerLanguageName(0,
		                    szNeutral,
		                    sizeof(szNeutral) / sizeof(*szNeutral)) == 0)
			PrintConsole(hConsole,
			             L"VerLanguageName() returned error %lu for LCID 0x%04lX\n",
			             dwError = GetLastError(), 0);
		else
		{
			PrintConsole(hConsole,
			             L"\n0x%04lX = %ls\n",
			             0, szNeutral);

			for (dwPrimaryLanguage = 0; dwPrimaryLanguage < 0x0200; dwPrimaryLanguage++)
				for (dwLanguage = dwPrimaryLanguage; dwLanguage < 0x8000; dwLanguage += 0x0400)
					if (VerLanguageName(dwLanguage,
					                    szLanguage,
					                    sizeof(szLanguage) / sizeof(*szLanguage)) == 0)
						PrintConsole(hConsole,
						             L"VerLanguageName() returned error %lu for LCID 0x%04lX\n",
						             dwError = GetLastError(), dwLanguage);
					else
						if (wcscmp(szLanguage, szNeutral) != 0)
							PrintConsole(hConsole,
							             L"\n0x%04lX = %ls\n" + (dwLanguage != dwPrimaryLanguage),
							             dwLanguage, szLanguage);
						else
							if ((dwLanguage != 0)
							 && (dwLanguage == dwPrimaryLanguage))
								break;
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file LANGUAGE.C created in step 1., link the compiled object file LANGUAGE.OBJ and cleanup afterwards: 

    SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeLANGUAGE.COM LANGUAGE.C
ERASE LANGUAGE.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

LANGUAGE.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Locale Enumerator

Purpose
Synopsis
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Enumerate Locales via Locale Identifiers and print the localised, english plus native Locale Names.

Synopsis

LOCALE.COM

Downloads

The console application is available in two functional identical forms: LOCALE.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and LOCALE.COM, a small form without these extras.

Implementation and Build Details

Locale Enumerator is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Locale Enumerator from the source presented hereafter.

  1. Create the text file LOCALE.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	DWORD	dwError = ERROR_SUCCESS;
	DWORD	dwPrimaryLanguage;
	DWORD	dwLanguage;
	BOOL	bLanguage;
	WCHAR	szLanguage[123];
	WCHAR	szEnglishLanguage[123];
	WCHAR	szEnglishCountry[123];
#ifdef NATIVE
	WCHAR	szNativeLanguage[80];
	WCHAR	szNativeCountry[80];
#endif
	WCHAR	szISO639[9];
	WCHAR	szISO3166[9];
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		for (dwPrimaryLanguage = 0; ++dwPrimaryLanguage < 0x0200;)
		{
			bLanguage = FALSE;

			for (dwLanguage = dwPrimaryLanguage; dwLanguage += 0x0400, dwLanguage < 0x8000;)
				if (GetLocaleInfo(dwLanguage,
				                  LOCALE_SLANGUAGE,
				                  szLanguage,
				                  sizeof(szLanguage) / sizeof(*szLanguage)) == 0)
				{
					dwError = GetLastError();

					if (dwError == ERROR_INVALID_PARAMETER)
						dwError = ERROR_SUCCESS;
					else
						PrintConsole(hConsole,
						             L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
						             dwError, dwLanguage);
				}
				else
				{
					if (GetLocaleInfo(dwLanguage,
					                  LOCALE_SISO639LANGNAME,
					                  szISO639,
					                  sizeof(szISO3166) / sizeof(*szISO3166)) == 0)
						PrintConsole(hConsole,
						             L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
						             dwError = GetLastError(), dwLanguage);

					if (GetLocaleInfo(dwLanguage,
					                  LOCALE_SISO3166CTRYNAME,
					                  szISO3166,
					                  sizeof(szISO3166) / sizeof(*szISO3166)) == 0)
						PrintConsole(hConsole,
						             L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
						             dwError = GetLastError(), dwLanguage);

					if (GetLocaleInfo(dwLanguage,
					                  LOCALE_SENGLANGUAGE,
					                  szEnglishLanguage,
					                  sizeof(szEnglishLanguage) / sizeof(*szEnglishLanguage)) == 0)
						PrintConsole(hConsole,
						             L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
						             dwError = GetLastError(), dwLanguage);

					if (GetLocaleInfo(dwLanguage,
					                  LOCALE_SENGCOUNTRY,
					                  szEnglishCountry,
					                  sizeof(szEnglishCountry) / sizeof(*szEnglishCountry)) == 0)
						PrintConsole(hConsole,
						             L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
						             dwError = GetLastError(), dwLanguage);
#ifdef NATIVE
					if (GetLocaleInfo(dwLanguage,
					                  LOCALE_SNATIVELANGNAME,
					                  szNativeLanguage,
					                  sizeof(szNativeLanguage) / sizeof(*szNativeLanguage)) == 0)
						PrintConsole(hConsole,
						             L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
						             dwError = GetLastError(), dwLanguage);

					if (GetLocaleInfo(dwLanguage,
					                  LOCALE_SNATIVECTRYNAME,
					                  szNativeCountry,
					                  sizeof(szNativeCountry) / sizeof(*szNativeCountry)) == 0)
						PrintConsole(hConsole,
						             L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
						             dwError = GetLastError(), dwLanguage);

					PrintConsole(hConsole,
					             L"\n0x%04lX = %ls // %ls-%ls;%ls (%ls), %ls (%ls)\n" + bLanguage,
					             dwLanguage,
					             szLanguage,
					             szISO639,
					             szISO3166,
					             szEnglishLanguage,
					             szEnglishCountry,
					             szNativeLanguage,
					             szNativeCountry);
#else
					PrintConsole(hConsole,
					             L"\n0x%04lX = %ls // %ls-%ls;%ls (%ls)\n" + bLanguage,
					             dwLanguage,
					             szLanguage,
					             szISO639,
					             szISO3166,
					             szEnglishLanguage,
					             szEnglishCountry);
#endif
					bLanguage = TRUE;

				}
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file LOCALE.C created in step 1., link the compiled object file LOCALE.OBJ and cleanup afterwards: 

    SET CL=/DNATIVE /GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeLOCALE.COM LOCALE.C
ERASE LOCALE.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

LOCALE.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Network Enumerator

Purpose
Synopsis
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Enumerate network resources.

Synopsis

NETWORK.COM

Downloads

The console application is available in two functional identical forms: NETWORK.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and NETWORK.COM, a small form without these extras.

Implementation and Build Details

Network Enumerator is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Network Enumerator from the source presented hereafter.

  1. Create the text file NETWORK.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <winnetwk.h>

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

const	LPCWSTR	szDisplayType[] = {L"Generic",
		                   L"Domain",
		                   L"Server",
		                   L"Share",
		                   L"File",
		                   L"Group",
		                   L"Network",
		                   L"Root",
		                   L"Administrative Share",
		                   L"Directory",
		                   L"Tree",
		                   L"NDS Container"};

__declspec(safebuffers)
VOID	WINAPI	Network(HANDLE hConsole, LPNETRESOURCE lpNR, DWORD dwLevel)
{
	NETRESOURCE	nr[80];

	HANDLE	hNetwork;
	DWORD	dwCount;
	DWORD	dwSize;

	DWORD	dwError = WNetOpenEnum(RESOURCE_GLOBALNET,
		                       RESOURCETYPE_ANY,
#if 0
		                       RESOURCEUSAGE_ALL,
#else
		                       0,
#endif
		                       lpNR,
		                       &hNetwork);

	if (dwError != ERROR_SUCCESS)
		PrintConsole(hConsole,
		             L"WNetOpenEnum() returned error %lu\n",
	                     dwError);
	else
	{
		for (;;)
		{
			dwCount = 1;
			dwSize = sizeof(nr);
			dwError = WNetEnumResource(hNetwork,
			                           &dwCount,
			                           nr,
			                           &dwSize);

			if (dwError != ERROR_SUCCESS)
				break;

			PrintConsole(hConsole,
			             L"\n"
			             L"%lsScope:\t\t%lu\n"
			             L"%lsType:\t\t%lu\n"
			             L"%lsDisplay Type:\t%lu = %ls\n"
			             L"%lsUsage:\t\t0x%08lX\n"
			             L"%lsLocal Name:\t%ls\n"
			             L"%lsRemote Name:\t%ls\n"
			             L"%lsComment:\t%ls\n"
			             L"%lsProvider:\t%ls\n",
			             L"\t\t\t" + 3 + dwLevel, nr->dwScope,
			             L"\t\t\t" + 3 + dwLevel, nr->dwType,
			             L"\t\t\t" + 3 + dwLevel, nr->dwDisplayType,
			             nr->dwDisplayType < sizeof(szDisplayType) / sizeof(*szDisplayType) ? szDisplayType[nr->dwDisplayType] : L"Unknown",
			             L"\t\t\t" + 3 + dwLevel, nr->dwUsage,
			             L"\t\t\t" + 3 + dwLevel, nr->lpLocalName,
			             L"\t\t\t" + 3 + dwLevel, nr->lpRemoteName,
			             L"\t\t\t" + 3 + dwLevel, nr->lpComment,
			             L"\t\t\t" + 3 + dwLevel, nr->lpProvider);

			if (nr->dwUsage & RESOURCEUSAGE_CONTAINER)
				Network(hConsole, nr, dwLevel - 1);
		}

		if (dwError != ERROR_NO_MORE_ITEMS)
			PrintConsole(hConsole,
			             L"WNetEnumResource() returned error %lu\n",
			             dwError);

		dwError = WNetCloseEnum(hNetwork);

		if (dwError != ERROR_SUCCESS)
			PrintConsole(hConsole,
			             L"WNetCloseEnum() returned error %lu\n",
			             dwError);
	}
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	DWORD	dwError = ERROR_SUCCESS;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		Network(hConsole, (LPNETRESOURCE) NULL, 0);

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file NETWORK.C created in step 1., link the compiled object file NETWORK.OBJ and cleanup afterwards: 

    SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:MPR.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeNETWORK.COM NETWORK.C
ERASE NETWORK.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

NETWORK.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Directory Change Notifier

Purpose
Synopsis
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Monitor up to 64 directory trees, specified by their absolute or relative pathnames, for changes.

Synopsis

NOTIFIER.COM ‹directory name› …

Downloads

The console application is available in two functional identical forms: NOTIFIER.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and NOTIFIER.COM, a small form without these extras.

Implementation and Build Details

Directory Change Notifier is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows Vista and newer versions of Windows NT as well as Windows PE 2.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Directory Change Notifier from the source presented hereafter.

  1. Create the text file NOTIFIER.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

#define FILE_NOTIFY_CHANGE_UNDOCUMENTED	0x00000E80UL
#define FILE_NOTIFY_CHANGE_ANY		0x00000FFFUL
#define FILE_NOTIFY_CHANGE_INVALID	0xFFFFF000UL

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

HANDLE	hThreads[MAXIMUM_WAIT_OBJECTS];
DWORD	dwThreads = 0;

const	LPCWSTR	szCtrlType[] = {L"C",
		                L"Break",
		                L"Close",
		                NULL,
		                NULL,
		                L"Logoff",
		                L"Shutdown"};

BOOL	WINAPI	CtrlHandler(DWORD dwCtrlType)
{
	DWORD	dwThread = dwThreads;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	switch (dwCtrlType)
	{
	case CTRL_C_EVENT:
	case CTRL_BREAK_EVENT:
	case CTRL_CLOSE_EVENT:
	case CTRL_LOGOFF_EVENT:
	case CTRL_SHUTDOWN_EVENT:

		PrintConsole(hConsole,
		             L"Ctrl-%ls\n",
		             szCtrlType[dwCtrlType]);

		while (dwThread-- > 0)
			if (!CancelSynchronousIo(hThreads[dwThread]))
				PrintConsole(hConsole,
				             L"CancelSynchronousIo() returned error %lu for thread 0x%p\n",
				             GetLastError(), hThreads[dwThread]);

		return TRUE;

	default:
		return FALSE;
	}
}

const	LPCWSTR	lpAction[] = {NULL,
		              L"Added",
		              L"Removed",
		              L"Modified",
		              L"Renamed from",
		              L"Renamed to"};

__declspec(safebuffers)
DWORD	WINAPI	ThreadProc(LPCWSTR lpArgument)
{
	FILE_NOTIFY_INFORMATION	*lpEntry;
#if 0
	BY_HANDLE_FILE_INFORMATION	bhfi;
#else
	FILE_ATTRIBUTE_TAG_INFO		fati;
#endif
	HANDLE	hArgument;
	WCHAR	szArgument[MAX_PATH];
	DWORD	dwArgument;
	DWORD	dwError = ERROR_SUCCESS;
	DWORD	dwEntry;
	DWORD	dwBuffer[65536 / sizeof(DWORD)];
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		hArgument = CreateFile(lpArgument,
		                       FILE_LIST_DIRECTORY,
		                       FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
		                       (LPSECURITY_ATTRIBUTES) NULL,
		                       OPEN_EXISTING,
		                       FILE_FLAG_BACKUP_SEMANTICS,
		                       (HANDLE) NULL);

		if (hArgument == INVALID_HANDLE_VALUE)
			PrintConsole(hConsole,
			             L"CreateFile() returned error %lu for argument \'%ls\'\n",
			             dwError = GetLastError(), lpArgument);
		else
		{
#if 0
			if (!GetFileInformationByHandle(hArgument,
			                                &bhfi))
				PrintConsole(hConsole,
				             L"GetFileInformationByHandle() returned error %lu for argument \'%ls\'\n",
				             dwError = GetLastError(), lpArgument);
			else
				if (((bhfi.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
				 || ((bhfi.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == FILE_ATTRIBUTE_REPARSE_POINT))
#else
			if (!GetFileInformationByHandleEx(hArgument,
			                                  FileAttributeTagInfo,
			                                  &fati,
			                                  sizeof(fati)))
				PrintConsole(hConsole,
				             L"GetFileInformationByHandleEx() returned error %lu for argument \'%ls\'\n",
				             dwError = GetLastError(), lpArgument);
			else
				if (((fati.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
				 || ((fati.FileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == FILE_ATTRIBUTE_REPARSE_POINT))
#endif
					PrintConsole(hConsole,
					             L"Argument \'%ls\' is not a directory!\n",
					             lpArgument);
				else
				{
					dwArgument = GetFinalPathNameByHandle(hArgument,
					                                      szArgument,
					                                      sizeof(szArgument) / sizeof(*szArgument),
					                                      FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);

					if (dwArgument == 0)
						PrintConsole(hConsole,
						             L"GetFinalPathNameByHandle() returned error %lu for argument \'%ls\'\n",
						             dwError = GetLastError(), lpArgument);
					else
					{
						while (ReadDirectoryChangesW(hArgument,
						                             dwBuffer,
						                             sizeof(dwBuffer),
						                             TRUE,
#ifdef FILE_NOTIFY_CHANGE_ALL
						                             FILE_NOTIFY_CHANGE_ALL,
#else
						                             FILE_NOTIFY_CHANGE_ATTRIBUTES | FILE_NOTIFY_CHANGE_CREATION | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_ACCESS | FILE_NOTIFY_CHANGE_LAST_WRITE | FILE_NOTIFY_CHANGE_SECURITY | FILE_NOTIFY_CHANGE_SIZE,
#endif
						                             &dwEntry,
						                             (LPOVERLAPPED) NULL,
						                             (LPOVERLAPPED_COMPLETION_ROUTINE) NULL))
							for (lpEntry = (PFILE_NOTIFY_INFORMATION) dwBuffer;
							     dwEntry != 0;
							     lpEntry = (PFILE_NOTIFY_INFORMATION) ((LPBYTE) lpEntry + dwEntry))
							{
								dwEntry = lpEntry->NextEntryOffset;
								lpEntry->FileName[lpEntry->FileNameLength / sizeof(lpEntry->FileName[0])] = L'\0';

								PrintConsole(hConsole,
								             L"%ls %ls\\%ls\n",
								             lpAction[lpEntry->Action], szArgument + 4, lpEntry->FileName);
							}

						PrintConsole(hConsole,
						             L"ReadDirectoryChanges() returned error %lu for directory \'%ls\'\n",
						             dwError = GetLastError(), szArgument + 4);
					}
				}

			if (!CloseHandle(hArgument))
				PrintConsole(hConsole,
				             L"CloseHandle() returned error %lu\n",
				             GetLastError());
		}
	}

	return dwError;
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	LPWSTR	*lpArguments;
	INT	nArguments;
	INT	nArgument = 1;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	DWORD	dwThreadId;
	HANDLE	hThread;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
			if (nArguments < 2)
				PrintConsole(hConsole,
				             L"Too few arguments: at least one directory name must be given!\n");
			else if (nArguments > sizeof(hThreads) / sizeof(*hThreads) + 1)
				PrintConsole(hConsole,
				             L"Too many arguments: at most %lu directory names may be given!\n",
				             sizeof(hThreads) / sizeof(*hThreads));
			else
			{
				do
				{
					hThread = CreateThread((LPSECURITY_ATTRIBUTES) NULL,
					                       (SIZE_T) 65536,
					                       ThreadProc,
					                       lpArguments[nArgument],
					                       0,
					                       &dwThreadId);

					if (hThread == NULL)
						PrintConsole(hConsole,
						             L"CreateThread() returned error %lu\n",
						             dwError = GetLastError());
					else
					{
						hThreads[dwThreads++] = hThread;

						PrintConsole(hConsole,
						             L"Thread %lu created for argument \'%ls\'\n",
						             dwThreadId, lpArguments[nArgument]);
					}
				} while (++nArgument < nArguments);

				if (dwThreads > 0)
				{
					if (!SetConsoleCtrlHandler(CtrlHandler, TRUE))
						PrintConsole(hConsole,
						             L"SetConsoleCtrlHandler() returned error %lu\n",
						             dwError = GetLastError());

					PrintConsole(hConsole,
					             L"Press \'Ctrl-C\' or \'Ctrl-Break\' to stop!\n"
					             L"\n");

					if (WaitForMultipleObjects(dwThreads,
					                           hThreads,
					                           TRUE,
					                           INFINITE) == WAIT_FAILED)
						PrintConsole(hConsole,
						             L"WaitForMultipleObjects() returned error %lu\n",
						             dwError = GetLastError());
					else
						do
							if (!CloseHandle(hThreads[--dwThreads]))
								PrintConsole(hConsole,
								             L"CloseHandle() returned error %lu\n",
								             GetLastError());
						while (dwThreads > 0);

					if (!SetConsoleCtrlHandler(CtrlHandler, FALSE))
						PrintConsole(hConsole,
						             L"SetConsoleCtrlHandler() returned error %lu\n",
						             GetLastError());
				}
			}

			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file NOTIFIER.C created in step 1., link the compiled object file NOTIFIER.OBJ and cleanup afterwards: 

    SET CL=/GAFS /Gs69632 /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:6.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeNOTIFIER.COM NOTIFIER.C
ERASE NOTIFIER.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

NOTIFIER.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Portable Executable Metadata Reader

Purpose
Background Information
Synopsis
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Enumerate the metadata of portable executable image files, i.e. applications, (resource) DLLs, drivers etc., print them in UTF-16LE encoding on standard output (which must be redirected to a file or piped into an application that reads from standard input, like Clip, Find or More).

Background Information

The MSDN article PE Format documents the disk layout of portable executable image files; Matt Pietrek’s MSDN magazine articles Peering Inside the PE - A Tour of the Win32 Portable Executable File Format, An In-Depth Look into the Win32 Portable Executable File Format and An In-Depth Look into the Win32 Portable Executable File Format, Part 2 provide additional information.

Synopsis

PECOFFIN.COM ‹image file name› >‹output file name›
PECOFFIN.COM ‹image file name› | MORE.COM

Downloads

The console application is available in two functional identical forms: PECOFFIN.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and PECOFFIN.COM, a small form without these extras.

Implementation and Build Details

Portable Executable Metadata Reader is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Portable Executable Metadata Reader from the source presented hereafter.

  1. Create the text file PECOFFIN.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <wintrust.h>
#include <shellapi.h>

#if ANYSIZE_ARRAY != 1
#error ANYSIZE_ARRAY must be defined as 1!
#endif

#ifndef IMAGE_DEBUG_TYPE_VC_FEATURE
#define IMAGE_DEBUG_TYPE_VC_FEATURE	12
#endif

#ifndef IMAGE_DEBUG_TYPE_POGO
#define IMAGE_DEBUG_TYPE_POGO		13
#endif

#ifndef IMAGE_DEBUG_TYPE_ILTCG
#define IMAGE_DEBUG_TYPE_ILTCG		14
#endif

#ifndef IMAGE_DEBUG_TYPE_MPX
#define IMAGE_DEBUG_TYPE_MPX		15
#endif

#ifndef IMAGE_DEBUG_TYPE_REPRO
#define IMAGE_DEBUG_TYPE_REPRO		16
#endif

#define IMAGE_DLLCHARACTERISTICS_RESERVED		0x000FU

#ifndef IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA	0x0020U
#endif

#ifndef IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE		0x0040U
#endif

#ifndef IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY	0x0080U
#endif

#ifndef IMAGE_DLLCHARACTERISTICS_NX_COMPAT
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT		0x0100U
#endif

#ifndef IMAGE_DLLCHARACTERISTICS_APPCONTAINER
#define IMAGE_DLLCHARACTERISTICS_APPCONTAINER		0x1000U
#endif

#ifndef IMAGE_DLLCHARACTERISTICS_GUARD_CF
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF		0x4000U
#endif

#ifndef IMAGE_LOADER_FLAGS_COMPLUS
#define IMAGE_LOADER_FLAGS_COMPLUS		0x00000001UL
#endif

#ifndef IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL
#define IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL	0x01000000UL
#endif

#ifndef IMAGE_FILE_16BIT_MACHINE
#define IMAGE_FILE_16BIT_MACHINE	0x0040U
#endif

#ifndef IMAGE_FILE_MACHINE_TARGET_HOST
#define IMAGE_FILE_MACHINE_TARGET_HOST	0x0001U
#endif

#ifndef IMAGE_FILE_MACHINE_I860
#define IMAGE_FILE_MACHINE_I860		0x014DU
#endif

#ifndef IMAGE_FILE_MACHINE_ARMNT
#define IMAGE_FILE_MACHINE_ARMNT	0x01C4U
#endif

#ifndef IMAGE_FILE_MACHINE_M68K
#define IMAGE_FILE_MACHINE_M68K		0x0268U
#endif

#ifndef IMAGE_FILE_MACHINE_PARISC
#define IMAGE_FILE_MACHINE_PARISC	0x0290U
#endif

#ifndef IMAGE_FILE_MACHINE_CHPE_X86
#define IMAGE_FILE_MACHINE_CHPE_X86	0x3A64U	// Compiled Hybrid PE
#endif

#ifndef IMAGE_FILE_MACHINE_RISCV32
#define IMAGE_FILE_MACHINE_RISCV32	0x5032U
#endif

#ifndef IMAGE_FILE_MACHINE_RISCV64
#define IMAGE_FILE_MACHINE_RISCV64	0x5064U
#endif

#ifndef IMAGE_FILE_MACHINE_RISCV128
#define IMAGE_FILE_MACHINE_RISCV128	0x5128U
#endif

#ifndef IMAGE_FILE_MACHINE_LOONGARCH32
#define IMAGE_FILE_MACHINE_LOONGARCH32	0x6232U
#endif

#ifndef IMAGE_FILE_MACHINE_LOONGARCH64
#define IMAGE_FILE_MACHINE_LOONGARCH64	0x6264U
#endif

#ifndef IMAGE_FILE_MACHINE_ARM64
#define IMAGE_FILE_MACHINE_ARM64	0xAA64U
#endif

#ifndef IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION	16
#endif

#ifndef IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG
#define IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG		17
#endif

#ifndef IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT
#define IMAGE_GUARD_CF_INSTRUMENTED			0x00000100UL
#define IMAGE_GUARD_CFW_INSTRUMENTED			0x00000200UL
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT		0x00000400UL
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED		0x00000800UL
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT		0x00001000UL
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION	0x00002000UL
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT	0x00004000UL
#define IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION	0x00008000UL
#define IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT		0x00010000UL
#define IMAGE_GUARD_RF_INSTRUMENTED			0x00020000UL
#define IMAGE_GUARD_RF_ENABLE				0x00040000UL
#define IMAGE_GUARD_RF_STRICT				0x00080000UL
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK		0xF0000000UL
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT	28
#endif

#ifndef LOAD_LIBRARY_SEARCH_DEFAULT_DIRS
#define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR		0x00000100UL
#define LOAD_LIBRARY_SEARCH_APPLICATION_DIR		0x00000200UL
#define LOAD_LIBRARY_SEARCH_USER_DIRS			0x00000400UL
#define LOAD_LIBRARY_SEARCH_SYSTEM32			0x00000800UL
#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS		0x00001000UL
#define LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS		0x00002000UL
#define LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER	0x00004000UL
#define LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY		0x00008000UL
#endif

typedef	struct	_IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY
{
	DWORD	BeginAddress;
	DWORD	UnwindData;
} IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY, *LPIMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY, *PIMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY;

typedef	struct	_IMAGE_DELAYLOAD_DESCRIPTOR
{
	union
	{
		DWORD	AllAttributes;
		struct
		{
			DWORD	RvaBased           : 1;
			DWORD	ReservedAttributes : 31;
		};
	} Attributes;

	DWORD	DllNameRVA;
	DWORD	ModuleHandleRVA;
	DWORD	ImportAddressTableRVA;
	DWORD	ImportNameTableRVA;
	DWORD	BoundImportAddressTableRVA;
	DWORD	UnloadInformationTableRVA;
	DWORD	TimeDateStamp;
} IMAGE_DELAYLOAD_DESCRIPTOR, *LPIMAGE_DELAYLOAD_DESCRIPTOR, *PIMAGE_DELAYLOAD_DESCRIPTOR;

typedef	struct	_IMAGE_LOAD_CONFIGURATION_DIRECTORY32
{
	DWORD	Size;
	DWORD	TimeDateStamp;
	WORD	MajorVersion;
	WORD	MinorVersion;
	DWORD	GlobalFlagsClear;
	DWORD	GlobalFlagsSet;
	DWORD	CriticalSectionDefaultTimeout;
	DWORD	DeCommitFreeBlockThreshold;
	DWORD	DeCommitTotalFreeThreshold;
	DWORD	LockPrefixTable;
	DWORD	MaximumAllocationSize;
	DWORD	VirtualMemoryThreshold;
	DWORD	ProcessHeapFlags;
	DWORD	ProcessAffinityMask;
	WORD	CSDVersion;
#if 0
	WORD	Reserved1;
#else
	WORD	DependentLoadFlags;
#endif
	DWORD	EditList;
	DWORD	SecurityCookie;
	DWORD	SEHandlerTable;
	DWORD	SEHandlerCount;
						// Threshold 1 (1507)
	DWORD	GuardCFCheckFunctionPointer;
	DWORD	GuardCFDispatchFunctionPointer;
	DWORD	GuardCFFunctionTable;
	DWORD	GuardCFFunctionCount;
	DWORD	GuardFlags;
						// Threshold 2 (1511)
	struct	// _IMAGE_LOAD_CONFIG_CODE_INTEGRITY
	{
		WORD	Flags;
		WORD	Catalog;
		DWORD	CatalogOffset;
		DWORD	Reserved;
	} CodeIntegrity;
						// Redstone 1 (1607)
	DWORD	GuardAddressTakenIatEntryTable;
	DWORD	GuardAddressTakenIatEntryCount;
	DWORD	GuardLongJumpTargetTable;
	DWORD	GuardLongJumpTargetCount;
						//
	DWORD	DynamicValueRelocTable;
	DWORD	CHPEMetadataPointer;
						// Redstone 2 (1703)
	DWORD	GuardRFFailureRoutine;
	DWORD	GuardRFFailureRoutineFunctionPointer;
	DWORD	DynamicValueRelocTableOffset;
	WORD	DynamicValueRelocTableSection;
	WORD	Reserved2;
						//
	DWORD	GuardRFVerifyStackPointerFunctionPointer;
	DWORD	HotPatchTableOffset;
						// Redstone 3 (1709)
	DWORD	Reserved3;
	DWORD	EnclaveConfigurationPointer;
						// Redstone 4 (1803)
	DWORD	VolatileMetadataPointer;
						// Redstone 5 (1809)
	DWORD	GuardEHContinuationTable;
	DWORD	GuardEHContinuationCount;
						// Vanadium 1 (1903)
						// Vanadium 2 (1909)
						// Vibranium 1 (2004)
						// Vibranium 2 (20H2)
						// Vibranium 3 (21H1)
	DWORD	GuardXFGCheckFunctionPointer;
	DWORD	GuardXFGDispatchFunctionPointer;
	DWORD	GuardXFGTableDispatchFunctionPointer;
						// Vibranium 4 (21H2)
	DWORD	CastGuardOsDeterminedFailureMode;
						// Vibranium 5 (22H2)
	DWORD	GuardMemcpyFunctionPointer;
} IMAGE_LOAD_CONFIGURATION_DIRECTORY32, *LPIMAGE_LOAD_CONFIGURATION_DIRECTORY32, *PIMAGE_LOAD_CONFIGURATION_DIRECTORY32;

typedef	struct	_IMAGE_LOAD_CONFIGURATION_DIRECTORY64
{
	DWORD	Size;
	DWORD	TimeDateStamp;
	WORD	MajorVersion;
	WORD	MinorVersion;
	DWORD	GlobalFlagsClear;
	DWORD	GlobalFlagsSet;
	DWORD	CriticalSectionDefaultTimeout;
	DWORD64	DeCommitFreeBlockThreshold;
	DWORD64	DeCommitTotalFreeThreshold;
	DWORD64	LockPrefixTable;
	DWORD64	MaximumAllocationSize;
	DWORD64	VirtualMemoryThreshold;
	DWORD64	ProcessAffinityMask;
	DWORD	ProcessHeapFlags;
	WORD	CSDVersion;
#if 0
	WORD	Reserved1;
#else
	WORD	DependentLoadFlags;
#endif
	DWORD64	EditList;
	DWORD64	SecurityCookie;
	DWORD64	SEHandlerTable;
	DWORD64	SEHandlerCount;
						// Threshold 1 (1507)
	DWORD64	GuardCFCheckFunctionPointer;
	DWORD64	GuardCFDispatchFunctionPointer;
	DWORD64	GuardCFFunctionTable;
	DWORD64	GuardCFFunctionCount;
	DWORD	GuardFlags;
						// Threshold 2 (1511)
	struct	// _IMAGE_LOAD_CONFIG_CODE_INTEGRITY
	{
		WORD	Flags;
		WORD	Catalog;
		DWORD	CatalogOffset;
		DWORD	Reserved;
	} CodeIntegrity;
						// Redstone 1 (1607)
	DWORD64	GuardAddressTakenIatEntryTable;
	DWORD64	GuardAddressTakenIatEntryCount;
	DWORD64	GuardLongJumpTargetTable;
	DWORD64	GuardLongJumpTargetCount;
						//
	DWORD64	DynamicValueRelocTable;
	DWORD64	CHPEMetadataPointer;
						// Redstone 2 (1703)
	DWORD64	GuardRFFailureRoutine;
	DWORD64	GuardRFFailureRoutineFunctionPointer;
	DWORD	DynamicValueRelocTableOffset;
	WORD	DynamicValueRelocTableSection;
	WORD	Reserved2;
						//
	DWORD64	GuardRFVerifyStackPointerFunctionPointer;
	DWORD	HotPatchTableOffset;
						// Redstone 3 (1709)
	DWORD	Reserved3;
	DWORD64	EnclaveConfigurationPointer;
						// Redstone 4 (1803)
	DWORD64	VolatileMetadataPointer;
						// Redstone 5 (1809)
	DWORD64	GuardEHContinuationTable;
	DWORD64	GuardEHContinuationCount;
						// Vanadium 1 (1903)
						// Vanadium 2 (1909)
						// Vibranium 1 (2004)
						// Vibranium 2 (20H2)
						// Vibranium 3 (21H1)
	DWORD64	GuardXFGCheckFunctionPointer;
	DWORD64	GuardXFGDispatchFunctionPointer;
	DWORD64	GuardXFGTableDispatchFunctionPointer;
						// Vibranium 4 (21H2)
	DWORD64	CastGuardOsDeterminedFailureMode;
						// Vibranium 5 (22H2)
	DWORD64	GuardMemcpyFunctionPointer;
} IMAGE_LOAD_CONFIGURATION_DIRECTORY64, *LPIMAGE_LOAD_CONFIGURATION_DIRECTORY64, *PIMAGE_LOAD_CONFIGURATION_DIRECTORY64;

#ifndef RT_MENUEX
#define RT_MENUEX	MAKEINTRESOURCE(13)
#endif

#ifndef RT_NAMETABLE
#define RT_NAMETABLE	MAKEINTRESOURCE(15)
#endif

#ifndef RT_DIALOGEX
#define RT_DIALOGEX	MAKEINTRESOURCE(18)
#endif

#ifndef RT_DLGINIT
#define RT_DLGINIT	MAKEINTRESOURCE(240)
#endif

#ifndef RT_TOOLBAR
#define RT_TOOLBAR	MAKEINTRESOURCE(241)
#endif

#ifndef RT_LOCALE
#define RT_LOCALE	MAKEINTRESOURCE(255)
#endif

#ifndef WIN_CERT_TYPE_PKCS1_SIGN
#define WIN_CERT_TYPE_PKCS1_SIGN	0x0009
#endif

typedef	struct	_COFFStringTable
{
	DWORD	Size;
	CHAR	Strings[ANYSIZE_ARRAY];
} COFFStringTable;

typedef	struct	_CV_INFO_PDB20
{
	DWORD	Magic;		// '01BN' = "NB10"
	DWORD	Offset;
	DWORD	Signature;	// seconds since 1970-01-01
	DWORD	Age;
	CHAR	PdbFileName[ANYSIZE_ARRAY];
} CV_INFO_PDB20, *LPCV_INFO_PDB20, *PCV_INFO_PDB20;

typedef	struct	_CV_INFO_PDB70
{
	DWORD	Magic;		// 'SDSR' = "RSDS"
	GUID	Signature;
	DWORD	Age;
	CHAR	PdbFileName[ANYSIZE_ARRAY];
} CV_INFO_PDB70, *LPCV_INFO_PDB70, *PCV_INFO_PDB70;

typedef	struct	_POGO
{
	DWORD	Magic;		// 'LTCG' = "GCTL"
	struct
	{
		DWORD	Address;
		DWORD	Size;
		CHAR	Section[ANYSIZE_ARRAY];
	} Entries[ANYSIZE_ARRAY];
} POGO, *LPPOGO, *PPOGO;

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(safebuffers)
BOOL	PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	LPBYTE	lpOutput;
	DWORD	dwOutput;
	DWORD	dwFile;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	dwOutput *= sizeof(*szOutput);
	lpOutput = (LPBYTE) szOutput;

	do
	{
		if (!WriteFile(hFile, lpOutput, dwOutput, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpOutput += dwFile;
		dwOutput -= dwFile;
	} while (dwOutput > 0);

	return TRUE;
}

#define PrintString(HANDLE, LITERAL)	PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)

__inline
BOOL	WINAPI	PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
	DWORD	dwFile;

	dwString *= sizeof(*lpString);

	do
	{
		if (!WriteFile(hFile, lpString, dwString, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpString = (LPCWSTR) ((LPBYTE) lpString + dwFile);
		dwString -= dwFile;
	} while (dwString > 0);

	return TRUE;
}

LPCWSTR	WINAPI	CertificateTypeName(WORD wType)
{
	switch (wType)
	{
	case WIN_CERT_TYPE_X509:
		return L"X.509";

	case WIN_CERT_TYPE_PKCS_SIGNED_DATA:
		return L"PKCS";

	case WIN_CERT_TYPE_RESERVED_1:
		return L"(reserved)";

	case WIN_CERT_TYPE_TS_STACK_SIGNED:
		return L"Terminal Server";

	case WIN_CERT_TYPE_PKCS1_SIGN:
		return L"PKCS1_MODULE_SIGN";

	default:
		return L"<undefined>";
	}
}

LPCWSTR	WINAPI	DebugTypeName(DWORD dwType)
{
	switch (dwType)
	{
	case IMAGE_DEBUG_TYPE_UNKNOWN:
		return L"Unknown";

	case IMAGE_DEBUG_TYPE_COFF:
		return L"COFF";

	case IMAGE_DEBUG_TYPE_CODEVIEW:
		return L"Codeview";

	case IMAGE_DEBUG_TYPE_FPO:
		return L"Frame pointer omission";

	case IMAGE_DEBUG_TYPE_MISC:
		return L"Misc";

	case IMAGE_DEBUG_TYPE_EXCEPTION:
		return L"Exception";

	case IMAGE_DEBUG_TYPE_FIXUP:
		return L"Fixup";

	case IMAGE_DEBUG_TYPE_OMAP_TO_SRC:
		return L"OMAP to source";

	case IMAGE_DEBUG_TYPE_OMAP_FROM_SRC:
		return L"OMAP from source";

	case IMAGE_DEBUG_TYPE_BORLAND:
		return L"Borland";

	case IMAGE_DEBUG_TYPE_RESERVED10:
		return L"Reserved";

	case IMAGE_DEBUG_TYPE_CLSID:
		return L"CLSID";

	case IMAGE_DEBUG_TYPE_VC_FEATURE:
		return L"VC feature";

	case IMAGE_DEBUG_TYPE_POGO:
		return L"Profile guided optimization";

	case IMAGE_DEBUG_TYPE_ILTCG:
		return L"Link time code generation";

	case IMAGE_DEBUG_TYPE_MPX:
		return L"MPX";

	case IMAGE_DEBUG_TYPE_REPRO:
		return L"Repro";

	default:
		return L"<undefined>";
	}
}

LPCWSTR	WINAPI	MachineTypeName(WORD wMachine)
{
	switch (wMachine)
	{
	case IMAGE_FILE_MACHINE_UNKNOWN:	// 0x0000
		return L"Unknown";

	case IMAGE_FILE_MACHINE_TARGET_HOST:	// 0x0001
		return L"Target host";

	case IMAGE_FILE_MACHINE_I386:		// 0x014C
		return L"Intel IA-32";

	case IMAGE_FILE_MACHINE_I860:		// 0x014D
		return L"Intel i860";

	case 0x0160:
		return L"MIPS R3000, big-endian";

	case IMAGE_FILE_MACHINE_R3000:		// 0x0162
		return L"MIPS R3000, little-endian";

	case IMAGE_FILE_MACHINE_R4000:		// 0x0166
		return L"MIPS R4000, little-endian";

	case IMAGE_FILE_MACHINE_R10000:		// 0x0168
		return L"MIPS R10000, little-endian";

	case IMAGE_FILE_MACHINE_WCEMIPSV2:	// 0x0169
		return L"MIPS, little-endian, Windows CE v2";

	case IMAGE_FILE_MACHINE_ALPHA:		// 0x0184
		return L"DEC Alpha AXP";

	case IMAGE_FILE_MACHINE_SH3:		// 0x01A2
		return L"Hitachi SuperH 3, little-endian";

	case IMAGE_FILE_MACHINE_SH3DSP:		// 0x01A3
		return L"Hitachi SuperH 3 with DSP";

	case IMAGE_FILE_MACHINE_SH3E:		// 0x01A4
		return L"Hitachi SuperH 3E, little-endian";

	case IMAGE_FILE_MACHINE_SH4:		// 0x01A6
		return L"Hitachi SuperH 4, little-endian";

	case IMAGE_FILE_MACHINE_SH5:		// 0x01A8
		return L"Hitachi SuperH 5";

	case IMAGE_FILE_MACHINE_ARM:		// 0x01C0
		return L"ARM, little-endian";

	case IMAGE_FILE_MACHINE_THUMB:		// 0x01C2
		return L"ARM Thumb, little-endian";

	case IMAGE_FILE_MACHINE_ARMNT:		// 0x01C4
		return L"ARM Thumb-2, little-endian";

	case IMAGE_FILE_MACHINE_AM33:		// 0x01D3
		return L"Matsushita AM33";

	case IMAGE_FILE_MACHINE_POWERPC:	// 0x01F0
		return L"IBM PowerPC, little-endian";

	case IMAGE_FILE_MACHINE_POWERPCFP:	// 0x01F1
		return L"IBM PowerPC with FPU";

	case IMAGE_FILE_MACHINE_IA64:		// 0x0200
		return L"Intel IA-64";

	case IMAGE_FILE_MACHINE_MIPS16:		// 0x0266
		return L"MIPS, 16-bit instructions";

	case IMAGE_FILE_MACHINE_M68K:		// 0x0268
		return L"Motorola MC68000";

	case IMAGE_FILE_MACHINE_ALPHA64:	// 0x0284
//	case IMAGE_FILE_MACHINE_AXP64:
		return L"DEC Alpha AXP64";

	case IMAGE_FILE_MACHINE_PARISC:		// 0x0290
		return L"Hewlett-Packard PA-RISC";

	case IMAGE_FILE_MACHINE_MIPSFPU:	// 0x0366
		return L"MIPS with FPU";

	case IMAGE_FILE_MACHINE_MIPSFPU16:	// 0x0466
		return L"MIPS with FPU, 16-bit instructions";

	case IMAGE_FILE_MACHINE_TRICORE:	// 0x0520
		return L"Infineon TriCore";

	case 0x0601:
		return L"Motorola PowerPC 601";

	case IMAGE_FILE_MACHINE_CEF:		// 0x0CEF
		return L"CEF";

	case IMAGE_FILE_MACHINE_EBC:		// 0x0EBC
		return L"EFI Byte Code";

	case IMAGE_FILE_MACHINE_CHPE_X86:	// 0x3A64
		return L"Compiled Hybrid PE";

	case IMAGE_FILE_MACHINE_RISCV32:	// 0x5032
		return L"RISC-V, 32-bit address space";

	case IMAGE_FILE_MACHINE_RISCV64:	// 0x5064
		return L"RISC-V, 64-bit address space";

	case IMAGE_FILE_MACHINE_RISCV128:	// 0x5128
		return L"RISC-V, 128-bit address space";

	case IMAGE_FILE_MACHINE_LOONGARCH32:	// 0x6232
		return L"LoongArch, 32-bit";

	case IMAGE_FILE_MACHINE_LOONGARCH64:	// 0x6264
		return L"LoongArch, 64-bit";

	case IMAGE_FILE_MACHINE_AMD64:		// 0x8664
		return L"AMD64";

	case IMAGE_FILE_MACHINE_M32R:		// 0x9041
		return L"Mitsubishi M32R, little-endian";

	case IMAGE_FILE_MACHINE_ARM64:		// 0xAA64
		return L"ARMv8, 64-bit mode, little-endian";

	case IMAGE_FILE_MACHINE_CEE:		// 0xC0EE
		return L"CEE";

	default:
		return L"<undefined>";
	}
}

LPCWSTR	WINAPI	SubsystemName(WORD wSubsystem)
{
	switch (wSubsystem)
	{
	case IMAGE_SUBSYSTEM_UNKNOWN:
		return L"Unknown";

	case IMAGE_SUBSYSTEM_NATIVE:
		return L"Native";

	case IMAGE_SUBSYSTEM_WINDOWS_GUI:
		return L"Windows GUI";

	case IMAGE_SUBSYSTEM_WINDOWS_CUI:
		return L"Windows CUI";

	case IMAGE_SUBSYSTEM_OS2_CUI:
		return L"OS/2 CUI";

	case IMAGE_SUBSYSTEM_POSIX_CUI:
		return L"POSIX CUI";

	case IMAGE_SUBSYSTEM_NATIVE_WINDOWS:
		return L"Native Windows 9x driver";

	case IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
		return L"Windows CE";

	case IMAGE_SUBSYSTEM_EFI_APPLICATION:
		return L"EFI application";

	case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
		return L"EFI driver with boot services";

	case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
		return L"EFI driver with run-time services";

	case IMAGE_SUBSYSTEM_EFI_ROM:
		return L"EFI ROM image";

	case IMAGE_SUBSYSTEM_XBOX:
		return L"Xbox";

	case IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION:
		return L"Boot application";

	case IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG:
		return L"Xbox code catalog";

	default:
		return L"<undefined>";
	}
}

LPCWSTR	WINAPI	ResourceTypeName(WORD wResType)
{
	switch (wResType)
	{
	case RT_CURSOR:		// MAKEINTRESOURCE(1)
		return L"RT_CURSOR";

	case RT_BITMAP:		// MAKEINTRESOURCE(2)
		return L"RT_BITMAP";

	case RT_ICON:		// MAKEINTRESOURCE(3)
		return L"RT_ICON";

	case RT_MENU:		// MAKEINTRESOURCE(4)
		return L"RT_MENU";

	case RT_DIALOG:		// MAKEINTRESOURCE(5)
		return L"RT_DIALOG";

	case RT_STRING:		// MAKEINTRESOURCE(6)
#if 1
		return L"RT_STRING";
#else
		return L"RT_STRINGTABLE";
#endif
	case RT_FONTDIR:	// MAKEINTRESOURCE(7)
		return L"RT_FONTDIR";

	case RT_FONT:		// MAKEINTRESOURCE(8)
		return L"RT_FONT";

	case RT_ACCELERATOR:	// MAKEINTRESOURCE(9)
		return L"RT_ACCELERATOR";

	case RT_RCDATA:		// MAKEINTRESOURCE(10)
		return L"RT_RCDATA";

	case RT_MESSAGETABLE:	// MAKEINTRESOURCE(11)
		return L"RT_MESSAGETABLE";

	case RT_GROUP_CURSOR:	// MAKEINTRESOURCE(12)
		return L"RT_GROUP_CURSOR";

	case RT_MENUEX:		// MAKEINTRESOURCE(13)
		return L"RT_MENUEX";

	case RT_GROUP_ICON:	// MAKEINTRESOURCE(14)
		return L"RT_GROUP_ICON";

	case RT_NAMETABLE:	// MAKEINTRESOURCE(15)
		return L"RT_NAMETABLE";

	case RT_VERSION:	// MAKEINTRESOURCE(16)
		return L"RT_VERSION";

	case RT_DLGINCLUDE:	// MAKEINTRESOURCE(17)
		return L"RT_DLGINCLUDE";

	case RT_DIALOGEX:	// MAKEINTRESOURCE(18)
		return L"RT_DIALOGEX";

	case RT_PLUGPLAY:	// MAKEINTRESOURCE(19)
		return L"RT_PLUGPLAY";

	case RT_VXD:		// MAKEINTRESOURCE(20)
		return L"RT_VXD";

	case RT_ANICURSOR:	// MAKEINTRESOURCE(21)
		return L"RT_ANICURSOR";

	case RT_ANIICON:	// MAKEINTRESOURCE(22)
		return L"RT_ANIICON";

	case RT_HTML:		// MAKEINTRESOURCE(23)
		return L"RT_HTML";

	case RT_MANIFEST:	// MAKEINTRESOURCE(24)
		return L"RT_MANIFEST";

	case RT_DLGINIT:	// MAKEINTRESOURCE(240)
		return L"RT_DLGINIT";

	case RT_TOOLBAR:	// MAKEINTRESOURCE(241)
		return L"RT_TOOLBAR";

	case RT_LOCALE:		// MAKEINTRESOURCE(255)
		return L"RT_LOCALE";

	default:
		return NULL;
	}
}

BOOL	WINAPI	Resource(HANDLE                   hOutput,
		         IMAGE_RESOURCE_DIRECTORY *lpRoot,
		         IMAGE_RESOURCE_DIRECTORY *lpLevel,
		         DWORD                    dwLevel)	// 0, 1, 2
{
	BOOL	bOutput = TRUE;
	DWORD	dwEntry;

	IMAGE_RESOURCE_DIRECTORY_ENTRY	*lpEntry;
	IMAGE_RESOURCE_DIR_STRING_U	*lpUnicode;
	IMAGE_RESOURCE_DATA_ENTRY	*lpData;

	for (lpEntry = (IMAGE_RESOURCE_DIRECTORY_ENTRY *) (lpLevel + 1),
	     dwEntry = lpLevel->NumberOfNamedEntries + lpLevel->NumberOfIdEntries;
	     dwEntry > 0;
	     dwEntry--,
	     lpEntry++)
	{
		if ((lpEntry->Name & IMAGE_RESOURCE_NAME_IS_STRING) == IMAGE_RESOURCE_NAME_IS_STRING)
		{
			lpUnicode = (IMAGE_RESOURCE_DIR_STRING_U *) ((BYTE *) lpRoot + (lpEntry->Name ^ IMAGE_RESOURCE_NAME_IS_STRING));

			bOutput &= PrintDirect(hOutput, L"\t\t\t\tName   = " + 2 - dwLevel, dwLevel + 11);
			bOutput &= PrintDirect(hOutput, lpUnicode->NameString, lpUnicode->Length);
			bOutput &= PrintString(hOutput, L"\r\n");
			bOutput &= PrintFormat(hOutput, L"\t\t\t\tOffset = 0x%08lX\r\n" + 2 - dwLevel, lpEntry->OffsetToData);
		}
		else if (dwLevel > 1)
			bOutput &= PrintFormat(hOutput,
			                       L"\t\t\t\tLanguage = %hu\r\n"
			                       L"\t\t\t\tOffset   = 0x%08lX\r\n",
			                       lpEntry->Id,
			                       lpEntry->OffsetToData);
		else if (dwLevel > 0)
			bOutput &= PrintFormat(hOutput,
			                       L"\t\t\tId     = %hu\r\n"
			                       L"\t\t\tOffset = 0x%08lX\r\n",
			                       lpEntry->Id,
			                       lpEntry->OffsetToData);
		else
			bOutput &= PrintFormat(hOutput,
			                       L"\t\tType   = %hu (%ls)\r\n"
			                       L"\t\tOffset = 0x%08lX\r\n",
			                       lpEntry->Id, ResourceTypeName(lpEntry->Id),
			                       lpEntry->OffsetToData);

		if ((lpEntry->OffsetToData & IMAGE_RESOURCE_DATA_IS_DIRECTORY) == IMAGE_RESOURCE_DATA_IS_DIRECTORY)
			bOutput &= Resource(hOutput,
			                    lpRoot,
			                    (IMAGE_RESOURCE_DIRECTORY *) ((BYTE *) lpRoot + (lpEntry->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)),
			                    dwLevel + 1);
		else
		{
			lpData = (IMAGE_RESOURCE_DATA_ENTRY *) ((BYTE *) lpRoot + lpEntry->OffsetToData);

			bOutput &= PrintFormat(hOutput,
			                       L"\t\t\t\t\tAddress   = 0x%08lX\r\n"
			                       L"\t\t\t\t\tSize      = %lu\r\n"
			                       L"\t\t\t\t\tCode Page = %lu\r\n"
			                       L"\t\t\t\t\tReserved  = 0x%08lX\r\n",
			                       lpData->OffsetToData,
			                       lpData->Size,
			                       lpData->CodePage,
			                       lpData->Reserved);
		}
	}

	return bOutput;
}

const	LPCWSTR	szDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES] = {L"Export",
		                                                 L"Import",
		                                                 L"Resource",
		                                                 L"Exception Handler",
		                                                 L"Security",
		                                                 L"Base Relocation",
		                                                 L"Debug",
		                                                 L"Architecture",
		                                                 L"Global Pointer",
		                                                 L"Thread Local Storage",
		                                                 L"Load Configuration",
		                                                 L"Bound Import",
		                                                 L"Import Address Table",
		                                                 L"Delay Load Import",
		                                                 L"COM+ Descriptor",
		                                                 L"Reserved"};

LPVOID	WINAPI	RVA2Image(BYTE                 *lpImage,
		          IMAGE_SECTION_HEADER *lpSection,
		          DWORD                dwSection,
		          DWORD                dwRVA,
		          DWORD                dwDirectory,
		          HANDLE               hConsole)
{
	while (dwSection > 0)
	{
		if ((dwRVA >= lpSection->VirtualAddress)
		 && (dwRVA < lpSection->VirtualAddress + lpSection->SizeOfRawData))
			return lpImage + dwRVA - lpSection->VirtualAddress + lpSection->PointerToRawData;

		lpSection++;
		dwSection--;
	}

	PrintConsole(hConsole,
	             L"RVA 0x%08lX in IMAGE_DATA_DIRECTORY[%lu] outside of COFF sections!\n",
	             dwRVA, dwDirectory);

	return NULL;
}

const	LPCWSTR	szDayOfWeek[7] = {L"Sunday",
		                  L"Monday",
		                  L"Tuesday",
		                  L"Wednesday",
		                  L"Thursday",
		                  L"Friday",
		                  L"Saturday"};

const	LPCWSTR	szRelocation[16] = {L"ABSOLUTE",
		                    L"HIGH",
		                    L"LOW",
		                    L"HIGHLOW",
		                    L"HIGHADJ",
		                    L"ARM_MOV32",	// also L"MIPS_JMPADDR" or L"RISCV_HIGH20"
		                    L"SECTION",
		                    L"THUMB_MOV32",	// also L"REL32" or L"RISCV_LOW12I"
		                    L"RISCV_LOW12S",	// also L"LOONGARCH32_MARK_LA" or L"LOONGARCH64_MARK_LA"
		                    L"IA64_IMM64",	// also L"MIPS_JMPADDR16"
		                    L"DIR64",
		                    L"HIGH3ADJ",
		                    NULL,
		                    NULL,
		                    NULL,
		                    NULL};

const	LPCWSTR	szGlobalFlags[32] = {L"Stop on exception",
		                     L"Show loader snaps",
		                     NULL,
		                     NULL,
		                     L"Enable heap tail checking",
		                     L"Enable heap free checking",
		                     L"Enable heap parameter checking",
		                     L"Enable heap validation on call",
		                     L"Enable application verifier",
		                     L"Enable silent process exit monitoring",
		                     NULL,
		                     L"Enable heap tagging",
		                     L"Create user mode stack trace database",
		                     NULL,
		                     NULL,
		                     L"Enable heap tagging by DLL",
		                     L"Disable stack extension",
		                     NULL,
		                     NULL,
		                     NULL,
		                     L"Enable system critical breaks",
		                     L"Disable heap coalesce on free",
		                     L"Enable close exception",
		                     NULL,
		                     NULL,
		                     L"Enable page heap",
		                     NULL,
		                     L"Buffer DbgPrint output",
		                     L"Early critical section event creation",
		                     L"Stop on unhandled user-mode exception",
		                     L"Enable bad handles detection",
		                     L"Disable protected DLL verification"};
#ifdef RDN
const	DWORD	dwStrType = CERT_NAME_STR_REVERSE_FLAG | CERT_X500_NAME_STR;
#endif

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	IMAGE_DOS_HEADER	*lpMZ;
	IMAGE_NT_HEADERS	*lpPE;
	IMAGE_NT_HEADERS32	*lpPE32;
	IMAGE_NT_HEADERS64	*lpPE64;
	IMAGE_SECTION_HEADER	*lpSection;
	IMAGE_SECTION_HEADER	*lpArchitecture = NULL;
	IMAGE_SECTION_HEADER	*lpTLS = NULL;
	IMAGE_DATA_DIRECTORY	*lpDirectory;
	IMAGE_DEBUG_DIRECTORY	*lpDebug = NULL;
	IMAGE_EXPORT_DIRECTORY	*lpExport = NULL;
	IMAGE_IMPORT_DESCRIPTOR	*lpImport = NULL;
	IMAGE_THUNK_DATA32	*lpThunk32;
	IMAGE_THUNK_DATA64	*lpThunk64;
	IMAGE_IMPORT_BY_NAME	*lpAddress;
	IMAGE_DEBUG_MISC	*lpMisc;
	IMAGE_BASE_RELOCATION	*lpRelocation = NULL;
	IMAGE_TLS_DIRECTORY32	*lpTLS32;
	IMAGE_TLS_DIRECTORY64	*lpTLS64;
	IMAGE_COR20_HEADER	*lpCOMPlus;

	IMAGE_RESOURCE_DIRECTORY	*lpResource = NULL;
	IMAGE_BOUND_IMPORT_DESCRIPTOR	*lpDescriptor;
	IMAGE_DELAYLOAD_DESCRIPTOR	*lpDelay = NULL;
	IMAGE_RUNTIME_FUNCTION_ENTRY	*lpRuntime;

	IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY	*lpAlpha;
	IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY	*lpAlpha64;
	IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY	*lpARM;
	IMAGE_LOAD_CONFIGURATION_DIRECTORY32	*lpLoadCfg32;
	IMAGE_LOAD_CONFIGURATION_DIRECTORY64	*lpLoadCfg64;

	COFFStringTable	*lpCOFF;
	CV_INFO_PDB70	*lpCodeView;
	WIN_CERTIFICATE	*lpCertificate;
	CERT_CONTEXT	*lpSigner;
	CERT_BLOB	blob;
	HCERTSTORE	hStore;
	HCRYPTMSG	hMsg;
	SYSTEMTIME	st;

	LPWSTR	*lpArguments;
	INT	nArguments;
	BOOL	bOutput;
	HANDLE	hOutput;
	HANDLE	hInput;
	DWORD	dwInput;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	DWORD	dwIndex;
	DWORD	dwImage;
	HANDLE	hImage;
	BYTE	*lpImage;
	BYTE	*lpBound;
	WORD	*lpWord;
	DWORD	dwSigner;
	LPWSTR	szSigner;
	LPCSTR	lpString;
	BYTE	*lpModule;
	BYTE	*lpException = NULL;
	DWORD	*lpFunctions;
	WORD	*lpOrdinals;
	DWORD	*lpNames;
	DWORD	dwNames;
	DWORD	dwFlags;
	DWORD	dwDebug;
	DWORD	dwDescriptor;
	DWORD	dwCertificate;
	DWORD	dwRelocation;
	DWORD	dwException;
	DWORD	dwDirectory;
	DWORD	dwSection;
	DWORD	dwCheckSum;
	DWORD	dwAccumulator;
	DWORD	dwCode;
	DWORD	dwData;
	DWORD	dwSize;
	DWORD	dwFile;
	DWORD	dwOffset;
	DWORD	dwMemory;
	DWORD	dwRVA;
	DWORD	dwBase;
	DWORD64	qwBase;
	DWORD64	qw;
	DWORD64	*lpCookie64;
	DWORD	*lpCookie32;
	DWORD	*lpHandler;
	DWORD	dwHandler;
	DWORD	dwPogo;
	POGO	*lpPogo;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
			if (nArguments != 2)
				PrintConsole(hConsole,
				             L"No argument: a single file or path name of an image file must be given!\n");
			else
			{
				hOutput = GetStdHandle(STD_OUTPUT_HANDLE);

				if (hOutput == INVALID_HANDLE_VALUE)
					PrintConsole(hConsole,
					             L"GetStdHandle() returned error %lu\n",
					             dwError = GetLastError());
				else
				{
					if (!FlushFileBuffers(hOutput))
						PrintConsole(hConsole,
						             L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
						             dwError = GetLastError());
					else
					{
						hInput = CreateFile(lpArguments[1],
						                    FILE_READ_DATA,
						                    FILE_SHARE_READ,
						                    (SECURITY_ATTRIBUTES *) NULL,
						                    OPEN_EXISTING,
						                    FILE_FLAG_SEQUENTIAL_SCAN,
						                    (HANDLE) NULL);

						if (hInput == INVALID_HANDLE_VALUE)
							PrintConsole(hConsole,
							             L"CreateFile() returned error %lu\n",
							             dwError = GetLastError());
						else
						{
							dwInput = GetFileSize(hInput, (DWORD *) NULL);

							if (dwInput == INVALID_FILE_SIZE)
								PrintConsole(hConsole,
								             L"GetFileSize() returned error %lu\n",
								             dwError = GetLastError());
							else
							{
								hImage = CreateFileMapping(hInput,
								                           (LPSECURITY_ATTRIBUTES) NULL,
								                           PAGE_WRITECOPY,
								                           0, 0,
								                           (LPCWSTR) NULL);

								if (hImage == NULL)
									PrintConsole(hConsole,
									             L"CreateFileMapping() returned error %lu\n",
									             dwError = GetLastError());
								else
								{
									lpImage = MapViewOfFile(hImage,
									                        FILE_MAP_COPY,
									                        0, 0,
									                        (SIZE_T) 0);

									if (lpImage == NULL)
										PrintConsole(hConsole,
										             L"MapViewOfFile() returned error %lu\n",
										             dwError = GetLastError());
									else
									{
										dwError = ERROR_INVALID_EXE_SIGNATURE;

										lpMZ = (IMAGE_DOS_HEADER *) lpImage;

										if (lpMZ->e_magic != IMAGE_DOS_SIGNATURE)
											PrintConsole(hConsole,
											             L"No signature \'%ls\' at offset 0x%08lX in file \'%ls\'!\n",
											             L"MZ", 0, lpArguments[1]);
										else
										{
											dwImage = dwInput;

											lpPE = (IMAGE_NT_HEADERS *) ((BYTE *) lpMZ + lpMZ->e_lfanew);

											if (((DWORD) lpMZ->e_lfanew > dwImage)
											 || (lpPE->Signature != IMAGE_NT_SIGNATURE))
												PrintConsole(hConsole,
												             L"No signature \'%ls\' at offset 0x%08lX in file \'%ls\'!\n",
												             L"PE\\0\\0", lpMZ->e_lfanew, lpArguments[1]);
											else
											{
												dwError = ERROR_SUCCESS;

												qw = __emulu(lpPE->FileHeader.TimeDateStamp, 10000000)
												   + 116444736000000000;	// seconds since 1970-01-01 to
																//  100 nano-seconds since 1601-01-01

												if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
													PrintConsole(hConsole,
													             L"FileTimeToSystemTime() returned error %lu\n",
													             dwError = GetLastError());

												bOutput = PrintFormat(hOutput,
												                      L"\xFEFF"	// UTF-16LE BOM
												                      L"Image File = %ls\r\n"
												                      L"Image Size = %lu\r\n"
												                      L"\r\n"
												                      L"File Header:\r\n"
												                      L"\tMachine                 = 0x%04hX (%ls)\r\n"
												                      L"\tTime/Date Stamp         = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n"
												                      L"\tPointer to Symbol Table = 0x%08lX\r\n"
												                      L"\tNumber of Symbols       = %lu\r\n"
												                      L"\tSize of Optional Header = 0x%04hX\r\n"
												                      L"\tCharacteristics         = 0x%04hX\r\n",
												                      lpArguments[1],
												                      dwImage,
												                      lpPE->FileHeader.Machine, MachineTypeName(lpPE->FileHeader.Machine),
												                      lpPE->FileHeader.TimeDateStamp,
												                      szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
												                      lpPE->FileHeader.PointerToSymbolTable,
												                      lpPE->FileHeader.NumberOfSymbols,
												                      lpPE->FileHeader.SizeOfOptionalHeader,
												                      lpPE->FileHeader.Characteristics);

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED) == IMAGE_FILE_RELOCS_STRIPPED)
													bOutput &= PrintString(hOutput, L"\t\tRelocation information stripped\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE) == IMAGE_FILE_EXECUTABLE_IMAGE)
													bOutput &= PrintString(hOutput, L"\t\tExecutable image\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_LINE_NUMS_STRIPPED) == IMAGE_FILE_LINE_NUMS_STRIPPED)
													bOutput &= PrintString(hOutput, L"\t\tLine numbers stripped\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_LOCAL_SYMS_STRIPPED) == IMAGE_FILE_LOCAL_SYMS_STRIPPED)
													bOutput &= PrintString(hOutput, L"\t\tLocal symbols stripped\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_AGGRESIVE_WS_TRIM) == IMAGE_FILE_AGGRESIVE_WS_TRIM)
													bOutput &= PrintString(hOutput, L"\t\tAggressively trim working set\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE) == IMAGE_FILE_LARGE_ADDRESS_AWARE)
													bOutput &= PrintString(hOutput, L"\t\tHandles addresses above 2 GB\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_16BIT_MACHINE) == IMAGE_FILE_16BIT_MACHINE)
													bOutput &= PrintString(hOutput, L"\t\t16 bit word machine\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_32BIT_MACHINE) == IMAGE_FILE_32BIT_MACHINE)
													bOutput &= PrintString(hOutput, L"\t\t32 bit word machine\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_DEBUG_STRIPPED) == IMAGE_FILE_DEBUG_STRIPPED)
													bOutput &= PrintString(hOutput, L"\t\tDebugging information stripped\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP) == IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP)
													bOutput &= PrintString(hOutput, L"\t\tRun image on CD from swap file\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_NET_RUN_FROM_SWAP) == IMAGE_FILE_NET_RUN_FROM_SWAP)
													bOutput &= PrintString(hOutput, L"\t\tRun image on network from swap file\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_SYSTEM) == IMAGE_FILE_SYSTEM)
													bOutput &= PrintString(hOutput, L"\t\tSystem file\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_DLL) == IMAGE_FILE_DLL)
													bOutput &= PrintString(hOutput, L"\t\tDLL\r\n");

												if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_UP_SYSTEM_ONLY) == IMAGE_FILE_UP_SYSTEM_ONLY)
													bOutput &= PrintString(hOutput, L"\t\tUniprocessor machine only\r\n");

												if (((lpPE->FileHeader.Characteristics & IMAGE_FILE_BYTES_REVERSED_LO) == IMAGE_FILE_BYTES_REVERSED_LO)
												 || ((lpPE->FileHeader.Characteristics & IMAGE_FILE_BYTES_REVERSED_HI) == IMAGE_FILE_BYTES_REVERSED_HI))
													bOutput &= PrintString(hOutput, L"\t\tBytes of machine word are reversed\r\n");

												if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
												{
													if (lpPE->FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER64))
														PrintConsole(hConsole,
														             L"Size of %ls differs from size of %ls structure!\n",
														             L"optional header", L"IMAGE_OPTIONAL_HEADER64");

													lpPE64 = (IMAGE_NT_HEADERS64 *) lpPE;
												//	lpSection = (IMAGE_SECTION_HEADER *) (lpPE64->OptionalHeader.DataDirectory + lpPE64->OptionalHeader.NumberOfRvaAndSizes);
													lpDirectory = lpPE64->OptionalHeader.DataDirectory;
												//	dwDirectory = lpPE64->OptionalHeader.NumberOfRvaAndSizes;
													qwBase = lpPE64->OptionalHeader.ImageBase;
												//	dwBase = lpPE64->OptionalHeader.BaseOfCode;
													dwCode = lpPE64->OptionalHeader.SizeOfCode;
													dwData = lpPE64->OptionalHeader.SizeOfInitializedData;
													dwSize = lpPE64->OptionalHeader.SizeOfUninitializedData;
													dwOffset = lpPE64->OptionalHeader.SizeOfHeaders;
													dwMemory = lpPE64->OptionalHeader.SectionAlignment;
													dwFile = lpPE64->OptionalHeader.FileAlignment;
												}
												else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
												{
													if (lpPE->FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER32))
														PrintConsole(hConsole,
														             L"Size of %ls differs from size of %ls structure!\n",
														             L"optional header", L"IMAGE_OPTIONAL_HEADER32");

													lpPE32 = (IMAGE_NT_HEADERS32 *) lpPE;
												//	lpSection = (IMAGE_SECTION_HEADER *) (lpPE32->OptionalHeader.DataDirectory + lpPE32->OptionalHeader.NumberOfRvaAndSizes);
													lpDirectory = lpPE32->OptionalHeader.DataDirectory;
												//	dwDirectory = lpPE32->OptionalHeader.NumberOfRvaAndSizes;
													dwBase = lpPE32->OptionalHeader.ImageBase;
												//	dwBase = lpPE32->OptionalHeader.BaseOfCode;
													dwCode = lpPE32->OptionalHeader.SizeOfCode;
													dwData = lpPE32->OptionalHeader.SizeOfInitializedData;
													dwSize = lpPE32->OptionalHeader.SizeOfUninitializedData;
													dwOffset = lpPE32->OptionalHeader.SizeOfHeaders;
													dwMemory = lpPE32->OptionalHeader.SectionAlignment;
													dwFile = lpPE32->OptionalHeader.FileAlignment;
												}
												else
													PrintConsole(hConsole,
													             L"Image format is neither PE32 (32-bit) nor PE32+ (64-bit)!\n");

												dwFile--;

												if ((dwFile & (dwFile + 1)) != 0)
													PrintConsole(hConsole,
													             L"File alignment is not a power of 2!\n");
												else if ((dwMemory & dwFile) != 0)
													PrintConsole(hConsole,
													             L"Section alignment is not a multiple of file alignment!\n");
#if 0
												dwMemory--;

												if ((dwMemory & (dwMemory + 1)) != 0)
													PrintConsole(hConsole,
													             L"Section alignment is not a power of 2!\n");
#else
												if ((dwMemory & (dwMemory - 1)) != 0)
													PrintConsole(hConsole,
													             L"Section alignment is not a power of 2!\n");

												dwMemory--;
#endif
												dwRVA = (dwOffset + dwMemory) & ~dwMemory;

												bOutput &= PrintFormat(hOutput,
												                       L"\tNumber of COFF Sections = %hu\r\n",
												                       lpPE->FileHeader.NumberOfSections);

												for (lpSection = (IMAGE_SECTION_HEADER *) ((BYTE *) &(lpPE->OptionalHeader) + lpPE->FileHeader.SizeOfOptionalHeader),
												     dwSection = lpPE->FileHeader.NumberOfSections;
												     dwSection > 0;
												     dwSection--, lpSection++)
												{
													if ((lpSection->VirtualAddress & dwMemory) != 0)
														PrintConsole(hConsole,
														             L"Address of \'%.8hs\' section is not aligned!\n",
														             lpSection->Name);

													if (lpSection->VirtualAddress != dwRVA)
														PrintConsole(hConsole,
														             L"Address of \'%.8hs\' section is not contiguous!\n",
														             lpSection->Name);

													if ((lpSection->PointerToRawData & dwFile) != 0)
														PrintConsole(hConsole,
														             L"Offset of \'%.8hs\' section is not aligned!\n",
														             lpSection->Name);

													if ((lpSection->PointerToRawData != 0)
													 && (lpSection->PointerToRawData != dwOffset))
														PrintConsole(hConsole,
														             L"Offset of \'%.8hs\' section is not contiguous!\n",
														             lpSection->Name);

													if ((lpSection->PointerToRawData != 0)
													 && (lpSection->SizeOfRawData != 0))
														dwOffset = lpSection->PointerToRawData + lpSection->SizeOfRawData;

													if ((lpSection->SizeOfRawData & dwFile) != 0)
														PrintConsole(hConsole,
														             L"Data of \'%.8hs\' section is not aligned!\n",
														             lpSection->Name);

													dwRVA = (lpSection->Misc.VirtualSize + dwMemory) & ~dwMemory;

													if (lpSection->SizeOfRawData > dwRVA)
														PrintConsole(hConsole,
														             L"Data of \'%.8hs\' section exceeds its size!\n",
														             lpSection->Name);

													dwRVA += lpSection->VirtualAddress;

													if (memcmp(lpSection->Name, ".arch", sizeof(".arch")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_ARCHITECTURE;
														lpArchitecture = lpSection;
													}
													else if (memcmp(lpSection->Name, ".debug", sizeof(".debug")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_DEBUG;
														lpDebug = (IMAGE_DEBUG_DIRECTORY *) lpSection;
													}
													else if (memcmp(lpSection->Name, ".didat", sizeof(".didat")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT;
														lpDelay = (IMAGE_DELAYLOAD_DESCRIPTOR *) lpSection;
													}
													else if (memcmp(lpSection->Name, ".edata", sizeof(".edata")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_EXPORT;
														lpExport = (IMAGE_EXPORT_DIRECTORY *) lpSection;
													}
													else if (memcmp(lpSection->Name, ".idata", sizeof(".idata")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_IMPORT;
														lpImport = (IMAGE_IMPORT_DESCRIPTOR *) lpSection;
													}
													else if (memcmp(lpSection->Name, ".pdata", sizeof(".pdata")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_EXCEPTION;
														lpException = (BYTE *) lpSection;
													}
													else if (memcmp(lpSection->Name, ".reloc", sizeof(".reloc")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_BASERELOC;
														lpRelocation = (IMAGE_BASE_RELOCATION *) lpSection;
													}
													else if (memcmp(lpSection->Name, ".rsrc", sizeof(".rsrc")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_RESOURCE;
														lpResource = (IMAGE_RESOURCE_DIRECTORY *) lpSection;
													}
													else if (memcmp(lpSection->Name, ".tls", sizeof(".tls")) == 0)
													{
														dwDirectory = IMAGE_DIRECTORY_ENTRY_TLS;
														lpTLS = lpSection;
													}
													else
														dwDirectory = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;

													if (dwDirectory < IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
													{
														if ((lpDirectory[dwDirectory].VirtualAddress == 0)
														  && (lpDirectory[dwDirectory].Size == 0))
															PrintConsole(hConsole,
															             L"No IMAGE_DATA_DIRECTORY[%lu] for \'%.8hs\' section!\n",
															             dwDirectory, lpSection->Name);
														else if ((dwDirectory != IMAGE_DIRECTORY_ENTRY_TLS)
														      && ((lpDirectory[dwDirectory].VirtualAddress != lpSection->VirtualAddress)
														       || (lpDirectory[dwDirectory].Size != lpSection->Misc.VirtualSize)))
															PrintConsole(hConsole,
															             L"Address/size of IMAGE_DATA_DIRECTORY[%lu] differ from address/size of \'%.8hs\' section!\n",
															             dwDirectory, lpSection->Name);
													}

													bOutput &= PrintFormat(hOutput,
													                       L"\t%.8hs:\r\n"
													                       L"\t\tVirtual Address & Size = 0x%08lX, 0x%08lX\r\n"
													                       L"\t\tFile Offset & Raw Size = 0x%08lX, 0x%08lX\r\n"
													                       L"\t\tCharacteristics        = 0x%08lX\r\n",
													                       lpSection->Name,
													                       lpSection->VirtualAddress,
													                       lpSection->Misc.VirtualSize,
													                       lpSection->PointerToRawData,
													                       lpSection->SizeOfRawData,
													                       lpSection->Characteristics);
#ifdef IMAGE_SCN_TYPE_REG
													if ((lpSection->Characteristics & IMAGE_SCN_TYPE_REG) == IMAGE_SCN_TYPE_REG)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
#ifdef IMAGE_SCN_TYPE_DSECT
													if ((lpSection->Characteristics & IMAGE_SCN_TYPE_DSECT) == IMAGE_SCN_TYPE_DSECT)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
#ifdef IMAGE_SCN_TYPE_NOLOAD
													if ((lpSection->Characteristics & IMAGE_SCN_TYPE_NOLOAD) == IMAGE_SCN_TYPE_NOLOAD)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
#ifdef IMAGE_SCN_TYPE_GROUP
													if ((lpSection->Characteristics & IMAGE_SCN_TYPE_GROUP) == IMAGE_SCN_TYPE_GROUP)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
													if ((lpSection->Characteristics & IMAGE_SCN_TYPE_NO_PAD) == IMAGE_SCN_TYPE_NO_PAD)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved (COFF)\r\n");
#ifdef IMAGE_SCN_TYPE_COPY
													if ((lpSection->Characteristics & IMAGE_SCN_TYPE_COPY) == IMAGE_SCN_TYPE_COPY)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
													if ((lpSection->Characteristics & IMAGE_SCN_CNT_CODE) == IMAGE_SCN_CNT_CODE)
													{
														bOutput &= PrintString(hOutput, L"\t\t\tExecutable code\r\n");

														dwCode -= lpSection->SizeOfRawData;
													}

													if ((lpSection->Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) == IMAGE_SCN_CNT_INITIALIZED_DATA)
													{
														bOutput &= PrintString(hOutput, L"\t\t\tInitialized data\r\n");

														dwData -= lpSection->SizeOfRawData;
													}

													if ((lpSection->Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) == IMAGE_SCN_CNT_UNINITIALIZED_DATA)
													{
														bOutput &= PrintString(hOutput, L"\t\t\tUninitialized data\r\n");

														dwSize -= lpSection->Misc.VirtualSize;
													}

													if ((lpSection->Characteristics & IMAGE_SCN_LNK_OTHER) == IMAGE_SCN_LNK_OTHER)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved (COFF)\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_LNK_INFO) == IMAGE_SCN_LNK_INFO)
														bOutput &= PrintString(hOutput, L"\t\t\tLinker information: .cormeta, .drectve, .idlsym or .sxdata (COFF)\r\n");
#ifdef IMAGE_SCN_TYPE_OVER
													if ((lpSection->Characteristics & IMAGE_SCN_TYPE_OVER) == IMAGE_SCN_TYPE_OVER)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
													if ((lpSection->Characteristics & IMAGE_SCN_LNK_REMOVE) == IMAGE_SCN_LNK_REMOVE)
														bOutput &= PrintString(hOutput, L"\t\t\tRemovable content (COFF)\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_LNK_COMDAT) == IMAGE_SCN_LNK_COMDAT)
														bOutput &= PrintString(hOutput, L"\t\t\tCOMDAT (COFF)\r\n");
#ifdef IMAGE_SCN_MEM_PROTECTED
													if ((lpSection->Characteristics & IMAGE_SCN_MEM_PROTECTED) == IMAGE_SCN_MEM_PROTECTED)
														bOutput &= PrintString(hOutput, L"\t\t\tObsolete\r\n");
#endif
													if ((lpSection->Characteristics & IMAGE_SCN_NO_DEFER_SPEC_EXC) == IMAGE_SCN_NO_DEFER_SPEC_EXC)
														bOutput &= PrintString(hOutput, L"\t\t\tReset speculative exceptions handling bits in the TLB entries for this section\r\n");
#ifdef IMAGE_SCN_GPREL
													if ((lpSection->Characteristics & IMAGE_SCN_GPREL) == IMAGE_SCN_GPREL)
#else
													if ((lpSection->Characteristics & IMAGE_SCN_MEM_FARDATA) == IMAGE_SCN_MEM_FARDATA)
#endif
														bOutput &= PrintString(hOutput, L"\t\t\tGP relative data\r\n");
#ifdef IMAGE_SCN_MEM_SYSHEAP
													if ((lpSection->Characteristics & IMAGE_SCN_MEM_SYSHEAP) == IMAGE_SCN_MEM_SYSHEAP)
														bOutput &= PrintString(hOutput, L"\t\t\tObsolete\r\n");
#endif
													if ((lpSection->Characteristics & IMAGE_SCN_MEM_PURGEABLE) == IMAGE_SCN_MEM_PURGEABLE)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_16BIT) == IMAGE_SCN_MEM_16BIT)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_LOCKED) == IMAGE_SCN_MEM_LOCKED)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_PRELOAD) == IMAGE_SCN_MEM_PRELOAD)
														bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_ALIGN_MASK) != 0)
														if ((lpSection->Characteristics & IMAGE_SCN_ALIGN_MASK) == IMAGE_SCN_ALIGN_MASK)
															bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
														else
															bOutput &= PrintFormat(hOutput,
															                       L"\t\t\t%lu-byte alignment (COFF)\r\n",
															                       1UL << (((lpSection->Characteristics & IMAGE_SCN_ALIGN_MASK) >> 20) - 1));

													if ((lpSection->Characteristics & IMAGE_SCN_LNK_NRELOC_OVFL) == IMAGE_SCN_LNK_NRELOC_OVFL)
														bOutput &= PrintString(hOutput, L"\t\t\tExtended relocations\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) == IMAGE_SCN_MEM_DISCARDABLE)
														bOutput &= PrintString(hOutput, L"\t\t\tDiscardable\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) == IMAGE_SCN_MEM_NOT_CACHED)
														bOutput &= PrintString(hOutput, L"\t\t\tVolatile, not cacheable\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_NOT_PAGED) == IMAGE_SCN_MEM_NOT_PAGED)
														bOutput &= PrintString(hOutput, L"\t\t\tResident, not pageable\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_SHARED) == IMAGE_SCN_MEM_SHARED)
														bOutput &= PrintString(hOutput, L"\t\t\tShared\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_EXECUTE) == IMAGE_SCN_MEM_EXECUTE)
														bOutput &= PrintString(hOutput, L"\t\t\tExecutable\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_READ) == IMAGE_SCN_MEM_READ)
														bOutput &= PrintString(hOutput, L"\t\t\tReadable\r\n");

													if ((lpSection->Characteristics & IMAGE_SCN_MEM_WRITE) == IMAGE_SCN_MEM_WRITE)
														bOutput &= PrintString(hOutput, L"\t\t\tWritable\r\n");
												}

												if (!bOutput)
													PrintConsole(hConsole,
													             L"WriteFile() returned error %lu\n",
													             dwError = GetLastError());

												if (dwCode != 0)
													PrintConsole(hConsole,
													             L"Size of %ls differs from sum of \'*%ls\' section sizes!\n",
													             L"code", L"text");

												if (dwData != 0)
													PrintConsole(hConsole,
													             L"Size of %ls differs from sum of \'*%ls\' section sizes!\n",
													             L"initialised data", L"data");

												if (dwSize != 0)
													PrintConsole(hConsole,
													             L"Size of %ls differs from sum of \'*%ls\' section sizes!\n",
													             L"uninitialised data", L"bss");

												if (lpPE->FileHeader.PointerToSymbolTable > dwImage)
													PrintConsole(hConsole,
													             L"Pointer to COFF symbol table past file size 0x%08lX!\n",
													             dwImage);
												else if (lpPE->FileHeader.PointerToSymbolTable != 0)
												{
													bOutput = PrintString(hOutput,
													                      L"\r\n"
													                      L"COFF String Table:\r\n");

													lpCOFF = (COFFStringTable *) (lpImage + lpPE->FileHeader.PointerToSymbolTable
													                                      + lpPE->FileHeader.NumberOfSymbols * sizeof(IMAGE_SYMBOL));

													for (lpString = lpCOFF->Strings;
													     lpString < (CHAR *) lpCOFF + lpCOFF->Size;
													     lpString += strlen(lpString) + 1)
														bOutput &= PrintFormat(hOutput,
														                       L"\t/%lu = %hs\r\n",
														                       lpString - (CHAR *) lpCOFF, lpString);

													if (!bOutput)
														PrintConsole(hConsole,
														             L"WriteFile() returned error %lu\n",
														             dwError = GetLastError());
												}

												if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
												{
													bOutput = PrintFormat(hOutput,
													                      L"\r\n"
													                      L"Optional Header:\r\n"
													                      L"\tMagic                        = 0x%04hX (32-bit)\r\n"
													                      L"\tSize of Code                 = 0x%08lX\r\n"
													                      L"\tSize of Initialized Data     = 0x%08lX\r\n"
													                      L"\tSize of Uninitialized Data   = 0x%08lX\r\n"
													                      L"\tEntry Point                  = 0x%08lX\r\n"
													                      L"\tBase of Code                 = 0x%08lX\r\n"
													                      L"\tBase of Data                 = 0x%08lX\r\n"
													                      L"\tImage Base                   = 0x%08lX\r\n"
													                      L"\tSection Alignment            = 0x%08lX\r\n"
													                      L"\tFile Alignment               = 0x%08lX\r\n"
													                      L"\tSize of Image                = 0x%08lX\r\n"
													                      L"\tSize of Headers              = 0x%08lX\r\n"
													                      L"\tChecksum                     = 0x%08lX\r\n"
													                      L"\tDLL Characteristics          = 0x%04hX\r\n",
													                      lpPE32->OptionalHeader.Magic,
													                      lpPE32->OptionalHeader.SizeOfCode,
													                      lpPE32->OptionalHeader.SizeOfInitializedData,
													                      lpPE32->OptionalHeader.SizeOfUninitializedData,
													                      lpPE32->OptionalHeader.AddressOfEntryPoint,
													                      lpPE32->OptionalHeader.BaseOfCode,
													                      lpPE32->OptionalHeader.BaseOfData,
													                      lpPE32->OptionalHeader.ImageBase,
													                      lpPE32->OptionalHeader.SectionAlignment,
													                      lpPE32->OptionalHeader.FileAlignment,
													                      lpPE32->OptionalHeader.SizeOfImage,
													                      lpPE32->OptionalHeader.SizeOfHeaders,
													                      lpPE32->OptionalHeader.CheckSum,
													                      lpPE32->OptionalHeader.DllCharacteristics);

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_RESERVED) != 0)
														bOutput &= PrintString(hOutput, L"\t\tReserved\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) == IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
														bOutput &= PrintString(hOutput, L"\t\tHigh entropy ASLR\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
														bOutput &= PrintString(hOutput, L"\t\tDynamic base\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) == IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
														bOutput &= PrintString(hOutput, L"\t\tCode integrity checks enforced\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) == IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
														bOutput &= PrintString(hOutput, L"\t\tNX compatible\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) == IMAGE_DLLCHARACTERISTICS_NO_ISOLATION)
														bOutput &= PrintString(hOutput, L"\t\tIsolation aware, but don't isolate\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH) == IMAGE_DLLCHARACTERISTICS_NO_SEH)
														bOutput &= PrintString(hOutput, L"\t\tNo structured exception handler\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_BIND) == IMAGE_DLLCHARACTERISTICS_NO_BIND)
														bOutput &= PrintString(hOutput, L"\t\tDon\'t bind\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_APPCONTAINER) == IMAGE_DLLCHARACTERISTICS_APPCONTAINER)
														bOutput &= PrintString(hOutput, L"\t\tApp container\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_WDM_DRIVER) == IMAGE_DLLCHARACTERISTICS_WDM_DRIVER)
														bOutput &= PrintString(hOutput, L"\t\tWDM driver\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) == IMAGE_DLLCHARACTERISTICS_GUARD_CF)
														bOutput &= PrintString(hOutput, L"\t\tControl flow guard\r\n");

													if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE) == IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)
														bOutput &= PrintString(hOutput, L"\t\tTerminal server aware\r\n");

													bOutput &= PrintFormat(hOutput,
													                       L"\tLoader Flags                 = 0x%08lX\r\n",
													                       lpPE32->OptionalHeader.LoaderFlags);

													if ((lpPE32->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_COMPLUS) == IMAGE_LOADER_FLAGS_COMPLUS)
														bOutput &= PrintString(hOutput, L"\t\tCOM+ image\r\n");

													if ((lpPE32->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL) == IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL)
														bOutput &= PrintString(hOutput, L"\t\tGlobal subsections apply across TS sessions\r\n");

													bOutput &= PrintFormat(hOutput,
													                       L"\tSize of Stack Reserve        = 0x%08lX\r\n"
													                       L"\tSize of Stack Commit         = 0x%08lX\r\n"
													                       L"\tSize of Heap Reserve         = 0x%08lX\r\n"
													                       L"\tSize of Heap Commit          = 0x%08lX\r\n"
													                       L"\tNumber of Data Directories   = %lu\r\n",
													                       lpPE32->OptionalHeader.SizeOfStackReserve,
													                       lpPE32->OptionalHeader.SizeOfStackCommit,
													                       lpPE32->OptionalHeader.SizeOfHeapReserve,
													                       lpPE32->OptionalHeader.SizeOfHeapCommit,
													                       lpPE32->OptionalHeader.NumberOfRvaAndSizes);

													if (lpPE32->OptionalHeader.NumberOfRvaAndSizes > 0)
														bOutput &= PrintString(hOutput, L"\tData Directories:\r\n");

													for (dwDirectory = 0; dwDirectory < lpPE32->OptionalHeader.NumberOfRvaAndSizes; dwDirectory++)
														bOutput &= PrintFormat(hOutput,
														                       L"\t\t%-20ls = 0x%08lX, 0x%08lX\r\n",
														                       szDirectory[dwDirectory],
														                       lpPE32->OptionalHeader.DataDirectory[dwDirectory].VirtualAddress,
														                       lpPE32->OptionalHeader.DataDirectory[dwDirectory].Size);

													bOutput &= PrintFormat(hOutput,
													                       L"\tLinker Version               = %u.%u\r\n"
													                       L"\tOperating System Version     = %hu.%hu\r\n"
													                       L"\tImage Version                = %hu.%hu\r\n"
													                       L"\tSubsystem version            = %hu.%hu\r\n"
													                       L"\tWin32 Version                = %lu (expected: 0)\r\n"
													                       L"\tSubsystem                    = %hu (%ls)\r\n",
													                       lpPE32->OptionalHeader.MajorLinkerVersion,
													                       lpPE32->OptionalHeader.MinorLinkerVersion,
													                       lpPE32->OptionalHeader.MajorOperatingSystemVersion,
													                       lpPE32->OptionalHeader.MinorOperatingSystemVersion,
													                       lpPE32->OptionalHeader.MajorImageVersion,
													                       lpPE32->OptionalHeader.MinorImageVersion,
													                       lpPE32->OptionalHeader.MajorSubsystemVersion,
													                       lpPE32->OptionalHeader.MinorSubsystemVersion,
													                       lpPE32->OptionalHeader.Win32VersionValue,
													                       lpPE32->OptionalHeader.Subsystem, SubsystemName(lpPE32->OptionalHeader.Subsystem));

													if (!bOutput)
														PrintConsole(hConsole,
														             L"WriteFile() returned error %lu\n",
														             dwError = GetLastError());

													dwCheckSum = lpPE32->OptionalHeader.CheckSum;
													lpPE32->OptionalHeader.CheckSum = 0;

													for (lpWord = (WORD *) (lpImage + dwImage + (dwImage & 1)), dwAccumulator = 0;
													     lpWord > (WORD *) lpImage;
													     dwAccumulator += *--lpWord, dwAccumulator = HIWORD(dwAccumulator) + LOWORD(dwAccumulator))
														continue;

													if (dwAccumulator + dwImage != dwCheckSum)
														PrintConsole(hConsole,
														             L"Computed checksum 0x%08lX differs from image checksum 0x%08lX!\n",
														             dwAccumulator + dwImage, dwCheckSum);

												//	lpSection = (IMAGE_SECTION_HEADER *) (lpPE32->OptionalHeader.DataDirectory + lpPE32->OptionalHeader.NumberOfRvaAndSizes);
												}
												else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
												{
													bOutput = PrintFormat(hOutput,
													                      L"\r\n"
													                      L"Optional Header:\r\n"
													                      L"\tMagic                        = 0x%04hX (64-bit)\r\n"
													                      L"\tSize of Code                 = 0x%08lX\r\n"
													                      L"\tSize of Initialized Data     = 0x%08lX\r\n"
													                      L"\tSize of Uninitialized Data   = 0x%08lX\r\n"
													                      L"\tEntry Point                  = 0x%08lX\r\n"
													                      L"\tBase of Code                 = 0x%08lX\r\n"
													                      L"\tImage Base                   = 0x%016I64X\r\n"
													                      L"\tSection Alignment            = 0x%08lX\r\n"
													                      L"\tFile Alignment               = 0x%08lX\r\n"
													                      L"\tSize of Image                = 0x%08lX\r\n"
													                      L"\tSize of Headers              = 0x%08lX\r\n"
													                      L"\tChecksum                     = 0x%08lX\r\n"
													                      L"\tDLL Characteristics          = 0x%04hX\r\n",
													                      lpPE64->OptionalHeader.Magic,
													                      lpPE64->OptionalHeader.SizeOfCode,
													                      lpPE64->OptionalHeader.SizeOfInitializedData,
													                      lpPE64->OptionalHeader.SizeOfUninitializedData,
													                      lpPE64->OptionalHeader.AddressOfEntryPoint,
													                      lpPE64->OptionalHeader.BaseOfCode,
													                      lpPE64->OptionalHeader.ImageBase,
													                      lpPE64->OptionalHeader.SectionAlignment,
													                      lpPE64->OptionalHeader.FileAlignment,
													                      lpPE64->OptionalHeader.SizeOfImage,
													                      lpPE64->OptionalHeader.SizeOfHeaders,
													                      lpPE64->OptionalHeader.CheckSum,
													                      lpPE64->OptionalHeader.DllCharacteristics);

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_RESERVED) != 0)
														bOutput &= PrintString(hOutput, L"\t\tReserved\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) == IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
														bOutput &= PrintString(hOutput, L"\t\tHigh entropy ASLR\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
														bOutput &= PrintString(hOutput, L"\t\tDynamic base\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) == IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
														bOutput &= PrintString(hOutput, L"\t\tCode integrity checks enforced\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) == IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
														bOutput &= PrintString(hOutput, L"\t\tNX compatible\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) == IMAGE_DLLCHARACTERISTICS_NO_ISOLATION)
														bOutput &= PrintString(hOutput, L"\t\tIsolation aware, but don't isolate\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH) == IMAGE_DLLCHARACTERISTICS_NO_SEH)
														bOutput &= PrintString(hOutput, L"\t\tNo structured exception handler\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_BIND) == IMAGE_DLLCHARACTERISTICS_NO_BIND)
														bOutput &= PrintString(hOutput, L"\t\tDon\'t bind\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_APPCONTAINER) == IMAGE_DLLCHARACTERISTICS_APPCONTAINER)
														bOutput &= PrintString(hOutput, L"\t\tApp container\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_WDM_DRIVER) == IMAGE_DLLCHARACTERISTICS_WDM_DRIVER)
														bOutput &= PrintString(hOutput, L"\t\tWDM driver\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) == IMAGE_DLLCHARACTERISTICS_GUARD_CF)
														bOutput &= PrintString(hOutput, L"\t\tControl flow guard\r\n");

													if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE) == IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)
														bOutput &= PrintString(hOutput, L"\t\tTerminal server aware\r\n");

													bOutput &= PrintFormat(hOutput,
													                       L"\tLoader Flags                 = 0x%08lX\r\n",
													                       lpPE64->OptionalHeader.LoaderFlags);

													if ((lpPE64->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_COMPLUS) == IMAGE_LOADER_FLAGS_COMPLUS)
														bOutput &= PrintString(hOutput, L"\t\tCOM+ image\r\n");

													if ((lpPE64->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL) == IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL)
														bOutput &= PrintString(hOutput, L"\t\tGlobal subsections apply across TS sessions\r\n");

													bOutput &= PrintFormat(hOutput,
													                       L"\tSize of Stack Reserve        = 0x%016I64X\r\n"
													                       L"\tSize of Stack Commit         = 0x%016I64X\r\n"
													                       L"\tSize of Heap Reserve         = 0x%016I64X\r\n"
													                       L"\tSize of Heap Commit          = 0x%016I64X\r\n"
													                       L"\tNumber of Data Directories   = %lu\r\n",
													                       lpPE64->OptionalHeader.SizeOfStackReserve,
													                       lpPE64->OptionalHeader.SizeOfStackCommit,
													                       lpPE64->OptionalHeader.SizeOfHeapReserve,
													                       lpPE64->OptionalHeader.SizeOfHeapCommit,
													                       lpPE64->OptionalHeader.NumberOfRvaAndSizes);

													if (lpPE64->OptionalHeader.NumberOfRvaAndSizes > 0)
														bOutput &= PrintString(hOutput, L"\tData Directories:\r\n");

													for (dwDirectory = 0; dwDirectory < lpPE64->OptionalHeader.NumberOfRvaAndSizes; dwDirectory++)
														bOutput &= PrintFormat(hOutput,
														                       L"\t\t%-20ls = 0x%08lX, 0x%08lX\r\n",
														                       szDirectory[dwDirectory],
														                       lpPE64->OptionalHeader.DataDirectory[dwDirectory].VirtualAddress,
														                       lpPE64->OptionalHeader.DataDirectory[dwDirectory].Size);

													bOutput &= PrintFormat(hOutput,
													                       L"\tLinker Version               = %u.%u\r\n"
													                       L"\tOperating System Version     = %hu.%hu\r\n"
													                       L"\tImage Version                = %hu.%hu\r\n"
													                       L"\tSubsystem Version            = %hu.%hu\r\n"
													                       L"\tWin32 Version                = %lu (expected: 0)\r\n"
													                       L"\tSubsystem                    = %hu (%ls)\r\n",
													                       lpPE64->OptionalHeader.MajorLinkerVersion,
													                       lpPE64->OptionalHeader.MinorLinkerVersion,
													                       lpPE64->OptionalHeader.MajorOperatingSystemVersion,
													                       lpPE64->OptionalHeader.MinorOperatingSystemVersion,
													                       lpPE64->OptionalHeader.MajorImageVersion,
													                       lpPE64->OptionalHeader.MinorImageVersion,
													                       lpPE64->OptionalHeader.MajorSubsystemVersion,
													                       lpPE64->OptionalHeader.MinorSubsystemVersion,
													                       lpPE64->OptionalHeader.Win32VersionValue,
													                       lpPE64->OptionalHeader.Subsystem, SubsystemName(lpPE64->OptionalHeader.Subsystem));

													if (!bOutput)
														PrintConsole(hConsole,
														             L"WriteFile() returned error %lu\n",
														             dwError = GetLastError());

													dwCheckSum = lpPE64->OptionalHeader.CheckSum;
													lpPE64->OptionalHeader.CheckSum = 0;

													for (lpWord = (WORD *) (lpImage + dwImage + (dwImage & 1)), dwAccumulator = 0;
													     lpWord > (WORD *) lpImage;
													     dwAccumulator += *--lpWord, dwAccumulator = HIWORD(dwAccumulator) + LOWORD(dwAccumulator))
														continue;

													if (dwAccumulator + dwImage != dwCheckSum)
														PrintConsole(hConsole,
														             L"Computed checksum 0x%08lX differs from image checksum 0x%08lX!\n",
														             dwAccumulator + dwImage, dwCheckSum);

												//	lpSection = (IMAGE_SECTION_HEADER *) (lpPE64->OptionalHeader.DataDirectory + lpPE64->OptionalHeader.NumberOfRvaAndSizes);
												}

												lpSection = (IMAGE_SECTION_HEADER *) ((BYTE *) &(lpPE->OptionalHeader) + lpPE->FileHeader.SizeOfOptionalHeader);
												dwSection = lpPE->FileHeader.NumberOfSections;

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size != 0))
												{
													if (lpExport == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".edata", IMAGE_DIRECTORY_ENTRY_EXPORT);

													lpExport = (IMAGE_EXPORT_DIRECTORY *) RVA2Image(lpImage, lpSection, dwSection,
													                                                lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
													                                                IMAGE_DIRECTORY_ENTRY_EXPORT,
													                                                hConsole);
													if (lpExport != NULL)
													{
														lpModule = RVA2Image(lpImage, lpSection, dwSection,
														                     lpExport->Name,
														                     IMAGE_DIRECTORY_ENTRY_EXPORT,
														                     hConsole);

														qw = __emulu(lpExport->TimeDateStamp, 10000000)	// seconds since 1970-01-01 to
														   + 116444736000000000;			//  100 nano-seconds since 1601-01-01

														if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
															PrintConsole(hConsole,
															             L"FileTimeToSystemTime() returned error %lu for module \'%hs\'\n",
															             dwError = GetLastError(), lpModule);

														bOutput = PrintFormat(hOutput,
														                      L"\r\n"
														                      L"Export Directory:\r\n"
														                      L"\tCharacteristics        = 0x%08lX\r\n"
														                      L"\tTime/Date Stamp        = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n"
														                      L"\tVersion                = %hu.%hu\r\n"
														                      L"\tModule Name            = %hs\r\n"
														                      L"\tBase of Ordinals       = %lu\r\n"
														                      L"\tNumber of Functions    = %lu\r\n"
														                      L"\tNumber of Names        = %lu\r\n"
														                      L"\tArray of Functions     = 0x%08lX\r\n"
														                      L"\tArray of Names         = 0x%08lX\r\n"
														                      L"\tArray of Name Ordinals = 0x%08lX\r\n",
														                      lpExport->Characteristics,
														                      lpExport->TimeDateStamp,
														                      szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
														                      lpExport->MajorVersion,
														                      lpExport->MinorVersion,
														                      lpModule,
														                      lpExport->Base,
														                      lpExport->NumberOfFunctions,
														                      lpExport->NumberOfNames,
														                      lpExport->AddressOfFunctions,
														                      lpExport->AddressOfNames,
														                      lpExport->AddressOfNameOrdinals);

														lpFunctions = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
														                                  lpExport->AddressOfFunctions,
														                                  IMAGE_DIRECTORY_ENTRY_EXPORT,
														                                  hConsole);
														if (lpFunctions != NULL)
														{
															if (lpExport->NumberOfNames != 0)
															{
																bOutput &= PrintString(hOutput, L"\tNamed Exports:\r\n");

																lpOrdinals = (WORD *) RVA2Image(lpImage, lpSection, dwSection,
																                                lpExport->AddressOfNameOrdinals,
																                                IMAGE_DIRECTORY_ENTRY_EXPORT,
																                                hConsole);
																lpNames = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
																                              lpExport->AddressOfNames,
																                              IMAGE_DIRECTORY_ENTRY_EXPORT,
																                              hConsole);
																dwNames = lpExport->NumberOfNames;

																do
																{
																	if (*lpOrdinals < lpExport->NumberOfFunctions)
																	{
																		if ((lpFunctions[*lpOrdinals] < lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
																		 || (lpFunctions[*lpOrdinals] >= lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress
																		                               + lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size))
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t%lu\t%lu\t0x%08lX\t%hs\r\n",
																			                       lpExport->Base + *lpOrdinals,
																			                       *lpOrdinals,
																			                       lpFunctions[*lpOrdinals],
																			                       RVA2Image(lpImage, lpSection, dwSection,
																			                                 *lpNames,
																			                                 IMAGE_DIRECTORY_ENTRY_EXPORT,
																			                                 hConsole));
																		else	// forwarded export
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t%lu\t%lu\t-\t\t%hs -> %hs\r\n",
																			                       lpExport->Base + *lpOrdinals,
																			                       *lpOrdinals,
																			                       RVA2Image(lpImage, lpSection, dwSection,
																			                                 *lpNames,
																			                                 IMAGE_DIRECTORY_ENTRY_EXPORT,
																			                                 hConsole),
																			                       RVA2Image(lpImage, lpSection, dwSection,
																			                                 lpFunctions[*lpOrdinals],
																			                                 IMAGE_DIRECTORY_ENTRY_EXPORT,
																			                                 hConsole));

																		lpFunctions[*lpOrdinals] = 0;
																	}
																	else
																		PrintConsole(hConsole,
																		             L"Ordinal %hu of export \'%hs\' out of bounds!\n",
																		             lpExport->Base + *lpOrdinals,
																		             RVA2Image(lpImage, lpSection, dwSection,
																		                       *lpNames,
																		                       IMAGE_DIRECTORY_ENTRY_EXPORT,
																		                       hConsole));

																	lpOrdinals++;
																	lpNames++;
																	dwNames--;
																} while (dwNames > 0);
															}

															if (lpExport->NumberOfFunctions > lpExport->NumberOfNames)
															{
																bOutput &= PrintString(hOutput, L"\tUnnamed Exports:\r\n");

																for (dwIndex = 0; dwIndex < lpExport->NumberOfFunctions; dwIndex++)
																	if (lpFunctions[dwIndex] != 0)
																		if ((lpFunctions[dwIndex] < lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
																		 || (lpFunctions[dwIndex] >= lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress
																		                           + lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size))
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t%lu\t%lu\t0x%08lX\r\n",
																			                       lpExport->Base + dwIndex,
																			                       dwIndex,
																			                       lpFunctions[dwIndex]);
																		else	// forwarded export
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t%lu\t%lu\t-\t\t-> %hs\r\n",
																			                       lpExport->Base + dwIndex,
																			                       dwIndex,
																			                       RVA2Image(lpImage, lpSection, dwSection,
																			                                 lpFunctions[dwIndex],
																			                                 IMAGE_DIRECTORY_ENTRY_EXPORT,
																			                                 hConsole));
															}
														}
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size != 0))
												{
													if (lpImport == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".idata", IMAGE_DIRECTORY_ENTRY_IMPORT);

													lpImport = (IMAGE_IMPORT_DESCRIPTOR *) RVA2Image(lpImage, lpSection, dwSection,
													                                                 lpDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,
													                                                 IMAGE_DIRECTORY_ENTRY_IMPORT,
													                                                 hConsole);
													if (lpImport != NULL)
													{
														bOutput &= PrintString(hOutput,
														                       L"\r\n"
														                       L"Import Directory:\r\n");

														while ((lpImport->OriginalFirstThunk != 0)
														    || (lpImport->TimeDateStamp != 0)
														    || (lpImport->ForwarderChain != 0)
														    || (lpImport->Name != 0)
														    || (lpImport->FirstThunk != 0))
														{
															lpModule = RVA2Image(lpImage, lpSection, dwSection,
															                     lpImport->Name,
															                     IMAGE_DIRECTORY_ENTRY_IMPORT,
															                     hConsole);

															bOutput &= PrintFormat(hOutput,
															                       L"\tImport Descriptor:\r\n"
															                       L"\t\tModule Name     = %hs\r\n"
															                       L"\t\tTime/Date Stamp = 0x%08lX\r\n"
															                       L"\t\tForwarder Chain = 0x%08lX\r\n"
															                       L"\t\tAddress Table   = 0x%08lX\r\n"
															                       L"\t\tLookup Table    = 0x%08lX\r\n"
															                       L"\t\tImports:\r\n",
															                       lpModule,
															                       lpImport->TimeDateStamp,
															                       lpImport->ForwarderChain,
															                       lpImport->FirstThunk,
															                       lpImport->OriginalFirstThunk);

															if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
															{
																lpThunk32 = (IMAGE_THUNK_DATA32 *) RVA2Image(lpImage, lpSection, dwSection,
																                                             lpImport->OriginalFirstThunk != 0 ? lpImport->OriginalFirstThunk : lpImport->FirstThunk,
																                                             IMAGE_DIRECTORY_ENTRY_IMPORT,
																                                             hConsole);
																if (lpThunk32 != NULL)
																	while (lpThunk32->u1.AddressOfData != 0)
																	{
																		if ((lpThunk32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) == IMAGE_ORDINAL_FLAG32)
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t\t%hu\r\n",
																			                       LOWORD(lpThunk32->u1.Ordinal));
																		else
																		{
																			lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
																			                                               lpThunk32->u1.AddressOfData,
																			                                               IMAGE_DIRECTORY_ENTRY_IMPORT,
																			                                               hConsole);
																			if (lpAddress != NULL)
																				bOutput &= PrintFormat(hOutput,
																				                       L"\t\t\t%hu\t%hs\r\n",
																				                       lpAddress->Hint,
																				                       lpAddress->Name);
																		}

																		lpThunk32++;
																	}
															}
															else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
															{
																lpThunk64 = (IMAGE_THUNK_DATA64 *) RVA2Image(lpImage, lpSection, dwSection,
																                                             lpImport->OriginalFirstThunk != 0 ? lpImport->OriginalFirstThunk : lpImport->FirstThunk,
																                                             IMAGE_DIRECTORY_ENTRY_IMPORT,
																                                             hConsole);
																if (lpThunk64 != NULL)
																	while (lpThunk64->u1.AddressOfData != 0)
																	{
																		if ((lpThunk64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) == IMAGE_ORDINAL_FLAG64)
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t\t%hu\r\n",
																			                       LOWORD(lpThunk64->u1.Ordinal));
																		else
																		{
																			lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
																			                                               (DWORD) lpThunk64->u1.AddressOfData,
																			                                               IMAGE_DIRECTORY_ENTRY_IMPORT,
																			                                               hConsole);
																			if (lpAddress != NULL)
																				bOutput &= PrintFormat(hOutput,
																				                       L"\t\t\t%hu\t%hs\r\n",
																				                       lpAddress->Hint,
																				                       lpAddress->Name);
																		}

																		lpThunk64++;
																	}
															}

															lpImport++;
														}
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size != 0))
												{
													if (lpResource == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".rsrc", IMAGE_DIRECTORY_ENTRY_RESOURCE);

													lpResource = (IMAGE_RESOURCE_DIRECTORY *) RVA2Image(lpImage, lpSection, dwSection,
													                                                    lpDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress,
													                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE,
													                                                    hConsole);
													if (lpResource != NULL)
													{
														bOutput &= PrintFormat(hOutput,
														                       L"\r\n"
														                       L"Resource Directory:\r\n"
														                       L"\tCharacteristics = 0x%08lX\r\n"
														                       L"\tTime/Date Stamp = 0x%08lX\r\n"
														                       L"\tVersion         = %hu.%hu\r\n"
														                       L"\tNamed Entries   = %hu\r\n"
														                       L"\tUnnamed Entries = %hu\r\n"
														                       L"\tEntries:\r\n",
														                       lpResource->Characteristics,
														                       lpResource->TimeDateStamp,
														                       lpResource->MajorVersion,
														                       lpResource->MinorVersion,
														                       lpResource->NumberOfNamedEntries,
														                       lpResource->NumberOfIdEntries);

														bOutput &= Resource(hOutput, lpResource, lpResource, 0);
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size != 0))
												{
													if (lpException == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".pdata", IMAGE_DIRECTORY_ENTRY_EXCEPTION);

													dwException = lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size;
													lpException = (BYTE *) RVA2Image(lpImage, lpSection, dwSection,
													                                 lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress,
													                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION,
													                                 hConsole);
													if (lpException != NULL)
													{
														bOutput &= PrintString(hOutput,
														                       L"\r\n"
														                       L"Exception Handler Directory:\r\n");

														if ((lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ARMNT)
														 || (lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ARM64))
														{
															lpARM = (IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY *) lpException;
															lpException += dwException;

															do
																bOutput &= PrintFormat(hOutput,
																                       L"\tException Handler:\r\n"
																                       L"\t\tBegin Address = 0x%08lX\r\n"
																                       L"\t\tUnwind Data   = 0x%08lX\r\n",
																                       lpARM->BeginAddress,
																                       lpARM->UnwindData);
															while (++lpARM < (IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY *) lpException);
														}
														else if (lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ALPHA)
														{
															lpAlpha = (IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY *) lpException;
															lpException += dwException;

															do
																bOutput &= PrintFormat(hOutput,
																                       L"\tException Handler:\r\n"
																                       L"\t\tBegin Address      = 0x%08lX\r\n"
																                       L"\t\tEnd Address        = 0x%08lX\r\n"
																                       L"\t\tException Handler  = 0x%08lX\r\n"
																                       L"\t\tHandler Data       = 0x%08lX\r\n"
																                       L"\t\tProlog End Address = 0x%08lX\r\n",
																                       lpAlpha->BeginAddress,
																                       lpAlpha->EndAddress,
																                       lpAlpha->ExceptionHandler,
																                       lpAlpha->HandlerData,
																                       lpAlpha->PrologEndAddress);
															while (++lpAlpha < (IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY *) lpException);
														}
														else if (lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ALPHA64)
														{
															lpAlpha64 = (IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY *) lpException;
															lpException += dwException;

															do
																bOutput &= PrintFormat(hOutput,
																                       L"\tException Handler:\r\n"
																                       L"\t\tBegin Address      = 0x%016I64X\r\n"
																                       L"\t\tEnd Address        = 0x%016I64X\r\n"
																                       L"\t\tException Handler  = 0x%016I64X\r\n"
																                       L"\t\tHandler Data       = 0x%016I64X\r\n"
																                       L"\t\tProlog End Address = 0x%016I64X\r\n",
																                       lpAlpha64->BeginAddress,
																                       lpAlpha64->EndAddress,
																                       lpAlpha64->ExceptionHandler,
																                       lpAlpha64->HandlerData,
																                       lpAlpha64->PrologEndAddress);
															while (++lpAlpha64 < (IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY *) lpException);
														}
														else
														{
															lpRuntime = (IMAGE_RUNTIME_FUNCTION_ENTRY *) lpException;
															lpException += dwException;

															do
																bOutput &= PrintFormat(hOutput,
																                       L"\tException Handler:\r\n"
																                       L"\t\tStart Address       = 0x%08lX\r\n"
																                       L"\t\tEnd Address         = 0x%08lX\r\n"
																                       L"\t\tUnwind Info Address = 0x%08lX\r\n",
																                       lpRuntime->BeginAddress,
																                       lpRuntime->EndAddress,
																                       lpRuntime->UnwindInfoAddress);
															while (++lpRuntime < (IMAGE_RUNTIME_FUNCTION_ENTRY *) lpException);
														}
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size != 0))
												{
													if (dwOffset != lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress)
														PrintConsole(hConsole,
														             L"Authenticode signature not adjacent to last COFF section!\n");

													if (dwImage != lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
													             + lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size)
														PrintConsole(hConsole,
														             L"Image file extends past authenticode signature!\n");

													bOutput &= PrintString(hOutput,
													                       L"\r\n"
													                       L"Security Directory:\r\n");

													lpCertificate = (WIN_CERTIFICATE *) (lpImage + lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress);
													dwCertificate = lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;

													do
													{
														bOutput &= PrintFormat(hOutput,
														                       L"\tCertificate Entry:\r\n"
														                       L"\t\tRevision = %hu\r\n"
														                       L"\t\tType     = %hu (%ls)\r\n"
														                       L"\t\tSize     = %lu\r\n",
														                       lpCertificate->wRevision,
														                       lpCertificate->wCertificateType, CertificateTypeName(lpCertificate->wCertificateType),
														                       lpCertificate->dwLength);

														blob.cbData = lpCertificate->dwLength - (lpCertificate->bCertificate - (BYTE *) lpCertificate);
														blob.pbData = lpCertificate->bCertificate;

														if (!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
														                      &blob,
														                      CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED,
														                      CERT_QUERY_FORMAT_FLAG_BINARY,
														                      0,
														                      (DWORD *) NULL,
														                      (DWORD *) NULL,
														                      (DWORD *) NULL,
														                      &hStore,
														                      &hMsg,
														                      NULL))
															PrintConsole(hConsole,
															             L"CryptQueryObject() returned error 0x%08lX\n",
															             dwError = GetLastError());
														else
														{
															if (!CryptMsgGetAndVerifySigner(hMsg,
															                                1,
															                                &hStore,
															                                CMSG_TRUSTED_SIGNER_FLAG,
															                                &lpSigner,
															                                (DWORD *) NULL))
																PrintConsole(hConsole,
																             L"CryptMsgGetAndVerifySigner() returned error 0x%08lX\n",
																             dwError = GetLastError());
															else
															{
																dwFlags = 0;

																do
																{
																	dwSigner = CertGetNameString(lpSigner,
#ifndef RDN
																	                             CERT_NAME_FRIENDLY_DISPLAY_TYPE,
																	                             dwFlags,
																	                             NULL,
#else
																	                             CERT_NAME_RDN_TYPE,
																	                             dwFlags,
																	                             &dwStrType,
#endif
																	                             (LPWSTR) NULL,
																                                     0);

																	if (dwSigner == 0)
																		PrintConsole(hConsole,
																		             L"CertGetNameString() returned error 0x%08lX\n",
																		             dwError = GetLastError());
																	else
																	{
																		szSigner = (LPWSTR) LocalAlloc(LPTR, dwSigner * sizeof(*szSigner));

																		if (szSigner == NULL)
																			PrintConsole(hConsole,
																			             L"LocalAlloc() returned error %lu\n",
																			             dwError = GetLastError());
																		else
																		{
																			dwSigner = CertGetNameString(lpSigner,
#ifndef RDN
																			                             CERT_NAME_FRIENDLY_DISPLAY_TYPE,
																			                             dwFlags,
																			                             NULL,
#else
																			                             CERT_NAME_RDN_TYPE,
																			                             dwFlags,
																			                             &dwStrType,
#endif
																			                             szSigner,
																			                             dwSigner);

																			if (dwSigner == 0)
																				PrintConsole(hConsole,
																				             L"CertGetNameString() returned error 0x%08lX\n",
																				             dwError = GetLastError());
																			else
																				bOutput &= PrintFormat(hOutput,
																				                       L"\t\t%ls  = %ls\r\n",
																				                       dwFlags == 0 ? L"Subject" : L"Issuer ", szSigner);

																			if (LocalFree(szSigner) != NULL)
																				PrintConsole(hConsole,
																				             L"LocalFree() returned error %lu\n",
																				             GetLastError());
																		}
																	}
																} while (dwFlags ^= CERT_NAME_ISSUER_FLAG);

																if (!CertFreeCertificateContext(lpSigner))
																	PrintConsole(hConsole,
																	             L"CertFreeCertificateContext() returned error 0x%08lX\n",
																	             dwError = GetLastError());
															}

															if (!CryptMsgClose(hMsg))
																PrintConsole(hConsole,
																             L"CryptMsgClose() returned error 0x%08lX\n",
																             dwError = GetLastError());

															if (!CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG))
																PrintConsole(hConsole,
																             L"CertCloseStore() returned error 0x%08lX\n",
																             dwError = GetLastError());
														}

														dwSize = (lpCertificate->dwLength + sizeof(DWORD64) - 1) & (0 - sizeof(DWORD64));
														lpCertificate = (WIN_CERTIFICATE *) ((BYTE *) lpCertificate + dwSize);
														dwCertificate -= dwSize;
													} while (dwCertificate != 0);
												}
												else
													if (dwOffset != dwImage)
														PrintConsole(hConsole,
														             L"Image file extends past last COFF section!\n");

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size != 0))
												{
													if (lpRelocation == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".reloc", IMAGE_DIRECTORY_ENTRY_BASERELOC);

													dwRelocation = lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
													lpRelocation = (IMAGE_BASE_RELOCATION *) RVA2Image(lpImage, lpSection, dwSection,
													                                                   lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,
													                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC,
													                                                   hConsole);
													if (lpRelocation != NULL)
													{
														bOutput &= PrintString(hOutput,
														                       L"\r\n"
														                       L"Base Relocation Directory:\r\n");

														while (dwRelocation > 0)
														{
															bOutput &= PrintFormat(hOutput,
															                       L"\tRelocation Block:\r\n"
															                       L"\t\tAddress of Data = 0x%08lX\r\n"
															                       L"\t\tSize of Block   = 0x%08lX\r\n",
															                       lpRelocation->VirtualAddress,
															                       lpRelocation->SizeOfBlock);

															lpWord = (WORD *) (lpRelocation + 1);

															dwRelocation -= lpRelocation->SizeOfBlock;
															lpRelocation = (IMAGE_BASE_RELOCATION *) ((BYTE *) lpRelocation + lpRelocation->SizeOfBlock);

															do
																bOutput &= PrintFormat(hOutput,
																                       L"\t\t\t0x%03hX\t%ls\r\n",
																                       *lpWord & 0x0FFF,
																                       szRelocation[*lpWord >> 12]);
															while (++lpWord < (WORD *) lpRelocation);
														}
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size != 0))
												{
													if (lpDebug == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".debug", IMAGE_DIRECTORY_ENTRY_DEBUG);

													dwDebug = lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size;
													lpDebug = (IMAGE_DEBUG_DIRECTORY *) RVA2Image(lpImage, lpSection, dwSection,
													                                              lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress,
													                                              IMAGE_DIRECTORY_ENTRY_DEBUG,
													                                              hConsole);
													if (lpDebug != NULL)
													{
														bOutput &= PrintString(hOutput,
														                       L"\r\n"
														                       L"Debug Directory:\r\n");
														do
														{
															qw = __emulu(lpDebug->TimeDateStamp, 10000000)	// seconds since 1970-01-01 to
															   + 116444736000000000;			//  100 nano-seconds since 1601-01-01

															if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
																PrintConsole(hConsole,
																             L"FileTimeToSystemTime() returned error %lu\n",
																             dwError = GetLastError());

															bOutput &= PrintFormat(hOutput,
															                       L"\tDebug Directory Entry:\r\n"
															                       L"\t\tCharacteristics = 0x%08lX\r\n"
															                       L"\t\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n"
															                       L"\t\tVersion         = %hu.%hu\r\n"
															                       L"\t\tType            = %lu (%ls)\r\n"
															                       L"\t\tAddress of Data = 0x%08lX\r\n"
															                       L"\t\tOffset of Data  = 0x%08lX\r\n"
															                       L"\t\tSize of Data    = 0x%08lX\r\n",
															                       lpDebug->Characteristics,
															                       lpDebug->TimeDateStamp,
															                       szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
															                       lpDebug->MajorVersion,
															                       lpDebug->MinorVersion,
															                       lpDebug->Type, DebugTypeName(lpDebug->Type),
															                       lpDebug->AddressOfRawData,
															                       lpDebug->PointerToRawData,
															                       lpDebug->SizeOfData);

															if (lpDebug->Type == IMAGE_DEBUG_TYPE_CODEVIEW)
															{
																lpCodeView = (CV_INFO_PDB70 *) (lpImage + lpDebug->PointerToRawData);

																if (lpCodeView->Magic == 'SDSR')
																	bOutput &= PrintFormat(hOutput,
																	                       L"\t\t\tFormat    = RSDS\r\n"
																	                       L"\t\t\tSignature = {%08lX-%04lX-%04lX-%02X%02X-%02X%02X%02X%02X%02X%02X}\r\n"
																	                       L"\t\t\tAge       = %lu\r\n"
																	                       L"\t\t\tFilename  = %hs\r\n",
																	                       lpCodeView->Signature.Data1, lpCodeView->Signature.Data2, lpCodeView->Signature.Data3,
																	                       lpCodeView->Signature.Data4[0], lpCodeView->Signature.Data4[1],
																	                       lpCodeView->Signature.Data4[2], lpCodeView->Signature.Data4[3], lpCodeView->Signature.Data4[4],
																	                       lpCodeView->Signature.Data4[5], lpCodeView->Signature.Data4[6], lpCodeView->Signature.Data4[7],
																	                       lpCodeView->Age,
																	                       lpCodeView->PdbFileName);
																else
																	bOutput &= PrintFormat(hOutput,
																	                       L"\t\t\tFormat = %.4hs\r\n",
																	                       &lpCodeView->Magic);
															}
															else if (lpDebug->Type == IMAGE_DEBUG_TYPE_MISC)
															{
																lpMisc = (IMAGE_DEBUG_MISC *) (lpImage + lpDebug->PointerToRawData);

																if (lpMisc->DataType == IMAGE_DEBUG_MISC_EXENAME)
																	bOutput &= PrintFormat(hOutput,
																	                       lpMisc->Unicode ? L"\t\t\tFilename = %ls\r\n" : L"\t\t\tFilename = %hs\r\n",
																	                       lpMisc->Data);
															}
															else if (lpDebug->Type == IMAGE_DEBUG_TYPE_RESERVED10)
																bOutput &= PrintFormat(hOutput,
																                       L"\t\t\tData = 0x%08lX\r\n",
																                       *(DWORD *) (lpImage + lpDebug->PointerToRawData));
															else if (lpDebug->Type == IMAGE_DEBUG_TYPE_POGO)
															{
															        dwPogo = lpDebug->SizeOfData - sizeof(DWORD);
																lpPogo = (POGO *) (lpImage + lpDebug->PointerToRawData);

																if (lpPogo->Magic == 'LTCG')
																	while (dwPogo > 0)
																	{
																		bOutput &= PrintFormat(hOutput,
																		                       L"\t\t%hs:\r\n"
																		                       L"\t\t\tVirtual Address & Size = 0x%08lX, 0x%08lX\r\n",
																		                       lpPogo->Entries[0].Section,
																		                       lpPogo->Entries[0].Address, lpPogo->Entries[0].Size);

																		dwSize = (sizeof(POGO) - sizeof(DWORD) + strlen(lpPogo->Entries[0].Section)) & (0 - sizeof(DWORD));
																		dwPogo -= dwSize;
																		lpPogo = (POGO *) ((BYTE *) lpPogo + dwSize);
																	}
															}

															lpDebug++;
															dwDebug -= sizeof(IMAGE_DEBUG_DIRECTORY);
														} while (dwDebug > 0);
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE].Size != 0))
												{
													if (lpArchitecture == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".arch", IMAGE_DIRECTORY_ENTRY_ARCHITECTURE);
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size != 0))
												{
													if (lpTLS == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".tls", IMAGE_DIRECTORY_ENTRY_TLS);

													if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
													{
														if (lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size != sizeof(IMAGE_TLS_DIRECTORY32))
															PrintConsole(hConsole,
															             L"Size of \'%ls\' differs from size of %ls structure!\n",
															             L"_tls_used", L"IMAGE_TLS_DIRECTORY32");

														lpTLS32 = (IMAGE_TLS_DIRECTORY32 *) RVA2Image(lpImage, lpSection, dwSection,
														                                              lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress,
														                                              IMAGE_DIRECTORY_ENTRY_TLS,
														                                              hConsole);
														if (lpTLS32 == NULL)
															PrintConsole(hConsole,
															             L"No \'%ls\' alias %ls structure!\n",
															             L"_tls_used", L"IMAGE_TLS_DIRECTORY32");
														else
														{
															if (lpTLS32->StartAddressOfRawData != lpTLS32->EndAddressOfRawData)
																if (lpTLS == NULL)
																/*	PrintConsole(hConsole,
																	             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
																	             ".tls", IMAGE_DIRECTORY_ENTRY_TLS) */;
																else
																	if ((lpTLS32->StartAddressOfRawData - dwBase != lpTLS->VirtualAddress)
																	 || (lpTLS32->EndAddressOfRawData - lpTLS32->StartAddressOfRawData != lpTLS->Misc.VirtualSize))
																		PrintConsole(hConsole,
																		             L"Address/size of %ls differ from address/size of \'.tls\' section!\n",
																		             L"IMAGE_TLS_DIRECTORY32");

															bOutput &= PrintFormat(hOutput,
															                       L"\r\n"
															                       L"Thread Local Storage Directory:\r\n"
															                       L"\tStart Address of Data = 0x%08lX\r\n"
															                       L"\tEnd Address of Data   = 0x%08lX\r\n"
															                       L"\tAddress of Index      = 0x%08lX\r\n"
															                       L"\tAddress of Callbacks  = 0x%08lX\r\n"
															                       L"\tSize of Zero Fill     = 0x%08lX\r\n"
															                       L"\tCharacteristics       = 0x%08lX\r\n",
															                       lpTLS32->StartAddressOfRawData,
															                       lpTLS32->EndAddressOfRawData,
															                       lpTLS32->AddressOfIndex,
															                       lpTLS32->AddressOfCallBacks,
															                       lpTLS32->SizeOfZeroFill,
															                       lpTLS32->Characteristics);

															if (lpTLS32->AddressOfCallBacks != 0)
															{
																bOutput &= PrintString(hOutput,
																                       L"\tCallback Functions:\r\n");

																lpCookie32 = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
																                                 lpTLS32->AddressOfCallBacks - dwBase,
																                                 IMAGE_DIRECTORY_ENTRY_TLS,
																                                 hConsole);
																if (lpCookie32 != NULL)
																	while (*lpCookie32 != 0)
																		bOutput &= PrintFormat(hOutput,
																		                       L"\t\t0x%08lX\r\n",
																		                       *lpCookie32++);
															}
														}
													}
													else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
													{
														if (lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size != sizeof(IMAGE_TLS_DIRECTORY64))
															PrintConsole(hConsole,
															             L"Size of \'%ls\' differs from size of %ls structure!\n",
															             L"_tls_used", L"IMAGE_TLS_DIRECTORY64");

														lpTLS64 = (IMAGE_TLS_DIRECTORY64 *) RVA2Image(lpImage, lpSection, dwSection,
														                                              lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress,
														                                              IMAGE_DIRECTORY_ENTRY_TLS,
														                                              hConsole);
														if (lpTLS64 == NULL)
															PrintConsole(hConsole,
															             L"No \'%ls\' alias %ls structure!\n",
															             L"_tls_used", L"IMAGE_TLS_DIRECTORY64");
														else
														{
															if (lpTLS64->StartAddressOfRawData != lpTLS64->EndAddressOfRawData)
																if (lpTLS == NULL)
																/*	PrintConsole(hConsole,
																	             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
																	             ".tls", IMAGE_DIRECTORY_ENTRY_TLS) */;
																else
																	if ((lpTLS64->StartAddressOfRawData - qwBase != lpTLS->VirtualAddress)
																	 || (lpTLS64->EndAddressOfRawData - lpTLS64->StartAddressOfRawData != lpTLS->Misc.VirtualSize))
																		PrintConsole(hConsole,
																		             L"Address/size of %ls differ from address/size of \'.tls\' section!\n",
																		             L"IMAGE_TLS_DIRECTORY64");

															bOutput &= PrintFormat(hOutput,
															                       L"\r\n"
															                       L"Thread Local Storage Directory:\r\n"
															                       L"\tStart Address of Data = 0x%016I64X\r\n"
															                       L"\tEnd Address of Data   = 0x%016I64X\r\n"
															                       L"\tAddress of Index      = 0x%016I64X\r\n"
															                       L"\tAddress of Callbacks  = 0x%016I64X\r\n"
															                       L"\tSize of Zero Fill     = 0x%08lX\r\n"
															                       L"\tCharacteristics       = 0x%08lX\r\n",
															                       lpTLS64->StartAddressOfRawData,
															                       lpTLS64->EndAddressOfRawData,
															                       lpTLS64->AddressOfIndex,
															                       lpTLS64->AddressOfCallBacks,
															                       lpTLS64->SizeOfZeroFill,
															                       lpTLS64->Characteristics);

															if (lpTLS64->AddressOfCallBacks != 0)
															{
																bOutput &= PrintString(hOutput,
																                       L"\tCallback Functions:\r\n");

																lpCookie64 = (DWORD64 *) RVA2Image(lpImage, lpSection, dwSection,
																                                   (DWORD) (lpTLS64->AddressOfCallBacks - qwBase),
																                                   IMAGE_DIRECTORY_ENTRY_TLS,
																                                   hConsole);
																if (lpCookie64 != NULL)
																	while (*lpCookie64 != 0)
																		bOutput &= PrintFormat(hOutput,
																		                       L"\t\t0x%016I64X\r\n",
																		                       *lpCookie64++);
															}
														}
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size != 0))
												{
													if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
													{
														lpLoadCfg32 = (IMAGE_LOAD_CONFIGURATION_DIRECTORY32 *) RVA2Image(lpImage, lpSection, dwSection,
														                                                                 lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress,
														                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
														                                                                 hConsole);
														while (lpLoadCfg32 != NULL)
														{
															if (lpLoadCfg32->Size > sizeof(IMAGE_LOAD_CONFIGURATION_DIRECTORY32))
																PrintConsole(hConsole,
																             L"Size of \'%ls\' exceeds size of %ls structure!\n",
																             L"_load_config_used", L"IMAGE_LOAD_CONFIGURATION_DIRECTORY32");

															if (lpLoadCfg32->Size != lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size)
																PrintConsole(hConsole,
																             L"Size member of \'%ls\' differs from size member of %ls!\n",
																             L"_load_config_used", L"IMAGE_DATA_DIRECTORY[10]");

															bOutput &= PrintFormat(hOutput,
															                       L"\r\n"
															                       L"Load Configuration:\r\n"
															                       L"\tSize                       = 0x%08lX\r\n"
															                       L"\tTime/Date Stamp            = 0x%08lX\r\n"
															                       L"\tVersion                    = %hu.%hu\r\n"
															                       L"\tGlobal Flags Clear         = 0x%08lX\r\n",
															                       lpLoadCfg32->Size,
															                       lpLoadCfg32->TimeDateStamp,
															                       lpLoadCfg32->MajorVersion,
															                       lpLoadCfg32->MinorVersion,
															                       lpLoadCfg32->GlobalFlagsClear);

															for (dwFlags = lpLoadCfg32->GlobalFlagsClear; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
																bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);

															bOutput &= PrintFormat(hOutput,
															                       L"\tGlobal Flags Set           = 0x%08lX\r\n",
															                       lpLoadCfg32->GlobalFlagsSet);

															for (dwFlags = lpLoadCfg32->GlobalFlagsSet; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
																bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);

															bOutput &= PrintFormat(hOutput,
															                       L"\tCritical Section Timeout   = %lu\r\n"
															                       L"\tDecommit Block Threshold   = 0x%08lX\r\n"
															                       L"\tDecommit Total Threshold   = 0x%08lX\r\n"
															                       L"\tLock Prefix Table Address  = 0x%08lX\r\n"
															                       L"\tMaximum Allocation Size    = 0x%08lX\r\n"
															                       L"\tVirtual Memory Threshold   = 0x%08lX\r\n"
															                       L"\tProcess Heap Flags         = 0x%08lX\r\n"
															                       L"\tProcess Affinity Mask      = 0x%08lX\r\n"
															                       L"\tCSD Version                = %hu\r\n"
															                       L"\tDependent Load Flags       = 0x%04hX\r\n",
															                       lpLoadCfg32->CriticalSectionDefaultTimeout,
															                       lpLoadCfg32->DeCommitFreeBlockThreshold,
															                       lpLoadCfg32->DeCommitTotalFreeThreshold,
															                       lpLoadCfg32->LockPrefixTable,
															                       lpLoadCfg32->MaximumAllocationSize,
															                       lpLoadCfg32->VirtualMemoryThreshold,
															                       lpLoadCfg32->ProcessHeapFlags,
															                       lpLoadCfg32->ProcessAffinityMask,
															                       lpLoadCfg32->CSDVersion,
															                       lpLoadCfg32->DependentLoadFlags);

															if ((lpLoadCfg32->DependentLoadFlags & DONT_RESOLVE_DLL_REFERENCES) == DONT_RESOLVE_DLL_REFERENCES)
																bOutput &= PrintString(hOutput, L"\t\tDon't resolve DLL references\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE) == LOAD_LIBRARY_AS_DATAFILE)
																bOutput &= PrintString(hOutput, L"\t\tLoad as data file\r\n");
#ifdef LOAD_PACKAGED_LIBRARY
															if ((lpLoadCfg32->DependentLoadFlags & LOAD_PACKAGED_LIBRARY) == LOAD_PACKAGED_LIBRARY)
																bOutput &= PrintString(hOutput, L"\t\tLoad packaged library\r\n");
#endif
															if ((lpLoadCfg32->DependentLoadFlags & LOAD_WITH_ALTERED_SEARCH_PATH) == LOAD_WITH_ALTERED_SEARCH_PATH)
																bOutput &= PrintString(hOutput, L"\t\tLoad with altered search path\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_IGNORE_CODE_AUTHZ_LEVEL) == LOAD_IGNORE_CODE_AUTHZ_LEVEL)
																bOutput &= PrintString(hOutput, L"\t\tIgnore AUTHZ level\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE) == LOAD_LIBRARY_AS_IMAGE_RESOURCE)
																bOutput &= PrintString(hOutput, L"\t\tLoad as image resource\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE) == LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)
																bOutput &= PrintString(hOutput, L"\t\tLoad as data file exclusively\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) == LOAD_LIBRARY_REQUIRE_SIGNED_TARGET)
																bOutput &= PrintString(hOutput, L"\t\tRequire signed target\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR) == LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR)
																bOutput &= PrintString(hOutput, L"\t\tSearch DLL directory\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) == LOAD_LIBRARY_SEARCH_APPLICATION_DIR)
																bOutput &= PrintString(hOutput, L"\t\tSearch application directory\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_USER_DIRS) == LOAD_LIBRARY_SEARCH_USER_DIRS)
																bOutput &= PrintString(hOutput, L"\t\tSearch user directories\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32) == LOAD_LIBRARY_SEARCH_SYSTEM32)
																bOutput &= PrintString(hOutput, L"\t\tSearch system directory\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) == LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)
																bOutput &= PrintString(hOutput, L"\t\tSearch default directories\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS) == LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS)
																bOutput &= PrintString(hOutput, L"\t\tSearch safe current directory\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER) == LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER)
																bOutput &= PrintString(hOutput, L"\t\tSearch system directory, exempt (reverse) forwarder modules\r\n");

															if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY) == LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY)
																bOutput &= PrintString(hOutput, L"\t\tOS integrity continuity\r\n");

															if (lpLoadCfg32->Size < 64)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tEdit List Address          = 0x%08lX\r\n"
															                       L"\tSecurity Cookie Address    = 0x%08lX\r\n",
															                       lpLoadCfg32->EditList,
															                       lpLoadCfg32->SecurityCookie);

															if (lpLoadCfg32->SecurityCookie != 0)
															{
																lpCookie32 = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
																                                 lpLoadCfg32->SecurityCookie - dwBase,
																                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
																                                 hConsole);
																if (lpCookie32 != NULL)
																	bOutput &= PrintFormat(hOutput,
																	                       L"\t\tSecurity Cookie    = 0x%08lX (%ls)\r\n",
																	                       *lpCookie32,
																	                       *lpCookie32 == 0xBB40E64E ? L"default" : L"custom");
															}

															if (lpLoadCfg32->Size < 72)
																break;

															bOutput &= PrintFormat(hOutput,
																               L"\tSEH Table Address          = 0x%08lX\r\n"
															                       L"\tSEH Table Entries          = %lu\r\n",
															                       lpLoadCfg32->SEHandlerTable,
															                       lpLoadCfg32->SEHandlerCount);

															if (lpLoadCfg32->SEHandlerTable != 0)
															{
																lpHandler = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
																                                lpLoadCfg32->SEHandlerTable - dwBase,
																                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
																                                hConsole);
																if (lpHandler != NULL)
																	for (dwHandler = 0; dwHandler < lpLoadCfg32->SEHandlerCount; dwHandler++)
																		bOutput &= PrintFormat(hOutput,
																		                       L"\t\tException Handler  = 0x%08lX\r\n",
																		                       lpHandler[dwHandler]);
															}

															if (lpLoadCfg32->Size < 92)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG Check Function         = 0x%08lX\r\n"
															                       L"\tCFG Dispatch Function      = 0x%08lX\r\n"
															                       L"\tCFG Function Table         = 0x%08lX\r\n"
															                       L"\tCFG Function Count         = %lu\r\n"
															                       L"\tCFG Function Table Stride  = %lu\r\n"
															                       L"\tCFG Flags                  = 0x%08lX\r\n",
															                       lpLoadCfg32->GuardCFCheckFunctionPointer,
															                       lpLoadCfg32->GuardCFDispatchFunctionPointer,
															                       lpLoadCfg32->GuardCFFunctionTable,
															                       lpLoadCfg32->GuardCFFunctionCount,
															                       (lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT,
															                       lpLoadCfg32->GuardFlags & ~IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK);

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED) == IMAGE_GUARD_CF_INSTRUMENTED)
																bOutput &= PrintString(hOutput, L"\t\tControl flow integrity checks using system-supplied support\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CFW_INSTRUMENTED) == IMAGE_GUARD_CFW_INSTRUMENTED)
																bOutput &= PrintString(hOutput, L"\t\tControl flow and write integrity checks\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT) == IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT)
																bOutput &= PrintString(hOutput, L"\t\tControl flow target metadata\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_SECURITY_COOKIE_UNUSED) == IMAGE_GUARD_SECURITY_COOKIE_UNUSED)
																bOutput &= PrintString(hOutput, L"\t\t/GS security cookie not used\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_PROTECT_DELAYLOAD_IAT) == IMAGE_GUARD_PROTECT_DELAYLOAD_IAT)
																bOutput &= PrintString(hOutput, L"\t\tRead-only delay-load IAT\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION) == IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION)
																bOutput &= PrintString(hOutput, L"\t\tDelay-load import table in own \'.didat\' section\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT) == IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT)
																bOutput &= PrintString(hOutput, L"\t\tExport suppression information\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION) == IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION)
																bOutput &= PrintString(hOutput, L"\t\tExport suppression\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT) == IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT)
																bOutput &= PrintString(hOutput, L"\t\t\'longjmp()\' target information\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_RF_INSTRUMENTED) == IMAGE_GUARD_RF_INSTRUMENTED)
																bOutput &= PrintString(hOutput, L"\t\tReturn flow instrumentation and metadata\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_RF_ENABLE) == IMAGE_GUARD_RF_ENABLE)
																bOutput &= PrintString(hOutput, L"\t\tReturn flow protection\r\n");

															if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_RF_STRICT) == IMAGE_GUARD_RF_STRICT)
																bOutput &= PrintString(hOutput, L"\t\tReturn flow protection, strict mode\r\n");

															if (lpLoadCfg32->Size < 104)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCode Integrity Flags       = 0x%04hX\r\n"
															                       L"\tCode Integrity Catalog     = 0x%04hX\r\n"
															                       L"\tCode Integrity Offset      = 0x%08lX\r\n"
															                       L"\tReserved                   = 0x%08lX\r\n",
															                       lpLoadCfg32->CodeIntegrity.Flags,
															                       lpLoadCfg32->CodeIntegrity.Catalog,
															                       lpLoadCfg32->CodeIntegrity.CatalogOffset,
															                       lpLoadCfg32->CodeIntegrity.Reserved);

															if (lpLoadCfg32->Size < 120)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG IAT Entry Table        = 0x%08lX\r\n"
															                       L"\tCFG IAT Entry Count        = %lu\r\n"
															                       L"\tCFG Jump Target Table      = 0x%08lX\r\n"
															                       L"\tCFG Jump Target Count      = %lu\r\n",
															                       lpLoadCfg32->GuardAddressTakenIatEntryTable,
															                       lpLoadCfg32->GuardAddressTakenIatEntryCount,
															                       lpLoadCfg32->GuardLongJumpTargetTable,
															                       lpLoadCfg32->GuardLongJumpTargetCount);

															if (lpLoadCfg32->Size < 128)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tRelocation Table           = 0x%08lX\r\n"
															                       L"\tCompiled Hybrid Metadata   = 0x%08lX\r\n",
															                       lpLoadCfg32->DynamicValueRelocTable,
															                       lpLoadCfg32->CHPEMetadataPointer);

															if (lpLoadCfg32->Size < 152)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tRFG Failure Routine        = 0x%08lX\r\n"
															                       L"\tRFG Failure Function       = 0x%08lX\r\n"
															                       L"\tRelocation Table Offset    = 0x%08lX\r\n"
															                       L"\tRelocation Table Section   = 0x%04hX\r\n"
															                       L"\tReserved2                  = %hu\r\n"
															                       L"\tRFG Stack Pointer Function = 0x%08lX\r\n"
															                       L"\tHot Patch Table Offset     = 0x%08lX\r\n",
															                       lpLoadCfg32->GuardRFFailureRoutine,
															                       lpLoadCfg32->GuardRFFailureRoutineFunctionPointer,
															                       lpLoadCfg32->DynamicValueRelocTableOffset,
															                       lpLoadCfg32->DynamicValueRelocTableSection,
															                       lpLoadCfg32->Reserved2,
															                       lpLoadCfg32->GuardRFVerifyStackPointerFunctionPointer,
															                       lpLoadCfg32->HotPatchTableOffset);

															if (lpLoadCfg32->Size < 160)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tReserved3                  = %lu\r\n"
															                       L"\tEnclave Configuration      = 0x%08lX\r\n",
															                       lpLoadCfg32->Reserved3,
															                       lpLoadCfg32->EnclaveConfigurationPointer);

															if (lpLoadCfg32->Size < 164)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tVolatile Metadata Pointer  = 0x%08lX\r\n",
															                       lpLoadCfg32->VolatileMetadataPointer);

															if (lpLoadCfg32->Size < 172)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG EH Continuation Table  = 0x%08lX\r\n"
															                       L"\tCFG EH Continuation Count  = %lu\r\n",
															                       lpLoadCfg32->GuardEHContinuationTable,
															                       lpLoadCfg32->GuardEHContinuationCount);

															if (lpLoadCfg32->Size < 184)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tXFG Check Function         = 0x%08lX\r\n"
															                       L"\tXFG Dispatch Function      = 0x%08lX\r\n"
															                       L"\tXFG Function Table         = 0x%08lX\r\n",
															                       lpLoadCfg32->GuardXFGCheckFunctionPointer,
															                       lpLoadCfg32->GuardXFGDispatchFunctionPointer,
															                       lpLoadCfg32->GuardXFGTableDispatchFunctionPointer);

															if (lpLoadCfg32->Size < 188)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCast Guard OS Failure Mode = 0x%08lX\r\n",
															                       lpLoadCfg32->CastGuardOsDeterminedFailureMode);

															if (lpLoadCfg32->Size < 192)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG memcpy() Function      = 0x%08lX\r\n",
															                       lpLoadCfg32->GuardMemcpyFunctionPointer);
															break;
														}
													}
													else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
													{
														lpLoadCfg64 = (IMAGE_LOAD_CONFIGURATION_DIRECTORY64 *) RVA2Image(lpImage, lpSection, dwSection,
														                                                                 lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress,
														                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
														                                                                 hConsole);
														while (lpLoadCfg64 != NULL)
														{
															if (lpLoadCfg64->Size > sizeof(IMAGE_LOAD_CONFIGURATION_DIRECTORY64))
																PrintConsole(hConsole,
																             L"Size of \'%ls\' exceeds size of %ls structure!\n",
																             L"_load_config_used", L"IMAGE_LOAD_CONFIGURATION_DIRECTORY64");

															if (lpLoadCfg64->Size != lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size)
																PrintConsole(hConsole,
																             L"Size member of \'%ls\' differs from size member of %ls!\n",
																             L"_load_config_used", L"IMAGE_DATA_DIRECTORY[10]");

															bOutput &= PrintFormat(hOutput,
															                       L"\r\n"
															                       L"Load Configuration:\r\n"
															                       L"\tSize                       = 0x%08lX\r\n"
															                       L"\tTime/Date Stamp            = 0x%08lX\r\n"
															                       L"\tVersion                    = %hu.%hu\r\n"
															                       L"\tGlobal Flags Clear         = 0x%08lX\r\n",
															                       lpLoadCfg64->Size,
															                       lpLoadCfg64->TimeDateStamp,
															                       lpLoadCfg64->MajorVersion,
															                       lpLoadCfg64->MinorVersion,
															                       lpLoadCfg64->GlobalFlagsClear);

															for (dwFlags = lpLoadCfg64->GlobalFlagsClear; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
																bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);

															bOutput &= PrintFormat(hOutput,
															                       L"\tGlobal Flags Set           = 0x%08lX\r\n",
															                       lpLoadCfg64->GlobalFlagsSet);

															for (dwFlags = lpLoadCfg64->GlobalFlagsSet; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
																bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);

															bOutput &= PrintFormat(hOutput,
															                       L"\tCritical Section Timeout   = %lu\r\n"
															                       L"\tDecommit Block Threshold   = 0x%016I64X\r\n"
															                       L"\tDecommit Total Threshold   = 0x%016I64X\r\n"
															                       L"\tLock Prefix table Address  = 0x%016I64X\r\n"
															                       L"\tMaximum Allocation Size    = 0x%016I64X\r\n"
															                       L"\tVirtual Memory Threshold   = 0x%016I64X\r\n"
															                       L"\tProcess Affinity Mask      = 0x%016I64X\r\n"
															                       L"\tProcess Heap Flags         = 0x%08lX\r\n"
															                       L"\tCSD Version                = %hu\r\n"
															                       L"\tDependent Load Flags       = 0x%04hX\r\n",
															                       lpLoadCfg64->CriticalSectionDefaultTimeout,
															                       lpLoadCfg64->DeCommitFreeBlockThreshold,
															                       lpLoadCfg64->DeCommitTotalFreeThreshold,
															                       lpLoadCfg64->LockPrefixTable,
															                       lpLoadCfg64->MaximumAllocationSize,
															                       lpLoadCfg64->VirtualMemoryThreshold,
															                       lpLoadCfg64->ProcessAffinityMask,
															                       lpLoadCfg64->ProcessHeapFlags,
															                       lpLoadCfg64->CSDVersion,
															                       lpLoadCfg64->DependentLoadFlags);

															if ((lpLoadCfg64->DependentLoadFlags & DONT_RESOLVE_DLL_REFERENCES) == DONT_RESOLVE_DLL_REFERENCES)
																bOutput &= PrintString(hOutput, L"\t\tDon't resolve DLL references\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE) == LOAD_LIBRARY_AS_DATAFILE)
																bOutput &= PrintString(hOutput, L"\t\tLoad as data file\r\n");
#ifdef LOAD_PACKAGED_LIBRARY
															if ((lpLoadCfg64->DependentLoadFlags & LOAD_PACKAGED_LIBRARY) == LOAD_PACKAGED_LIBRARY)
																bOutput &= PrintString(hOutput, L"\t\tLoad packaged library\r\n");
#endif
															if ((lpLoadCfg64->DependentLoadFlags & LOAD_WITH_ALTERED_SEARCH_PATH) == LOAD_WITH_ALTERED_SEARCH_PATH)
																bOutput &= PrintString(hOutput, L"\t\tLoad with altered search path\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_IGNORE_CODE_AUTHZ_LEVEL) == LOAD_IGNORE_CODE_AUTHZ_LEVEL)
																bOutput &= PrintString(hOutput, L"\t\tIgnore AUTHZ level\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE) == LOAD_LIBRARY_AS_IMAGE_RESOURCE)
																bOutput &= PrintString(hOutput, L"\t\tLoad as image resource\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE) == LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)
																bOutput &= PrintString(hOutput, L"\t\tLoad as data file exclusively\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) == LOAD_LIBRARY_REQUIRE_SIGNED_TARGET)
																bOutput &= PrintString(hOutput, L"\t\tRequire signed target\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR) == LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR)
																bOutput &= PrintString(hOutput, L"\t\tSearch DLL directory\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) == LOAD_LIBRARY_SEARCH_APPLICATION_DIR)
																bOutput &= PrintString(hOutput, L"\t\tSearch application directory\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_USER_DIRS) == LOAD_LIBRARY_SEARCH_USER_DIRS)
																bOutput &= PrintString(hOutput, L"\t\tSearch user directories\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32) == LOAD_LIBRARY_SEARCH_SYSTEM32)
																bOutput &= PrintString(hOutput, L"\t\tSearch system directory\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) == LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)
																bOutput &= PrintString(hOutput, L"\t\tSearch default directories\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS) == LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS)
																bOutput &= PrintString(hOutput, L"\t\tSearch safe current directory\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER) == LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER)
																bOutput &= PrintString(hOutput, L"\t\tSearch system directory, exempt (reverse) forwarder modules\r\n");

															if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY) == LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY)
																bOutput &= PrintString(hOutput, L"\t\tOS integrity continuity\r\n");

															if (lpLoadCfg64->Size < 96)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tEdit List Address          = 0x%016I64X\r\n"
															                       L"\tSecurity Cookie Address    = 0x%016I64X\r\n",
															                       lpLoadCfg64->EditList,
															                       lpLoadCfg64->SecurityCookie);

															if (lpLoadCfg64->SecurityCookie != 0)
															{
																lpCookie64 = (DWORD64 *) RVA2Image(lpImage, lpSection, dwSection,
																                                   (DWORD) (lpLoadCfg64->SecurityCookie - qwBase),
																                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
																                                   hConsole);
																if (lpCookie64 != NULL)
																	bOutput &= PrintFormat(hOutput,
																	                       L"\t\tSecurity Cookie    = 0x%016I64X (%ls)\r\n",
																	                       *lpCookie64,
																	                       *lpCookie64 == 0x00002B992DDFA232 ? L"default" : L"custom");
															}

															if (lpLoadCfg64->Size < 112)
																break;

															if ((lpLoadCfg64->SEHandlerTable != 0)
															 || (lpLoadCfg64->SEHandlerCount != 0))
																PrintConsole(hConsole,
																             L"Structured exception handler table address or entry count not 0!\n");

															bOutput &= PrintFormat(hOutput,
															                       L"\tSEH Table Address          = 0x%016I64X\r\n"
															                       L"\tSEH Table Entries          = %I64u\r\n",
															                       lpLoadCfg64->SEHandlerTable,
															                       lpLoadCfg64->SEHandlerCount);

															if (lpLoadCfg64->Size < 148)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG Check Function         = 0x%016I64X\r\n"
															                       L"\tCFG Dispatch Function      = 0x%016I64X\r\n"
															                       L"\tCFG Function Table         = 0x%016I64X\r\n"
															                       L"\tCFG Function Count         = %I64u\r\n"
															                       L"\tCFG Function Table Stride  = %lu\r\n"
															                       L"\tCFG Flags                  = 0x%08lX\r\n",
															                       lpLoadCfg64->GuardCFCheckFunctionPointer,
															                       lpLoadCfg64->GuardCFDispatchFunctionPointer,
															                       lpLoadCfg64->GuardCFFunctionTable,
															                       lpLoadCfg64->GuardCFFunctionCount,
															                       (lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT,
															                       lpLoadCfg64->GuardFlags & ~IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK);

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED) == IMAGE_GUARD_CF_INSTRUMENTED)
																bOutput &= PrintString(hOutput, L"\t\tControl flow integrity checks using system-supplied support\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CFW_INSTRUMENTED) == IMAGE_GUARD_CFW_INSTRUMENTED)
																bOutput &= PrintString(hOutput, L"\t\tControl flow and write integrity checks\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT) == IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT)
																bOutput &= PrintString(hOutput, L"\t\tControl flow target metadata\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_SECURITY_COOKIE_UNUSED) == IMAGE_GUARD_SECURITY_COOKIE_UNUSED)
																bOutput &= PrintString(hOutput, L"\t\t/GS security cookie not used\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_PROTECT_DELAYLOAD_IAT) == IMAGE_GUARD_PROTECT_DELAYLOAD_IAT)
																bOutput &= PrintString(hOutput, L"\t\tRead-only delay-load IAT\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION) == IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION)
																bOutput &= PrintString(hOutput, L"\t\tDelay-load import table in own \'.didat\' section\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT) == IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT)
																bOutput &= PrintString(hOutput, L"\t\tExport suppression information\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION) == IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION)
																bOutput &= PrintString(hOutput, L"\t\tExport suppression\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT) == IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT)
																bOutput &= PrintString(hOutput, L"\t\t\'longjmp()\' target information\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_RF_INSTRUMENTED) == IMAGE_GUARD_RF_INSTRUMENTED)
																bOutput &= PrintString(hOutput, L"\t\tReturn flow instrumentation and metadata\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_RF_ENABLE) == IMAGE_GUARD_RF_ENABLE)
																bOutput &= PrintString(hOutput, L"\t\tReturn flow protection\r\n");

															if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_RF_STRICT) == IMAGE_GUARD_RF_STRICT)
																bOutput &= PrintString(hOutput, L"\t\tReturn flow protection, strict mode\r\n");

															if (lpLoadCfg64->Size < 160)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCode Integrity Flags       = 0x%04hX\r\n"
															                       L"\tCode Integrity Catalog     = 0x%04hX\r\n"
															                       L"\tCode Integrity Offset      = 0x%08lX\r\n"
															                       L"\tReserved                   = 0x%08lX\r\n",
															                       lpLoadCfg64->CodeIntegrity.Flags,
															                       lpLoadCfg64->CodeIntegrity.Catalog,
															                       lpLoadCfg64->CodeIntegrity.CatalogOffset,
															                       lpLoadCfg64->CodeIntegrity.Reserved);

															if (lpLoadCfg64->Size < 192)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG IAT Entry Table        = 0x%016I64X\r\n"
															                       L"\tCFG IAT Entry Count        = %I64u\r\n"
															                       L"\tCFG Jump Target Table      = 0x%016I64X\r\n"
															                       L"\tCFG Jump Target Count      = %I64u\r\n",
															                       lpLoadCfg64->GuardAddressTakenIatEntryTable,
															                       lpLoadCfg64->GuardAddressTakenIatEntryCount,
															                       lpLoadCfg64->GuardLongJumpTargetTable,
															                       lpLoadCfg64->GuardLongJumpTargetCount);

															if (lpLoadCfg64->Size < 208)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tRelocation Table           = 0x%016I64X\r\n"
															                       L"\tCompiled Hybrid Metadata   = 0x%016I64X\r\n",
															                       lpLoadCfg64->DynamicValueRelocTable,
															                       lpLoadCfg64->CHPEMetadataPointer);

															if (lpLoadCfg64->Size < 244)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tRFG Failure Routine        = 0x%016I64X\r\n"
															                       L"\tRFG Failure Function       = 0x%016I64X\r\n"
															                       L"\tRelocation Table Offset    = 0x%08lX\r\n"
															                       L"\tRelocation Table Section   = 0x%04hX\r\n"
															                       L"\tReserved2                  = %hu\r\n"
															                       L"\tRFG Stack Pointer Function = 0x%016I64X\r\n"
															                       L"\tHot Patch Table Offset     = 0x%08lX\r\n",
															                       lpLoadCfg64->GuardRFFailureRoutine,
															                       lpLoadCfg64->GuardRFFailureRoutineFunctionPointer,
															                       lpLoadCfg64->DynamicValueRelocTableOffset,
															                       lpLoadCfg64->DynamicValueRelocTableSection,
															                       lpLoadCfg64->Reserved2,
															                       lpLoadCfg64->GuardRFVerifyStackPointerFunctionPointer,
															                       lpLoadCfg64->HotPatchTableOffset);

															if (lpLoadCfg64->Size < 256)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tReserved3                  = %lu\r\n"
															                       L"\tEnclave Configuration      = 0x%016I64X\r\n",
															                       lpLoadCfg64->Reserved3,
															                       lpLoadCfg64->EnclaveConfigurationPointer);

															if (lpLoadCfg64->Size < 264)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tVolatile Metadata Pointer  = 0x%016I64X\r\n",
															                       lpLoadCfg64->VolatileMetadataPointer);

															if (lpLoadCfg64->Size < 280)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG EH Continuation Table  = 0x%016I64X\r\n"
															                       L"\tCFG EH Continuation Count  = %I64u\r\n",
															                       lpLoadCfg64->GuardEHContinuationTable,
															                       lpLoadCfg64->GuardEHContinuationCount);

															if (lpLoadCfg64->Size < 304)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tXFG Check Function         = 0x%016I64X\r\n"
															                       L"\tXFG Dispatch Function      = 0x%016I64X\r\n"
															                       L"\tXFG Function Table         = 0x%016I64X\r\n",
															                       lpLoadCfg64->GuardXFGCheckFunctionPointer,
															                       lpLoadCfg64->GuardXFGDispatchFunctionPointer,
															                       lpLoadCfg64->GuardXFGTableDispatchFunctionPointer);

															if (lpLoadCfg64->Size < 312)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCast Guard OS Failure Mode = 0x%016I64X\r\n",
															                       lpLoadCfg64->CastGuardOsDeterminedFailureMode);

															if (lpLoadCfg64->Size < 320)
																break;

															bOutput &= PrintFormat(hOutput,
															                       L"\tCFG memcpy() Function      = 0x%016I64X\r\n",
															                       lpLoadCfg64->GuardMemcpyFunctionPointer);
															break;
														}
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size != 0))
												{
													bOutput &= PrintString(hOutput,
													                       L"\r\n"
													                       L"Bound Import Directory:\r\n");

													lpBound = lpImage
													        + lpDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress;
													dwDescriptor = 0;
													lpDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *) lpBound;

													while (lpDescriptor->TimeDateStamp != 0)
													{
														qw = __emulu(lpDescriptor->TimeDateStamp, 10000000)	// seconds since 1970-01-01 to
														   + 116444736000000000;				//  100 nano-seconds since 1601-01-01

														if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
															PrintConsole(hConsole,
															             L"FileTimeToSystemTime() returned error %lu for module \'%hs\'\n",
															             dwError = GetLastError(), lpBound + lpDescriptor->OffsetModuleName);

														if (dwDescriptor == 0)
														{
															dwDescriptor = lpDescriptor->NumberOfModuleForwarderRefs;

															bOutput &= PrintFormat(hOutput,
															                       L"\tBound Import Entry:\r\n"
															                       L"\t\tModule Name     = %hs\r\n"
															                       L"\t\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n",
															                       lpBound + lpDescriptor->OffsetModuleName,
															                       lpDescriptor->TimeDateStamp,
															                       szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond);
														}
														else
														{
															dwDescriptor--;

															bOutput &= PrintFormat(hOutput,
															                       L"\t\t\tModule Name     = %hs\r\n"
															                       L"\t\t\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n",
															                       lpBound + lpDescriptor->OffsetModuleName,
															                       lpDescriptor->TimeDateStamp,
															                       szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond);
														}

														lpDescriptor++;
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size != 0))
												{
													if (lpDelay == NULL)
														PrintConsole(hConsole,
														             L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
														             ".didat", IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);

													lpDelay = (IMAGE_DELAYLOAD_DESCRIPTOR *) RVA2Image(lpImage, lpSection, dwSection,
													                                                   lpDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress,
													                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
													                                                   hConsole);
													if (lpDelay != NULL)
													{
														bOutput &= PrintString(hOutput,
														                       L"\r\n"
														                       L"Delay Load Import Directory:\r\n");

														while (lpDelay->DllNameRVA != 0)
														{
															if (lpDelay->Attributes.RvaBased)
																dwRVA = lpDelay->DllNameRVA;
															else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
																dwRVA = lpDelay->DllNameRVA - dwBase;
															else
																dwRVA = ~0UL;

															lpModule = RVA2Image(lpImage, lpSection, dwSection,
															                     dwRVA,
															                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
															                     hConsole);

															bOutput &= PrintFormat(hOutput,
															                       L"\tDelay Load Import Descriptor:\r\n"
															                       L"\t\tAttributes        = 0x%08lX\r\n"
															                       L"\t\tModule Name       = %hs\r\n"
															                       L"\t\tTime/Date Stamp   = 0x%08lX\r\n"
															                       L"\t\tHandle Address    = 0x%08lX\r\n"
															                       L"\t\tAddress Table     = 0x%08lX\r\n"
															                       L"\t\tName Table        = 0x%08lX\r\n"
															                       L"\t\tBound Name Table  = 0x%08lX\r\n"
															                       L"\t\tUnload Name Table = 0x%08lX\r\n"
															                       L"\t\tImports:\r\n",
															                       lpDelay->Attributes.AllAttributes,
															                       lpModule,
															                       lpDelay->TimeDateStamp,
															                       lpDelay->ModuleHandleRVA,
															                       lpDelay->ImportAddressTableRVA,
															                       lpDelay->ImportNameTableRVA,
															                       lpDelay->BoundImportAddressTableRVA,
															                       lpDelay->UnloadInformationTableRVA);

															if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
															{
																lpThunk32 = (IMAGE_THUNK_DATA32 *) RVA2Image(lpImage, lpSection, dwSection,
																                                             lpDelay->Attributes.RvaBased ? lpDelay->ImportNameTableRVA : lpDelay->ImportNameTableRVA - dwBase,
																                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
																                                             hConsole);
																if (lpThunk32 != NULL)
																	while (lpThunk32->u1.AddressOfData != 0)
																	{
																		if ((lpThunk32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) == IMAGE_ORDINAL_FLAG32)
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t\t%hu\r\n",
																			                       LOWORD(lpThunk32->u1.Ordinal));
																		else
																		{
																			lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
																			                                               lpDelay->Attributes.RvaBased ? lpThunk32->u1.AddressOfData : lpThunk32->u1.AddressOfData - dwBase,
																			                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
																			                                               hConsole);
																			if (lpAddress != NULL)
																				bOutput &= PrintFormat(hOutput,
																				                       L"\t\t\t%hu\t%hs\r\n",
																				                       lpAddress->Hint,
																				                       lpAddress->Name);
																		}

																		lpThunk32++;
																	}
															}
															else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
															{
																lpThunk64 = (IMAGE_THUNK_DATA64 *) RVA2Image(lpImage, lpSection, dwSection,
																                                             lpDelay->ImportNameTableRVA,
																                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
																                                             hConsole);
																if (lpThunk64 != NULL)
																	while (lpThunk64->u1.AddressOfData != 0)
																	{
																		if ((lpThunk64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) == IMAGE_ORDINAL_FLAG64)
																			bOutput &= PrintFormat(hOutput,
																			                       L"\t\t\t%hu\r\n",
																			                       LOWORD(lpThunk64->u1.Ordinal));
																		else
																		{
																			lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
																			                                               (DWORD) lpThunk64->u1.AddressOfData,
																			                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
																			                                               hConsole);
																			if (lpAddress != NULL)
																				bOutput &= PrintFormat(hOutput,
																				                       L"\t\t\t%hu\t%hs\r\n",
																				                       lpAddress->Hint,
																				                       lpAddress->Name);
																		}

																		lpThunk64++;
																	}
															}

															lpDelay++;
														}
													}
												}

												if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != 0)
												 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size != 0))
												{
													lpCOMPlus = (IMAGE_COR20_HEADER *) RVA2Image(lpImage, lpSection, dwSection,
													                                             lpDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress,
													                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
													                                             hConsole);
													if (lpCOMPlus != NULL)
													{
														bOutput &= PrintFormat(hOutput,
														                       L"\r\n"
														                       L"COM+ Directory:\r\n"
														                       L"\tRuntime Version            = %hu.%hu\r\n"
														                       L"\tFlags                      = 0x%08lX\r\n"
														                       L"\tEntry Point Token          = 0x%08lX\r\n"
														                       L"\tMetadata                   = 0x%08lX\r\n"
														                       L"\tResources                  = 0x%08lX\r\n"
														                       L"\tStrong Name Signature      = 0x%08lX\r\n"
														                       L"\tCode Manager Table         = 0x%08lX\r\n"
														                       L"\tVTable Fixups              = 0x%08lX\r\n"
														                       L"\tExport Address Table Jumps = 0x%08lX\r\n"
														                       L"\tManaged Native Header      = 0x%08lX\r\n",
														                       lpCOMPlus->MajorRuntimeVersion,
														                       lpCOMPlus->MinorRuntimeVersion,
														                       lpCOMPlus->Flags,
														                       lpCOMPlus->EntryPointToken,
														                       lpCOMPlus->MetaData,
														                       lpCOMPlus->Resources,
														                       lpCOMPlus->StrongNameSignature,
														                       lpCOMPlus->CodeManagerTable,
														                       lpCOMPlus->VTableFixups,
														                       lpCOMPlus->ExportAddressTableJumps,
														                       lpCOMPlus->ManagedNativeHeader);
													}
												}

												if (!bOutput)
													PrintConsole(hConsole,
													             L"WriteFile() returned error %lu\n",
													             dwError = GetLastError());
											}
										}

										if (!UnmapViewOfFile(lpImage))
											PrintConsole(hConsole,
											             L"UnmapViewOfFile() returned error %lu\n",
											             GetLastError());
									}

									if (!CloseHandle(hImage))
										PrintConsole(hConsole,
										             L"CloseHandle() returned error %lu\n",
										             GetLastError());
								}
							}

							if (!CloseHandle(hInput))
								PrintConsole(hConsole,
								             L"CloseHandle() returned error %lu\n",
								             GetLastError());
						}
					}

					if (!CloseHandle(hOutput))
						PrintConsole(hConsole,
						             L"CloseHandle() returned error %lu\n",
						             GetLastError());
				}
			}

			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file PECOFFIN.C created in step 1., link the compiled object file PECOFFIN.OBJ and cleanup afterwards: 

    SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:CRYPT32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePECOFFIN.COM PECOFFIN.C
ERASE PECOFFIN.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

PECOFFIN.C
PECOFFIN.C(186) : warning C4214: nonstandard extension used : bit field types other than int
PECOFFIN.C(187) : warning C4214: nonstandard extension used : bit field types other than int
PECOFFIN.C(188) : warning C4201: nonstandard extension used : nameless struct/union
PECOFFIN.C(1828) : warning C4701: potentially uninitialized local variable 'lpPE64' used
PECOFFIN.C(1471) : warning C4701: potentially uninitialized local variable 'lpDirectory' used
PECOFFIN.C(3205) : warning C4701: potentially uninitialized local variable 'qwBase' used
PECOFFIN.C(1520) : warning C4701: potentially uninitialized local variable 'dwCode' used
PECOFFIN.C(1527) : warning C4701: potentially uninitialized local variable 'dwData' used
PECOFFIN.C(1534) : warning C4701: potentially uninitialized local variable 'dwSize' used
PECOFFIN.C(1370) : warning C4701: potentially uninitialized local variable 'dwOffset' used
PECOFFIN.C(1364) : warning C4701: potentially uninitialized local variable 'dwMemory' used
PECOFFIN.C(1349) : warning C4701: potentially uninitialized local variable 'dwFile' used
PECOFFIN.C(1690) : warning C4701: potentially uninitialized local variable 'lpPE32' used
PECOFFIN.C(3508) : warning C4701: potentially uninitialized local variable 'dwBase' used

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Product Key Validator

Purpose
Background Information
Synopsis
Demonstration
Downloads
Implementation and Build Details
Variant 1
Variant 2
Source and Build Instructions – Variant 1
Source and Build Instructions – Variant 2

Purpose

Test (and decode) product keys for Windows Vista and newer versions of Windows NT as well as Microsoft Office 2010 and newer versions.

Background Information

The following product key types are currently known:
OEM:SLP (System Locked Preinstallation)
Manufacturer specific product key for offline activation of Windows Vista or Windows 7 per external certificate provided in a .xrm-ms XML file on factory installed OEM machines with version 2.0 or 2.1 marker embedded in their ACPI SLIC table.
OEM:COA (Certificate of Authenticity)
Individual product key for online activation of Windows Vista or Windows 7, supplied on a sticker attached to factory installed OEM machines; Windows 7 COA keys are for online activation of Windows 10 1511 and newer too.
OEM:NONSLP (Non-System Locked Preinstallation)
Individual product key for online activation of a single system, supplied on a sticker attached to System Builder installed machines.
OEM:DM (Data Management)
Device specific individual product key for online activation of Windows 8 and newer versions of client editions, embedded in the ACPI MSDM table of factory installed OEM machines.
Retail (Full Packaged Product)
Individual product key for online activation of a single system.
Retail (Generic Setup)
Generic setup product key provided with OEM and retail channel installation media for online activation per hardware identification stored on Microsoft’s activation servers, gathered on activated previous installation of Windows 7 and newer versions.
Retail:TB:Eval (Time-Bombed Evaluation)
Volume:CSVLK (Customer-Specific Volume License Key)
Customer-specific KMS host product key.
Volume:GVLK (Generic Volume License Key)
Generic product key provided with VL channel installation media for offline activation of KMS clients per KMS host.
Volume:MAK (Multiple Activation Key)
Individual product key for online activation of a fixed number of systems.
WAU (Windows Anytime Upgrade)
Individual product key for upgrading an activated lower edition of Windows Vista and newer versions.

Synopsis

PIDGENX.COM [‹pidgenx.dll›] ‹pkeyconfig.xrm-ms› ‹product key› …

Demonstration

Decode the well-known generic setup product keys YTMG3-N6DKC-DKB77-7M9GH-8HVX7 and VK7JG-NPHTM-C97JM-9MPGT-3V66T for the Core alias Home and Professional editions of Windows 10 and Windows 11: 
.\PIDGENX.COM "%SystemRoot%\System32\SPP\Tokens\PKeyConfig\PKeyConfig.xrm-ms" YTMG3-N6DKC-DKB77-7M9GH-8HVX7 VK7JG-NPHTM-C97JM-9MPGT-3V66T
Module 'C:\Windows\System32\PIDGENX.dll'
	Module version:		10.0:22621.1
	Product version:	10.0:22621.1

Product key 'YTMG3-N6DKC-DKB77-7M9GH-8HVX7' is valid!

DigitalProductId: size = 164
	Product ID:		00326-10000-00000-AA527
	Edition ID:		[TH]X19-98868
	OEM ID:			
	Hardware ID (static):	
	Hardware ID (dynamic):	

DigitalProductId4: size = 1272
	Advanced Product ID:	DUMMY-03261-000-000000-00-1033-9200.0000-3212022
	Activation ID:		2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8
	OEM ID:			
	Edition Type:		Core
	Edition ID:		[TH]X19-98868
	Key Type:		Retail
	EULA:			Retail

Product key 'VK7JG-NPHTM-C97JM-9MPGT-3V66T' is valid!

DigitalProductId: size = 164
	Product ID:		00330-80000-00000-AA779
	Edition ID:		[TH]X19-98841
	OEM ID:			
	Hardware ID (static):	
	Hardware ID (dynamic):	

DigitalProductId4: size = 1272
	Advanced Product ID:	DUMMY-03308-000-000000-00-1033-9200.0000-3212022
	Activation ID:		4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c
	OEM ID:			
	Edition Type:		Professional
	Edition ID:		[TH]X19-98841
	Key Type:		Retail
	EULA:			Retail

Downloads

The console application is available in two functional identical forms: PIDGENX.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and PIDGENX.COM, a small form without these extras.

Implementation and Build Details

Product Key Validator is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Variant 1

The first variant is statically linked with an import library built from scratch; PIDGENX.DLL is located per DLL search order and loaded with the application PIDGENX.COM.

Variant 2

The second variant loads the module specified as first command-line argument dynamically; unless specified with an absolute path name it is located per DLL search order too but restricted to safe directories.

Source and Build Instructions – Variant 1

Perform the following 3 simple steps to build variant 1 of the console application Product Key Validator from the source presented hereafter.

  1. Create the text file PIDGENX.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#ifndef _DLL
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

#ifndef E_FILENOTFOUND
#define E_FILENOTFOUND	0x80070002L	// file not found
#endif

#ifndef E_PATHNOTFOUND
#define E_PATHNOTFOUND	0x80070003L	// path not found
#endif

#ifndef E_RESERVEDKEY
#define E_RESERVEDKEY	0x8A010001L	// reserved product key
#endif

#ifndef E_INVALIDKEY
#define E_INVALIDKEY	0x8A010101L	// invalid product key
#endif

#define VS_BINARY	0U
#define VS_TEXT		1U

typedef	struct	_VS_VERSIONINFO
{
	WORD	wSize;			// size of 'VERSION' resource
	WORD	wCount;			// = sizeof(VS_FIXEDFILEINFO)
					//   (number of bytes in binary value)
	WORD	wType;			// = VS_BINARY
	WCHAR	szKey[16];		// = L"VS_VERSION_INFO"
	WORD	wPadding;		// = 0 (alignment to DWORD)

	VS_FIXEDFILEINFO	vsFFI;
} VS_VERSIONINFO;

typedef	struct	_DigitalProductId
{
	DWORD	dwSize;			// 0x000000A4 = 164
	WORD	wMajorVersion;		// 0x0003
	WORD	wMinorVersion;		// 0x0000
	CHAR	szProductId[24];	// "DUMMY-OEM-0123456-78901"
	DWORD	dwKeyIdx;
	CHAR	szEditionId[16];
	BYTE	bCdKey[16];
	DWORD	dwCloneStatus;
	DWORD	dwTime;
	DWORD	dwRandom;
	DWORD	dwLt;
	DWORD	dwLicenseData[2];
	CHAR	sOemId[8];
	DWORD	dwBundleId;
	CHAR	sHardwareIdStatic[8];
	DWORD	dwHardwareIdTypeStatic;
	DWORD	dwBiosChecksumStatic;
	DWORD	dwVolumeSerialStatic;
	DWORD	dwTotalRamStatic;
	DWORD	dwVideoBiosChecksumStatic;
	CHAR	sHardwareIdDynamic[8];
	DWORD	dwHardwareIdTypeDynamic;
	DWORD	dwBiosChecksumDynamic;
	DWORD	dwVolumeSerialDynamic;
	DWORD	dwTotalRamDynamic;
	DWORD	dwVideoBiosChecksumDynamic;
	DWORD	dwCRC32;
} DPI, *LPDPI;

typedef	struct	_DigitalProductId4
{
	DWORD	dwSize;			// 0x000004F8 = 1272
	WORD	wMajorVersion;		// 0x0004
	WORD	wMinorVersion;		// 0x0000
	WCHAR	szAdvancedPid[64];
	WCHAR	szActivationId[64];
	WCHAR	szOemId[8];
	WCHAR	szEditionType[260];
	BYTE	bIsUpgrade;
	BYTE	bReserved[7];
	BYTE	bCdKey[16];
	BYTE	bCdKey256Hash[32];
	BYTE	b256Hash[32];
	WCHAR	szEditionId[64];
	WCHAR	szKeyType[64];
	WCHAR	szEULA[64];
} DPI4, *LPDPI4;

__declspec(dllimport)
HRESULT	WINAPI	PidGenX(LPCWSTR lpProductKey,
		        LPCWSTR lpPKeyConfig,
		        LPCWSTR lpMPC,
		        LPCWSTR lpOEMId,
		        LPCWSTR lpProductId,
		        LPDPI   lpDigitalProductId,
		        LPDPI4  lpDigitalProductId4);

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	VS_VERSIONINFO	*lpVersion;

	LPWSTR	*lpArguments;
	INT	nArguments;
	INT	nArgument = 2;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	HMODULE	hPidGenX;
	HRSRC	hResInfo;
	HGLOBAL	hResData;
	WCHAR	szPidGenX[MAX_PATH];
	WCHAR	szPid[24];
	DPI	dpi;
	DPI4	dpi4;
	HRESULT	hr;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
			if (nArguments < 3)
				PrintConsole(hConsole,
				             L"Bad arguments: the file or path name of a \'PKeyConfig[*].xrm-ms\' data file plus\n"
				             L"               at least one product key must be given!\n");
			else
			{
				hPidGenX = GetModuleHandle(L"PidGenX");

				if (hPidGenX == NULL)
					PrintConsole(hConsole,
					             L"GetModuleHandle() returned error %lu\n",
					             dwError = GetLastError());
				else
				{
					if (GetModuleFileName(hPidGenX, szPidGenX, sizeof(szPidGenX) / sizeof(*szPidGenX)) == 0)
						PrintConsole(hConsole,
						             L"GetModuleFileName() returned error %lu\n",
						             dwError = GetLastError());
					else
						PrintConsole(hConsole,
						             L"Module \'%ls\'\n",
						             szPidGenX);

					hResInfo = FindResource(hPidGenX, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION);

					if (hResInfo == NULL)
						PrintConsole(hConsole,
						             L"FindResource() returned error %lu\n",
						             dwError = GetLastError());
					else
					{
						hResData = LoadResource(hPidGenX, hResInfo);

						if (hResData == NULL)
							PrintConsole(hConsole,
							             L"LoadResource() returned error %lu\n",
							             dwError = GetLastError());
						else
						{
							lpVersion = LockResource(hResData);

							if (lpVersion == NULL)
								PrintConsole(hConsole,
								             L"LockResource() returned NULL\n");
							else
								PrintConsole(hConsole,
								             L"\tModule version:\t\t%hu.%hu:%hu.%hu\n"
								             L"\tProduct version:\t%hu.%hu:%hu.%hu\n",
								             HIWORD(lpVersion->vsFFI.dwFileVersionMS), LOWORD(lpVersion->vsFFI.dwFileVersionMS),
								             HIWORD(lpVersion->vsFFI.dwFileVersionLS), LOWORD(lpVersion->vsFFI.dwFileVersionLS),
								             HIWORD(lpVersion->vsFFI.dwProductVersionMS), LOWORD(lpVersion->vsFFI.dwProductVersionMS),
								             HIWORD(lpVersion->vsFFI.dwProductVersionLS), LOWORD(lpVersion->vsFFI.dwProductVersionLS));
						}
					}
				}

				dpi.dwSize = sizeof(dpi);
				dpi4.dwSize = sizeof(dpi4);

				do
				{
					hr = PidGenX(lpArguments[nArgument],
					             lpArguments[1],
					             L"DUMMY",
					             (LPCWSTR) NULL,
					             szPid,
					             &dpi,
					             &dpi4);

					switch (hr)
					{
					case ERROR_FILE_NOT_FOUND:
					case ERROR_PATH_NOT_FOUND:
					case E_FILENOTFOUND:		// file 'PKeyConfig.xrm-ms' not found
					case E_PATHNOTFOUND:		// path of 'PKeyConfig.xrm-ms' not found

						PrintConsole(hConsole,
						             L"Data file \'%ls\' not found!\n",
						             lpArguments[1]);
						nArguments = 0;
						break;

					case ERROR_INVALID_PARAMETER:
					case E_INVALIDARG:		// malformed product key

						PrintConsole(hConsole,
						             L"Product key \'%ls\' is malformed!\n",
						             lpArguments[nArgument]);
						break;

					case E_RESERVEDKEY:		// reserved product key

						PrintConsole(hConsole,
						             L"Product key \'%ls\' is reserved!\n",
						             lpArguments[nArgument]);
						break;

					case E_INVALIDKEY:		// invalid product key

						PrintConsole(hConsole,
						             L"Product key \'%ls\' is invalid!\n",
						             lpArguments[nArgument]);
						break;

					case S_OK:

						PrintConsole(hConsole,
						             L"Product key \'%ls\' is valid!\n",
						             lpArguments[nArgument]);
#ifdef VERBOSE
						if ((dpi.dwSize != sizeof(dpi))
						 || (dpi.wMajorVersion != 3)
						 || (dpi.wMinorVersion != 0))
							PrintConsole(hConsole,
							             L"Size of \'DigitalProductId\' not equal %lu or version not equal 3.0\n",
							             sizeof(dpi));
						else
							PrintConsole(hConsole,
							             L"\n"
							             L"DigitalProductId: size = %lu\n"
							             L"\tProduct ID:\t\t%hs\n"
							             L"\tEdition ID:\t\t%hs\n"
							             L"\tOEM ID:\t\t\t%.8hs\n"
							             L"\tHardware ID (static):\t%.8hs\n"
							             L"\tHardware ID (dynamic):\t%.8hs\n",
							             dpi.dwSize,
							             dpi.szProductId,
							             dpi.szEditionId,
							             dpi.sOemId,
							             dpi.sHardwareIdStatic,
							             dpi.sHardwareIdDynamic);

						if ((dpi4.dwSize != sizeof(dpi4))
						 || (dpi4.wMajorVersion != 4)
						 || (dpi4.wMinorVersion != 0))
							PrintConsole(hConsole,
							             L"Size of \'DigitalProductId4\' not equal %lu or version not equal 4.0\n",
							             sizeof(dpi4));
						else
							PrintConsole(hConsole,
							             L"\n"
							             L"DigitalProductId4: size = %lu\n"
							             L"\tAdvanced Product ID:\t%ls\n"
							             L"\tActivation ID:\t\t%ls\n"
							             L"\tOEM ID:\t\t\t%ls\n"
							             L"\tEdition Type:\t\t%ls\n"
							             L"\tEdition ID:\t\t%ls\n"
							             L"\tKey Type:\t\t%ls\n"
							             L"\tEULA:\t\t\t%ls\n",
							             dpi4.dwSize,
							             dpi4.szAdvancedPid,
							             dpi4.szActivationId,
							             dpi4.szOemId,
							             dpi4.szEditionType,
							             dpi4.szEditionId,
							             dpi4.szKeyType,
							             dpi4.szEULA);
#endif
						break;

					default:
						PrintConsole(hConsole,
						             L"PidGenX() returned error 0x%08lX\n",
						             dwError = hr);
					}
				} while (++nArgument < nArguments);
			}

			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}
#else // _DLL
__declspec(dllexport)
long	PidGenX(void *_1, void *_2, void *_3, void *_4, void *_5, void *_6, void *_7)
{ return 0; }
#endif // _DLL

  2. Run the following four command lines to compile the source file PIDGENX.C created in step 1. a first time, generate the import library PIDGENX.LIB from the compiled object file PIDGENX.OBJ and cleanup afterwards: 

    SET CL=/Gz /LD /MD /W4 /wd4100 /X /Zl
SET LINK=/EXPORT:PidGenX /NODEFAULTLIB /NOENTRY
CL.EXE PIDGENX.C
ERASE PIDGENX.DLL PIDGENX.EXP PIDGENX.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

PIDGENX.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…
   Creating library PIDGENX.lib and object PIDGENX.exp

  3. Run the following four command lines to compile the source file PIDGENX.C created in step 1. a second time, link the compiled object file PIDGENX.OBJ with the import library PIDGENX.LIB generated in step 2. and cleanup afterwards: 

    SET CL=/DVERBOSE /GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:PIDGENX.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePIDGENX.COM PIDGENX.C
ERASE PIDGENX.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

PIDGENX.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Source and Build Instructions – Variant 2

Perform the following 2 simple steps to build variant 2 of the console application Product Key Validator from the source presented hereafter.

  1. Overwrite the text file PIDGENX.C with the following content: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

#ifndef LOAD_LIBRARY_SAFE_CURRENT_DIRS
#define LOAD_LIBRARY_SAFE_CURRENT_DIRS	0x00002000UL
#endif

#ifndef E_FILENOTFOUND
#define E_FILENOTFOUND	0x80070002L	// file not found
#endif

#ifndef E_PATHNOTFOUND
#define E_PATHNOTFOUND	0x80070003L	// path not found
#endif

#ifndef E_RESERVEDKEY
#define E_RESERVEDKEY	0x8A010001L	// reserved product key
#endif

#ifndef E_INVALIDKEY
#define E_INVALIDKEY	0x8A010101L	// invalid product key
#endif

#define VS_BINARY	0U
#define VS_TEXT		1U

typedef	struct	_VS_VERSIONINFO
{
	WORD	wSize;			// size of 'VERSION' resource
	WORD	wCount;			// = sizeof(VS_FIXEDFILEINFO)
					//   (number of bytes in binary value)
	WORD	wType;			// = VS_BINARY
	WCHAR	szKey[16];		// = L"VS_VERSION_INFO"
	WORD	wPadding;		// = 0 (alignment to DWORD)

	VS_FIXEDFILEINFO	vsFFI;
} VS_VERSIONINFO;

typedef	struct	_DigitalProductId
{
	DWORD	dwSize;			// 0x000000A4 = 164
	WORD	wMajorVersion;		// 0x0003
	WORD	wMinorVersion;		// 0x0000
	CHAR	szProductId[24];	// "DUMMY-OEM-0123456-78901"
	DWORD	dwKeyIdx;
	CHAR	szEditionId[16];
	BYTE	bCdKey[16];
	DWORD	dwCloneStatus;
	DWORD	dwTime;
	DWORD	dwRandom;
	DWORD	dwLt;
	DWORD	dwLicenseData[2];
	CHAR	sOemId[8];
	DWORD	dwBundleId;
	CHAR	sHardwareIdStatic[8];
	DWORD	dwHardwareIdTypeStatic;
	DWORD	dwBiosChecksumStatic;
	DWORD	dwVolumeSerialStatic;
	DWORD	dwTotalRamStatic;
	DWORD	dwVideoBiosChecksumStatic;
	CHAR	sHardwareIdDynamic[8];
	DWORD	dwHardwareIdTypeDynamic;
	DWORD	dwBiosChecksumDynamic;
	DWORD	dwVolumeSerialDynamic;
	DWORD	dwTotalRamDynamic;
	DWORD	dwVideoBiosChecksumDynamic;
	DWORD	dwCRC32;
} DPI, *LPDPI;

typedef	struct	_DigitalProductId4
{
	DWORD	dwSize;			// 0x000004F8 = 1272
	WORD	wMajorVersion;		// 0x0004
	WORD	wMinorVersion;		// 0x0000
	WCHAR	szAdvancedPid[64];
	WCHAR	szActivationId[64];
	WCHAR	szOemId[8];
	WCHAR	szEditionType[260];
	BYTE	bIsUpgrade;
	BYTE	bReserved[7];
	BYTE	bCdKey[16];
	BYTE	bCdKey256Hash[32];
	BYTE	b256Hash[32];
	WCHAR	szEditionId[64];
	WCHAR	szKeyType[64];
	WCHAR	szEULA[64];
} DPI4, *LPDPI4;

typedef	HRESULT	(WINAPI	PIDGENX) (LPCWSTR lpProductKey,
			          LPCWSTR lpPKeyConfig,
			          LPCWSTR lpMPC,
			          LPCWSTR lpOEMId,
			          LPCWSTR lpProductId,
			          LPDPI   lpDigitalProductId,
			          LPDPI4  lpDigitalProductId4);

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	VS_VERSIONINFO	*lpVersion;

	LPWSTR	*lpArguments;
	INT	nArguments;
	INT	nArgument = 3;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	WCHAR	szPid[24];
	DPI	dpi;
	DPI4	dpi4;
	HMODULE	hPidGenX;
	FARPROC	fpPidGenX;
	HRESULT	hr;
	HRSRC	hResInfo;
	HGLOBAL	hResData;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
			if (nArguments < 4)
				PrintConsole(hConsole,
				             L"Bad arguments: the (absolute or relative) path names of a \'PidGenX.dll\' and\n"
				             L"               its associated \'PKeyConfig[*].xrm-ms\' data file plus at least\n"
				             L"               one product key \'23467-89BCD-FGHJK-MNPQR-TVWXY\' must be given!\n");
			else
			{
				hPidGenX = LoadLibraryEx(lpArguments[1], (HANDLE) NULL, LOAD_LIBRARY_SAFE_CURRENT_DIRS);

				if (hPidGenX == NULL)
					PrintConsole(hConsole,
					             L"LoadLibraryEx() returned error %lu\n",
					             dwError = GetLastError());
				else
				{
					fpPidGenX = GetProcAddress(hPidGenX, "PidGenX");

					if (fpPidGenX == NULL)
						PrintConsole(hConsole,
						             L"GetProcAddress() returned error %lu\n",
						             dwError = GetLastError());
					else
					{
						hResInfo = FindResource(hPidGenX, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION);

						if (hResInfo == NULL)
							PrintConsole(hConsole,
							             L"FindResource() returned error %lu\n",
							             dwError = GetLastError());
						else
						{
							hResData = LoadResource(hPidGenX, hResInfo);

							if (hResData == NULL)
								PrintConsole(hConsole,
								             L"LoadResource() returned error %lu\n",
								             dwError = GetLastError());
							else
							{
								lpVersion = LockResource(hResData);

								if (lpVersion == NULL)
									PrintConsole(hConsole,
									             L"LockResource() returned NULL\n");
								else
									PrintConsole(hConsole,
									             L"Library version = %hu.%hu:%hu.%hu\n"
									             L"Product version = %hu.%hu:%hu.%hu\n",
									             HIWORD(lpVersion->vsFFI.dwFileVersionMS), LOWORD(lpVersion->vsFFI.dwFileVersionMS),
									             HIWORD(lpVersion->vsFFI.dwFileVersionLS), LOWORD(lpVersion->vsFFI.dwFileVersionLS),
									             HIWORD(lpVersion->vsFFI.dwProductVersionMS), LOWORD(lpVersion->vsFFI.dwProductVersionMS),
									             HIWORD(lpVersion->vsFFI.dwProductVersionLS), LOWORD(lpVersion->vsFFI.dwProductVersionLS));
							}
						}

						dpi.dwSize = sizeof(dpi);
						dpi4.dwSize = sizeof(dpi4);

						do
						{
							hr = ((PIDGENX *) fpPidGenX)(lpArguments[nArgument],
							                             lpArguments[2],
							                             L"DUMMY",
							                             (LPCWSTR) NULL,
							                             szPid,
							                             &dpi,
							                             &dpi4);

							switch (hr)
							{
							case ERROR_FILE_NOT_FOUND:
							case ERROR_PATH_NOT_FOUND:
							case E_FILENOTFOUND:		// file 'PKeyConfig.xrm-ms' not found
							case E_PATHNOTFOUND:		// path of 'PKeyConfig.xrm-ms' not found

								PrintConsole(hConsole,
								             L"Data file \'%ls\' not found!\n",
								             lpArguments[2]);
								nArguments = 0;
								break;

							case ERROR_INVALID_PARAMETER:
							case E_INVALIDARG:		// malformed product key

								PrintConsole(hConsole,
								             L"Product key \'%ls\' is malformed!\n",
								             lpArguments[nArgument]);
								break;

							case E_RESERVEDKEY:		// reserved product key

								PrintConsole(hConsole,
								             L"Product key \'%ls\' is reserved!\n",
								             lpArguments[nArgument]);
								break;

							case E_INVALIDKEY:		// invalid product key

								PrintConsole(hConsole,
								             L"Product key \'%ls\' is invalid!\n",
								             lpArguments[nArgument]);
								break;

							case S_OK:

								PrintConsole(hConsole,
								             L"Product key \'%ls\' is valid!\n",
								             lpArguments[nArgument]);
#ifdef VERBOSE
								if ((dpi.dwSize != sizeof(dpi))
								 || (dpi.wMajorVersion != 3)
								 || (dpi.wMinorVersion != 0))
									PrintConsole(hConsole,
									             L"Size of \'DigitalProductId\' not equal %lu or version not equal 3.0\n",
									             sizeof(dpi));
								else
									PrintConsole(hConsole,
									             L"\n"
									             L"DigitalProductId: size = %lu\n"
									             L"\tProduct ID:\t\t%hs\n"
									             L"\tEdition ID:\t\t%hs\n"
									             L"\tOEM ID:\t\t\t%.8hs\n"
									             L"\tHardware ID (static):\t%.8hs\n"
									             L"\tHardware ID (dynamic):\t%.8hs\n",
									             dpi.dwSize,
									             dpi.szProductId,
									             dpi.szEditionId,
									             dpi.sOemId,
									             dpi.sHardwareIdStatic,
									             dpi.sHardwareIdDynamic);

								if ((dpi4.dwSize != sizeof(dpi4))
								 || (dpi4.wMajorVersion != 4)
								 || (dpi4.wMinorVersion != 0))
									PrintConsole(hConsole,
									             L"Size of \'DigitalProductId4\' not equal %lu or version not equal 4.0\n",
									             sizeof(dpi4));
								else
									PrintConsole(hConsole,
									             L"\n"
									             L"DigitalProductId4: size = %lu\n"
									             L"\tAdvanced Product ID:\t%ls\n"
									             L"\tActivation ID:\t\t%ls\n"
									             L"\tOEM ID:\t\t\t%ls\n"
									             L"\tEdition Type:\t\t%ls\n"
									             L"\tEdition ID:\t\t%ls\n"
									             L"\tKey Type:\t\t%ls\n"
									             L"\tEULA:\t\t\t%ls\n",
									             dpi4.dwSize,
									             dpi4.szAdvancedPid,
									             dpi4.szActivationId,
									             dpi4.szOemId,
									             dpi4.szEditionType,
									             dpi4.szEditionId,
									             dpi4.szKeyType,
									             dpi4.szEULA);
#endif
								break;

							default:
								PrintConsole(hConsole,
								             L"PidGenX() returned error 0x%08lX\n",
								             dwError = hr);
							}
						} while (++nArgument < nArguments);
					}

					if (!FreeLibrary(hPidGenX))
						PrintConsole(hConsole,
						             L"FreeLibrary() returned error %lu\n",
						             GetLastError());
				}
			}

			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}

  2. Run the following four command lines to compile the source file PIDGENX.C created in step 1., link the compiled object file PIDGENX.OBJ and cleanup afterwards: 

    SET CL=/DVERBOSE /GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePIDGENX.COM PIDGENX.C
ERASE PIDGENX.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

PIDGENX.C

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Registry Policy Reader

Purpose
Background Information
Synopsis
Demonstration
Downloads
Implementation and Build Details
Source, Build Instructions and Demonstration

Purpose

Display the content of Registry Policy files in text format similar to that of Registry Editor script files, and optionally compare their contents against the machines’s or the (current) user’s Registry.

Background Information

Registry Policy files, typically created with the extension .pol, are used either to store the Registry keys and entries (to be) applied by Group Policies as well as Local Security Policies, or to restore the previous contents of Registry keys and entries modified by Group Policies as well as Local Security Policies.

The MSDN article Registry Policy File Format documents their format.

The MSKB article How to add, modify, or delete registry subkeys and values by using a .reg file documents the format of Registry Editor script files, typically created with the extension .reg.

Synopsis

POLYGLOT.COM [ /MACHINE | /USER ] ‹file name› …

Demonstration

Display the contents of some NTUser.pol and Registry.pol files that are (eventually) present on your machine: 
VER
.\POLYGLOT.COM "%USERPROFILE%\NTUser.pol" "%ALLUSERSPROFILE%\NTUser.pol" "%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol" "%SystemRoot%\System32\GroupPolicy\User\Registry.pol"
NET.EXE HelpMsg %ERRORLEVEL%
Microsoft Windows [Version 10.0.19044.2486]

Windows Registry Editor Version 5.00

; Registry Policy File 'C:\Users\Stefan\NTUser.pol'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Group Policy Objects\Local Group Policy Objects]
'**Comment:GPO Name: Local Group Policy Objects'=

[HKEY_RELATIVE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
'LogonHoursAction'=dword:00000002
'DontDisplayLogonHoursWarnings'=dword:00000001

Windows Registry Editor Version 5.00

; Registry Policy File 'C:\ProgramData\NTUser.pol'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Group Policy Objects\Local Group Policy Objects]
'**Comment:GPO Name: Local Group Policy Objects'=

Windows Registry Editor Version 5.00

; Registry Policy File 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'

[HKEY_RELATIVE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer]
'AuthentiCodeFlags'=dword:00000300

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
'PolicyScope'=dword:00000001
'TransparentEnabled'=dword:00000002
'ExecutableTypes'=multi:'WSF','WSC','VBS','VBE','VB','TMP','SHS','SCR','PIF','PCD','OCX','MST','MSP','MSI','MDE','MDB','JSE','JS','ISP','INS','HTA','HLP','EXE','DLL','CRT','CPL','COM','CMD','BAT','BAS','AX','ADP','ADE'
'DefaultLevel'=dword:00000000
'Levels'=dword:00071000
'LogFileName'='C:\Windows\System32\LogFiles\SAFER.Log'
'AuthenticodeEnabled'=dword:00000001

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes]
@=none:

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}]
'LastModified'=qword:01cf68d87b202417
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}]
'LastModified'=qword:01cf68d87b202417
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{4fcf2556-cf02-4356-ad71-f82ca93ccd0b}]
'LastModified'=qword:01cf68d979215214
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{21c0b260-2d89-4fe0-8275-1c76746b3d2b}]
'LastModified'=qword:01d57587bb48c5c4
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%'

CreateFile() returned error 3 for file 'C:\Windows\System32\GroupPolicy\User\Registry.pol'

The system cannot find the path specified.

Downloads

The console application is available in two functional identical forms: POLYGLOT.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and POLYGLOT.COM, a small form without these extras.

Implementation and Build Details

Registry Policy Reader is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!

The MSDN article Console Handles provides background information.

Source, Build Instructions and Demonstration

Perform the following 2 simple steps to build the console application Registry Policy Reader from the source presented hereafter.

  1. Create the text file POLYGLOT.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

#define REGFILE_SIGNATURE	'geRP'
#define REGISTRY_FILE_VERSION	1UL

typedef	unsigned long long	QWORD, *LPQWORD;

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

const	LPCWSTR	szHKEY[8] = {L"HKEY_CLASSES_ROOT",
		             L"HKEY_CURRENT_USER",
		             L"HKEY_LOCAL_MACHINE",
		             L"HKEY_USERS",
		             L"HKEY_PERFORMANCE_DATA",
		             L"HKEY_CURRENT_CONFIG",
		             L"HKEY_DYN_DATA",
		             L"HKEY_CURRENT_USER_LOCAL_SETTINGS"};

const	LPCWSTR	szTYPE[12] = {L"NONE",
		              L"SZ",
		              L"EXPAND_SZ",
		              L"BINARY",
		              L"DWORD",		// alias DWORD_LITTLE_ENDIAN
		              L"DWORD_BIG_ENDIAN",
		              L"LINK",
		              L"MULTI_SZ",
		              L"RESOURCE_LIST",
		              L"FULL_RESOURCE_DESCRIPTOR",
		              L"RESOURCE_REQUIREMENTS_LIST",
		              L"QWORD"};	// alias QWORD_LITTLE_ENDIAN

const	LPCWSTR	szType[12] = {L"none:",
		              L"",
		              L"expand:",
		              L"hex:",
		              L"dword:",
		              L"dword:",
		              L"link:",
		              L"multi:",
		              L"hex(8):",
		              L"hex(9):",
		              L"hex(a):",
		              L"qword:"};

DWORD	WINAPI	Polyglot(HANDLE hConsole, HKEY hkHKEY, LPCWSTR lpArgument)
{
#ifdef REGISTRY
	LPCWSTR	lpHKEY = szHKEY[(DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT];
	HKEY	hkKey;
	BYTE	cbData[65536];
#endif
	HANDLE	hInput;
	DWORD	dwInput;
	LPCWSTR	lpInput;
	WCHAR	cwInput;
	HANDLE	hPolicy;
	DWORD	dwPolicy;
	LPDWORD	lpPolicy;
	LPCWSTR	lpKey, lpValue, lpData, lp;
	DWORD	dwKey, dwValue, dwData, dwType, dwSize;
	DWORD	dwError = ERROR_SUCCESS;

	hInput = CreateFile(lpArgument,
	                    FILE_READ_DATA,
	                    FILE_SHARE_READ,
	                    (LPSECURITY_ATTRIBUTES) NULL,
	                    OPEN_EXISTING,
	                    FILE_FLAG_SEQUENTIAL_SCAN,
	                    (HANDLE) NULL);

	if (hInput == INVALID_HANDLE_VALUE)
		PrintConsole(hConsole,
		             L"CreateFile() returned error %lu for file \'%ls\'\n",
		             dwError = GetLastError(), lpArgument);
	else
	{
		dwInput = GetFileSize(hInput, (LPDWORD) NULL);

		if (dwInput == INVALID_FILE_SIZE)
			PrintConsole(hConsole,
			             L"GetFileSize() returned error %lu for file \'%ls\'\n",
			             dwError = GetLastError(), lpArgument);
		else
		{
			hPolicy = CreateFileMapping(hInput,
			                            (LPSECURITY_ATTRIBUTES) NULL,
			                            PAGE_READONLY,
			                            0, 0,
			                            (LPCWSTR) NULL);

			if (hPolicy == NULL)
				PrintConsole(hConsole,
				             L"CreateFileMapping() returned error %lu for file \'%ls\'\n",
				             dwError = GetLastError(), lpArgument);
			else
			{
				lpPolicy = MapViewOfFile(hPolicy,
				                         FILE_MAP_READ,
				                         0, 0,
				                         (SIZE_T) 0);

				if (lpPolicy == NULL)
					PrintConsole(hConsole,
					             L"MapViewOfFile() returned error %lu for file \'%ls\'\n",
					             dwError = GetLastError(), lpArgument);
				else
				{
					if ((lpPolicy[0] != REGFILE_SIGNATURE)
					 || (lpPolicy[1] != REGISTRY_FILE_VERSION))
						PrintConsole(hConsole,
						             L"Signature \'PReg\\1\\0\\0\\0\' missing in file \'%ls\'!\n",
						             lpArgument);
					else
					{
						PrintConsole(hConsole,
						             L"Windows Registry Editor Version 5.00\n"
						             L"\n"
						             L"; Registry Policy File \'%ls\'\n",
						             lpArgument);

						// L'[' key L']'
						// L'[' key L';'           value L';' type L';' size L';' data L']'
						// L'[' key L';' L"**Del." value L';' type L';' size L';' data L']'
						// L'[' key L';' L"**DeleteKeys" { L';' key } ... L']'
						// L'[' key L';' L"**DeleteVals" L']'
						// L'[' key L';' L"**DeleteValues" { L';' value } ... L']'
						// L'[' key L';' L"**SecureKey=0" L']'
						// L'[' key L';' L"**SecureKey=1" L']'
						//
						// WCHAR key[]    NUL-terminated path of registry key beneath
						//                HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
						//
						// WCHAR value[]  NUL-terminated name of registry entry
						//
						// DWORD type     registry data type
						//
						// DWORD size     size of registry data in bytes
						//
						// BYTE  data[]   registry data

						lpInput = (LPCWSTR) (lpPolicy + 2);
						lpKey = NULL;
						dwKey = 0;
						dwPolicy = dwInput;

						while ((LPBYTE) lpInput < (LPBYTE) lpPolicy + dwPolicy)
						{
							if (*lpInput++ != L'[')
								break;

							dwInput = wcslen(lpInput);

							if ((dwKey == 0)
							 || (dwKey != dwInput)
							 || (memcmp(lpInput, lpKey, dwKey * sizeof(L'\0')) != 0))
								PrintConsole(hConsole,
								             L"\n"
								             L"[HKEY_RELATIVE\\%ls]\n",
								             lpInput);

							lpKey = lpInput;
							dwKey = dwInput;
							lpInput += dwInput + 1;
							cwInput = *lpInput++;

							if (cwInput == L']')
								continue;

							if (cwInput != L';')
								break;

							lpValue = lpInput;
							dwValue = wcslen(lpInput);
							lpInput += dwValue + 1;

							if ((dwValue == sizeof("**securekey=1") - 1)
							 && ((memcmp(lpValue, L"**securekey=1", sizeof(L"**securekey=1") - sizeof(L"")) == 0)
							  || (memcmp(lpValue, L"**SecureKey=1", sizeof(L"**securekey=1") - sizeof(L"")) == 0)))
							{
								PrintConsole(hConsole,
								             L"; SecureKey=1\n");

								if (*lpInput++ != L']')
									break;
							}
							else if ((dwValue == sizeof("**securekey=0") - 1)
							      && ((memcmp(lpValue, L"**securekey=0", sizeof(L"**securekey=0") - sizeof(L"")) == 0)
							       || (memcmp(lpValue, L"**SecureKey=0", sizeof(L"**securekey=0") - sizeof(L"")) == 0)))
							{
								PrintConsole(hConsole,
								             L"; SecureKey=0\n");

								if (*lpInput++ != L']')
									break;
							}
							else if ((dwValue == sizeof("**deletevals") - 1)
							      && ((memcmp(lpValue, L"**deletevals", sizeof(L"**deletevals") - sizeof(L"")) == 0)
							       || (memcmp(lpValue, L"**Deletevals", sizeof(L"**Deletevals") - sizeof(L"")) == 0)))
							{
								PrintConsole(hConsole,
								             L"*=-\n");

								if (*lpInput++ != L']')
									break;
							}
							else if ((dwValue == sizeof("**deletevalues") - 1)
							      && ((memcmp(lpValue, L"**deletevalues", sizeof(L"**deletevalues") - sizeof(L"")) == 0)
							       || (memcmp(lpValue, L"**Deletevalues", sizeof(L"**Deletevalues") - sizeof(L"")) == 0)))
							{
								while (*lpInput == L';')
								{
									PrintConsole(hConsole,
									             L"\'%ls\'=-\n",
									             ++lpInput);

									lpInput += wcslen(lpInput) + 1;
								}

								if (*lpInput++ != L']')
									break;
							}
							else if ((dwValue == sizeof("**deletekeys") - 1)
							      && ((memcmp(lpValue, L"**deletekeys", sizeof(L"**deletekeys") - sizeof(L"")) == 0)
							       || (memcmp(lpValue, L"**Deletekeys", sizeof(L"**Deletekeys") - sizeof(L"")) == 0)))
							{
								while (*lpInput == L';')
								{
									PrintConsole(hConsole,
									             L"[-HKEY_RELATIVE\\%ls\\%ls]\n",
									             lpKey, ++lpInput);

									lpInput += wcslen(lpInput) + 1;
								}

								if (*lpInput++ != L']')
									break;
							}
							else
							{
								if ((dwValue > sizeof("**del."))
								 && ((memcmp(lpValue, L"**del.", sizeof(L"**del.") - sizeof(L"")) == 0)
								  || (memcmp(lpValue, L"**Del.", sizeof(L"**Del.") - sizeof(L"")) == 0)))
								{
									lpValue += sizeof("**Del.") - 1;

									if (dwValue == sizeof("**Del.") - 1)
										PrintConsole(hConsole,
										             L"@=- ; =");
									else
										PrintConsole(hConsole,
										             L"\'%ls\'=- ; =", lpValue);
								}
								else
									if (dwValue == 0)
										PrintConsole(hConsole,
										             L"@=");
									else
										PrintConsole(hConsole,
										             L"\'%ls\'=", lpValue);

								cwInput = *lpInput++;

								if (cwInput == L']')
									continue;

								if (cwInput != L';')
									break;

								dwType = *((LPDWORD) lpInput)++;

								if (dwType < sizeof(szType) / sizeof(*szType))
									PrintConsole(hConsole,
									             L"%ls", szType[dwType]);
								else
									PrintConsole(hConsole,
									             L"hex(%lx):", dwType);

								cwInput = *lpInput++;

								if (cwInput == L']')
									continue;

								if (cwInput != L';')
									break;

								dwSize = *((LPDWORD) lpInput)++;

								cwInput = *lpInput++;

								if (cwInput == L']')
									continue;

								if (cwInput != L';')
									break;

								lpData = lpInput;
								(LPBYTE) lpInput += dwSize;

								switch (dwType)
								{
								case REG_SZ:
								case REG_EXPAND_SZ:
								case REG_LINK:

									if (dwSize == 0)
										goto NEWLINE;

									PrintConsole(hConsole,
									             L"\'%ls\'\n",
									             lpData);

									dwData = wcslen(lpData);

									if (dwSize != (dwData + 1) * sizeof(L'\0'))
										PrintConsole(hConsole,
										             L"Size %lu of REG_%ls value data not equal length %lu of string plus terminating \'NUL\' character!\n",
										             dwSize, szTYPE[dwType], dwData);
									break;

								case REG_DWORD_BIG_ENDIAN:

									*(LPDWORD) lpData = _byteswap_ulong(*(LPDWORD) lpData);

								case REG_DWORD_LITTLE_ENDIAN:
							//	case REG_DWORD:

									PrintConsole(hConsole,
									             L"%08lx\n",
									             *(LPDWORD) lpData);

									if (dwSize != sizeof(DWORD))
										PrintConsole(hConsole,
										             L"Size %lu of REG_%ls value data not equal \'sizeof(DWORD)\'!\n",
										             dwSize, szTYPE[dwType]);
									break;

								case REG_QWORD_LITTLE_ENDIAN:
							//	case REG_QWORD:

									PrintConsole(hConsole,
									             L"%016I64x\n",
									             *(LPQWORD) lpData);

									if (dwSize != sizeof(QWORD))
										PrintConsole(hConsole,
										             L"Size %lu of REG_QWORD value data not equal \'sizeof(QWORD)\'!\n",
										             dwSize);
									break;

								case REG_MULTI_SZ:

									if (dwSize == 0)
										goto NEWLINE;

									for (lp = lpData; (lp < lpInput) && (*lp != L'\0'); lp += wcslen(lp) + 1)
										PrintConsole(hConsole,
										             L",\'%ls\'" + (lp == lpData),
										             lp);

									PrintConsole(hConsole,
									             L"\n");

									if ((lp > lpInput) || (*lp != L'\0'))
										PrintConsole(hConsole,
										             L"REG_MULTI_SZ value data not terminated with extra \'NUL\' character!\n");
									else
										lp++;

									if (lp != lpInput)
										PrintConsole(hConsole,
										             L"Size %lu of REG_MULTI_SZ value data not equal sum of string lengths plus terminating \'NUL\' characters!\n",
										             dwSize);
									break;

							//	case REG_NONE:
							//	case REG_BINARY:
							//	case REG_RESOURCE_LIST:
							//	case REG_FULL_RESOURCE_DESCRIPTOR:
							//	case REG_RESOURCE_REQUIREMENTS_LIST:
								default:
									for (lp = lpData; lp < lpInput; (LPBYTE) lp += 1)
										PrintConsole(hConsole,
										             L",%02x" + (lp == lpData),
										             *(LPBYTE) lp);
								NEWLINE:
									PrintConsole(hConsole,
									             L"\n");
								}
#ifdef REGISTRY
								if (hkHKEY != HKEY_CLASSES_ROOT)
								{
									dwError = RegOpenKeyEx(hkHKEY,
									                       lpKey,
									                       REG_OPTION_RESERVED,
									                       KEY_QUERY_VALUE,
									                       &hkKey);

									if (dwError != ERROR_SUCCESS)
										PrintConsole(hConsole,
										             L"RegOpenKeyEx() returned error %lu for registry key \'%ls\\%ls\'\n",
										             dwError, lpHKEY, lpKey);
									else
									{
										dwData = sizeof(cbData);

										dwError = RegQueryValueEx(hkKey,
										                          lpValue,
										                          (LPDWORD) NULL,
										                          &dwValue,
										                          cbData,
										                          &dwData);

										if (dwError != ERROR_SUCCESS)
											PrintConsole(hConsole,
											             L"RegQueryValueEx() returned error %lu for value \'%ls\' of registry key \'%ls\\%ls\'\n",
											             dwError, lpValue, lpHKEY, lpKey);
										else
											if ((dwValue != dwType)
											 || (dwData != dwSize)
											 || (memcmp(lpData, cbData, dwData) != 0))
												PrintConsole(hConsole,
												             L"MISMATCH: data type, size or value in policy file differs from registry!\n");

										dwError = RegCloseKey(hkKey);

										if (dwError != ERROR_SUCCESS)
											PrintConsole(hConsole,
											             L"RegCloseKey() returned error %lu for registry key \'%ls\\%ls\'\n",
											             dwError, lpHKEY, lpKey);
									}
								}
#endif // REGISTRY
								if (*lpInput++ != L']')
									break;
							}
						}

						if ((LPBYTE) lpInput != (LPBYTE) lpPolicy + dwPolicy)
							PrintConsole(hConsole,
							             L"Format error in policy file \'%ls\'!\n",
							             lpArgument);
					}

					if (!UnmapViewOfFile(lpPolicy))
						PrintConsole(hConsole,
						             L"UnmapViewOfFile() returned error %lu for file \'%ls\'\n",
						             GetLastError(), lpArgument);
				}

				if (!CloseHandle(hPolicy))
					PrintConsole(hConsole,
					             L"CloseHandle() returned error %lu for file mapping \'%ls\'\n",
					             GetLastError(), lpArgument);
			}
		}

		if (!CloseHandle(hInput))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu for file \'%ls\'\n",
			             GetLastError(), lpArgument);
	}

	return dwError;
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
#ifdef WILDCARD
	WIN32_FIND_DATA	wfd;

	HANDLE	hWildCard;
	DWORD	dwWildCard;
	WCHAR	szWildCard[32768];
	LPWSTR	lpWildCard;
#endif
	LPWSTR	*lpArguments;
	INT	nArguments;
	INT	nArgument = 1;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	HKEY	hkHKEY = HKEY_CLASSES_ROOT;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
#ifdef REGISTRY
			if ((nArguments > 1)
			 && (*lpArguments[1] == L'/'))
				if (wcscmp(lpArguments[1], L"/MACHINE") == 0)
				{
					hkHKEY = HKEY_LOCAL_MACHINE;
					nArgument = 2;
				}
				else if (wcscmp(lpArguments[1], L"/USER") == 0)
				{
					hkHKEY = HKEY_CURRENT_USER;
					nArgument = 2;
				}
				else
				{
					PrintConsole(hConsole,
					             L"Bad arguments: optional first argument must be \'%ls\' or \'%ls\'!\n",
					             L"/MACHINE", L"/USER");
					nArguments = 0;
				}

			if (nArguments <= nArgument)
#else
			if (nArguments < 2)
#endif
				PrintConsole(hConsole,
				             L"No arguments: at least one \'.pol\' file name must be given!\n");
			else
#ifndef WILDCARD
				do
					dwError = Polyglot(hConsole, hkHKEY, lpArguments[nArgument]);
				while (++nArgument < nArguments);
#else
				do
				{
					hWildCard = FindFirstFile(lpArguments[nArgument], &wfd);

					if (hWildCard == INVALID_HANDLE_VALUE)
						PrintConsole(hConsole,
						             L"FindFirstFile() returned error %lu for argument \'%ls\'\n",
						             dwError = GetLastError(), lpArguments[nArgument]);
					else
					{
						wcscpy(szWildCard, lpArguments[nArgument]);

						dwWildCard = 0;
						lpWildCard = NULL;

						do
							if (szWildCard[dwWildCard] == L'\\')
								lpWildCard = szWildCard + dwWildCard;
						while (szWildCard[dwWildCard++] != L'\0');

						if (dwWildCard > MAX_PATH)
							PrintConsole(hConsole,
							             L"Argument \'%ls\' exceeds MAX_PATH!\n",
							             lpArguments[nArgument]);

						if (lpWildCard != NULL)
							lpWildCard++;
						else
							lpWildCard = szWildCard + 2 * (szWildCard[1] == L':');

						dwWildCard = 0;

						do
						{
							if ((wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0)
								continue;

							dwWildCard++;

							wcscpy(lpWildCard, wfd.cFileName);

							dwError = Polyglot(hConsole, hkHKEY, szWildCard);

						} while (FindNextFile(hWildCard, &wfd));

						dwError = GetLastError();

						if (dwError == ERROR_NO_MORE_FILES)
							dwError = ERROR_SUCCESS;
						else
							PrintConsole(hConsole,
							             L"FindNextFile() returned error %lu for argument \'%ls\'\n",
							             dwError, lpArguments[nArgument]);

						if (dwWildCard == 0)
							PrintConsole(hConsole,
							             L"No match for argument \'%ls\'!\n",
							             lpArguments[nArgument]);

						if (!FindClose(hWildCard))
							PrintConsole(hConsole,
							             L"FindClose() returned error %lu for argument \'%ls\'\n",
							             GetLastError(), lpArguments[nArgument]);
					}
				} while (++nArgument < nArguments);
#endif // WILDCARD
			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}
    Note: with the preprocessor macro REGISTRY defined, an optional /MACHINE or /USER is accepted as first command line argument to compare the settings against the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER branch of the Registry!

    Note: with the preprocessor macro WILDCARD defined, wildcard expansion of matching file names is performed for the command line arguments!

  2. Run the following four command lines to compile the source file POLYGLOT.C created in step 1., link the compiled object file POLYGLOT.OBJ and cleanup afterwards: 

    SET CL=/DREGISTRY /GAFS /Gs69632 /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /STACK:1048576,65536 /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePOLYGLOT.COM POLYGLOT.C
ERASE POLYGLOT.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

POLYGLOT.C
POLYGLOT.C(313) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(330) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(341) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(425) : warning C4213: nonstandard extension used : cast on l-value

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Offline Registry Reader

Purpose
Synopsis
Demonstration
Downloads
Implementation and Build Details
Source and Build Instructions

Purpose

Print an offline registry hive formatted as .inf file in UTF-16LE encoding on standard output (which must be redirected to a file or piped into an application that reads from standard input, like Clip, Find or More).

Synopsis

OFFREG.COM ‹input file name› >‹output file name›
OFFREG.COM ‹input file name› | MORE.COM

Demonstration

Dump the contents of the registry hive %SystemDrive%\Users\Default\NTUSER.DAT to the file ntuser.inf and display it afterwards: 
VER
.\OFFREG.COM "%SystemDrive%\Users\Default\NTUSER.DAT" 1>ntuser.inf
NET.EXE HelpMsg %ERRORLEVEL%
TYPE ntuser.inf
Microsoft Windows [Version 10.0.19044.2486]

OFFREG.DLL version 1.0

The operation completed successfully.

[Version]
DriverVer = 08/15/2021,12.34.56.789 ; UTC
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
REG_SZ                         = 0x00000000
REG_BINARY                     = 0x00000001
REG_KEYONLY                    = 0x00000010
REG_MULTI_SZ                   = 0x00010000
REG_DWORD                      = 0x00010001
REG_EXPAND_SZ                  = 0x00020000
REG_NONE                       = 0x00020001
REG_COMPATIBLE                 = 0x00030001 ; same as REG_BINARY
REG_DWORD_LITTLE_ENDIAN        = 0x00040001 ; same as REG_DWORD
REG_DWORD_BIG_ENDIAN           = 0x00050001
REG_LINK                       = 0x00060000
REG_RESOURCE_LIST              = 0x00080001
REG_FULL_RESOURCE_DESCRIPTOR   = 0x00090001
REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001
REG_QWORD                      = 0x000b0001
REG_QWORD_LITTLE_ENDIAN        = 0x000b0001 ; same as REG_QWORD

[DefaultInstall.NT]
;AddReg = AddReg.HKO

[AddReg.HKO]
HKO,"AppEvents\EventLabels\.Default",,%REG_SZ%,"Default Beep"
HKO,"AppEvents\EventLabels\.Default","DispFileName",%REG_SZ%,"@mmres.dll,-5824"
HKO,"AppEvents\EventLabels\ActivatingDocument",,%REG_SZ%,"Complete Navigation"
HKO,"AppEvents\EventLabels\ActivatingDocument","DispFileName",%REG_SZ%,"@ieframe.dll,-10321"
HKO,"AppEvents\EventLabels\AppGPFault",,%REG_SZ%,"Program Error"
HKO,"AppEvents\EventLabels\AppGPFault","DispFileName",%REG_SZ%,"@mmres.dll,-5825"
HKO,"AppEvents\EventLabels\BlockedPopup",,%REG_SZ%,"Blocked Pop-up Window"
HKO,"AppEvents\EventLabels\BlockedPopup","DispFileName",%REG_SZ%,"@ieframe.dll,-10325"
HKO,"AppEvents\EventLabels\CCSelect",,%REG_SZ%,"Select"
HKO,"AppEvents\EventLabels\CCSelect","DispFileName",%REG_SZ%,"@ieframe.dll,-10323"
HKO,"AppEvents\EventLabels\ChangeTheme",,%REG_SZ%,"Change Theme"
HKO,"AppEvents\EventLabels\ChangeTheme","DispFileName",%REG_SZ%,"@mmres.dll,-5860"
HKO,"AppEvents\EventLabels\Close",,%REG_SZ%,"Close Program"
HKO,"AppEvents\EventLabels\Close","DispFileName",%REG_SZ%,"@mmres.dll,-5826"
HKO,"AppEvents\EventLabels\CriticalBatteryAlarm",,%REG_SZ%,"Critical Battery Alarm"
HKO,"AppEvents\EventLabels\CriticalBatteryAlarm","DispFileName",%REG_SZ%,"@mmres.dll,-5827"
HKO,"AppEvents\EventLabels\DeviceConnect",,%REG_SZ%,"Device Connect"
HKO,"AppEvents\EventLabels\DeviceConnect","DispFileName",%REG_SZ%,"@mmres.dll,-5828"
HKO,"AppEvents\EventLabels\DeviceDisconnect",,%REG_SZ%,"Device Disconnect"
HKO,"AppEvents\EventLabels\DeviceDisconnect","DispFileName",%REG_SZ%,"@mmres.dll,-5829"
HKO,"AppEvents\EventLabels\DeviceFail",,%REG_SZ%,"Device Failed to Connect"
HKO,"AppEvents\EventLabels\DeviceFail","DispFileName",%REG_SZ%,"@mmres.dll,-5830"
HKO,"AppEvents\EventLabels\DisNumbersSound",,%REG_SZ%,"Disambiguation Numbers"
HKO,"AppEvents\EventLabels\DisNumbersSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5566"
HKO,"AppEvents\EventLabels\EmptyRecycleBin",,%REG_SZ%,"Empty Recycle Bin"
HKO,"AppEvents\EventLabels\EmptyRecycleBin","DispFileName",%REG_SZ%,"@mmres.dll,-5831"
HKO,"AppEvents\EventLabels\FaxBeep",,%REG_SZ%,"New Fax Notification"
HKO,"AppEvents\EventLabels\FaxBeep","DispFileName",%REG_SZ%,"@mmres.dll,-5858"
HKO,"AppEvents\EventLabels\FeedDiscovered",,%REG_SZ%,"Feed Discovered"
HKO,"AppEvents\EventLabels\FeedDiscovered","DispFileName",%REG_SZ%,"@ieframe.dll,-17315"
HKO,"AppEvents\EventLabels\HubOffSound",,%REG_SZ%,"Off"
HKO,"AppEvents\EventLabels\HubOffSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5563"
HKO,"AppEvents\EventLabels\HubOnSound",,%REG_SZ%,"On"
HKO,"AppEvents\EventLabels\HubOnSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5562"
HKO,"AppEvents\EventLabels\HubSleepSound",,%REG_SZ%,"Sleep"
HKO,"AppEvents\EventLabels\HubSleepSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5564"
HKO,"AppEvents\EventLabels\LowBatteryAlarm",,%REG_SZ%,"Low Battery Alarm"
HKO,"AppEvents\EventLabels\LowBatteryAlarm","DispFileName",%REG_SZ%,"@mmres.dll,-5832"
HKO,"AppEvents\EventLabels\MailBeep",,%REG_SZ%,"Desktop Mail Notification"
HKO,"AppEvents\EventLabels\MailBeep","DispFileName",%REG_SZ%,"@mmres.dll,-5837"
HKO,"AppEvents\EventLabels\Maximize",,%REG_SZ%,"Maximize"
HKO,"AppEvents\EventLabels\Maximize","DispFileName",%REG_SZ%,"@mmres.dll,-5833"
HKO,"AppEvents\EventLabels\MenuCommand",,%REG_SZ%,"Menu Command"
HKO,"AppEvents\EventLabels\MenuCommand","DispFileName",%REG_SZ%,"@mmres.dll,-5834"
HKO,"AppEvents\EventLabels\MenuPopup",,%REG_SZ%,"Menu Pop-up"
HKO,"AppEvents\EventLabels\MenuPopup","DispFileName",%REG_SZ%,"@mmres.dll,-5835"
HKO,"AppEvents\EventLabels\MessageNudge",,%REG_SZ%,"Message Nudge"
HKO,"AppEvents\EventLabels\MessageNudge","DispFileName",%REG_SZ%,"@mmres.dll,-5866"
HKO,"AppEvents\EventLabels\Minimize",,%REG_SZ%,"Minimize"
HKO,"AppEvents\EventLabels\Minimize","DispFileName",%REG_SZ%,"@mmres.dll,-5836"
HKO,"AppEvents\EventLabels\MisrecoSound",,%REG_SZ%,"Misrecognition"
HKO,"AppEvents\EventLabels\MisrecoSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5561"
HKO,"AppEvents\EventLabels\MoveMenuItem",,%REG_SZ%,"Move Menu Item"
HKO,"AppEvents\EventLabels\MoveMenuItem","DispFileName",%REG_SZ%,"@ieframe.dll,-10322"
HKO,"AppEvents\EventLabels\Navigating",,%REG_SZ%,"Start Navigation"
HKO,"AppEvents\EventLabels\Navigating","DispFileName",%REG_SZ%,"@ieframe.dll,-10320"
HKO,"AppEvents\EventLabels\Notification.Default",,%REG_SZ%,"Notification"
HKO,"AppEvents\EventLabels\Notification.Default","DispFileName",%REG_SZ%,"@mmres.dll,-5865"
HKO,"AppEvents\EventLabels\Notification.IM",,%REG_SZ%,"Instant Message Notification"
HKO,"AppEvents\EventLabels\Notification.IM","DispFileName",%REG_SZ%,"@mmres.dll,-5863"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm",,%REG_SZ%,"Alarm 1"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm","DispFileName",%REG_SZ%,"@mmres.dll,-5888"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm10",,%REG_SZ%,"Alarm 10"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm10","DispFileName",%REG_SZ%,"@mmres.dll,-5897"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm10","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm2",,%REG_SZ%,"Alarm 2"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm2","DispFileName",%REG_SZ%,"@mmres.dll,-5889"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm2","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm3",,%REG_SZ%,"Alarm 3"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm3","DispFileName",%REG_SZ%,"@mmres.dll,-5890"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm3","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm4",,%REG_SZ%,"Alarm 4"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm4","DispFileName",%REG_SZ%,"@mmres.dll,-5891"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm4","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm5",,%REG_SZ%,"Alarm 5"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm5","DispFileName",%REG_SZ%,"@mmres.dll,-5892"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm5","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm6",,%REG_SZ%,"Alarm 6"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm6","DispFileName",%REG_SZ%,"@mmres.dll,-5893"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm6","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm7",,%REG_SZ%,"Alarm 7"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm7","DispFileName",%REG_SZ%,"@mmres.dll,-5894"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm7","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm8",,%REG_SZ%,"Alarm 8"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm8","DispFileName",%REG_SZ%,"@mmres.dll,-5895"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm8","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm9",,%REG_SZ%,"Alarm 9"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm9","DispFileName",%REG_SZ%,"@mmres.dll,-5896"
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm9","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call",,%REG_SZ%,"Incoming Call Notification 1"
HKO,"AppEvents\EventLabels\Notification.Looping.Call","DispFileName",%REG_SZ%,"@mmres.dll,-5872"
HKO,"AppEvents\EventLabels\Notification.Looping.Call","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call10",,%REG_SZ%,"Incoming Call Notification 10"
HKO,"AppEvents\EventLabels\Notification.Looping.Call10","DispFileName",%REG_SZ%,"@mmres.dll,-5881"
HKO,"AppEvents\EventLabels\Notification.Looping.Call10","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call2",,%REG_SZ%,"Incoming Call Notification 2"
HKO,"AppEvents\EventLabels\Notification.Looping.Call2","DispFileName",%REG_SZ%,"@mmres.dll,-5873"
HKO,"AppEvents\EventLabels\Notification.Looping.Call2","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call3",,%REG_SZ%,"Incoming Call Notification 3"
HKO,"AppEvents\EventLabels\Notification.Looping.Call3","DispFileName",%REG_SZ%,"@mmres.dll,-5874"
HKO,"AppEvents\EventLabels\Notification.Looping.Call3","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call4",,%REG_SZ%,"Incoming Call Notification 4"
HKO,"AppEvents\EventLabels\Notification.Looping.Call4","DispFileName",%REG_SZ%,"@mmres.dll,-5875"
HKO,"AppEvents\EventLabels\Notification.Looping.Call4","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call5",,%REG_SZ%,"Incoming Call Notification 5"
HKO,"AppEvents\EventLabels\Notification.Looping.Call5","DispFileName",%REG_SZ%,"@mmres.dll,-5876"
HKO,"AppEvents\EventLabels\Notification.Looping.Call5","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call6",,%REG_SZ%,"Incoming Call Notification 6"
HKO,"AppEvents\EventLabels\Notification.Looping.Call6","DispFileName",%REG_SZ%,"@mmres.dll,-5877"
HKO,"AppEvents\EventLabels\Notification.Looping.Call6","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call7",,%REG_SZ%,"Incoming Call Notification 7"
HKO,"AppEvents\EventLabels\Notification.Looping.Call7","DispFileName",%REG_SZ%,"@mmres.dll,-5878"
HKO,"AppEvents\EventLabels\Notification.Looping.Call7","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call8",,%REG_SZ%,"Incoming Call Notification 8"
HKO,"AppEvents\EventLabels\Notification.Looping.Call8","DispFileName",%REG_SZ%,"@mmres.dll,-5879"
HKO,"AppEvents\EventLabels\Notification.Looping.Call8","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Looping.Call9",,%REG_SZ%,"Incoming Call Notification 9"
HKO,"AppEvents\EventLabels\Notification.Looping.Call9","DispFileName",%REG_SZ%,"@mmres.dll,-5880"
HKO,"AppEvents\EventLabels\Notification.Looping.Call9","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\Notification.Mail",,%REG_SZ%,"New Mail Notification"
HKO,"AppEvents\EventLabels\Notification.Mail","DispFileName",%REG_SZ%,"@mmres.dll,-5861"
HKO,"AppEvents\EventLabels\Notification.Proximity",,%REG_SZ%,"NFP Completion"
HKO,"AppEvents\EventLabels\Notification.Proximity","DispFileName",%REG_SZ%,"@mmres.dll,-5868"
HKO,"AppEvents\EventLabels\Notification.Reminder",,%REG_SZ%,"Calendar Reminder"
HKO,"AppEvents\EventLabels\Notification.Reminder","DispFileName",%REG_SZ%,"@mmres.dll,-5864"
HKO,"AppEvents\EventLabels\Notification.SMS",,%REG_SZ%,"New Text Message Notification"
HKO,"AppEvents\EventLabels\Notification.SMS","DispFileName",%REG_SZ%,"@mmres.dll,-5862"
HKO,"AppEvents\EventLabels\Open",,%REG_SZ%,"Open Program"
HKO,"AppEvents\EventLabels\Open","DispFileName",%REG_SZ%,"@mmres.dll,-5839"
HKO,"AppEvents\EventLabels\PanelSound",,%REG_SZ%,"Disambiguation Panel"
HKO,"AppEvents\EventLabels\PanelSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5565"
HKO,"AppEvents\EventLabels\PrintComplete",,%REG_SZ%,"Print Complete"
HKO,"AppEvents\EventLabels\PrintComplete","DispFileName",%REG_SZ%,"@mmres.dll,-5840"
HKO,"AppEvents\EventLabels\ProximityConnection",,%REG_SZ%,"NFP Connection"
HKO,"AppEvents\EventLabels\ProximityConnection","DispFileName",%REG_SZ%,"@mmres.dll,-5867"
HKO,"AppEvents\EventLabels\RestoreDown",,%REG_SZ%,"Restore Down"
HKO,"AppEvents\EventLabels\RestoreDown","DispFileName",%REG_SZ%,"@mmres.dll,-5841"
HKO,"AppEvents\EventLabels\RestoreUp",,%REG_SZ%,"Restore Up"
HKO,"AppEvents\EventLabels\RestoreUp","DispFileName",%REG_SZ%,"@mmres.dll,-5842"
HKO,"AppEvents\EventLabels\SecurityBand",,%REG_SZ%,"Information Bar"
HKO,"AppEvents\EventLabels\SecurityBand","DispFileName",%REG_SZ%,"@ieframe.dll,-10326"
HKO,"AppEvents\EventLabels\ShowBand",,%REG_SZ%,"Show Toolbar Band"
HKO,"AppEvents\EventLabels\ShowBand","DispFileName",%REG_SZ%,"@ieframe.dll,-10324"
HKO,"AppEvents\EventLabels\SystemAsterisk",,%REG_SZ%,"Asterisk"
HKO,"AppEvents\EventLabels\SystemAsterisk","DispFileName",%REG_SZ%,"@mmres.dll,-5843"
HKO,"AppEvents\EventLabels\SystemExclamation",,%REG_SZ%,"Exclamation"
HKO,"AppEvents\EventLabels\SystemExclamation","DispFileName",%REG_SZ%,"@mmres.dll,-5845"
HKO,"AppEvents\EventLabels\SystemExit",,%REG_SZ%,"Exit Windows"
HKO,"AppEvents\EventLabels\SystemExit","DispFileName",%REG_SZ%,"@mmres.dll,-5846"
HKO,"AppEvents\EventLabels\SystemExit","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\SystemHand",,%REG_SZ%,"Critical Stop"
HKO,"AppEvents\EventLabels\SystemHand","DispFileName",%REG_SZ%,"@mmres.dll,-5847"
HKO,"AppEvents\EventLabels\SystemNotification",,%REG_SZ%,"System Notification"
HKO,"AppEvents\EventLabels\SystemNotification","DispFileName",%REG_SZ%,"@mmres.dll,-5848"
HKO,"AppEvents\EventLabels\SystemQuestion",,%REG_SZ%,"Question"
HKO,"AppEvents\EventLabels\SystemQuestion","DispFileName",%REG_SZ%,"@mmres.dll,-5849"
HKO,"AppEvents\EventLabels\WindowsLogoff",,%REG_SZ%,"Windows Logoff"
HKO,"AppEvents\EventLabels\WindowsLogoff","DispFileName",%REG_SZ%,"@mmres.dll,-5852"
HKO,"AppEvents\EventLabels\WindowsLogoff","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\WindowsLogon",,%REG_SZ%,"Windows Logon"
HKO,"AppEvents\EventLabels\WindowsLogon","DispFileName",%REG_SZ%,"@mmres.dll,-5853"
HKO,"AppEvents\EventLabels\WindowsLogon","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\EventLabels\WindowsUAC",,%REG_SZ%,"Windows User Account Control"
HKO,"AppEvents\EventLabels\WindowsUAC","DispFileName",%REG_SZ%,"@mmres.dll,-5859"
HKO,"AppEvents\EventLabels\WindowsUnlock",,%REG_SZ%,"Windows Unlock"
HKO,"AppEvents\EventLabels\WindowsUnlock","DispFileName",%REG_SZ%,"@mmres.dll,-5869"
HKO,"AppEvents\EventLabels\WindowsUnlock","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001
HKO,"AppEvents\Schemes",,%REG_SZ%,".Default"
HKO,"AppEvents\Schemes\Apps\.Default",,%REG_SZ%,"Windows"
HKO,"AppEvents\Schemes\Apps\.Default","DispFileName",%REG_SZ%,"@mmres.dll,-5856"
HKO,"AppEvents\Schemes\Apps\.Default\.Default\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\.Default\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\AppGPFault\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\AppGPFault\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\CCSelect",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\ChangeTheme\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\ChangeTheme\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\Close\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\Close\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav"
HKO,"AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav"
HKO,"AppEvents\Schemes\Apps\.Default\DeviceConnect\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Insert.wav"
HKO,"AppEvents\Schemes\Apps\.Default\DeviceConnect\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Insert.wav"
HKO,"AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Remove.wav"
HKO,"AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Remove.wav"
HKO,"AppEvents\Schemes\Apps\.Default\DeviceFail\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Fail.wav"
HKO,"AppEvents\Schemes\Apps\.Default\DeviceFail\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Fail.wav"
HKO,"AppEvents\Schemes\Apps\.Default\FaxBeep\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav"
HKO,"AppEvents\Schemes\Apps\.Default\FaxBeep\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav"
HKO,"AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\MailBeep\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav"
HKO,"AppEvents\Schemes\Apps\.Default\MailBeep\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Maximize\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\Maximize\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\MenuCommand\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\MenuCommand\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\MenuPopup\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\MenuPopup\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\MessageNudge\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Message Nudge.wav"
HKO,"AppEvents\Schemes\Apps\.Default\MessageNudge\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Message Nudge.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Minimize\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\Minimize\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Default\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify System Generic.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Default\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify System Generic.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.IM\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.IM\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm01.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm01.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm10\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm10.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm10\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm10.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm2\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm02.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm2\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm02.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm3\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm03.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm3\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm03.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm4\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm04.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm4\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm04.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm5\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm05.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm5\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm05.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm6\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm06.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm6\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm06.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm7\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm07.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm7\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm07.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm8\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm08.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm8\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm08.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm9\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm09.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm9\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm09.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring01.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring01.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call10\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring10.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call10\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring10.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call2\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring02.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call2\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring02.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call3\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring03.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call3\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring03.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call4\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring04.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call4\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring04.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call5\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring05.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call5\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring05.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call6\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring06.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call6\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring06.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call7\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring07.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call7\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring07.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call8\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring08.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call8\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring08.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call9\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring09.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call9\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring09.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Mail\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Mail\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Proximity\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Notification.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Proximity\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Notification.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Reminder\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Calendar.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Reminder\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Calendar.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.SMS\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Notification.SMS\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav"
HKO,"AppEvents\Schemes\Apps\.Default\Open\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\Open\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\PrintComplete\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\PrintComplete\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\ProximityConnection\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Connection.wav"
HKO,"AppEvents\Schemes\Apps\.Default\ProximityConnection\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Connection.wav"
HKO,"AppEvents\Schemes\Apps\.Default\RestoreDown\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\RestoreDown\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\RestoreUp\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\RestoreUp\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\ShowBand",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemExclamation\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemExclamation\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemExit\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\SystemExit\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\SystemHand\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemHand\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemNotification\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemNotification\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav"
HKO,"AppEvents\Schemes\Apps\.Default\SystemQuestion\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\SystemQuestion\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogoff\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogoff\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogon\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Logon.wav"
HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogon\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Logon.wav"
HKO,"AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows User Account Control.wav"
HKO,"AppEvents\Schemes\Apps\.Default\WindowsUAC\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows User Account Control.wav"
HKO,"AppEvents\Schemes\Apps\.Default\WindowsUnlock\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Unlock.wav"
HKO,"AppEvents\Schemes\Apps\.Default\WindowsUnlock\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Unlock.wav"
HKO,"AppEvents\Schemes\Apps\Explorer",,%REG_SZ%,"File Explorer"
HKO,"AppEvents\Schemes\Apps\Explorer","DispFileName",%REG_SZ%,"@mmres.dll,-5854"
HKO,"AppEvents\Schemes\Apps\Explorer\ActivatingDocument",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\BlockedPopup\.default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\FeedDiscovered\.current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\FeedDiscovered\.default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\MoveMenuItem",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\Navigating\.Current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\Navigating\.Default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\SecurityBand\.current",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\Explorer\SecurityBand\.default",,%REG_KEYONLY%
HKO,"AppEvents\Schemes\Apps\sapisvr",,%REG_SZ%,"Speech Recognition"
HKO,"AppEvents\Schemes\Apps\sapisvr","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5555"
HKO,"AppEvents\Schemes\Apps\sapisvr\DisNumbersSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\DisNumbersSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\HubOffSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Off.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\HubOffSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Off.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\HubOnSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech On.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\HubOnSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech On.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\HubSleepSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Sleep.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\HubSleepSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Sleep.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\MisrecoSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Misrecognition.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\MisrecoSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Misrecognition.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\PanelSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav"
HKO,"AppEvents\Schemes\Apps\sapisvr\PanelSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav"
HKO,"AppEvents\Schemes\Names\.Default",,%REG_SZ%,"@mmres.dll,-800"
HKO,"AppEvents\Schemes\Names\.None",,%REG_SZ%,"@mmres.dll,-801"
HKO,"Console","ColorTable00",%REG_DWORD%,789516 ; 0x000c0c0c
HKO,"Console","ColorTable01",%REG_DWORD%,14300928 ; 0x00da3700
HKO,"Console","ColorTable02",%REG_DWORD%,958739 ; 0x000ea113
HKO,"Console","ColorTable03",%REG_DWORD%,14521914 ; 0x00dd963a
HKO,"Console","ColorTable04",%REG_DWORD%,2035653 ; 0x001f0fc5
HKO,"Console","ColorTable05",%REG_DWORD%,9967496 ; 0x00981788
HKO,"Console","ColorTable06",%REG_DWORD%,40129 ; 0x00009cc1
HKO,"Console","ColorTable07",%REG_DWORD%,13421772 ; 0x00cccccc
HKO,"Console","ColorTable08",%REG_DWORD%,7763574 ; 0x00767676
HKO,"Console","ColorTable09",%REG_DWORD%,16742459 ; 0x00ff783b
HKO,"Console","ColorTable10",%REG_DWORD%,837142 ; 0x000cc616
HKO,"Console","ColorTable11",%REG_DWORD%,14079585 ; 0x00d6d661
HKO,"Console","ColorTable12",%REG_DWORD%,5654759 ; 0x005648e7
HKO,"Console","ColorTable13",%REG_DWORD%,10354868 ; 0x009e00b4
HKO,"Console","ColorTable14",%REG_DWORD%,10875385 ; 0x00a5f1f9
HKO,"Console","ColorTable15",%REG_DWORD%,15921906 ; 0x00f2f2f2
HKO,"Console","CtrlKeyShortcutsDisabled",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","CursorColor",%REG_DWORD%,4294967295 ; 0xffffffff
HKO,"Console","CursorSize",%REG_DWORD%,25 ; 0x00000019
HKO,"Console","DefaultBackground",%REG_DWORD%,4294967295 ; 0xffffffff
HKO,"Console","DefaultForeground",%REG_DWORD%,4294967295 ; 0xffffffff
HKO,"Console","EnableColorSelection",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","ExtendedEditKey",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","ExtendedEditKeyCustom",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","FaceName",%REG_SZ%,"__DefaultTTFont__"
HKO,"Console","FilterOnPaste",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","FontFamily",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","FontSize",%REG_DWORD%,1048576 ; 0x00100000
HKO,"Console","FontWeight",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","ForceV2",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","FullScreen",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","HistoryBufferSize",%REG_DWORD%,50 ; 0x00000032
HKO,"Console","HistoryNoDup",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","InsertMode",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","LineSelection",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","LineWrap",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","LoadConIme",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","NumberOfHistoryBuffers",%REG_DWORD%,4 ; 0x00000004
HKO,"Console","PopupColors",%REG_DWORD%,245 ; 0x000000f5
HKO,"Console","QuickEdit",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","ScreenBufferSize",%REG_DWORD%,589889656 ; 0x23290078
HKO,"Console","ScreenColors",%REG_DWORD%,7 ; 0x00000007
HKO,"Console","ScrollScale",%REG_DWORD%,1 ; 0x00000001
HKO,"Console","TerminalScrolling",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","TrimLeadingZeros",%REG_DWORD%,0 ; 0x00000000
HKO,"Console","WindowAlpha",%REG_DWORD%,255 ; 0x000000ff
HKO,"Console","WindowSize",%REG_DWORD%,1966200 ; 0x001e0078
HKO,"Console","WordDelimiters",%REG_DWORD%,0 ; 0x00000000
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ColorTable05",%REG_DWORD%,5645313 ; 0x00562401
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ColorTable06",%REG_DWORD%,15789550 ; 0x00f0edee
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","FaceName",%REG_SZ%,"Lucida Console"
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","FontFamily",%REG_DWORD%,54 ; 0x00000036
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","FontWeight",%REG_DWORD%,400 ; 0x00000190
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","PopupColors",%REG_DWORD%,243 ; 0x000000f3
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","QuickEdit",%REG_DWORD%,1 ; 0x00000001
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ScreenBufferSize",%REG_DWORD%,196608120 ; 0x0bb80078
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ScreenColors",%REG_DWORD%,86 ; 0x00000056
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","WindowSize",%REG_DWORD%,3276920 ; 0x00320078
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ColorTable05",%REG_DWORD%,5645313 ; 0x00562401
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ColorTable06",%REG_DWORD%,15789550 ; 0x00f0edee
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","FaceName",%REG_SZ%,"Lucida Console"
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","FontFamily",%REG_DWORD%,54 ; 0x00000036
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","FontWeight",%REG_DWORD%,400 ; 0x00000190
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","PopupColors",%REG_DWORD%,243 ; 0x000000f3
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","QuickEdit",%REG_DWORD%,1 ; 0x00000001
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ScreenBufferSize",%REG_DWORD%,196608120 ; 0x0bb80078
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ScreenColors",%REG_DWORD%,86 ; 0x00000056
HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","WindowSize",%REG_DWORD%,3276920 ; 0x00320078
HKO,"Control Panel\Accessibility","MessageDuration",%REG_DWORD%,5 ; 0x00000005
HKO,"Control Panel\Accessibility","MinimumHitRadius",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Accessibility\AudioDescription","Locale",%REG_SZ%,""
HKO,"Control Panel\Accessibility\AudioDescription","On",%REG_SZ%,"0"
HKO,"Control Panel\Accessibility\Blind Access","On",%REG_SZ%,"0"
HKO,"Control Panel\Accessibility\HighContrast","Flags",%REG_SZ%,"126"
HKO,"Control Panel\Accessibility\HighContrast","High Contrast Scheme",%REG_SZ%,""
HKO,"Control Panel\Accessibility\Keyboard Preference","On",%REG_SZ%,"0"
HKO,"Control Panel\Accessibility\Keyboard Response","AutoRepeatDelay",%REG_SZ%,"1000"
HKO,"Control Panel\Accessibility\Keyboard Response","AutoRepeatRate",%REG_SZ%,"500"
HKO,"Control Panel\Accessibility\Keyboard Response","BounceTime",%REG_SZ%,"0"
HKO,"Control Panel\Accessibility\Keyboard Response","DelayBeforeAcceptance",%REG_SZ%,"1000"
HKO,"Control Panel\Accessibility\Keyboard Response","Flags",%REG_SZ%,"126"
HKO,"Control Panel\Accessibility\Keyboard Response","Last BounceKey Setting",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Accessibility\Keyboard Response","Last Valid Delay",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Accessibility\Keyboard Response","Last Valid Repeat",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Accessibility\Keyboard Response","Last Valid Wait",%REG_DWORD%,1000 ; 0x000003e8
HKO,"Control Panel\Accessibility\MouseKeys","Flags",%REG_SZ%,"62"
HKO,"Control Panel\Accessibility\MouseKeys","MaximumSpeed",%REG_SZ%,"80"
HKO,"Control Panel\Accessibility\MouseKeys","TimeToMaximumSpeed",%REG_SZ%,"3000"
HKO,"Control Panel\Accessibility\On","Locale",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Accessibility\On","On",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Accessibility\ShowSounds","On",%REG_SZ%,"0"
HKO,"Control Panel\Accessibility\SlateLaunch","ATapp",%REG_SZ%,"narrator"
HKO,"Control Panel\Accessibility\SlateLaunch","LaunchAT",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\Accessibility\SoundSentry","Flags",%REG_SZ%,"2"
HKO,"Control Panel\Accessibility\SoundSentry","FSTextEffect",%REG_SZ%,"0"
HKO,"Control Panel\Accessibility\SoundSentry","TextEffect",%REG_SZ%,"0"
HKO,"Control Panel\Accessibility\SoundSentry","WindowsEffect",%REG_SZ%,"1"
HKO,"Control Panel\Accessibility\StickyKeys","Flags",%REG_SZ%,"510"
HKO,"Control Panel\Accessibility\TimeOut","Flags",%REG_SZ%,"2"
HKO,"Control Panel\Accessibility\TimeOut","TimeToWait",%REG_SZ%,"300000"
HKO,"Control Panel\Accessibility\ToggleKeys","Flags",%REG_SZ%,"62"
HKO,"Control Panel\Appearance\New Schemes",,%REG_KEYONLY%
HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-850",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,00,00,00,00,00,00,00,00,00,00,ff,00,00,ff,ff,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,00,00,ff,ff,ff,00,00,00,ff,00,00,ff,ff,00,00,00,00,00,00,80,00,00,ff,ff,ff,00,00,00,00,00,80,80,80,00,00,ff,00,00,ff,ff,ff,00,00,00,00,00,c0,c0,c0,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,00,00,00,00,00,00,c0,c0,c0,00,80,80,ff,00,00,00,ff,00,00,ff,ff,00
HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-851",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,00,00,00,00,00,00,00,00,00,ff,ff,00,00,00,ff,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,00,ff,00,00,00,ff,00,00,00,00,00,00,00,ff,ff,00,00,00,ff,00,ff,ff,ff,00,00,00,ff,00,ff,ff,ff,00,00,00,00,00,80,80,80,00,c0,c0,c0,00,00,ff,00,00,ff,ff,ff,00,c0,c0,c0,00,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,ff,ff,00,00,c0,c0,c0,00,80,80,ff,00,00,ff,ff,00,00,00,ff,00
HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-852",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,00,00,00,00,00,00,00,00,80,00,80,00,00,80,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,00,00,00,80,00,00,00,00,00,00,80,00,80,00,ff,ff,ff,00,00,00,00,00,80,80,80,00,00,ff,00,00,ff,ff,ff,00,ff,ff,ff,00,c0,c0,c0,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,c0,c0,c0,00,80,80,ff,00,80,00,80,00,00,80,00,00
HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-853",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,80,80,80,00,c0,c0,c0,00,80,80,80,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,80,80,80,00,00,80,00,00,00,00,00,00,00,00,00,00,c0,c0,c0,00,00,00,00,00,c0,c0,c0,00,00,00,00,00,ff,ff,ff,00,c0,c0,c0,00,00,00,00,00,00,00,00,00,ff,ff,ff,00
HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-854",%REG_BINARY%,02,00,00,00,f4,01,00,00,01,00,00,00,10,00,00,00,10,00,00,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,0c,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,d4,d0,c8,00,3a,6e,a5,00,0a,24,6a,00,80,80,80,00,d4,d0,c8,00,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,d4,d0,c8,00,d4,d0,c8,00,80,80,80,00,0a,24,6a,00,ff,ff,ff,00,d4,d0,c8,00,80,80,80,00,80,80,80,00,00,00,00,00,d4,d0,c8,00,ff,ff,ff,00,40,40,40,00,d4,d0,c8,00,00,00,00,00,ff,ff,e1,00,b5,b5,b5,00,00,00,80,00,a6,ca,f0,00,c0,c0,c0,00
HKO,"Control Panel\Colors","ActiveBorder",%REG_SZ%,"180 180 180"
HKO,"Control Panel\Colors","ActiveTitle",%REG_SZ%,"153 180 209"
HKO,"Control Panel\Colors","AppWorkspace",%REG_SZ%,"171 171 171"
HKO,"Control Panel\Colors","Background",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Colors","ButtonAlternateFace",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Colors","ButtonDkShadow",%REG_SZ%,"105 105 105"
HKO,"Control Panel\Colors","ButtonFace",%REG_SZ%,"240 240 240"
HKO,"Control Panel\Colors","ButtonHilight",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Colors","ButtonLight",%REG_SZ%,"227 227 227"
HKO,"Control Panel\Colors","ButtonShadow",%REG_SZ%,"160 160 160"
HKO,"Control Panel\Colors","ButtonText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Colors","GradientActiveTitle",%REG_SZ%,"185 209 234"
HKO,"Control Panel\Colors","GradientInactiveTitle",%REG_SZ%,"215 228 242"
HKO,"Control Panel\Colors","GrayText",%REG_SZ%,"109 109 109"
HKO,"Control Panel\Colors","Hilight",%REG_SZ%,"51 153 255"
HKO,"Control Panel\Colors","HilightText",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Colors","HotTrackingColor",%REG_SZ%,"0 102 204"
HKO,"Control Panel\Colors","InactiveBorder",%REG_SZ%,"244 247 252"
HKO,"Control Panel\Colors","InactiveTitle",%REG_SZ%,"191 205 219"
HKO,"Control Panel\Colors","InactiveTitleText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Colors","InfoText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Colors","InfoWindow",%REG_SZ%,"255 255 225"
HKO,"Control Panel\Colors","Menu",%REG_SZ%,"240 240 240"
HKO,"Control Panel\Colors","MenuBar",%REG_SZ%,"240 240 240"
HKO,"Control Panel\Colors","MenuHilight",%REG_SZ%,"51 153 255"
HKO,"Control Panel\Colors","MenuText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Colors","Scrollbar",%REG_SZ%,"200 200 200"
HKO,"Control Panel\Colors","TitleText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Colors","Window",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Colors","WindowFrame",%REG_SZ%,"100 100 100"
HKO,"Control Panel\Colors","WindowText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Cursors","AppStarting",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_working.ani"
HKO,"Control Panel\Cursors","Arrow",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_arrow.cur"
HKO,"Control Panel\Cursors","ContactVisualization",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\Cursors","Crosshair",%REG_EXPAND_SZ%,""
HKO,"Control Panel\Cursors","CursorBaseSize",%REG_DWORD%,32 ; 0x00000020
HKO,"Control Panel\Cursors","GestureVisualization",%REG_DWORD%,31 ; 0x0000001f
HKO,"Control Panel\Cursors","Hand",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_link.cur"
HKO,"Control Panel\Cursors","Help",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_helpsel.cur"
HKO,"Control Panel\Cursors","IBeam",%REG_EXPAND_SZ%,""
HKO,"Control Panel\Cursors","No",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_unavail.cur"
HKO,"Control Panel\Cursors","NWPen",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_pen.cur"
HKO,"Control Panel\Cursors","Scheme Source",%REG_DWORD%,2 ; 0x00000002
HKO,"Control Panel\Cursors","SizeAll",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_move.cur"
HKO,"Control Panel\Cursors","SizeNESW",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_nesw.cur"
HKO,"Control Panel\Cursors","SizeNS",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_ns.cur"
HKO,"Control Panel\Cursors","SizeNWSE",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_nwse.cur"
HKO,"Control Panel\Cursors","SizeWE",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_ew.cur"
HKO,"Control Panel\Cursors","UpArrow",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_up.cur"
HKO,"Control Panel\Cursors","Wait",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_busy.ani"
HKO,"Control Panel\Desktop","ActiveWndTrackTimeout",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Desktop","BlockSendInputResets",%REG_SZ%,"0"
HKO,"Control Panel\Desktop","CaretTimeout",%REG_DWORD%,5000 ; 0x00001388
HKO,"Control Panel\Desktop","CaretWidth",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\Desktop","ClickLockTime",%REG_DWORD%,1200 ; 0x000004b0
HKO,"Control Panel\Desktop","CoolSwitchColumns",%REG_SZ%,"7"
HKO,"Control Panel\Desktop","CoolSwitchRows",%REG_SZ%,"3"
HKO,"Control Panel\Desktop","CursorBlinkRate",%REG_SZ%,"530"
HKO,"Control Panel\Desktop","DockMoving",%REG_SZ%,"1"
HKO,"Control Panel\Desktop","DragFromMaximize",%REG_SZ%,"1"
HKO,"Control Panel\Desktop","DragFullWindows",%REG_SZ%,"1"
HKO,"Control Panel\Desktop","DragHeight",%REG_SZ%,"4"
HKO,"Control Panel\Desktop","DragWidth",%REG_SZ%,"4"
HKO,"Control Panel\Desktop","FocusBorderHeight",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\Desktop","FocusBorderWidth",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\Desktop","FontSmoothing",%REG_SZ%,"2"
HKO,"Control Panel\Desktop","FontSmoothingGamma",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Desktop","FontSmoothingOrientation",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\Desktop","FontSmoothingType",%REG_DWORD%,2 ; 0x00000002
HKO,"Control Panel\Desktop","ForegroundFlashCount",%REG_DWORD%,7 ; 0x00000007
HKO,"Control Panel\Desktop","ForegroundLockTimeout",%REG_DWORD%,200000 ; 0x00030d40
HKO,"Control Panel\Desktop","LeftOverlapChars",%REG_SZ%,"3"
HKO,"Control Panel\Desktop","MenuShowDelay",%REG_SZ%,"400"
HKO,"Control Panel\Desktop","MouseWheelRouting",%REG_DWORD%,2 ; 0x00000002
HKO,"Control Panel\Desktop","PaintDesktopVersion",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Desktop","Pattern",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Desktop","RightOverlapChars",%REG_SZ%,"3"
HKO,"Control Panel\Desktop","ScreenSaveActive",%REG_SZ%,"1"
HKO,"Control Panel\Desktop","SnapSizing",%REG_SZ%,"1"
HKO,"Control Panel\Desktop","TileWallpaper",%REG_SZ%,"0"
HKO,"Control Panel\Desktop","WallPaper",%REG_SZ%,"C:\Windows\Web\Wallpaper\Windows\img0.jpg"
HKO,"Control Panel\Desktop","WallpaperOriginX",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Desktop","WallpaperOriginY",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Desktop","WallpaperStyle",%REG_SZ%,"10"
HKO,"Control Panel\Desktop","WheelScrollChars",%REG_SZ%,"3"
HKO,"Control Panel\Desktop","WheelScrollLines",%REG_SZ%,"3"
HKO,"Control Panel\Desktop","WindowArrangementActive",%REG_SZ%,"1"
HKO,"Control Panel\Desktop\Colors","ActiveBorder",%REG_SZ%,"212 208 200"
HKO,"Control Panel\Desktop\Colors","ActiveTitle",%REG_SZ%,"10 36 106"
HKO,"Control Panel\Desktop\Colors","AppWorkSpace",%REG_SZ%,"128 128 128"
HKO,"Control Panel\Desktop\Colors","ButtonAlternateFace",%REG_SZ%,"181 181 181"
HKO,"Control Panel\Desktop\Colors","ButtonDkShadow",%REG_SZ%,"64 64 64"
HKO,"Control Panel\Desktop\Colors","ButtonFace",%REG_SZ%,"212 208 200"
HKO,"Control Panel\Desktop\Colors","ButtonHiLight",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Desktop\Colors","ButtonLight",%REG_SZ%,"212 208 200"
HKO,"Control Panel\Desktop\Colors","ButtonShadow",%REG_SZ%,"128 128 128"
HKO,"Control Panel\Desktop\Colors","ButtonText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Desktop\Colors","GradientActiveTitle",%REG_SZ%,"166 202 240"
HKO,"Control Panel\Desktop\Colors","GradientInactiveTitle",%REG_SZ%,"192 192 192"
HKO,"Control Panel\Desktop\Colors","GrayText",%REG_SZ%,"128 128 128"
HKO,"Control Panel\Desktop\Colors","Hilight",%REG_SZ%,"10 36 106"
HKO,"Control Panel\Desktop\Colors","HilightText",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Desktop\Colors","HotTrackingColor",%REG_SZ%,"0 0 128"
HKO,"Control Panel\Desktop\Colors","InactiveBorder",%REG_SZ%,"212 208 200"
HKO,"Control Panel\Desktop\Colors","InactiveTitle",%REG_SZ%,"128 128 128"
HKO,"Control Panel\Desktop\Colors","InactiveTitleText",%REG_SZ%,"212 208 200"
HKO,"Control Panel\Desktop\Colors","InfoText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Desktop\Colors","InfoWindow",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Desktop\Colors","Menu",%REG_SZ%,"212 208 200"
HKO,"Control Panel\Desktop\Colors","MenuText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Desktop\Colors","Scrollbar",%REG_SZ%,"212 208 200"
HKO,"Control Panel\Desktop\Colors","TitleText",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Desktop\Colors","Window",%REG_SZ%,"255 255 255"
HKO,"Control Panel\Desktop\Colors","WindowFrame",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Desktop\Colors","WindowText",%REG_SZ%,"0 0 0"
HKO,"Control Panel\Desktop\WindowMetrics","BorderWidth",%REG_SZ%,"#USR:Control Panel\Desktop\WindowMetrics"
HKO,"Control Panel\Desktop\WindowMetrics","CaptionFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"Control Panel\Desktop\WindowMetrics","CaptionHeight",%REG_SZ%,"-270"
HKO,"Control Panel\Desktop\WindowMetrics","CaptionWidth",%REG_SZ%,"-270"
HKO,"Control Panel\Desktop\WindowMetrics","IconFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"Control Panel\Desktop\WindowMetrics","IconTitleWrap",%REG_SZ%,"1"
HKO,"Control Panel\Desktop\WindowMetrics","MenuFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"Control Panel\Desktop\WindowMetrics","MenuHeight",%REG_SZ%,"-270"
HKO,"Control Panel\Desktop\WindowMetrics","MenuWidth",%REG_SZ%,"-270"
HKO,"Control Panel\Desktop\WindowMetrics","MessageFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"Control Panel\Desktop\WindowMetrics","ScrollHeight",%REG_SZ%,"-240"
HKO,"Control Panel\Desktop\WindowMetrics","ScrollWidth",%REG_SZ%,"-240"
HKO,"Control Panel\Desktop\WindowMetrics","Shell Icon Size",%REG_SZ%,"32"
HKO,"Control Panel\Desktop\WindowMetrics","SmCaptionFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"Control Panel\Desktop\WindowMetrics","SmCaptionHeight",%REG_SZ%,"-180"
HKO,"Control Panel\Desktop\WindowMetrics","SmCaptionWidth",%REG_SZ%,"-180"
HKO,"Control Panel\Desktop\WindowMetrics","StatusFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"Control Panel\Input Method","Show Status",%REG_SZ%,"1"
HKO,"Control Panel\Input Method\Hot Keys\00000010","Key Modifiers",%REG_BINARY%,02,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000010","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000010","Virtual Key",%REG_BINARY%,20,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000011","Key Modifiers",%REG_BINARY%,04,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000011","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000011","Virtual Key",%REG_BINARY%,20,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000012","Key Modifiers",%REG_BINARY%,02,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000012","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000012","Virtual Key",%REG_BINARY%,be,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000070","Key Modifiers",%REG_BINARY%,02,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000070","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000070","Virtual Key",%REG_BINARY%,20,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000071","Key Modifiers",%REG_BINARY%,04,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000071","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000071","Virtual Key",%REG_BINARY%,20,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000072","Key Modifiers",%REG_BINARY%,03,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000072","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000072","Virtual Key",%REG_BINARY%,bc,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000104","Key Modifiers",%REG_BINARY%,06,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000104","Target IME",%REG_BINARY%,11,04,01,e0
HKO,"Control Panel\Input Method\Hot Keys\00000104","Virtual Key",%REG_BINARY%,30,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000200","Key Modifiers",%REG_BINARY%,03,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000200","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000200","Virtual Key",%REG_BINARY%,47,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000201","Key Modifiers",%REG_BINARY%,03,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000201","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000201","Virtual Key",%REG_BINARY%,4b,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000202","Key Modifiers",%REG_BINARY%,03,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000202","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000202","Virtual Key",%REG_BINARY%,4c,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000203","Key Modifiers",%REG_BINARY%,03,c0,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000203","Target IME",%REG_BINARY%,00,00,00,00
HKO,"Control Panel\Input Method\Hot Keys\00000203","Virtual Key",%REG_BINARY%,56,00,00,00
HKO,"Control Panel\International","Locale",%REG_SZ%,"00000407"
HKO,"Control Panel\International","LocaleName",%REG_SZ%,"de-DE"
HKO,"Control Panel\International","s1159",%REG_SZ%,""
HKO,"Control Panel\International","s2359",%REG_SZ%,""
HKO,"Control Panel\International","sCurrency",%REG_SZ%,"€"
HKO,"Control Panel\International","sDate",%REG_SZ%,"."
HKO,"Control Panel\International","sDecimal",%REG_SZ%,","
HKO,"Control Panel\International","sGrouping",%REG_SZ%,"3;0"
HKO,"Control Panel\International","sLanguage",%REG_SZ%,"DEU"
HKO,"Control Panel\International","sList",%REG_SZ%,";"
HKO,"Control Panel\International","sLongDate",%REG_SZ%,"dddd, d. MMMM yyyy"
HKO,"Control Panel\International","sMonDecimalSep",%REG_SZ%,","
HKO,"Control Panel\International","sMonGrouping",%REG_SZ%,"3;0"
HKO,"Control Panel\International","sMonThousandSep",%REG_SZ%,"."
HKO,"Control Panel\International","sNativeDigits",%REG_SZ%,"0123456789"
HKO,"Control Panel\International","sNegativeSign",%REG_SZ%,"-"
HKO,"Control Panel\International","sPositiveSign",%REG_SZ%,""
HKO,"Control Panel\International","sShortDate",%REG_SZ%,"dd.MM.yyyy"
HKO,"Control Panel\International","sThousand",%REG_SZ%,"."
HKO,"Control Panel\International","sTime",%REG_SZ%,":"
HKO,"Control Panel\International","sTimeFormat",%REG_SZ%,"HH:mm:ss"
HKO,"Control Panel\International","sShortTime",%REG_SZ%,"HH:mm"
HKO,"Control Panel\International","sYearMonth",%REG_SZ%,"MMMM yyyy"
HKO,"Control Panel\International","iCalendarType",%REG_SZ%,"1"
HKO,"Control Panel\International","iCountry",%REG_SZ%,"49"
HKO,"Control Panel\International","iCurrDigits",%REG_SZ%,"2"
HKO,"Control Panel\International","iCurrency",%REG_SZ%,"3"
HKO,"Control Panel\International","iDate",%REG_SZ%,"1"
HKO,"Control Panel\International","iDigits",%REG_SZ%,"2"
HKO,"Control Panel\International","NumShape",%REG_SZ%,"1"
HKO,"Control Panel\International","iFirstDayOfWeek",%REG_SZ%,"0"
HKO,"Control Panel\International","iFirstWeekOfYear",%REG_SZ%,"2"
HKO,"Control Panel\International","iLZero",%REG_SZ%,"1"
HKO,"Control Panel\International","iMeasure",%REG_SZ%,"0"
HKO,"Control Panel\International","iNegCurr",%REG_SZ%,"8"
HKO,"Control Panel\International","iNegNumber",%REG_SZ%,"1"
HKO,"Control Panel\International","iPaperSize",%REG_SZ%,"9"
HKO,"Control Panel\International","iTime",%REG_SZ%,"1"
HKO,"Control Panel\International","iTimePrefix",%REG_SZ%,"0"
HKO,"Control Panel\International","iTLZero",%REG_SZ%,"1"
HKO,"Control Panel\International\Geo","Nation",%REG_SZ%,"94"
HKO,"Control Panel\International\Geo","Name",%REG_SZ%,"DE"
HKO,"Control Panel\International\User Profile","Languages",%REG_MULTI_SZ%,"de-DE"
HKO,"Control Panel\International\User Profile","ShowAutoCorrection",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile","ShowTextPrediction",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile","ShowCasing",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile","ShowShiftLock",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile\de-DE","0407:00000407",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile System Backup","Languages",%REG_MULTI_SZ%,"de-DE"
HKO,"Control Panel\International\User Profile System Backup","ShowAutoCorrection",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile System Backup","ShowTextPrediction",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile System Backup","ShowCasing",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile System Backup","ShowShiftLock",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\International\User Profile System Backup\de-DE","0407:00000407",%REG_DWORD%,1 ; 0x00000001
HKO,"Control Panel\Keyboard","InitialKeyboardIndicators",%REG_SZ%,"2147483648"
HKO,"Control Panel\Keyboard","KeyboardDelay",%REG_SZ%,"1"
HKO,"Control Panel\Keyboard","KeyboardSpeed",%REG_SZ%,"31"
HKO,"Control Panel\Mouse","ActiveWindowTracking",%REG_DWORD%,0 ; 0x00000000
HKO,"Control Panel\Mouse","Beep",%REG_SZ%,"No"
HKO,"Control Panel\Mouse","DoubleClickHeight",%REG_SZ%,"4"
HKO,"Control Panel\Mouse","DoubleClickSpeed",%REG_SZ%,"500"
HKO,"Control Panel\Mouse","DoubleClickWidth",%REG_SZ%,"4"
HKO,"Control Panel\Mouse","ExtendedSounds",%REG_SZ%,"No"
HKO,"Control Panel\Mouse","MouseHoverHeight",%REG_SZ%,"4"
HKO,"Control Panel\Mouse","MouseHoverTime",%REG_SZ%,"400"
HKO,"Control Panel\Mouse","MouseHoverWidth",%REG_SZ%,"4"
HKO,"Control Panel\Mouse","MouseSensitivity",%REG_SZ%,"10"
HKO,"Control Panel\Mouse","MouseSpeed",%REG_SZ%,"1"
HKO,"Control Panel\Mouse","MouseThreshold1",%REG_SZ%,"6"
HKO,"Control Panel\Mouse","MouseThreshold2",%REG_SZ%,"10"
HKO,"Control Panel\Mouse","MouseTrails",%REG_SZ%,"0"
HKO,"Control Panel\Mouse","SmoothMouseXCurve",%REG_BINARY%,00,00,00,00,00,00,00,00,15,6e,00,00,00,00,00,00,00,40,01,00,00,00,00,00,29,dc,03,00,00,00,00,00,00,00,28,00,00,00,00,00
HKO,"Control Panel\Mouse","SmoothMouseYCurve",%REG_BINARY%,00,00,00,00,00,00,00,00,fd,11,01,00,00,00,00,00,00,24,04,00,00,00,00,00,00,fc,12,00,00,00,00,00,00,c0,bb,01,00,00,00,00
HKO,"Control Panel\Mouse","SnapToDefaultButton",%REG_SZ%,"0"
HKO,"Control Panel\Mouse","SwapMouseButtons",%REG_SZ%,"0"
HKO,"Control Panel\PowerCfg","CurrentPowerPolicy",%REG_SZ%,"0"
HKO,"Control Panel\PowerCfg\GlobalPowerPolicy","Policies",%REG_BINARY%,01,00,00,00,00,00,00,00,03,00,00,00,10,00,00,00,00,00,00,00,03,00,00,00,10,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,03,00,00,00,03,00,00,00,00,00,00,c0,01,00,00,00,05,00,00,00,01,00,00,00,0a,00,00,00,00,00,00,00,03,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,16,00,00,00
HKO,"Control Panel\PowerCfg\PowerPolicies\0","Description",%REG_SZ%,"This scheme is suited to most home or desktop computers that are left plugged in all the time."
HKO,"Control Panel\PowerCfg\PowerPolicies\0","Name",%REG_SZ%,"Home/Office Desk"
HKO,"Control Panel\PowerCfg\PowerPolicies\0","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,2c,01,00,00,32,32,00,03,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,b0,04,00,00,2c,01,00,00,00,00,00,00,58,02,00,00,01,01,64,50,64,64,00,00
HKO,"Control Panel\PowerCfg\PowerPolicies\1","Description",%REG_SZ%,"This scheme is designed for extended battery life for portable computers on the road."
HKO,"Control Panel\PowerCfg\PowerPolicies\1","Name",%REG_SZ%,"Portable/Laptop"
HKO,"Control Panel\PowerCfg\PowerPolicies\1","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,b0,04,00,00,2c,01,00,00,32,32,03,03,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,2c,01,00,00,08,07,00,00,2c,01,00,00,01,01,64,50,64,64,00,00
HKO,"Control Panel\PowerCfg\PowerPolicies\2","Description",%REG_SZ%,"This scheme keeps the monitor on for doing presentations."
HKO,"Control Panel\PowerCfg\PowerPolicies\2","Name",%REG_SZ%,"Presentation"
HKO,"Control Panel\PowerCfg\PowerPolicies\2","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,32,32,03,02,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,2c,01,00,00,01,01,50,50,64,64,00,00
HKO,"Control Panel\PowerCfg\PowerPolicies\3","Description",%REG_SZ%,"This scheme keeps the computer running so that it can be accessed from the network.  Use this scheme if you do not have network wakeup hardware."
HKO,"Control Panel\PowerCfg\PowerPolicies\3","Name",%REG_SZ%,"Always On"
HKO,"Control Panel\PowerCfg\PowerPolicies\3","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,32,32,00,00,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,b0,04,00,00,84,03,00,00,00,00,00,00,08,07,00,00,00,01,64,64,64,64,00,00
HKO,"Control Panel\PowerCfg\PowerPolicies\4","Description",%REG_SZ%,"This scheme keeps the computer on and optimizes it for high performance."
HKO,"Control Panel\PowerCfg\PowerPolicies\4","Name",%REG_SZ%,"Minimal Power Management"
HKO,"Control Panel\PowerCfg\PowerPolicies\4","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,2c,01,00,00,32,32,03,03,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,2c,01,00,00,00,00,00,00,84,03,00,00,00,01,64,64,64,64,00,00
HKO,"Control Panel\PowerCfg\PowerPolicies\5","Description",%REG_SZ%,"This scheme is extremely aggressive for saving power."
HKO,"Control Panel\PowerCfg\PowerPolicies\5","Name",%REG_SZ%,"Max Battery"
HKO,"Control Panel\PowerCfg\PowerPolicies\5","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,05,00,00,00,00,00,00,00,b0,04,00,00,78,00,00,00,32,32,03,02,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,3c,00,00,00,00,00,00,00,b4,00,00,00,01,01,64,32,64,64,00,00
HKO,"Control Panel\Quick Actions\Pinned",,%REG_KEYONLY%
HKO,"Control Panel\Sound","Beep",%REG_SZ%,"yes"
HKO,"Control Panel\Sound","ExtendedSounds",%REG_SZ%,"yes"
HKO,"Environment","Path",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\WindowsApps;"
HKO,"Environment","TEMP",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Temp"
HKO,"Environment","TMP",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Temp"
HKO,"EUDC\932","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE"
HKO,"EUDC\936","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE"
HKO,"EUDC\949","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE"
HKO,"EUDC\950","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE"
HKO,"Keyboard Layout\Preload","1",%REG_SZ%,"00000407"
HKO,"Keyboard Layout\Substitutes",,%REG_KEYONLY%
HKO,"Keyboard Layout\Toggle",,%REG_KEYONLY%
HKO,"Network",,%REG_KEYONLY%
HKO,"SOFTWARE\Google\Chrome\NativeMessagingHosts\com.microsoft.browsercore",,%REG_SZ%,"C:\Program Files\Windows Security\BrowserCore\manifest.json"
HKO,"SOFTWARE\Microsoft\Accessibility",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","FirstTimeHelppaneStartup",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","Height",%REG_DWORD%,340 ; 0x00000154
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","ImplicitFeedback",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","OnlineAssist",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","PositionX",%REG_DWORD%,4294967295 ; 0xffffffff
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","PositionY",%REG_DWORD%,4294967295 ; 0xffffffff
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","UserID",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","Width",%REG_DWORD%,510 ; 0x000001fe
HKO,"SOFTWARE\Microsoft\Avalon.Graphics",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\CommsAPHost\Test",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\CTF\Assemblies\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}","Default",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\CTF\Assemblies\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}","Profile",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\CTF\Assemblies\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}","KeyboardLayout",%REG_DWORD%,67568647 ; 0x04070407
HKO,"SOFTWARE\Microsoft\CTF\DirectSwitchHotkeys",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\CTF\HiddenDummyLayouts",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000","CLSID",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000","KeyboardLayout",%REG_DWORD%,67568647 ; 0x04070407
HKO,"SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000","Profile",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\CTF\SortOrder\Language","00000000",%REG_SZ%,"00000407"
HKO,"SOFTWARE\Microsoft\CTF\TIP",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Fax\FaxOptions",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Fax\fxsclnt\Archive",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Fax\fxsclnt\Confirm",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Fax\Setup",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Fax\UserInfo",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\GameBarApi",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\IME",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Input\TIPC",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Input\TSF\Tsf3Override",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\InputMethod",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\InputPersonalization","RestrictImplicitInkCollection",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\InputPersonalization","RestrictImplicitTextCollection",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore","HarvestContacts",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Internet Connection Wizard","Completed",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","height",%REG_BINARY%,00,00,00,00
HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","Maximized",%REG_SZ%,"no"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","width",%REG_BINARY%,00,00,00,80
HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","x",%REG_BINARY%,00,00,00,80
HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","y",%REG_BINARY%,00,00,00,00
HKO,"SOFTWARE\Microsoft\Internet Explorer\International","AcceptLanguage",%REG_SZ%,"de-DE,de;q=0.5"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Anchor Underline",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Cache_Update_Frequency",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Disable Script Debugger",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","DisableScriptDebuggerIE",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Display Inline Images",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Do404Search",%REG_BINARY%,01,00,00,00
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Local Page",%REG_SZ%,"%%11%%\blank.htm"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Save_Session_History_On_Exit",%REG_SZ%,"no"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Search Page",%REG_SZ%,"http://go.microsoft.com/fwlink/?LinkId=54896"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_FullURL",%REG_SZ%,"no"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_StatusBar",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_ToolBar",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_URLinStatusBar",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_URLToolBar",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Use_DlgBox_Colors",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","UseClearType",%REG_SZ%,"no"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","XMLHTTP",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Internet Explorer\New Windows","PopupMgr",%REG_SZ%,"yes"
HKO,"SOFTWARE\Microsoft\Internet Explorer\New Windows","Use Anchor Hover Color",%REG_SZ%,"1"
HKO,"SOFTWARE\Microsoft\Internet Explorer\New Windows","UseSecBand",%REG_SZ%,"1"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Security","Safety Warning Level",%REG_SZ%,"Query"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Security","Sending_Security",%REG_SZ%,"Medium"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Security","Viewing_Security",%REG_SZ%,"Low"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Services",,%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Anchor Color",%REG_SZ%,"0,0,255"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Anchor Color Visited",%REG_SZ%,"128,0,128"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Background Color",%REG_SZ%,"192,192,192"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Text Color",%REG_SZ%,"0,0,0"
HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Use Anchor Hover Color",%REG_SZ%,"No"
HKO,"SOFTWARE\Microsoft\Internet Explorer\TypedURLs","url1",%REG_SZ%,"http://go.microsoft.com/fwlink/p/?LinkId=255141"
HKO,"SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks","{CFBFAE00-17A6-11D0-99CB-00C04FD64497}",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\MobilePC\AdaptableSettings",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Multimedia\Audio\DefaultEndpoint",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Narrator\NoRoam","RunningState",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\OneDrive","EnableDownlevelInstallOnBluePlus",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\OneDrive","EnableTHDFFeatures",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Osk","RunningState",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\PeerNet\Event_Config",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Personalization\Settings","AcceptedPrivacyPolicy",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Phone\ShellUI",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Remote Assistance",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\ScreenMagnifier","RunningState",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Sensors",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableDictation","dwm.exe",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableDictation","tabtip.exe",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableMSAA","devenv.exe",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableMSAA","taskmgr.exe",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\TabletTip\1.7",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\UEV\Agent","UserConsoleVersion",%REG_SZ%,"10.0.19041.1387"
HKO,"SOFTWARE\Microsoft\WAB\WAB4\Wab File Name",,%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\WcmSvc\Tethering\Roaming",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\wfs\DraftsView",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\wfs\InboxView",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\wfs\IncomingView",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\wfs\OutboxView",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\wfs\SentItemsView",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\DoubleClickBelowLock","Override",%REG_DWORD%,5 ; 0x00000005
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\DoubleClickBelowLock","PenWorkspaceVerb",%REG_DWORD%,3 ; 0x00000003
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\LongPressBelowLock","Override",%REG_DWORD%,5 ; 0x00000005
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\LongPressBelowLock","PenWorkspaceVerb",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\SingleClickBelowLock","Override",%REG_DWORD%,8 ; 0x00000008
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\SingleClickBelowLock","PenWorkspaceVerb",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","FeatureManagementEnabled",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","OemPreInstalledAppsEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","PreInstalledAppsEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","RotatingLockScreenEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","RotatingLockScreenOverlayEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SilentInstalledAppsEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SoftLandingEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SystemPaneSuggestionsEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SlideshowEnabled",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-310091","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-310092","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338380","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338381","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338387","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338388","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced","Start_SearchFiles",%REG_DWORD%,2 ; 0x00000002
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers","DisableAutoplay",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection",,%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers",,%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon","empty",%REG_EXPAND_SZ%,"%%SystemRoot%%\System32\imageres.dll,-55"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon","full",%REG_EXPAND_SZ%,"%%SystemRoot%%\System32\imageres.dll,-54"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","BreadCrumbBarSearchDefault",%REG_SZ%,"MSNSearch"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableAutoNavigateURL",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableAutoResolveEmailAddrs",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableResultsInNewWindow",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableTabbedBrowsing",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","EditSavedSearch",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","IEAddressBarSearchDefault",%REG_SZ%,"MSNSearch"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","!Do not use this registry key",%REG_SZ%,"Use the SHGetFolderPath or SHGetKnownFolderPath function instead"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","AppData",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Cache",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\Windows\INetCache"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Cookies",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\Windows\INetCookies"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Desktop",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Desktop"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Favorites",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Favorites"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","History",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\Windows\History"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Local AppData",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Music",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Music"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Pictures",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Pictures"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Video",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Videos"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","NetHood",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Network Shortcuts"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Personal",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Documents"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","PrintHood",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Programs",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Recent",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Recent"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","SendTo",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\SendTo"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Start Menu",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Startup",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Templates",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Templates"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","{374DE290-123F-4565-9164-39C4925E467B}",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Downloads"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\FileHistory\RestoreUI","FolderViewType",%REG_SZ%,"MediumIcons"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\FileHistory\RestoreUI","SearchResultsViewType",%REG_SZ%,"Content"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\FileHistory\RestoreUI","WindowLocation",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Holographic","FirstRunSucceeded",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Holographic\StageManagement","DisableQuickRoomSetup",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Holographic\StageManagement","DisableStageNearbyRequirement",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ActiveLearning",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","AnsiChar",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","AutoCandState",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","BallonUI",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","BeepEnable",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Big5CharOnly",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CandidateLargeFont",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CandidateSortType",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.All.ActiveAlphaNum",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.All.ZkeyAsWildCard",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.AssociatedWord",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.IsOfflineReading",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.ReadLayout",%REG_SZ%,"0x00010030"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CharMode",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CustomLayout",%REG_BINARY%,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","DefaultLanguage",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Delemiter",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Domain",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EnableCNSReading",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EnableExtensionA_Char",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EnableExtensionB_Char",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EudpSCK",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Fuzzy",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","HFTLearning",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intellegnt.Eudp",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.AssociatedWord",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.AutoFinalize",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.AutoInputSwitch",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.EnableFinal",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.EscapeFunc",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","LeadingIndicator",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.AutoFinalize",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.AutoInputSwitch",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.EnableFinal",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.EscapeFunc",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.Eudp",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.Modeless",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","MaxCharPerSentence",%REG_SZ%,"0x00000020"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewChangJie.Modeless",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewPhonetic.IntCharMode",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewPhonetic.Modeless",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewQuick.Modeless",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.All.ActiveAlphaNum",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.All.ZkeyAsWildCard",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.AssociatedWord",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.IntCharMode",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.IsOfflineReading",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.ReadLayout",%REG_SZ%,"0x00020010"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PhrManEudpSortType",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PhrManSelfLearnSortType",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PluginLexiconInfo",%REG_BINARY%,00,00,00,00,00,00,00,00
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PuncEnable",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Quick.AssociatedWord",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Quick.ZkeyAsWildCard",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ReconvertLength",%REG_SZ%,"0x00000020"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ReservedWord",%REG_BINARY%,08,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,2f,00,2f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,69,00,6c,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,74,00,70,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,68,00,74,00,74,00,70,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,6d,00,61,00,69,00,6c,00,74,00,6f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,6e,00,65,00,77,00,73,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,00,00,00,00,00,00,00,00,00,00,00,00,77,00,77,00,77,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ReversedReadingType",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","SelfLearning",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","SharedEudp",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ShiftLeft",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ShiftRight",%REG_SZ%,"0x00000001"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Surrogate",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Trigram",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","UserSymbolMapping",%REG_BINARY%,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,31,00,32,00,33,00,34,00,35,00,36,00,37,00,38,00,39,00,30,00,61,00,62,00,63,00,64,00,65,00,66,00,67,00,68,00,69,00,6a,00,6b,00,6c,00,6d,00,6e,00,6f,00,70,00,71,00,72,00,73,00,74,00,75,00,76,00,77,00,78,00,79,00,7a,00,2d,00,3d,00,5c,00,5b,00,5d,00,3b,00,27,00,2c,00,2e,00,2f,00,60,00,00,30,11,ff,12,ff,13,ff,14,ff,15,ff,16,ff,17,ff,18,ff,19,ff,10,ff,41,ff,42,ff,43,ff,44,ff,45,ff,46,ff,47,ff,48,ff,49,ff,4a,ff,4b,ff,4c,ff,4d,ff,4e,ff,4f,ff,50,ff,51,ff,52,ff,53,ff,54,ff,55,ff,56,ff,57,ff,58,ff,59,ff,5a,ff,00,25,1d,ff,3c,ff,14,30,15,30,54,fe,19,20,0c,ff,02,30,0f,ff,35,20,20,00,21,00,40,00,23,00,24,00,25,00,5e,00,26,00,2a,00,28,00,29,00,41,00,42,00,43,00,44,00,45,00,46,00,47,00,48,00,49,00,4a,00,4b,00,4c,00,4d,00,4e,00,4f,00,50,00,51,00,52,00,53,00,54,00,55,00,56,00,57,00,58,00,59,00,5a,00,5f,00,2b,00,7c,00,7b,00,7d,00,3a,00,22,00,3c,00,3e,00,3f,00,7e,00,00,30,01,ff,20,ff,03,ff,04,ff,05,ff,3f,fe,06,ff,0a,ff,08,ff,09,ff,21,ff,22,ff,23,ff,24,ff,25,ff,26,ff,27,ff,28,ff,29,ff,2a,ff,2b,ff,2c,ff,2d,ff,2e,ff,2f,ff,30,ff,31,ff,32,ff,33,ff,34,ff,35,ff,36,ff,37,ff,38,ff,39,ff,3a,ff,3f,ff,0b,ff,5c,ff,5b,ff,5d,ff,1a,ff,1d,20,1c,ff,1e,ff,1f,ff,5e,ff,20,00,31,00,32,00,33,00,34,00,35,00,36,00,37,00,38,00,39,00,30,00,61,00,62,00,63,00,64,00,65,00,66,00,67,00,68,00,69,00,6a,00,6b,00,6c,00,6d,00,6e,00,6f,00,70,00,71,00,72,00,73,00,74,00,75,00,76,00,77,00,78,00,79,00,7a,00,2d,00,3d,00,5c,00,5b,00,5d,00,3b,00,27,00,2c,00,2e,00,2f,00,60,00,00,30,11,ff,12,ff,13,ff,14,ff,15,ff,16,ff,17,ff,18,ff,19,ff,10,ff,41,ff,42,ff,43,ff,44,ff,45,ff,46,ff,47,ff,48,ff,49,ff,4a,ff,4b,ff,4c,ff,4d,ff,4e,ff,4f,ff,50,ff,51,ff,52,ff,53,ff,54,ff,55,ff,56,ff,57,ff,58,ff,59,ff,5a,ff,00,25,1d,ff,3c,ff,14,30,15,30,54,fe,19,20,0c,ff,02,30,0f,ff,35,20,20,00,21,00,40,00,23,00,24,00,25,00,5e,00,26,00,2a,00,28,00,29,00,41,00,42,00,43,00,44,00,45,00,46,00,47,00,48,00,49,00,4a,00,4b,00,4c,00,4d,00,4e,00,4f,00,50,00,51,00,52,00,53,00,54,00,55,00,56,00,57,00,58,00,59,00,5a,00,5f,00,2b,00,7c,00,7b,00,7d,00,3a,00,22,00,3c,00,3e,00,3f,00,7e,00,00,30,01,ff,20,ff,03,ff,04,ff,05,ff,3f,fe,06,ff,0a,ff,08,ff,09,ff,21,ff,22,ff,23,ff,24,ff,25,ff,26,ff,27,ff,28,ff,29,ff,2a,ff,2b,ff,2c,ff,2d,ff,2e,ff,2f,ff,30,ff,31,ff,32,ff,33,ff,34,ff,35,ff,36,ff,37,ff,38,ff,39,ff,3a,ff,3f,ff,0b,ff,5c,ff,5b,ff,5d,ff,1a,ff,1d,20,1c,ff,1e,ff,1f,ff,5e,ff,20,00,31,00,32,00,33,00,34,00,35,00,36,00,37,00,38,00,39,00,30,00,61,00,62,00,63,00,64,00,65,00,66,00,67,00,68,00,69,00,6a,00,6b,00,6c,00,6d,00,6e,00,6f,00,70,00,71,00,72,00,73,00,74,00,75,00,76,00,77,00,78,00,79,00,7a,00,2d,00,3d,00,5c,00,5b,00,5d,00,3b,00,27,00,2c,00,2e,00,2f,00,60,00,00,30,11,ff,12,ff,13,ff,14,ff,15,ff,16,ff,17,ff,18,ff,19,ff,10,ff,41,ff,42,ff,43,ff,44,ff,45,ff,46,ff,47,ff,48,ff,49,ff,4a,ff,4b,ff,4c,ff,4d,ff,4e,ff,4f,ff,50,ff,51,ff,52,ff,53,ff,54,ff,55,ff,56,ff,57,ff,58,ff,59,ff,5a,ff,00,25,1d,ff,3c,ff,14,30,15,30,54,fe,19,20,0c,ff,02,30,0f,ff,35,20,20,00,21,00,40,00,23,00,24,00,25,00,5e,00,26,00,2a,00,28,00,29,00,41,00,42,00,43,00,44,00,45,00,46,00,47,00,48,00,49,00,4a,00,4b,00,4c,00,4d,00,4e,00,4f,00,50,00,51,00,52,00,53,00,54,00,55,00,56,00,57,00,58,00,59,00,5a,00,5f,00,2b,00,7c,00,7b,00,7d,00,3a,00,22,00,3c,00,3e,00,3f,00,7e,00,00,30,01,ff,20,ff,03,ff,04,ff,05,ff,3f,fe,06,ff,0a,ff,08,ff,09,ff,21,ff,22,ff,23,ff,24,ff,25,ff,26,ff,27,ff,28,ff,29,ff,2a,ff,2b,ff,2c,ff,2d,ff,2e,ff,2f,ff,30,ff,31,ff,32,ff,33,ff,34,ff,35,ff,36,ff,37,ff,38,ff,39,ff,3a,ff,3f,ff,0b,ff,5c,ff,5b,ff,5d,ff,1a,ff,1d,20,1c,ff,1e,ff,1f,ff,5e,ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","VirtualInputMode",%REG_SZ%,"0x00000000"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme","Data",%REG_BINARY%,87,3f,00,00
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme","Name",%REG_SZ%,"{EF8C6C27-997A-4af2-BC0E-A15C84790F8C}"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","CertificateRevocation",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","DisableCachingOfSSLPages",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","IE5_UA_Backup_Flag",%REG_SZ%,"5.0"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","PrivacyAdvanced",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","SecureProtocols",%REG_DWORD%,2688 ; 0x00000a80
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","User Agent",%REG_SZ%,"Mozilla/5.0 (compatible; MSIE 9.0; Win32)"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache","Persistent",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen","LockAppAumId",%REG_SZ%,"Microsoft.LockApp_cw5n1h2txyewy!WindowsDefaultLockScreen"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Mobility",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PenWorkspace\Notes","NotesApp",%REG_SZ%,"Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","AAPThreshold",%REG_DWORD%,2 ; 0x00000002
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","CursorSpeed",%REG_DWORD%,10 ; 0x0000000a
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","EnableEdgy",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","LeaveOnWithMouse",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","PanEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","RightClickZoneEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","ScrollDirection",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","TapAndDrag",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","TapsEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","TwoFingerTapEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","ZoomEnabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\Status","Enabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy","TailoredExperiencesWithDiagnosticDataEnabled",%REG_DWORD%,2 ; 0x00000002
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher","Capabilities",%REG_DWORD%,9471 ; 0x000024ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher","PackageMoniker",%REG_SZ%,"System"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncherCustom","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncherCustom","Capabilities",%REG_DWORD%,9471 ; 0x000024ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncherCustom","PackageMoniker",%REG_SZ%,"System"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.DisplaySettings","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.DisplaySettings","Capabilities",%REG_DWORD%,9471 ; 0x000024ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.DisplaySettings","PackageMoniker",%REG_SZ%,"System"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.FodHelper","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.FodHelper","Capabilities",%REG_DWORD%,9471 ; 0x000024ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.FodHelper","PackageMoniker",%REG_SZ%,"System"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience","Capabilities",%REG_DWORD%,9471 ; 0x000024ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience","PackageMoniker",%REG_SZ%,"System"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.Suggested","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.Suggested","Capabilities",%REG_DWORD%,9471 ; 0x000024ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.Suggested","PackageMoniker",%REG_SZ%,"System"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.WindowsTip","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.WindowsTip","Capabilities",%REG_DWORD%,9471 ; 0x000024ff
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.WindowsTip","PackageMoniker",%REG_SZ%,"System"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\RADAR","CLResolutionInterval",%REG_DWORD%,5 ; 0x00000005
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\RADAR","DisplayInterval",%REG_DWORD%,1440 ; 0x000005a0
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDriveSetup",%REG_SZ%,"C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Bubbles\Screen 1",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Bubbles\Screen 2",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Mystify\Screen 1",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Mystify\Screen 2",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Ribbons\Screen 1",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Ribbons\Screen 2",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\ssText3d\Screen 1",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\ssText3d\Screen 2",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync","Enabled",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\SmartGlass","UserAuthPolicy",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities","RequestMakeCall",%REG_SZ%,"DIALER.EXE"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\MediaModes",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager","DllName",%REG_EXPAND_SZ%,"%%SystemRoot%%\resources\themes\Aero\Aero.msstyles"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager","PrePolicy-DllName",%REG_SZ%,"C:\Windows\resources\themes\Aero\Aero.msstyles"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","InstallVisualStyleColor",%REG_SZ%,"NormalColor"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","InstallVisualStyleSize",%REG_SZ%,"NormalSize"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","LastHighContrastTheme",%REG_EXPAND_SZ%,"%%SystemRoot%%\resources\Ease of Access Themes\hcblack.theme"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","ThemeChangesDesktopIcons",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","ThemeChangesMousePointers",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize","ColorPrevalence",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize","EnableTransparency",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing","State",%REG_DWORD%,146432 ; 0x00023c00
HKO,"SOFTWARE\Microsoft\Windows\DWM","Composition",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows\TabletPC\Snipping Tool",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\TabletPC\TabSetup",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices","Microsoft XPS Document Writer",%REG_SZ%,"winspool,Ne00:"
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices","Microsoft Print to PDF",%REG_SZ%,"winspool,Ne01:"
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices","Fax",%REG_SZ%,"winspool,Ne02:"
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts","AnyIdMax",%REG_DWORD%,5 ; 0x00000005
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts","SameIdMax",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts","TimeWindowMinutes",%REG_DWORD%,1440 ; 0x000005a0
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts","Microsoft XPS Document Writer",%REG_SZ%,"winspool,Ne00:,15,45"
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts","Microsoft Print to PDF",%REG_SZ%,"winspool,Ne01:,15,45"
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts","Fax",%REG_SZ%,"winspool,Ne02:,15,45"
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","Device",%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","IsMRUEstablished",%REG_DWORD%,4294967295 ; 0xffffffff
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","LegacyDefaultPrinterMode",%REG_DWORD%,4294967295 ; 0xffffffff
HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Pen","PenArbitrationType",%REG_DWORD%,3 ; 0x00000003
HKO,"SOFTWARE\Microsoft\Wisp\MultiTouch",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","DblDist",%REG_DWORD%,20 ; 0x00000014
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","DblTime",%REG_DWORD%,300 ; 0x0000012c
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","EraseEnable",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","FlickMode",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","FlickTolerance",%REG_DWORD%,50 ; 0x00000032
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","HoldMode",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","HoldTime",%REG_DWORD%,2300 ; 0x000008fc
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","RightMaskEnable",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","Splash",%REG_DWORD%,50 ; 0x00000032
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","TapTime",%REG_DWORD%,100 ; 0x00000064
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","WaitTime",%REG_DWORD%,300 ; 0x0000012c
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\CustomFlickCommands",,%REG_KEYONLY%
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","down",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","downLeft",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","downRight",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","left",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","right",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","up",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","upLeft",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","upRight",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}"
HKO,"SOFTWARE\Microsoft\Wisp\Touch","Bouncing",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Wisp\Touch","Friction",%REG_DWORD%,50 ; 0x00000032
HKO,"SOFTWARE\Microsoft\Wisp\Touch","Inertia",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchMode_hold",%REG_DWORD%,1 ; 0x00000001
HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_DtapDist",%REG_DWORD%,50 ; 0x00000032
HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_DtapTime",%REG_DWORD%,50 ; 0x00000032
HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_HoldTime_Animation",%REG_DWORD%,50 ; 0x00000032
HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_HoldTime_BeforeAnimation",%REG_DWORD%,50 ; 0x00000032
HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchUI",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache",,%REG_KEYONLY%
HKO,"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache",,%REG_KEYONLY%
HKO,"SOFTWARE\Policies\Power\PowerSettings",,%REG_KEYONLY%
HKO,"System\CurrentControlSet\Control\Network\NetworkLocationWizard","ShowCount",%REG_DWORD%,0 ; 0x00000000

; EOF

Downloads

The console application is available in two functional identical forms: OFFREG.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and OFFREG.COM, a small form without these extras.

Implementation and Build Details

Offline Registry Reader is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error is not supported!

The MSDN article Console Handles provides background information.

Source and Build Instructions

Perform the following 2 simple steps to build the console application Offline Registry Reader from the source presented hereafter.

  1. Create the text file OFFREG.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>
#include <sddl.h>
#include <offreg.h>

#define memcpy	__movsb
#define wmemcpy	__movsw

#define MAX_DEPTH		512UL
#define MAX_KEY_LENGTH		255UL
#define MAX_VALUE_NAME		16383UL
#define MAX_VALUE_DATA		1048576UL

typedef	unsigned long long	QWORD, *LPQWORD;

BYTE	cbData[MAX_VALUE_DATA];
WCHAR	szKey[(MAX_KEY_LENGTH + 1) * MAX_DEPTH];
WCHAR	szValue[MAX_VALUE_NAME + 1];

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(safebuffers)
BOOL	PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	LPBYTE	lpOutput;
	DWORD	dwOutput;
	DWORD	dwFile;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	dwOutput *= sizeof(*szOutput);
	lpOutput = (LPBYTE) szOutput;

	do
	{
		if (!WriteFile(hFile, lpOutput, dwOutput, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpOutput += dwFile;
		dwOutput -= dwFile;
	} while (dwOutput > 0);

	return TRUE;
}

#define PrintString(HANDLE, LITERAL)	PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)

__inline
BOOL	WINAPI	PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
	DWORD	dwFile;

	dwString *= sizeof(*lpString);

	do
	{
		if (!WriteFile(hFile, lpString, dwString, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpString = (LPCWSTR) ((LPBYTE) lpString + dwFile);
		dwString -= dwFile;
	} while (dwString > 0);

	return TRUE;
}

__inline
LPCWSTR	WINAPI	InfEscape(LPCWSTR lpString)
{
	do
		if ((*lpString == L'"')
		 || (*lpString == L'%'))
			return lpString;
	while (*lpString++ != L'\0');

	return NULL;
}

#ifndef TINY
const	WCHAR	szBytes[256][4] = {L",00", L",01", L",02", L",03", L",04", L",05", L",06", L",07", L",08", L",09", L",0a", L",0b", L",0c", L",0d", L",0e", L",0f",
		                   L",10", L",11", L",12", L",13", L",14", L",15", L",16", L",17", L",18", L",19", L",1a", L",1b", L",1c", L",1d", L",1e", L",1f",
		                   L",20", L",21", L",22", L",23", L",24", L",25", L",26", L",27", L",28", L",29", L",2a", L",2b", L",2c", L",2d", L",2e", L",2f",
		                   L",30", L",31", L",32", L",33", L",34", L",35", L",36", L",37", L",38", L",39", L",3a", L",3b", L",3c", L",3d", L",3e", L",3f",
		                   L",40", L",41", L",42", L",43", L",44", L",45", L",46", L",47", L",48", L",49", L",4a", L",4b", L",4c", L",4d", L",4e", L",4f",
		                   L",50", L",51", L",52", L",53", L",54", L",55", L",56", L",57", L",58", L",59", L",5a", L",5b", L",5c", L",5d", L",5e", L",5f",
		                   L",60", L",61", L",62", L",63", L",64", L",65", L",66", L",67", L",68", L",69", L",6a", L",6b", L",6c", L",6d", L",6e", L",6f",
		                   L",70", L",71", L",72", L",73", L",74", L",75", L",76", L",77", L",78", L",79", L",7a", L",7b", L",7c", L",7d", L",7e", L",7f",
		                   L",80", L",81", L",82", L",83", L",84", L",85", L",86", L",87", L",88", L",89", L",8a", L",8b", L",8c", L",8d", L",8e", L",8f",
		                   L",90", L",91", L",92", L",93", L",94", L",95", L",96", L",97", L",98", L",99", L",9a", L",9b", L",9c", L",9d", L",9e", L",9f",
		                   L",a0", L",a1", L",a2", L",a3", L",a4", L",a5", L",a6", L",a7", L",a8", L",a9", L",aa", L",ab", L",ac", L",ad", L",ae", L",af",
		                   L",b0", L",b1", L",b2", L",b3", L",b4", L",b5", L",b6", L",b7", L",b8", L",b9", L",ba", L",bb", L",bc", L",bd", L",be", L",bf",
		                   L",c0", L",c1", L",c2", L",c3", L",c4", L",c5", L",c6", L",c7", L",c8", L",c9", L",ca", L",cb", L",cc", L",cd", L",ce", L",cf",
		                   L",d0", L",d1", L",d2", L",d3", L",d4", L",d5", L",d6", L",d7", L",d8", L",d9", L",da", L",db", L",dc", L",dd", L",de", L",df",
		                   L",e0", L",e1", L",e2", L",e3", L",e4", L",e5", L",e6", L",e7", L",e8", L",e9", L",ea", L",eb", L",ec", L",ed", L",ee", L",ef",
		                   L",f0", L",f1", L",f2", L",f3", L",f4", L",f5", L",f6", L",f7", L",f8", L",f9", L",fa", L",fb", L",fc", L",fd", L",fe", L",ff"};
#endif

const	LPCWSTR	szType[12] = {L"NONE",
		              L"SZ",
		              L"EXPAND_SZ",
		              L"BINARY",
		              L"DWORD",		// alias DWORD_LITTLE_ENDIAN
		              L"DWORD_BIG_ENDIAN",
		              L"LINK",
		              L"MULTI_SZ",
		              L"RESOURCE_LIST",
		              L"FULL_RESOURCE_DESCRIPTOR",
		              L"RESOURCE_REQUIREMENTS_LIST",
		              L"QWORD"};	// alias QWORD_LITTLE_ENDIAN

DWORD	WINAPI	Offline(HANDLE hConsole, HANDLE hOutput, ORHKEY hkKey, DWORD dwKey)
{
	BOOL	bOutput;
	ORHKEY	hkSubKey;
	LPCWSTR	lpSubKey = szKey + dwKey + 1;
	LPCWSTR	lpData, lpEscape, lpLast, lpMulti;
#ifdef SANITY
	LPCWSTR	lpCount;
	DWORD	dwCount, dwChars;
#endif
	DWORD	dwError;
	DWORD	dwSubKeys, dwSubKey;
	DWORD	dwValues, dwValue, dwType, dwData, dwBytes;
#ifdef SECURITY
	dwData = sizeof(cbData);

	dwError = ORGetKeySecurity(hkKey,
	                           OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
	                           cbData,
	                           &dwData);

	if (dwError != ERROR_SUCCESS)
		PrintConsole(hConsole,
		             L"ORGetKeySecurity() returned error %lu for registry key \'%ls\'\n",
		             dwError, szKey);
	else
		if (!ConvertSecurityDescriptorToStringSecurityDescriptor(cbData,
		                                                         SDDL_REVISION_1,
		                                                         OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
		                                                         &lpData,
		                                                         (LPDWORD) NULL))
			PrintConsole(hConsole,
			             L"ConvertSecurityDescriptorToStringSecurityDescriptor() returned error %lu for registry key \'%ls\'\n",
			             dwError = GetLastError(), szKey);
		else
		{
			if (dwKey < sizeof("HKEY_OFFLINE"))
				bOutput = PrintString(hOutput,
				                      L"HKO,,,%REG_KEYONLY%\r\n");
			else
				bOutput = PrintFormat(hOutput,
				                      L"HKO,\"%ls\",,%%REG_KEYONLY%%\r\n",
				                      szKey + sizeof("HKEY_OFFLINE"));

			bOutput &= PrintString(hOutput, L"; ");
			bOutput &= PrintDirect(hOutput, lpData, wcslen(lpData));
			bOutput &= PrintString(hOutput, L"\r\n");

			if (!bOutput)
				PrintConsole(hConsole,
				             L"WriteFile() returned error %lu for registry key \'%ls\'\n",
				             dwError = GetLastError(), szKey);

			if (LocalFree(lpData) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}
#endif
	for (dwValues = 0;; dwValues++)
	{
	//	*szValue = L'\0';
		dwValue = sizeof(szValue) / sizeof(*szValue);
		dwData = sizeof(cbData);

		dwError = OREnumValue(hkKey,
		                      dwValues,
		                      szValue,
		                      &dwValue,
		                      &dwType,
		                      cbData,
		                      &dwData);

		if (dwError == ERROR_NO_MORE_ITEMS)
			break;

		if (dwError != ERROR_SUCCESS)
			PrintConsole(hConsole,
			             L"OREnumValue() returned error %lu for registry key \'%ls\'\n",
			             dwError, szKey);
		else
		{
#ifdef SANITY
			dwChars = wcslen(szValue);

			if (dwValue < dwChars)
				PrintConsole(hConsole,
				             L"ERROR: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)!\n",
				             dwValue, szValue, dwChars, szKey);
			else if (dwValue > dwChars)
				PrintConsole(hConsole,
				             L"WARNING: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
				             dwValue, szValue, dwChars, szKey);

			if (dwData == 0)
				PrintConsole(hConsole,
				             L"WARNING: no value data for value name \'%ls\' in registry key \'%ls\'\n",
				             szValue, szKey);
			else
				switch (dwType)
				{
				case REG_LINK:

					if (dwData % sizeof(L'\0') != 0)
						PrintConsole(hConsole,
						             L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' not a multiple of WCHAR size!\n",
						             dwData, szValue, szKey);
					break;

				case REG_DWORD_BIG_ENDIAN:
				case REG_DWORD_LITTLE_ENDIAN:
			//	case REG_DWORD:

					if (dwData < sizeof(DWORD))
						PrintConsole(hConsole,
						             L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than DWORD size!\n",
						             dwData, szValue, szKey);
					else if (dwData > sizeof(DWORD))
						PrintConsole(hConsole,
						             L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than DWORD size\n",
						             dwData, szValue, szKey);
					break;

				case REG_QWORD_LITTLE_ENDIAN:
			//	case REG_QWORD:

					if (dwData < sizeof(QWORD))
						PrintConsole(hConsole,
						             L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than QWORD size!\n",
						             dwData, szValue, szKey);
					else if (dwData > sizeof(QWORD))
						PrintConsole(hConsole,
						             L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than QWORD size\n",
						             dwData, szValue, szKey);
					break;

				case REG_SZ:
				case REG_EXPAND_SZ:

					dwChars = wcslen((LPCWSTR) cbData);
					dwBytes = (dwChars + 1) * sizeof(L'\0');

					if (dwData < dwBytes)
						PrintConsole(hConsole,
						             L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu + 1 characters = %lu bytes)\n",
						             dwData, szValue, szKey, dwChars, dwBytes);
					else if (dwData > dwBytes)
						PrintConsole(hConsole,
						             L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu + 1 characters = %lu bytes)\n",
						             dwData, szValue, szKey, dwChars, dwBytes);
					break;

				case REG_MULTI_SZ:

					dwChars = 0;
					dwCount = 1;
					lpCount = (LPCWSTR) cbData;

					while (*lpCount != L'\0')
					{
						dwChars += wcslen(lpCount);
						dwCount++;
						lpCount += wcslen(lpCount) + 1;
					}

					dwBytes = (dwChars + dwCount) * sizeof(L'\0');

					if (dwData < dwBytes)
						PrintConsole(hConsole,
						             L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
						             dwData, szValue, szKey, dwChars, dwCount, dwBytes);
					else if (dwData > dwBytes)
						PrintConsole(hConsole,
						             L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
						             dwData, szValue, szKey, dwChars, dwCount, dwBytes);
					break;

			//	case REG_NONE:
			//	case REG_BINARY:
			//	case REG_RESOURCE_LIST:
			//	case REG_FULL_RESOURCE_DESCRIPTOR:
			//	case REG_RESOURCE_REQUIREMENTS_LIST:
				}
#ifdef UNKNOWN
			if (dwType > REG_QWORD)
				PrintConsole(hConsole,
				             L"WARNING: unknown data type (0x%08lx) for value name \'%ls\' in registry key \'%ls\'\n",
				             dwType, szValue, szKey);
#endif
#endif // SANITY
			if (dwKey < sizeof("HKEY_OFFLINE"))
				bOutput = PrintFormat(hOutput,
				                      L"HKO,,");
			else
				bOutput = PrintFormat(hOutput,
				                      L"HKO,\"%ls\",",
				                      szKey + sizeof("HKEY_OFFLINE"));

			if (dwType < sizeof(szType) / sizeof(*szType))
				if (dwValue == 0)
					bOutput &= PrintFormat(hOutput, L",%%REG_%ls%%", szType[dwType]);
				else
					bOutput &= PrintFormat(hOutput, L"\"%ls\",%%REG_%ls%%", szValue, szType[dwType]);
			else
				if (dwValue == 0)
					bOutput &= PrintFormat(hOutput, L",0x%08lx", dwType);
				else
					bOutput &= PrintFormat(hOutput, L"\"%ls\",0x%08lx", szValue, dwType);

			if (dwData == 0)
				bOutput &= PrintString(hOutput, L"\r\n");
			else
				switch (dwType)
				{
				case REG_LINK:

					if (dwData % sizeof(L'\0') != 0)
						goto DEFAULT;

					bOutput &= PrintString(hOutput, L",\"");
					bOutput &= PrintDirect(hOutput, (LPCWSTR) cbData, dwData / sizeof(L'\0'));
					bOutput &= PrintString(hOutput, L"\"\r\n");

					break;

				case REG_SZ:
				case REG_EXPAND_SZ:

					if (dwData % sizeof(L'\0') != 0)
						goto DEFAULT;

					if (*(LPCWSTR) cbData == L'\0')
						bOutput &= PrintString(hOutput, L",\"\"\r\n");
					else
					{
						lpData = (LPCWSTR) cbData;
						((LPWSTR) lpData)[dwData / sizeof(L'\0')] = L'\0';

						dwData = wcslen(lpData);

						bOutput &= PrintString(hOutput, L",\"");

						for (lpEscape = InfEscape(lpData); lpEscape != NULL; lpData = lpEscape, lpEscape = InfEscape(lpEscape + 1))
							bOutput &= PrintDirect(hOutput, lpData, lpEscape + 1 - lpData);

						bOutput &= PrintDirect(hOutput, lpData, (LPCWSTR) cbData + dwData - lpData);
						bOutput &= PrintString(hOutput, L"\"\r\n");
					}

					break;

				case REG_MULTI_SZ:

					if (dwData % sizeof(L'\0') != 0)
						goto DEFAULT;

					if ((dwData == sizeof(L'\0'))
					 && (*(LPCWSTR) cbData == L'\0'))
						bOutput &= PrintString(hOutput, L";\r\n");
					else
					{
						lpData = (LPCWSTR) cbData;
						dwData /= sizeof(L'\0');
						lpLast = lpData + dwData;

						if ((dwData > 1)
						 && (lpData[dwData - 1] == L'\0')
						 && (lpData[dwData - 2] == L'\0'))
							lpLast--;
						else
							*(LPWSTR) lpLast = L'\0';

						do
							if (*lpData == L'\0')
								bOutput &= PrintString(hOutput, L";\"\"");
							else
							{
								dwData = wcslen(lpData);

								bOutput &= PrintString(hOutput, L",\"");

								for (lpEscape = InfEscape(lpMulti = lpData), lpData += dwData;
								     lpEscape != NULL; lpMulti = lpEscape,
								     lpEscape = InfEscape(lpEscape + 1))
									bOutput &= PrintDirect(hOutput, lpMulti, lpEscape + 1 - lpMulti);

								bOutput &= PrintDirect(hOutput, lpMulti, lpData - lpMulti);
								bOutput &= PrintString(hOutput, L"\"");
							}
						while (++lpData < lpLast);

						bOutput &= PrintString(hOutput, L"\r\n");
					}

					break;

				case REG_DWORD_BIG_ENDIAN:

					if (dwData != sizeof(DWORD))
						goto DEFAULT;
#if 0
					bOutput &= PrintFormat(hOutput, L",%lu\r\n", _byteswap_ulong(*(LPDWORD) cbData));
#else
					bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", _byteswap_ulong(*(LPDWORD) cbData), *(LPDWORD) cbData);
#endif
					break;

				case REG_DWORD_LITTLE_ENDIAN:
			//	case REG_DWORD:

					if (dwData != sizeof(DWORD))
						goto DEFAULT;
#if 0
					bOutput &= PrintFormat(hOutput, L",%lu\r\n", *(LPDWORD) cbData);
#else
					bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", *(LPDWORD) cbData, *(LPDWORD) cbData);
#endif
					break;

				case REG_QWORD_LITTLE_ENDIAN:
			//	case REG_QWORD:

					if (dwData != sizeof(QWORD))
						goto DEFAULT;
#if 0
					bOutput &= PrintFormat(hOutput, L",%I64u\r\n", *(LPQWORD) cbData);
#else
					bOutput &= PrintFormat(hOutput, L",%I64u ; 0x%016I64x\r\n", *(LPQWORD) cbData, *(LPQWORD) cbData);
#endif
					break;

			//	case REG_NONE:
			//	case REG_BINARY:
			//	case REG_RESOURCE_LIST:
			//	case REG_FULL_RESOURCE_DESCRIPTOR:
			//	case REG_RESOURCE_REQUIREMENTS_LIST:
				default:
				DEFAULT:
					for (dwBytes = 0; dwBytes < dwData; dwBytes++)
#ifdef TINY
						bOutput &= PrintFormat(hOutput, L",%02x", cbData[dwBytes]);
#else
						bOutput &= PrintDirect(hOutput, szBytes[cbData[dwBytes]], 3);
#endif
					bOutput &= PrintString(hOutput, L"\r\n");
				}

			if (!bOutput)
				PrintConsole(hConsole,
				             L"WriteFile() returned error %lu for value \'%ls\' of registry key \'%ls\'\n",
				             dwError = GetLastError(), szValue, szKey);
		}
	}

	for (dwSubKeys = 0;; dwSubKeys++)
	{
		dwSubKey = sizeof(szKey) / sizeof(*szKey) - dwKey - 1;

		dwError = OREnumKey(hkKey,
		                    dwSubKeys,
		                    lpSubKey,
		                    &dwSubKey,
		                    (LPWSTR) NULL,
		                    (LPDWORD) NULL,
		                    (LPFILETIME) NULL);

		if (dwError == ERROR_NO_MORE_ITEMS)
			break;

		if (dwError != ERROR_SUCCESS)
			PrintConsole(hConsole,
			             L"OREnumKey() returned error %lu for registry key \'%ls\'\n",
			             dwError, szKey);
		else
		{
#ifdef SANITY
			dwChars = wcslen(lpSubKey);

			if (dwChars > dwSubKey)
				PrintConsole(hConsole,
				             L"ERROR: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)\n",
				             dwSubKey, lpSubKey, szKey, dwChars);
			else if (dwChars < dwSubKey)
				PrintConsole(hConsole,
				             L"WARNING: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
				             dwSubKey, lpSubKey, szKey, dwChars);
#endif // SANITY
			szKey[dwKey] = L'\\';

			dwError = OROpenKey(hkKey,
			                    lpSubKey,
			                    &hkSubKey);

			if (dwError != ERROR_SUCCESS)
				PrintConsole(hConsole,
				             L"OROpenKey() returned error %lu for registry key \'%ls\'\n",
				             dwError, szKey);
			else
			{
				dwError = Offline(hConsole, hOutput, hkSubKey, dwKey + 1 + dwSubKey);

				dwValue = ORCloseKey(hkSubKey);

				if (dwValue != ERROR_SUCCESS)
					PrintConsole(hConsole,
					             L"ORCloseKey() returned error %lu for registry key \'%ls\'\n",
					             dwValue, szKey);
			}

			szKey[dwKey] = L'\0';
		}
	}
#ifndef SECURITY
	if ((dwValues == 0) && (dwSubKeys == 0))
	{
		if (dwKey < sizeof("HKEY_OFFLINE"))
			bOutput = PrintString(hOutput,
			                      L"HKO,,,%REG_KEYONLY%\r\n");
		else
			bOutput = PrintFormat(hOutput,
			                      L"HKO,\"%ls\",,%%REG_KEYONLY%%\r\n",
			                      szKey + sizeof("HKEY_OFFLINE"));

		if (!bOutput)
			PrintConsole(hConsole,
			             L"WriteFile() returned error %lu for empty registry key \'%ls\'\n",
			             dwError = GetLastError(), szKey);
	}
#endif
	return dwError;
}

__declspec(noreturn)
VOID	WINAPI	wmainCRTStartup(VOID)
{
	SYSTEMTIME	st;

	LPWSTR	*lpArguments;
	INT	nArguments;
	DWORD	dwError = ERROR_BAD_ARGUMENTS;
	DWORD	dwMajor, dwMinor;
	HKEY	hkRoot;
	HANDLE	hOutput;
	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);

	if (hConsole == INVALID_HANDLE_VALUE)
		dwError = GetLastError();
	else
	{
		lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

		if (lpArguments == NULL)
			PrintConsole(hConsole,
			             L"CommandLineToArgv() returned error %lu\n",
			             dwError = GetLastError());
		else
		{
			if (nArguments != 2)
				PrintConsole(hConsole,
				             L"Bad arguments: a single file or path name of a registry hive must be given!\n");
			else
			{
				hOutput = GetStdHandle(STD_OUTPUT_HANDLE);

				if (hOutput == INVALID_HANDLE_VALUE)
					PrintConsole(hConsole,
					             L"GetStdHandle() returned error %lu\n",
					             dwError = GetLastError());
				else
				{
					if (!FlushFileBuffers(hOutput))
						PrintConsole(hConsole,
						             L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
						             dwError = GetLastError());
					else
					{
						ORGetVersion(&dwMajor, &dwMinor);

						PrintConsole(hConsole,
						             L"OFFREG.DLL version %lu.%lu\n",
						             dwMajor, dwMinor);

						dwError = OROpenHive(lpArguments[1], &hkRoot);

						if (dwError != ERROR_SUCCESS)
							PrintConsole(hConsole,
							             L"OROpenHive() returned error %lu\n",
							             dwError);
						else
						{
							GetSystemTime(&st);

							if (!PrintFormat(hOutput,
							                 L"\xFEFF"	// UTF-16LE BOM
							                 L"[Version]\r\n"
							                 L"DriverVer = %02hu/%02hu/%04hu,%02hu.%02hu.%02hu.%03hu ; UTC\r\n"
							                 L"Provider  = \"Stefan Kanthak\"\r\n"
							                 L"Signature = \"$Windows NT$\"\r\n"
							                 L"\r\n"
							                 L"[Strings]\r\n"
							                 L"REG_SZ                         = 0x00000000\r\n"
							                 L"REG_BINARY                     = 0x00000001\r\n"
							                 L"REG_KEYONLY                    = 0x00000010\r\n"
							                 L"REG_MULTI_SZ                   = 0x00010000\r\n"
							                 L"REG_DWORD                      = 0x00010001\r\n"
							                 L"REG_EXPAND_SZ                  = 0x00020000\r\n"
							                 L"REG_NONE                       = 0x00020001\r\n"
							                 L"REG_COMPATIBLE                 = 0x00030001 ; same as REG_BINARY\r\n"
							                 L"REG_DWORD_LITTLE_ENDIAN        = 0x00040001 ; same as REG_DWORD\r\n"
							                 L"REG_DWORD_BIG_ENDIAN           = 0x00050001\r\n"
							                 L"REG_LINK                       = 0x00060000\r\n"
							                 L"REG_RESOURCE_LIST              = 0x00080001\r\n"
							                 L"REG_FULL_RESOURCE_DESCRIPTOR   = 0x00090001\r\n"
							                 L"REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001\r\n"
							                 L"REG_QWORD                      = 0x000b0001\r\n"
							                 L"REG_QWORD_LITTLE_ENDIAN        = 0x000b0001 ; same as REG_QWORD\r\n"
							                 L"\r\n"
							                 L"[DefaultInstall.NT]\r\n"
							                 L";AddReg = AddReg.HKO\r\n"
							                 L"\r\n"
							                 L"[AddReg.HKO]\r\n",
							                 st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds))
								PrintConsole(hConsole,
								             L"WriteFile() returned error %lu\n",
								             dwError = GetLastError());
#if 0
							wmemcpy(szKey, L"HKEY_OFFLINE", sizeof("HKEY_OFFLINE"));
#else
							memcpy(szKey, L"HKEY_OFFLINE", sizeof(L"HKEY_OFFLINE"));
#endif
							dwError = Offline(hConsole, hOutput, hkRoot, sizeof("HKEY_OFFLINE") - 1);

							if (!PrintString(hOutput,
							                 L"\r\n"
							                 L"; EOF\r\n"))
								PrintConsole(hConsole,
								             L"WriteFile() returned error %lu\n",
								             dwError = GetLastError());

							dwError = ORCloseHive(hkRoot);

							if (dwError != ERROR_SUCCESS)
								PrintConsole(hConsole,
								             L"ORCloseHive() returned error %lu\n",
								             dwError);
						}
					}

					if (!CloseHandle(hOutput))
						PrintConsole(hConsole,
						             L"CloseHandle() returned error %lu\n",
						             GetLastError());
				}
			}

			if (LocalFree(lpArguments) != NULL)
				PrintConsole(hConsole,
				             L"LocalFree() returned error %lu\n",
				             GetLastError());
		}

		if (!CloseHandle(hConsole))
			PrintConsole(hConsole,
			             L"CloseHandle() returned error %lu\n",
			             GetLastError());
	}

	ExitProcess(dwError);
}
    Note: with the preprocessor macro SANITY defined, several consistency and sanity checks regarding the size of key and value names as well as value data and value data types are performed.

    Note: with the preprocessor macro SECURITY defined, the security descriptors of enumerated keys are printed in Security Descriptor Definition Language notation.

    Note: with the preprocessor macro TINY defined, the application gets 2036 bytes smaller, but also a little slower!

  2. Run the following four command lines to compile the source file OFFREG.C created in step 1., link the compiled object file OFFREG.OBJ and cleanup afterwards: 

    SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:OFFREG.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:mainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeOFFREG.COM OFFREG.C
ERASE OFFREG.OBJ
    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: the command lines can be copied and pasted as block into a Command Processor window! 

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

OFFREG.C
OFFREG.C(523) : warning C4090: 'function' : different 'const' qualifiers

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

…

Registry INF Dumper

Purpose
Synopsis
Demonstration
Downloads
Implementation and Build Details
Source, Build Instructions and Demonstration

Purpose

Enumerate all keys and values of one or more predefined Registry branches (HKCC, HKCR, HKCU, HKLM, HKLS, HKPD, HKU) and print them as an .inf file in UTF-16LE encoding on standard output (which must be redirected to a file or piped into an application that reads from standard input, like Clip, Find or More).

Note: to dump the entire Registry specify the branches HKLM and HKU.

Synopsis

REGISTRY.COM { HKCC | HKEY_CURRENT_CONFIG | HKCR | HKEY_CLASSES_ROOT | HKCU | HKEY_CURRENT_USER | HKDD | HKEY_DYN_DATA | HKLM | HKEY_LOCAL_MACHINE | HKLS | HKEY_CURRENT_USER_LOCAL_SETTINGS | HKPD | HKEY_PERFORMANCE_DATA | HKU | HKEY_USERS } … >‹output file name›
REGISTRY.COM { HKCC | HKEY_CURRENT_CONFIG | HKCR | HKEY_CLASSES_ROOT | HKCU | HKEY_CURRENT_USER | HKDD | HKEY_DYN_DATA | HKLM | HKEY_LOCAL_MACHINE | HKLS | HKEY_CURRENT_USER_LOCAL_SETTINGS | HKPD | HKEY_PERFORMANCE_DATA | HKU | HKEY_USERS } … | MORE.COM
Note: when run under a user account which has the privilege SeBackupPrivilege assigned, the Registry INF Dumper enables it to enumerate all registry keys below the specified branch(es).

Note: when run under a user account which has the privilege SeSecurityPrivilege assigned, the Registry INF Dumper enables it to include the system access control list in the optionally printed security descriptors.

Demonstration

Dump the HKCC branch of the registry to the file HKCC.inf and display it afterwards: 
VER
.\REGISTRY.COM HKCC 1>HKCC.inf
NET.EXE HelpMsg %ERRORLEVEL%
TYPE HKCC.inf
Microsoft Windows [Version 6.1.7601]

The operation completed successfully.

; Registry of 'AMNESIAC'

[Version]
DriverVer = 04/27/2022,08.15.00.815 ; UTC
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
REG_SZ                         = 0x00000000
REG_BINARY                     = 0x00000001
REG_KEYONLY                    = 0x00000010
REG_MULTI_SZ                   = 0x00010000
REG_DWORD                      = 0x00010001
REG_EXPAND_SZ                  = 0x00020000
REG_NONE                       = 0x00020001
REG_COMPATIBLE                 = 0x00030001 ; same as REG_BINARY
REG_DWORD_LITTLE_ENDIAN        = 0x00040001 ; same as REG_DWORD
REG_DWORD_BIG_ENDIAN           = 0x00050001
REG_LINK                       = 0x00060000
REG_RESOURCE_LIST              = 0x00080001
REG_FULL_RESOURCE_DESCRIPTOR   = 0x00090001
REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001
REG_QWORD                      = 0x000b0001
REG_QWORD_LITTLE_ENDIAN        = 0x000b0001 ; same as REG_QWORD

[DefaultInstall.NT]
;AddReg = AddReg.HKU,AddReg.HKLM;AddReg.HKCU,AddReg.HKCR

[AddReg.HKCC]
HKCC,"Software\Fonts","LogPixels",%REG_DWORD%,96 ; 0x00000060
HKCC,"System\CurrentControlSet\Control\Print\Printers",,%REG_KEYONLY%;
HKCC,"System\CurrentControlSet\Control\VIDEO",,%REG_KEYONLY%;
HKCC,"System\CurrentControlSet\Enum\IDE\DISKFUJITSU_MHZ2320BJ_G2____________________0000001E\5&2223391E&0&0.0.0","CSConfigFlags",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\Enum\USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\4E0B595B&0","CSConfigFlags",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\TSDDD\DEVICE0","Attach.ToDesktop",%REG_DWORD%,1 ; 0x00000001
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.ToDesktop",%REG_DWORD%,1 ; 0x00000001
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.BitsPerPel",%REG_DWORD%,32 ; 0x00000020
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.XResolution",%REG_DWORD%,1920 ; 0x00000780
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.YResolution",%REG_DWORD%,1200 ; 0x000004b0
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.VRefresh",%REG_DWORD%,1 ; 0x00000001
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.Flags",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.XPanning",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.YPanning",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.Orientation",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.FixedOutput",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.RelativeX",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.RelativeY",%REG_DWORD%,0 ; 0x00000000

; EOF

Downloads

The console application is available in two functional identical forms: REGISTRY.EXE, a big form with embedded application manifest, version information, icon plus time-stamped digital signature, and REGISTRY.COM, a small form without these extras.

Implementation and Build Details

Registry INF Dumper is a pure Win32 console application, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE 1.0 and newer versions.

Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error is not supported!

The MSDN article Console Handles provides background information.

Source, Build Instructions and Demonstration

Perform the following 2 (plus 2 optional) simple steps to build the console application Registry INF Dumper from the source presented hereafter.

  1. Create the text file REGISTRY.C with the following content in an arbitrary, preferable empty directory: 

    // Copyright © 2004-2023, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define _CRT_SECURE_NO_WARNINGS
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>
#include <sddl.h>

#define memcpy	__movsb
#define wmemcpy	__movsw

#define MAX_DEPTH		512UL
#define MAX_KEY_LENGTH		255UL
#define MAX_VALUE_NAME		16383UL
#define MAX_VALUE_DATA		1048576UL

#define SE_SECURITY_PRIVILEGE	8UL	// "SeSecurityPrivilege"
#define SE_BACKUP_PRIVILEGE	17UL	// "SeBackupPrivilege"

const	TOKEN_PRIVILEGES	tpBackup = {1, {SE_BACKUP_PRIVILEGE, 0, SE_PRIVILEGE_ENABLED}};

#ifdef SECURITY
const	TOKEN_PRIVILEGES	tpSecurity = {1, {SE_SECURITY_PRIVILEGE, 0, SE_PRIVILEGE_ENABLED}};
#endif

typedef	unsigned long long	QWORD, *LPQWORD;

BYTE	cbData[MAX_VALUE_DATA];
WCHAR	szKey[(MAX_KEY_LENGTH + 1) * MAX_DEPTH];
WCHAR	szValue[MAX_VALUE_NAME + 1];

__declspec(safebuffers)
BOOL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	DWORD	dwOutput;
	DWORD	dwConsole;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
		return FALSE;

	return dwConsole == dwOutput;
}

__declspec(safebuffers)
BOOL	PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
	WCHAR	szOutput[1024];
	LPBYTE	lpOutput;
	DWORD	dwOutput;
	DWORD	dwFile;

	va_list	vaInput;
	va_start(vaInput, lpFormat);

	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);

	va_end(vaInput);

	if (dwOutput == 0)
		return FALSE;

	dwOutput *= sizeof(*szOutput);
	lpOutput = (LPBYTE) szOutput;

	do
	{
		if (!WriteFile(hFile, lpOutput, dwOutput, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpOutput += dwFile;
		dwOutput -= dwFile;
	} while (dwOutput > 0);

	return TRUE;
}

#define PrintString(HANDLE, LITERAL)	PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)

__inline
BOOL	WINAPI	PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
	DWORD	dwFile;

	dwString *= sizeof(*lpString);

	do
	{
		if (!WriteFile(hFile, lpString, dwString, &dwFile, (LPOVERLAPPED) NULL))
			return FALSE;

		lpString = (LPCWSTR) ((LPBYTE) lpString + dwFile);
		dwString -= dwFile;
	} while (dwString > 0);

	return TRUE;
}

__inline
LPCWSTR	WINAPI	InfEscape(LPCWSTR lpString)
{
	do
		if ((*lpString == L'"')
		 || (*lpString == L'%'))
			return lpString;
	while (*lpString++ != L'\0');

	return NULL;
}

#ifndef TINY
const	WCHAR	szBytes[256][4] = {L",00", L",01", L",02", L",03", L",04", L",05", L",06", L",07", L",08", L",09", L",0a", L",0b", L",0c", L",0d", L",0e", L",0f",
		                   L",10", L",11", L",12", L",13", L",14", L",15", L",16", L",17", L",18", L",19", L",1a", L",1b", L",1c", L",1d", L",1e", L",1f",
		                   L",20", L",21", L",22", L",23", L",24", L",25", L",26", L",27", L",28", L",29", L",2a", L",2b", L",2c", L",2d", L",2e", L",2f",
		                   L",30", L",31", L",32", L",33", L",34", L",35", L",36", L",37", L",38", L",39", L",3a", L",3b", L",3c", L",3d", L",3e", L",3f",
		                   L",40", L",41", L",42", L",43", L",44", L",45", L",46", L",47", L",48", L",49", L",4a", L",4b", L",4c", L",4d", L",4e", L",4f",
		                   L",50", L",51", L",52", L",53", L",54", L",55", L",56", L",57", L",58", L",59", L",5a", L",5b", L",5c", L",5d", L",5e", L",5f",
		                   L",60", L",61", L",62", L",63", L",64", L",65", L",66", L",67", L",68", L",69", L",6a", L",6b", L",6c", L",6d", L",6e", L",6f",
		                   L",70", L",71", L",72", L",73", L",74", L",75", L",76", L",77", L",78", L",79", L",7a", L",7b", L",7c", L",7d", L",7e", L",7f",
		                   L",80", L",81", L",82", L",83", L",84", L",85", L",86", L",87", L",88", L",89", L",8a", L",8b", L",8c", L",8d", L",8e", L",8f",
		                   L",90", L",91", L",92", L",93", L",94", L",95", L",96", L",97", L",98", L",99", L",9a", L",9b", L",9c", L",9d", L",9e", L",9f",
		                   L",a0", L",a1", L",a2", L",a3", L",a4", L",a5", L",a6", L",a7", L",a8", L",a9", L",aa", L",ab", L",ac", L",ad", L",ae", L",af",
		                   L",b0", L",b1", L",b2", L",b3", L",b4", L",b5", L",b6", L",b7", L",b8", L",b9", L",ba", L",bb", L",bc", L",bd", L",be", L",bf",
		                   L",c0", L",c1", L",c2", L",c3", L",c4", L",c5", L",c6", L",c7", L",c8", L",c9", L",ca", L",cb", L",cc", L",cd", L",ce", L",cf",
		                   L",d0", L",d1", L",d2", L",d3", L",d4", L",d5", L",d6", L",d7", L",d8", L",d9", L",da", L",db", L",dc", L",dd", L",de", L",df",
		                   L",e0", L",e1", L",e2", L",e3", L",e4", L",e5", L",e6", L",e7", L",e8", L",e9", L",ea", L",eb", L",ec", L",ed", L",ee", L",ef",
		                   L",f0", L",f1", L",f2", L",f3", L",f4", L",f5", L",f6", L",f7", L",f8", L",f9", L",fa", L",fb", L",fc", L",fd", L",fe", L",ff"};
#endif

const	LPCWSTR	szHKey[8] = {L"HKCR",
		             L"HKCU",
		             L"HKLM",
		             L"HKU",
		             L"HKPD",
		             L"HKCC",
		             L"HKDD",
		             L"HKLS"};

const	LPCWSTR	szHKEY[8] = {L"HKEY_CLASSES_ROOT",
		             L"HKEY_CURRENT_USER",
		             L"HKEY_LOCAL_MACHINE",
		             L"HKEY_USERS",
		             L"HKEY_PERFORMANCE_DATA",
		             L"HKEY_CURRENT_CONFIG",
		             L"HKEY_DYN_DATA",
		             L"HKEY_CURRENT_USER_LOCAL_SETTINGS"};

const	DWORD	dwHKEY[8] = {sizeof("HKEY_CLASSES_ROOT"),
		             sizeof("HKEY_CURRENT_USER"),
		             sizeof("HKEY_LOCAL_MACHINE"),
		             sizeof("HKEY_USERS"),
		             sizeof("HKEY_PERFORMANCE_DATA"),
		             sizeof("HKEY_CURRENT_CONFIG"),
		             sizeof("HKEY_DYN_DATA"),
		             sizeof("HKEY_CURRENT_USER_LOCAL_SETTINGS")};

const	LPCWSTR	szType[12] = {L"NONE",
		              L"SZ",
		              L"EXPAND_SZ",
		              L"BINARY",
		              L"DWORD",		// alias DWORD_LITTLE_ENDIAN
		              L"DWORD_BIG_ENDIAN",
		              L"LINK",
		              L"MULTI_SZ",
		              L"RESOURCE_LIST",
		              L"FULL_RESOURCE_DESCRIPTOR",
		              L"RESOURCE_REQUIREMENTS_LIST",
		              L"QWORD"};	// alias QWORD_LITTLE_ENDIAN

DWORD	WINAPI	Registry(HANDLE hConsole, HANDLE hOutput, QWORD qwPrivileges, HKEY hkHKEY, DWORD dwKey)
{
	HKEY	hkKey;
	BOOL	bOutput;
	DWORD	dwError;
	DWORD	dwIndex = (DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT;
	DWORD	dwSubKeys, dwSubKey;
	DWORD	dwValues, dwValue, dwType, dwData, dwBytes;
#ifdef SANITY
	DWORD	dwCount, dwChars;
	LPCWSTR	lpCount;
#endif
	LPCWSTR	lpHKey = szHKey[dwIndex];
	LPCWSTR	lpKey = dwKey < dwHKEY[dwIndex] ? NULL : szKey + dwHKEY[dwIndex];
	LPCWSTR	lpSubKey = szKey + dwKey + 1;
	LPCWSTR	lpData, lpEscape, lpLast, lpMulti;

	dwError = RegOpenKeyEx(hkHKEY,
	                       lpKey,
	                       qwPrivileges & (1ULL << SE_BACKUP_PRIVILEGE) ? REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK : REG_OPTION_OPEN_LINK,
#ifdef SECURITY
	                       qwPrivileges & (1ULL << SE_SECURITY_PRIVILEGE) ? ACCESS_SYSTEM_SECURITY | KEY_READ | KEY_WOW64_64KEY : KEY_READ | KEY_WOW64_64KEY,
#else
	                       KEY_READ | KEY_WOW64_64KEY,
#endif
	                       &hkKey);

	if (dwError != ERROR_SUCCESS)
		PrintConsole(hConsole,
		             L"RegOpenKeyEx() returned error %lu for registry key \'%ls\'\n",
		             dwError, szKey);
	else
	{
#ifdef SECURITY
		dwData = sizeof(cbData);

		dwError = RegGetKeySecurity(hkHKEY,
		                            qwPrivileges & (1ULL << SE_SECURITY_PRIVILEGE) ? OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION : OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
		                            cbData,
		                            &dwData);

		if (dwError != ERROR_SUCCESS)
			PrintConsole(hConsole,
			             L"RegGetKeySecurity() returned error %lu for registry key \'%ls\'\n",
			             dwError, szKey);
		else
			if (!ConvertSecurityDescriptorToStringSecurityDescriptor(cbData,
			                                                         SDDL_REVISION_1,
			                                                         OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
			                                                         &lpData,
			                                                         (LPDWORD) NULL))
				PrintConsole(hConsole,
				             L"ConvertSecurityDescriptorToStringSecurityDescriptor() returned error %lu for registry key \'%ls\'\n",
				             dwError = GetLastError(), szKey);
			else
			{
				if (lpKey == NULL)
					bOutput = PrintFormat(hOutput,
					                      L"%ls,,,%%REG_KEYONLY%%\r\n",
					                      lpHKey);
				else
					bOutput = PrintFormat(hOutput,
					                      L"%ls,\"%ls\",,%%REG_KEYONLY%%\r\n",
					                      lpHKey, lpKey);

				bOutput &= PrintString(hOutput, L"; ");
				bOutput &= PrintDirect(hOutput, lpData, wcslen(lpData));
				bOutput &=