SCRIPTS.INF and save it in an arbitrary directory, then right-click the downloaded file to display its context menu and click Install to run it.
Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges and access rights.
client programs which can be selected by every user as the default program for their associated file types and URL protocols.
CLIENTS.INF and save it in an arbitrary directory, then right-click the downloaded file to display its context menu and click Install to run it.
Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.
_alldiv(), _alldvrm(), _allmul(), _allrem(), _allshl() and _allshr() for signed 64-bit integer arithmetic and shift operations, to _aulldiv(), _aulldvrm(), _aullrem() and _aullshr() for unsigned 64-bit integer arithmetic and shift operations, ...
_alloca(), _chkstk() ...
_CIacos(), _CIasin(), _CIatan(), _CIatan2(), _CIcos(), _CIcosh(), _CIexp(), _CIfmod(), _CIlog(), _CIlog10(), _CIpow(), _CIsin(), _CIsinh(), _CIsqrt(), _CItan(), _CItanh(), _ftol(), ...
Additionally ...
memchr(), memcmp(), memcpy(), memmove(), memset(), ...
strcat(), strcat_s(), strchr(), strcmp(), strcpy(), strcpy_s(), strcspn(), strlen(), strncat(), strncat_s(), strncmp(), strncpy(), strncpy_s(), strnlen(), strpbrk(), strrchr(), strspn(), strstr(), strtok_s(), strtol(), strtoul(), ...
wcscat(), wcscat_s(), wcschr(), wcscmp(), wcscpy(), wcscpy_s(), wcscspn(), wcslen(), wcsncat(), wcsncat_s(), wcsncmp(), wcsncpy(), wcsncpy_s(), wcsnlen(), wcspbrk(), wcsrchr(), wcsspn(), wcsstr(), wcstol(), wcstoul(), ...
available from ... on MSDN.
...
Shipped in the MSVCRT libraries, for static linkage. ...
Exported from NTDLL.dll, ...
...
Caveat: the routines for 64-bit integer arithmetic are SLOW, and the trigonometric floating-point routines are MUCH less accurate than claimed by Intel in their Software Developer’s Manuals.
My article Fast(est) 128÷128-bit and 64÷64-bit Integer Division presents division routines that are 4 to 6 times faster and a (branch-free) multiplication routine that is 3 to 9 times faster!
MSC_I386.LIB and cleanup afterwards:
LINK.EXE /LIB /DEF /EXPORT:_CIcos /EXPORT:_CIlog /EXPORT:_CIpow /EXPORT:_CIsin /EXPORT:_CIsqrt /EXPORT:_alldiv /EXPORT:_alldvrm /EXPORT:_allmul /EXPORT:_alloca_probe /EXPORT:_alloca_probe_8 /EXPORT:_alloca_probe_16 /EXPORT:_allrem /EXPORT:_allshl /EXPORT:_allshr /EXPORT:_aulldiv /EXPORT:_aulldvrm /EXPORT:_aullrem /EXPORT:_aullshr /EXPORT:_chkstk /EXPORT:_fltused /EXPORT:_ftol /EXPORT:memchr /EXPORT:memcmp /EXPORT:memcpy /EXPORT:memmove /EXPORT:memset /MACHINE:I386 /NAME:NTDLL /NODEFAULTLIB /OUT:MSC_I386.LIB
ERASE MSC_I386.EXP
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Microsoft (R) Library Manager Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Creating library msc_i386.lib and object msc_i386.exp
MSC_I386.LIB instead of or before the MSVCRT libraries.
Floating-point intrinsics ...
Compiler Security Checks In Depth
/GS (Buffer Security Check)
_load_config_used
referenced in
/SAFESEH (Image has Safe Exception Handlers)
IMAGE_LOAD_CONFIG_DIRECTORY32
__security_check_cookie()
__fastcall
__fastfail()
64-bit integer arithmetic intrinsics ...
Memory ... ...
Stack ... ...
Thread-local storage
Thread Local Storage (TLS)
Rules and Limitations for TLS
...
variables declared with __declspec(thread)
...
...
FPU_I386.OBJ, GS_I386.OBJ, I64_I386.OBJ, MEM_I386.OBJ, STK_I386.OBJ and TLS_I386.OBJ from the sources presented hereafter, then create the object library MSC_I386.LIB:
Create the text file FPU_I386.ASM with the following content in an arbitrary, preferably empty directory:
; Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
.686
.model flat, C
single record sign:1, exponent:8, mantissa:23
bias equ 1 shl (width exponent - 1) - 1
.const
public _fltused
_fltused dword 9876h
.code
; MSC internal intrinsic _CIacos():
; receives argument in FPU st(0), returns result in FPU st(0)
; NOTE: _CIacos() returns correct result for ±0.0 and ±1.0
_CIacos proc public
fld st(0) ; st(0) = st(1) = argument
fmul st(0), st(0) ; st(0) = argument**2,
; st(1) = argument
fld1 ; st(0) = 1.0,
; st(1) = argument**2,
; st(2) = argument
fsubrp st(1), st(0) ; st(0) = 1.0 - argument**2,
; st(1) = argument
fsqrt ; st(0) = square root of (1.0 - argument**2),
; st(1) = argument
fxch st(1) ; st(0) = argument,
; st(1) = square root of (1.0 - argument**2)
fpatan ; st(0) = inverse circular cosine of argument
ret
_CIacos endp
; MSC internal intrinsic _CIasin():
; receives argument in FPU st(0), returns result in FPU st(0)
; NOTE: _CIasin() returns correct result for ±0.0 and ±1.0
_CIasin proc public
fld st(0) ; st(0) = st(1) = argument
fmul st(0), st(0) ; st(0) = argument**2,
; st(1) = argument
fld1 ; st(0) = 1.0,
; st(1) = argument**2,
; st(2) = argument
fsubrp st(1), st(0) ; st(0) = 1.0 - argument**2,
; st(1) = argument
fsqrt ; st(0) = square root of (1.0 - argument**2),
; st(1) = argument
fpatan ; st(0) = inverse circular sine of argument
ret
_CIasin endp
; MSC internal intrinsic _CIatan():
; receives argument in FPU st(0), returns result in FPU st(0)
; NOTE: _CIatan() returns correct result for ±0.0 and ±INFINITY
_CIatan proc public
fld1 ; st(0) = 1.0,
; st(1) = argument
fpatan ; st(0) = inverse circular tangent of (argument / 1.0)
ret
_CIatan endp
; MSC internal intrinsic _CIatan2():
; receives arguments in FPU st(0) and st(1), returns result in FPU st(0)
; NOTE: _CIatan2() returns correct result for ±0.0 and ±INFINITY
_CIatan2 proc public
fxch st(1) ; st(0) = denominator,
; st(1) = numerator
fpatan ; st(0) = inverse circular tangent of (numerator / denominator)
ret
_CIatan2 endp
; MSC internal intrinsic _CIcos():
; receives argument in FPU st(0), returns result in FPU st(0)
_CIcos proc public
fcos ; st(0) = cosine of argument
fstsw ax ; ax = FPU status word,
; ah = B:C3:T:O:P:C2:C1:C0
sahf ; SF:ZF:0:AF:0:PF:1:CF = ah
jnp short exit ; |argument| < 2**63?
tau:
fld1 ; st(0) = 1.0,
; st(1) = argument
fldpi ; st(0) = pi,
; st(1) = 1.0,
; st(2) = argument
fscale ; st(0) = pi * 2**1,
; st(1) = 1.0,
; st(2) = argument
fstp st(1) ; st(0) = pi * 2**1,
; st(1) = argument
fxch st(1) ; st(0) = argument,
; st(1) = pi * 2**1
reduce:
fprem1 ; st(0) = argument modulo (pi * 2**1)
; = argument',
; st(1) = pi * 2**1
fstsw ax ; ax = FPU status word,
; ah = B:C3:T:O:P:C2:C1:C0
sahf ; SF:ZF:0:AF:0:PF:1:CF = ah
jp short reduce ; |argument'| > pi?
fstp st(1) ; st(0) = argument'
fcos ; st(0) = cosine of argument'
exit:
ret
_CIcos endp
; MSC internal intrinsic _CIcosh():
; receives argument in FPU st(0), returns result in FPU st(0)
_CIcosh proc public
call _CIexp ; st(0) = e**argument
fld1 ; st(0) = 1.0,
; st(1) = e**argument
fdiv st(0), st(1) ; st(0) = 1.0 / e**argument = e**-argument,
; st(1) = e**argument
faddp st(1), st(0) ; st(0) = e**argument + e**-argument
push (bias - 1) shl width mantissa
; [esp] = 0x3F000000
; = 0.5F
fmul real4 ptr [esp] ; st(0) = hyperbolic cosine of argument
pop eax
ret
_CIcosh endp
; MSC internal intrinsic _CIexp():
; receives argument in FPU st(0), returns result in FPU st(0)
; NOTE: _CIexp() returns correct result for ±INFINITY
_CIexp proc public
fldl2e ; st(0) = log2(e),
; st(1) = exponent
fmulp st(1), st(0) ; st(0) = exponent * log2(e)
if 0
fld1 ; st(0) = 1.0,
; st(1) = exponent * log2(e)
fld st(1) ; st(0) = exponent * log2(e),
; st(1) = 1.0,
; st(2) = exponent * log2(e)
fprem ; st(0) = (exponent * log2(e)) modulo 1.0,
; st(1) = 1.0,
; st(2) = exponent * log2(e)
f2xm1 ; st(0) = 2.0**((exponent * log2(e)) modulo 1.0) - 1.0,
; st(1) = 1.0,
; st(2) = exponent * log2(e)
faddp st(1), st(0) ; st(0) = 2.0**((exponent * log2(e)) modulo 1.0),
; st(1) = exponent * log2(e)
fscale ; st(0) = e**exponent,
; st(1) = exponent * log2(e)
else
fld st(0) ; st(0) = st(1) = exponent * log2(e)
frndint ; st(0) = integer(exponent * log2(e)),
; st(1) = exponent * log2(e)
fsub st(1), st(0) ; st(0) = integer(exponent * log2(e)),
; st(1) = fraction(exponent * log2(e))
fxch st(1) ; st(0) = fraction(exponent * log2(e)),
; st(1) = integer(exponent * log2(e))
f2xm1 ; st(0) = 2.0**fraction(exponent * log2(e)) - 1.0,
; st(1) = integer(exponent * log2(e))
fld1 ; st(0) = 1.0,
; st(1) = 2.0**fraction(exponent * log2(e)) - 1.0,
; st(2) = integer(exponent * log2(e))
faddp st(1), st(0) ; st(0) = 2.0**fraction(exponent * log2(e)),
; st(1) = integer(exponent * log2(e))
fscale ; st(0) = e**exponent,
; st(1) = integer(exponent * log2(e))
endif
fstp st(1) ; st(0) = e**exponent
ret
_CIexp endp
; MSC internal intrinsic _CIfmod():
; receives arguments in FPU st(0) and st(1), returns result in FPU st(0)
_CIfmod proc public
reduce:
fprem ; st(0) = remainder,
; st(1) = divisor
fstsw ax ; ax = FPU status word,
; ah = B:C3:T:O:P:C2:C1:C0
sahf ; SF:ZF:0:AF:0:PF:1:CF = ah
jp short reduce
fstp st(1) ; st(0) = remainder
ret
_CIfmod endp
; MSC internal intrinsic _CIlog():
; receives argument in FPU st(0), returns result in FPU st(0)
_CIlog proc public
fldln2 ; st(0) = ln(2.0),
; st(1) = argument
fxch st(1) ; st(0) = argument,
; st(1) = ln(2.0)
fyl2x ; st(0) = natural logarithm of argument
ret
_CIlog endp
; MSC internal intrinsic _CIlog10():
; receives argument in FPU st(0), returns result in FPU st(0)
_CIlog10 proc public
fldlg2 ; st(0) = log10(2.0),
; st(1) = argument
fxch st(1) ; st(0) = argument,
; st(1) = log10(2.0)
fyl2x ; st(0) = logarithm to base 10 of argument
ret
_CIlog10 endp
; MSC internal intrinsic _CIpow():
; receives arguments in FPU st(0) and st(1), returns result in FPU st(0)
_CIpow proc public
fxch st(1) ; st(0) = base,
; st(1) = exponent
fyl2x ; st(0) = exponent * log2(base)
fld1 ; st(0) = 1.0,
; st(1) = exponent * log2(base)
fld st(1) ; st(0) = exponent * log2(base),
; st(1) = 1.0,
; st(2) = exponent * log2(base)
fprem ; st(0) = (exponent * log2(base)) modulo 1.0
; = fraction(exponent * log2(base)),
; st(1) = 1.0,
; st(2) = exponent * log2(base)
f2xm1 ; st(0) = 2.0**fraction(exponent * log2(base)) - 1.0,
; st(1) = 1.0,
; st(2) = exponent * log2(base)
faddp st(1), st(0) ; st(0) = 2.0**fraction(exponent * log2(base)),
; st(1) = exponent * log2(base)
fscale ; st(0) = base**exponent,
; st(1) = exponent * log2(base)
fstp st(1) ; st(0) = base**exponent
ret
_CIpow endp
; MSC internal intrinsic _CIsin():
; receives argument in FPU st(0), returns result in FPU st(0)
_CIsin proc public
fsin ; st(0) = sine of argument
fstsw ax ; ax = FPU status word,
; ah = B:C3:T:O:P:C2:C1:C0
sahf ; SF:ZF:0:AF:0:PF:1:CF = ah
jnp short exit ; |argument| < 2**63?
tau:
fld1 ; st(0) = 1.0,
; st(1) = argument
fldpi ; st(0) = pi,
; st(1) = 1.0,
; st(2) = argument
fscale ; st(0) = pi * 2**1,
; st(1) = 1.0,
; st(2) = argument
fstp st(1) ; st(0) = pi * 2**1,
; st(1) = argument
fxch st(1) ; st(0) = argument,
; st(1) = pi * 2**1
reduce:
fprem1 ; st(0) = argument modulo (pi * 2**1)
; = argument',
; st(1) = pi * 2**1
fstsw ax ; ax = FPU status word,
; ah = B:C3:T:O:P:C2:C1:C0
sahf ; SF:ZF:0:AF:0:PF:1:CF = ah
jp short reduce ; |argument'| > pi?
fstp st(1) ; st(0) = argument'
fsin ; st(0) = sine of argument'
exit:
ret
_CIsin endp
; MSC internal intrinsic _CIsinh():
; receives argument in FPU st(0), returns result in FPU st(0)
_CIsinh proc public
call _CIexp ; st(0) = e**argument
fld1 ; st(0) = 1.0,
; st(1) = e**argument
fdiv st(0), st(1) ; st(0) = 1.0 / e**argument = e**-argument,
; st(1) = e**argument
fsubp st(1), st(0) ; st(0) = e**argument - e**-argument
push (bias - 1) shl width mantissa
; [esp] = 0x3F000000
; = 0.5F
fmul real4 ptr [esp] ; st(0) = hyperbolic sine of argument
pop eax
ret
_CIsinh endp
; MSC internal intrinsic _CIsqrt():
; receives argument in FPU st(0), returns result in FPU st(0)
_CIsqrt proc public
fsqrt ; st(0) = square root of radicand
ret
_CIsqrt endp
; MSC internal intrinsic _CItan():
; receives argument in FPU st(0), returns result in FPU st(0)
_CItan proc public
fptan ; st(0) = 1.0,
; st(1) = tangent of argument
fstsw ax ; ax = FPU status word,
; ah = B:C3:T:O:P:C2:C1:C0
sahf ; SF:ZF:0:AF:0:PF:1:CF = ah
jnp short done ; |argument| < 2**63?
tau:
fld1 ; st(0) = 1.0,
; st(1) = argument
fldpi ; st(0) = pi,
; st(1) = 1.0,
; st(2) = argument
fscale ; st(0) = pi * 2**1,
; st(1) = 1.0,
; st(2) = argument
fstp st(1) ; st(0) = pi * 2**1,
; st(1) = argument
fxch st(1) ; st(0) = argument,
; st(1) = pi * 2**1
reduce:
fprem1 ; st(0) = argument modulo (pi * 2**1)
; = argument',
; st(1) = pi * 2**1
fstsw ax ; ax = FPU status word,
; ah = B:C3:T:O:P:C2:C1:C0
sahf ; SF:ZF:0:AF:0:PF:1:CF = ah
jp short reduce ; |argument'| > pi?
fstp st(1) ; st(0) = argument'
fptan ; st(0) = 1.0,
; st(1) = tangent of argument'
done:
fstp st(0) ; st(0) = tangent of argument
ret
_CItan endp
; MSC internal intrinsic _CItanh():
; receives argument in FPU st(0), returns result in FPU st(0)
_CItanh proc public
call _CIexp ; st(0) = e**argument
fmul st(0), st(0) ; st(0) = e**argument * e**argument
; = e**(argument + argument)
fld1 ; st(0) = 1.0,
; st(1) = e**(argument + argument)
fadd st(1), st(0) ; st(0) = 1.0,
; st(1) = e**(argument + argument) + 1.0
fadd st(0), st(0) ; st(0) = 2.0,
; st(1) = e**(argument + argument) + 1.0
fdivrp st(1), st(0) ; st(0) = 2.0 / (e**(argument + argument) + 1.0)
fld1 ; st(0) = 1.0,
; st(1) = 2.0 / (e**(argument + argument) + 1.0)
fsubrp st(1), st(0) ; st(0) = 1.0 - 2.0 / (e**(argument + argument) + 1.0)
; = hyperbolic tangent of argument
ret
_CItanh endp
; MSC internal intrinsic _ftol():
; receives argument in FPU st(0), returns result in eax
; NOTE: fistp rounds to nearest (even) integer!
_ftol proc public
push eax
fistp dword ptr [esp] ; [esp] = integer(argument)
pop eax ; eax = integer(argument)
ret
_ftol endp
; MSC internal intrinsic _ftol2():
; receives argument in FPU st(0), returns result in edx:eax
; NOTE: fistp rounds to nearest (even) integer!
_ftol2 proc public
push edx
push eax
fistp qword ptr [esp] ; [esp] = integer(argument)
pop eax
pop edx ; edx:eax = integer(argument)
ret
_ftol2 endp
; MSC internal intrinsic _ftol2_sse():
; receives argument in FPU st(0), returns result in edx:eax
; NOTE: fisttp truncates, i.e. rounds towards ±0!
_ftol2_sse proc public
push edx
push eax
fisttp qword ptr [esp] ; [esp] = integer(argument)
pop eax
pop edx ; edx:eax = integer(argument)
ret
_ftol2_sse endp
end
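The NOTE lines on _ftol(), _ftol2() and _ftol2_sse() above matter to callers, because the C language defines the conversion of a floating-point value to an integer as truncation toward zero. The following added example is not part of the original sources; it models both behaviours in portable C and shows a scaled table index that stays in range under truncation but not under round-to-nearest. The function names, the sample values and the table-index caller are constructed for illustration.

```c
#include <stdio.h>

/* Conversion as the listed _ftol() performs it with fistp under the default
   x87 rounding mode: round to nearest, ties to even.  Modelled in portable C
   (assumption of this example: |x| < 2**31, so (long)x is exact). */
long to_int_nearest_even(double x)
{
    long   t    = (long)x;          /* C conversion: truncates toward zero */
    double frac = x - (double)t;    /* exact, |frac| < 1.0 */

    if (frac > 0.5 || (frac == 0.5 && (t & 1)))
        return t + 1;
    if (frac < -0.5 || (frac == -0.5 && (t & 1)))
        return t - 1;
    return t;
}

/* Conversion as the listed _ftol2_sse() (fisttp) and the C language define it. */
long to_int_truncate(double x)
{
    return (long)x;
}

/* Constructed caller: map x in [0.0, 1.0) to a slot of a table with n entries. */
long slot_truncate(double x, long n)
{
    return to_int_truncate(x * (double)n);
}

long slot_nearest(double x, long n)
{
    return to_int_nearest_even(x * (double)n);
}

/* Constructed sample inputs, all inside [0.0, 1.0). */
static const double SAMPLES[] = { 0.0, 0.25, 0.5, 0.9, 0.96875, 0.97, 0.999 };
#define SAMPLE_COUNT ((int)(sizeof SAMPLES / sizeof SAMPLES[0]))

/* Counts the inputs whose slot falls outside 0 .. n-1. */
int count_out_of_range(long (*slot)(double, long),
                       const double *xs, int count, long n)
{
    int bad = 0;
    int i;

    for (i = 0; i < count; i++) {
        long s = slot(xs[i], n);
        if (s < 0 || s >= n)
            bad++;
    }
    return bad;
}

int main(void)
{
    int i;

    for (i = 0; i < SAMPLE_COUNT; i++)
        printf("x = %-8g truncate: %2ld  nearest/even: %2ld\n", SAMPLES[i],
               slot_truncate(SAMPLES[i], 16), slot_nearest(SAMPLES[i], 16));
    printf("out of range with truncation:   %d\n",
           count_out_of_range(slot_truncate, SAMPLES, SAMPLE_COUNT, 16));
    printf("out of range with nearest/even: %d\n",
           count_out_of_range(slot_nearest, SAMPLES, SAMPLE_COUNT, 16));
    return 0;
}
```

Code that relies on truncation for a bounds guarantee should be checked against the conversion helper it is actually linked with.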
Create the text file GS_I386.ASM with the following content in the same directory:
; Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
.586
.model flat; C
extern ___safe_se_handler_count:abs
extern ___safe_se_handler_table:dword
_lcu_32 struct 4 ; IMAGE_LOAD_CONFIG_DIRECTORY32
dword sizeof _lcu_32
dword "VOID"
word 0, 815
dword 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
word 0, 2048
dword 0
dword offset ___security_cookie
dword offset ___safe_se_handler_table
dword offset ___safe_se_handler_count
dword 0, 0, 0, 0, 0
_lcu_32 ends
.const
public __load_config_used
__load_config_used \
_lcu_32 <>
.data
public ___security_cookie
___security_cookie \
dword 3141592654
.code
@__security_check_cookie@4 \
proc public ; void __fastcall __security_check_cookie(dword cookie)
cmp ecx, ___security_cookie
jne short fastfail
ret
fastfail:
xor ecx, ecx
int 41
@__security_check_cookie@4 \
endp
___security_init_cookie \
proc public ; void __cdecl __security_init_cookie(void)
mov eax, ___security_cookie
cmp eax, 3141592654
je short init
test eax, eax
jne short exit
init:
rdtsc ; eax = low dword of time stamp counter,
; edx = high dword of time stamp counter
xor eax, edx ; eax = pseudo random number
mov ___security_cookie, eax
exit:
ret
___security_init_cookie \
endp
end
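What the two routines of GS_I386.ASM above do, as an added C model that is not part of the original sources: the cookie initialisation, the epilogue check, and the two time stamp counter values for which the listed initialisation yields 0 or the compile-time default again. The frame layout, the function names and the post-check in init_cookie_checked() are assumptions of this example; the time stamp counter is passed in as a parameter so that the results are reproducible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_COOKIE 3141592654u  /* initial ___security_cookie in GS_I386.ASM */

/* Model of ___security_init_cookie as listed: a cookie that is neither the
   default constant nor 0 is kept; otherwise it becomes the low dword of the
   time stamp counter XORed with its high dword. */
uint32_t init_cookie_as_listed(uint32_t current, uint64_t tsc)
{
    if (current != DEFAULT_COOKIE && current != 0)
        return current;
    return (uint32_t)tsc ^ (uint32_t)(tsc >> 32);
}

/* Variant with a post-check (assumption of this example, not in the
   listing): never hand back 0 or the compile-time default. */
uint32_t init_cookie_checked(uint32_t current, uint64_t tsc)
{
    uint32_t cookie = init_cookie_as_listed(current, tsc);

    if (cookie == 0 || cookie == DEFAULT_COOKIE)
        cookie = DEFAULT_COOKIE + 1;
    return cookie;
}

/* Model of @__security_check_cookie@4: 1 = return to the caller,
   0 = the listing would execute "int 41" (fast fail). */
int check_cookie(uint32_t saved, uint32_t global)
{
    return saved == global;
}

/* Constructed stand-in for a /GS protected frame: the copy of the cookie
   sits directly above the local buffer. */
struct frame {
    char     buffer[8];
    uint32_t cookie;
};

/* Stores the cookie (prologue), copies len bytes of input over the frame the
   way an unchecked copy would, then runs the check (epilogue).
   Returns 1 if the frame is intact, 0 on fast fail. */
int run_frame(uint32_t global_cookie, const char *input, size_t len)
{
    struct frame f;

    memset(&f, 0, sizeof f);
    f.cookie = global_cookie;
    if (len > sizeof f)
        len = sizeof f;                 /* keep the model itself in bounds */
    memcpy(&f, input, len);
    return check_cookie(f.cookie, global_cookie);
}

int main(void)
{
    /* constructed time stamp counter values */
    uint64_t ordinary = 0x0000000112345678ULL;
    uint64_t to_zero  = 0x1234567812345678ULL;          /* low == high     */
    uint64_t to_deflt = ((uint64_t)1 << 32) | (DEFAULT_COOKIE ^ 1u);
    uint32_t cookie   = init_cookie_as_listed(DEFAULT_COOKIE, ordinary);

    printf("ordinary tsc:  cookie = 0x%08lX\n", (unsigned long)cookie);
    printf("low == high:   listed = 0x%08lX, checked = 0x%08lX\n",
           (unsigned long)init_cookie_as_listed(DEFAULT_COOKIE, to_zero),
           (unsigned long)init_cookie_checked(DEFAULT_COOKIE, to_zero));
    printf("xor = default: listed = 0x%08lX, checked = 0x%08lX\n",
           (unsigned long)init_cookie_as_listed(0, to_deflt),
           (unsigned long)init_cookie_checked(0, to_deflt));
    printf("copy of  8 bytes: %s\n",
           run_frame(cookie, "AAAAAAA", 8) ? "frame intact" : "fast fail");
    printf("copy of 12 bytes: %s\n",
           run_frame(cookie, "AAAAAAAABBBB", 12) ? "frame intact" : "fast fail");
    return 0;
}
```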
Create the text file I64_I386.ASM with the following content in the same directory:
; Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
.386
.model flat, C
.code
; MSC internal _alldiv():
; receives arguments on stack, returns quotient in edx:eax
; NOTE: _alldiv() can raise 'division by zero' exception; it prevents
; quotient overflow and does not raise 'integer overflow' exception,
; but returns ±2**63 for -2**63 / -1!
_alldiv proc public ; sqword _alldiv(sqword dividend, sqword divisor)
push ebx
; determine sign of dividend and compute |dividend|
mov edx, [esp+12] ; edx = high dword of dividend
mov eax, [esp+8] ; eax = low dword of dividend
mov ebx, edx
sar ebx, 31 ; ebx = (dividend < 0) ? -1 : 0
xor eax, ebx
xor edx, ebx ; edx:eax = (dividend < 0) ? ~dividend : dividend
sub eax, ebx
sbb edx, ebx ; edx:eax = (dividend < 0) ? -dividend : dividend
; = |dividend|
mov [esp+8], eax ; write |dividend| back on stack
mov [esp+12], edx
; determine sign of divisor and compute |divisor|
mov edx, [esp+20] ; edx = high dword of divisor
mov eax, [esp+16] ; eax = low dword of divisor
mov ecx, edx
sar ecx, 31 ; ecx = (divisor < 0) ? -1 : 0
xor eax, ecx
xor edx, ecx ; edx:eax = (divisor < 0) ? ~divisor : divisor
sub eax, ecx
sbb edx, ecx ; edx:eax = (divisor < 0) ? -divisor : divisor
; = |divisor|
mov [esp+16], eax ; write |divisor| back on stack
mov [esp+20], edx
xor ecx, ebx ; ecx = sign of dividend ^ sign of divisor
; = sign of quotient
push ecx ; save sign of quotient on stack
ifdef TRIVIAL
mov ecx, [esp+16] ; ecx = high dword of dividend
cmp ecx, edx
jb short trivial ; (high dword of) dividend < (high dword of) divisor?
endif
bsr ecx, edx ; ecx = index of leading '1' bit in high dword of divisor
jnz short extended ; high dword of divisor <> 0?
; high dword of divisor = 0 (so high dword of remainder will be 0 too)
mov ecx, eax ; ecx = (low dword of) divisor
mov eax, [esp+16] ; eax = high dword of dividend
cmp eax, ecx
jae short long ; high dword of dividend >= divisor?
; perform normal division
normal:
mov edx, eax ; edx = high dword of dividend
mov eax, [esp+12] ; edx:eax = dividend
div ecx ; eax = (low dword of) quotient,
; edx = (low dword of) remainder
;; xor edx, edx ; edx:eax = |quotient|
pop edx ; edx = sign of quotient
xor eax, edx
sub eax, edx
sbb edx, edx ; edx:eax = quotient
pop ebx
ret 16 ; callee restores stack
; perform "long" alias "schoolbook" division
long:
;; xor edx, edx ; edx:eax = high dword of dividend
div ecx ; eax = high dword of quotient,
; edx = high dword of remainder'
mov ebx, eax ; ebx = high dword of quotient
mov eax, [esp+12] ; eax = low dword of dividend
div ecx ; eax = low dword of quotient,
; edx = (low dword of) remainder
mov edx, ebx ; edx:eax = |quotient|
pop ecx ; ecx = sign of quotient
xor eax, ecx
xor edx, ecx
sub eax, ecx
sbb edx, ecx ; edx:eax = quotient
pop ebx
ret 16 ; callee restores stack
; high dword of divisor <> 0 (so high dword of quotient will be 0):
; perform "extended & adjusted" division
extended:
push edi
not ecx ; ecx = number of leading '0' bits in (high dword of) divisor
shld edx, eax, cl ; edx = divisor / 2**(index + 1)
; = divisor'
;; shl eax, cl
mov ebx, edx ; ebx = divisor'
mov edx, [esp+20] ; edx = high dword of dividend
mov eax, [esp+16] ; eax = low dword of dividend
ifndef JCCLESS
xor edi, edi ; edi = high dword of quotient' = 0
cmp edx, ebx
jb short @f ; high dword of dividend < divisor'?
; high dword of dividend >= divisor':
; subtract divisor' from high dword of dividend to prevent possible
; division overflow and set most significant bit of quotient"
sub edx, ebx ; edx = high dword of dividend - divisor'
; = high dword of dividend'
inc edi ; edi = high dword of quotient' = 1
@@:
else
sub edx, ebx ; edx = high dword of dividend - divisor'
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
and edi, ebx ; edi = (high dword of dividend < divisor') ? divisor' : 0
add edx, edi ; edx = high dword of dividend
; - (high dword of dividend < divisor') ? 0 : divisor'
; = high dword of dividend'
neg edi ; CF = (high dword of dividend < divisor')
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
inc edi ; edi = (high dword of dividend < divisor') ? 0 : 1
; = high dword of quotient'
endif ; JCCLESS
; high dword of dividend' < divisor'
div ebx ; eax = dividend' / divisor'
; = low dword of quotient',
; edx = remainder'
shld edi, eax, cl ; edi = quotient' / 2**(index + 1)
; = dividend / divisor
; = quotient"
;; shl eax, cl
mov eax, [esp+24] ; eax = low dword of divisor
mul edi ; edx:eax = low dword of divisor * quotient"
mov ecx, [esp+16]
mov ebx, [esp+20] ; ebx:ecx = dividend
sub ecx, eax
sbb ebx, edx ; ebx:ecx = dividend - low dword of divisor * quotient"
mov eax, [esp+28] ; eax = high dword of divisor
imul eax, edi ; eax = high dword of divisor * quotient"
sub ebx, eax ; ebx:ecx = dividend - divisor * quotient"
; = remainder"
sbb eax, eax ; eax = (remainder" < 0) ? -1 : 0
add eax, edi ; eax = quotient" - (remainder" < 0)
; = (low dword of) |quotient|
;; xor edx, edx ; edx:eax = |quotient|
pop edi
pop edx ; edx = sign of quotient
xor eax, edx
sub eax, edx
sbb edx, edx ; edx:eax = quotient
pop ebx
ret 16 ; callee restores stack
_alldiv endp
; MSC internal _alldvrm():
; receives arguments on stack, returns quotient in edx:eax and remainder in ebx:ecx
; NOTE: _alldvrm() can raise 'division by zero' exception; it prevents
; quotient overflow and does not raise 'integer overflow' exception,
; but returns ±2**63 for -2**63 / -1!
_alldvrm proc public ; sqword _alldvrm(sqword dividend, sqword divisor)
push edi
; determine sign of dividend and compute |dividend|
mov edx, [esp+12] ; edx = high dword of dividend
mov eax, [esp+8] ; eax = low dword of dividend
mov edi, edx
sar edi, 31 ; edi = (dividend < 0) ? -1 : 0
; = sign of dividend
; = sign of remainder
xor eax, edi
xor edx, edi ; edx:eax = (dividend < 0) ? ~dividend : dividend
sub eax, edi
sbb edx, edi ; edx:eax = (dividend < 0) ? -dividend : dividend
; = |dividend|
mov [esp+8], eax ; write |dividend| back on stack
mov [esp+12], edx
; determine sign of divisor and compute |divisor|
mov edx, [esp+20] ; edx = high dword of divisor
mov eax, [esp+16] ; eax = low dword of divisor
mov ecx, edx
sar ecx, 31 ; ecx = (divisor < 0) ? -1 : 0
xor eax, ecx
xor edx, ecx ; edx:eax = (divisor < 0) ? ~divisor : divisor
sub eax, ecx
sbb edx, ecx ; edx:eax = (divisor < 0) ? -divisor : divisor
; = |divisor|
mov [esp+16], eax ; write |divisor| back on stack
mov [esp+20], edx
xor ecx, edi ; ecx = sign of divisor ^ sign of dividend
; = sign of quotient
push ecx ; save sign of quotient on stack
ifdef TRIVIAL
mov ecx, [esp+16] ; ecx = high dword of dividend
cmp ecx, edx
jb short trivial ; (high dword of) dividend < (high dword of) divisor?
endif
bsr ecx, edx ; ecx = index of leading '1' bit in high dword of divisor
jnz short extended ; high dword of divisor <> 0?
; high dword of divisor = 0 (so high dword of remainder will be 0 too)
mov ecx, eax ; ecx = (low dword of) divisor
mov eax, [esp+16] ; eax = high dword of dividend
cmp eax, ecx
jae short long ; high dword of dividend >= divisor?
; perform normal division
normal:
mov edx, eax ; edx = high dword of dividend
xor ebx, ebx ; ebx = high dword of quotient = 0
jmp short next
; perform "long" alias "schoolbook" division
long:
;; xor edx, edx ; edx:eax = high dword of dividend
div ecx ; eax = high dword of quotient,
; edx = high dword of remainder'
mov ebx, eax ; ebx = high dword of quotient
next:
mov eax, [esp+12] ; eax = low dword of dividend
div ecx ; eax = low dword of quotient,
; edx = (low dword of) remainder
mov ecx, edx ; ecx = (low dword of) |remainder|
mov edx, ebx ; edx:eax = |quotient|
;; xor ebx, ebx ; ebx:ecx = |remainder|
pop ebx ; ebx = sign of quotient
xor eax, ebx
xor edx, ebx
sub eax, ebx
sbb edx, ebx ; edx:eax = quotient
mov ebx, edi ; ebx = sign of remainder
xor ecx, ebx
sub ecx, ebx
sbb ebx, ebx ; ebx:ecx = remainder
pop edi
ret 16 ; callee restores stack
; high dword of divisor <> 0 (so high dword of quotient will be 0):
; perform "extended & adjusted" division
extended:
push edi ; save sign of remainder
not ecx ; ecx = number of leading '0' bits in (high dword of) divisor
shld edx, eax, cl ; edx = divisor / 2**(index + 1)
; = divisor'
;; shl eax, cl
mov ebx, edx ; ebx = divisor'
mov edx, [esp+20] ; edx = high dword of dividend
mov eax, [esp+16] ; eax = low dword of dividend
ifndef JCCLESS
xor edi, edi ; edi = high dword of quotient' = 0
cmp edx, ebx
jb short @f ; high dword of dividend < divisor'?
; high dword of dividend >= divisor':
; subtract divisor' from high dword of dividend to prevent possible
; division overflow and set most significant bit of quotient"
sub edx, ebx ; edx = high dword of dividend - divisor'
; = high dword of dividend'
inc edi ; edi = high dword of quotient' = 1
@@:
else
sub edx, ebx ; edx = high dword of dividend - divisor'
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
and edi, ebx ; edi = (high dword of dividend < divisor') ? divisor' : 0
add edx, edi ; edx = high dword of dividend
; - (high dword of dividend < divisor') ? 0 : divisor'
; = high dword of dividend'
neg edi ; CF = (high dword of dividend < divisor')
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
inc edi ; edi = (high dword of dividend < divisor') ? 0 : 1
; = high dword of quotient'
endif ; JCCLESS
; high dword of dividend' < divisor'
div ebx ; eax = dividend' / divisor'
; = low dword of quotient',
; edx = remainder'
shld edi, eax, cl ; edi = quotient' / 2**(index + 1)
; = dividend / divisor
; = quotient"
;; shl eax, cl
mov eax, [esp+24] ; eax = low dword of divisor
mul edi ; edx:eax = low dword of divisor * quotient"
mov ecx, [esp+16]
mov ebx, [esp+20] ; ebx:ecx = dividend
sub ecx, eax
sbb ebx, edx ; ebx:ecx = dividend - low dword of divisor * quotient"
mov eax, [esp+28] ; eax = high dword of divisor
imul eax, edi ; eax = high dword of divisor * quotient"
sub ebx, eax ; ebx:ecx = dividend - divisor * quotient"
; = remainder"
ifndef JCCLESS
jnb short @f ; remainder" >= 0?
; with borrow, it is off by divisor,
; and quotient" is off by 1
if 0
sbb edi, 0 ; edi = quotient" - 1
; = |quotient|
else
dec edi ; edi = quotient" - 1
; = |quotient|
endif
add ecx, [esp+24]
adc ebx, [esp+28] ; ebx:ecx = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = |remainder|
@@:
else
sbb eax, eax ; eax = (remainder" < 0) ? -1 : 0
cdq ; edx = (remainder" < 0) ? -1 : 0
add edi, eax ; edi = quotient" - 1
; = |quotient|
and eax, [esp+24]
and edx, [esp+28] ; edx:eax = (remainder" < 0) ? divisor : 0
add ecx, eax
adc ebx, edx ; ebx:ecx = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = |remainder|
endif ; JCCLESS
mov eax, edi ; eax = (low dword of) |quotient|
;; xor edx, edx ; edx:eax = |quotient|
pop edi ; edi = sign of remainder
pop edx ; edx = sign of quotient
xor eax, edx
sub eax, edx
sbb edx, edx ; edx:eax = quotient
xor ecx, edi
xor ebx, edi
sub ecx, edi
sbb ebx, edi ; ebx:ecx = remainder
pop edi
ret 16 ; callee restores stack
_alldvrm endp
; MSC internal _allmul():
; receives arguments on stack, returns product in edx:eax
_allmul proc public ; sqword _allmul(sqword multiplicand, sqword multiplier)
push ebx
mov eax, [esp+8] ; eax = low dword of multiplicand
mov ecx, [esp+12] ; ecx = high dword of multiplicand
mov edx, [esp+16] ; edx = low dword of multiplier
mov ebx, [esp+20] ; ebx = high dword of multiplier
imul ecx, edx ; ecx = high dword of multiplicand
; * low dword of multiplier
imul ebx, eax ; ebx = high dword of multiplier
; * low dword of multiplicand
mul edx ; edx:eax = low dword of multiplicand
; * low dword of multiplier
add ecx, ebx ; ecx = high dword of multiplicand
; * low dword of multiplier
; + high dword of multiplier
; * low dword of multiplicand
add edx, ecx ; edx:eax = product % 2**64
pop ebx
ret 16 ; callee restores stack
_allmul endp
; MSC internal _allrem():
; receives arguments on stack, returns remainder in edx:eax
; NOTE: _allrem() can raise 'division by zero' exception; it prevents
; quotient overflow and does not raise 'integer overflow' exception!
_allrem proc public ; sqword _allrem(sqword dividend, sqword divisor)
; determine sign of dividend and compute |dividend|
mov eax, [esp+8] ; eax = high dword of dividend
mov ecx, [esp+4] ; ecx = low dword of dividend
cdq ; edx = (dividend < 0) ? -1 : 0
xor ecx, edx
xor eax, edx ; ecx:eax = (dividend < 0) ? ~dividend : dividend
sub ecx, edx
sbb eax, edx ; ecx:eax = (dividend < 0) ? -dividend : dividend
; = |dividend|
mov [esp+4], ecx ; write |dividend| back on stack
mov [esp+8], eax
push edx ; save sign of dividend on stack
; determine sign of divisor and compute |divisor|
mov edx, [esp+20] ; edx = high dword of divisor
mov eax, [esp+16] ; eax = low dword of divisor
mov ecx, edx
sar ecx, 31 ; ecx = (divisor < 0) ? -1 : 0
xor eax, ecx
xor edx, ecx ; edx:eax = (divisor < 0) ? ~divisor : divisor
sub eax, ecx
sbb edx, ecx ; edx:eax = (divisor < 0) ? -divisor : divisor
; = |divisor|
mov [esp+16], eax ; write |divisor| back on stack
mov [esp+20], edx
ifdef TRIVIAL
mov ecx, [esp+12] ; ecx = high dword of dividend
cmp ecx, edx
jb short trivial ; (high dword of) dividend < (high dword of) divisor?
endif
bsr ecx, edx ; ecx = index of leading '1' bit in high dword of divisor
jnz short extended ; high dword of divisor <> 0?
; high dword of divisor = 0 (so high dword of remainder will be 0 too)
mov ecx, eax ; ecx = (low dword of) divisor
mov eax, [esp+12] ; eax = high dword of dividend
cmp eax, ecx
jae short long ; high dword of dividend >= divisor?
; perform normal division
normal:
mov edx, eax ; edx = high dword of dividend
jmp short next
; perform "long" alias "schoolbook" division
long:
;; xor edx, edx ; edx:eax = high dword of dividend
div ecx ; eax = high dword of quotient,
; edx = high dword of remainder'
next:
mov eax, [esp+8] ; eax = low dword of dividend
div ecx ; eax = low dword of quotient,
; edx = (low dword of) remainder
mov eax, edx ; eax = (low dword of) |remainder|
;; xor edx, edx ; edx:eax = |remainder|
pop edx ; edx = sign of remainder
xor eax, edx
sub eax, edx
sbb edx, edx ; edx:eax = remainder
ret 16 ; callee restores stack
; high dword of divisor <> 0 (so high dword of quotient will be 0):
; perform "extended & adjusted" division
extended:
push ebx
push edi
not ecx ; ecx = number of leading '0' bits in (high dword of) divisor
shld edx, eax, cl ; edx = divisor / 2**(index + 1)
; = divisor'
;; shl eax, cl
mov ebx, edx ; ebx = divisor'
mov edx, [esp+20] ; edx = high dword of dividend
mov eax, [esp+16] ; eax = low dword of dividend
ifndef JCCLESS
xor edi, edi ; edi = high dword of quotient' = 0
cmp edx, ebx
jb short @f ; high dword of dividend < divisor'?
; high dword of dividend >= divisor':
; subtract divisor' from high dword of dividend to prevent possible
; division overflow and set most significant bit of quotient"
sub edx, ebx ; edx = high dword of dividend - divisor'
; = high dword of dividend'
inc edi ; edi = high dword of quotient' = 1
@@:
else
sub edx, ebx ; edx = high dword of dividend - divisor'
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
and edi, ebx ; edi = (high dword of dividend < divisor') ? divisor' : 0
add edx, edi ; edx = high dword of dividend
; - (high dword of dividend < divisor') ? 0 : divisor'
; = high dword of dividend'
neg edi ; CF = (high dword of dividend < divisor')
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
inc edi ; edi = (high dword of dividend < divisor') ? 0 : 1
; = high dword of quotient'
endif ; JCCLESS
; high dword of dividend' < divisor'
div ebx ; eax = dividend' / divisor'
; = low dword of quotient',
; edx = remainder'
shld edi, eax, cl ; edi = quotient' / 2**(index + 1)
; = dividend / divisor
; = quotient"
;; shl eax, cl
mov eax, [esp+24] ; eax = low dword of divisor
mul edi ; edx:eax = low dword of divisor * quotient"
mov ecx, [esp+16]
mov ebx, [esp+20] ; ebx:ecx = dividend
sub ecx, eax
sbb ebx, edx ; ebx:ecx = dividend - low dword of divisor * quotient"
mov eax, [esp+28] ; eax = high dword of divisor
imul eax, edi ; eax = high dword of divisor * quotient"
sub ebx, eax ; ebx:ecx = dividend - divisor * quotient"
; = remainder"
ifndef JCCLESS
jnb short @f ; remainder" >= 0?
; with borrow, it is off by divisor
; (and quotient" is off by 1)
add ecx, [esp+24]
adc ebx, [esp+28] ; ebx:ecx = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = remainder
@@:
mov eax, ecx
mov edx, ebx ; edx:eax = |remainder|
else
sbb eax, eax ; eax = (remainder" < 0) ? -1 : 0
cdq ; edx = (remainder" < 0) ? -1 : 0
and eax, [esp+24]
and edx, [esp+28] ; edx:eax = (remainder" < 0) ? divisor : 0
add eax, ecx
adc edx, ebx ; edx:eax = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = |remainder|
endif ; JCCLESS
pop edi
pop ebx
pop ecx ; ecx = sign of remainder
xor eax, ecx
xor edx, ecx
sub eax, ecx
sbb edx, ecx ; edx:eax = remainder
ret 16 ; callee restores stack
_allrem endp
; MSC internal _allshl():
; receives arguments in edx:eax and cl, returns result in edx:eax
; NOTE: _allshl() applies shift count modulo 64
_allshl proc public ; sqword _allshl(sqword value, byte count)
test cl, 32
jnz short @f ; count > 31?
shld edx, eax, cl
shl eax, cl
ret
@@:
mov edx, eax
shl edx, cl
xor eax, eax
ret
_allshl endp
; MSC internal _allshr():
; receives arguments in edx:eax and cl, returns result in edx:eax
; NOTE: _allshr() applies shift count modulo 64
_allshr proc public ; sqword _allshr(sqword value, byte count)
test cl, 32
jnz short @f ; count > 31?
shrd eax, edx, cl
sar edx, cl
ret
@@:
mov eax, edx
sar eax, cl
sar edx, 31
ret
_allshr endp
; MSC internal _aulldiv():
; receives arguments on stack, returns quotient in edx:eax
; NOTE: _aulldiv() can raise 'division by zero' exception!
_aulldiv proc public ; qword _aulldiv(qword dividend, qword divisor)
mov edx, [esp+16] ; edx = high dword of divisor
ifdef TRIVIAL
mov eax, [esp+8] ; eax = high dword of dividend
cmp eax, edx
jb short trivial ; (high dword of) dividend < (high dword of) divisor?
endif
bsr ecx, edx ; ecx = index of leading '1' bit in high dword of divisor
jnz short extended ; high dword of divisor <> 0?
; high dword of divisor = 0 (so high dword of remainder will be 0 too)
mov ecx, [esp+12] ; ecx = (low dword of) divisor
ifndef TRIVIAL
mov eax, [esp+8] ; eax = high dword of dividend
endif
cmp eax, ecx
jae short long ; high dword of dividend >= divisor?
; perform normal division
normal:
mov edx, eax ; edx = high dword of dividend
mov eax, [esp+4] ; edx:eax = dividend
div ecx ; eax = (low dword of) quotient,
; edx = (low dword of) remainder
xor edx, edx ; edx:eax = quotient
ret 16 ; callee restores stack
; perform "long" alias "schoolbook" division
long:
;; xor edx, edx ; edx:eax = high dword of dividend
div ecx ; eax = high dword of quotient,
; edx = high dword of remainder'
push eax ; [esp] = high dword of quotient
mov eax, [esp+8] ; eax = low dword of dividend
div ecx ; eax = low dword of quotient,
; edx = (low dword of) remainder
pop edx ; edx:eax = quotient
ret 16 ; callee restores stack
ifdef TRIVIAL
; dividend < divisor
trivial:
xor eax, eax
xor edx, edx ; edx:eax = quotient = 0
ret 16 ; callee restores stack
endif
; high dword of divisor <> 0 (so high dword of quotient will be 0):
; perform "extended & adjusted" division
extended:
push ebx
push edi
mov eax, [esp+20] ; edx:eax = divisor
not ecx ; ecx = number of leading '0' bits in (high dword of) divisor
shld edx, eax, cl ; edx = divisor / 2**(index + 1)
; = divisor'
;; shl eax, cl
mov ebx, edx ; ebx = divisor'
mov edx, [esp+16] ; edx = high dword of dividend
mov eax, [esp+12] ; eax = low dword of dividend
ifndef JCCLESS
xor edi, edi ; edi = high dword of quotient' = 0
cmp edx, ebx
jb short @f ; high dword of dividend < divisor'?
; high dword of dividend >= divisor':
; subtract divisor' from high dword of dividend to prevent possible
; division overflow and set most significant bit of quotient"
sub edx, ebx ; edx = high dword of dividend - divisor'
; = high dword of dividend'
inc edi ; edi = high dword of quotient' = 1
@@:
else
sub edx, ebx ; edx = high dword of dividend - divisor'
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
and edi, ebx ; edi = (high dword of dividend < divisor') ? divisor' : 0
add edx, edi ; edx = high dword of dividend
; - (high dword of dividend < divisor') ? 0 : divisor'
; = high dword of dividend'
neg edi ; CF = (high dword of dividend < divisor')
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
inc edi ; edi = (high dword of dividend < divisor') ? 0 : 1
; = high dword of quotient'
endif ; JCCLESS
; high dword of dividend' < divisor'
div ebx ; eax = dividend' / divisor'
; = low dword of quotient',
; edx = remainder'
shld edi, eax, cl ; edi = quotient' / 2**(index + 1)
; = dividend / divisor
; = quotient"
;; shl eax, cl
mov eax, [esp+20] ; eax = low dword of divisor
mul edi ; edx:eax = low dword of divisor * quotient"
mov ecx, [esp+12]
mov ebx, [esp+16] ; ebx:ecx = dividend
sub ecx, eax
sbb ebx, edx ; ebx:ecx = dividend - low dword of divisor * quotient"
mov eax, [esp+24] ; eax = high dword of divisor
imul eax, edi ; eax = high dword of divisor * quotient"
if 0
sub ebx, eax ; ebx:ecx = dividend - divisor * quotient"
; = remainder"
sbb eax, eax ; eax = (remainder" < 0) ? -1 : 0
add eax, edi ; eax = quotient" - (remainder" < 0)
; = (low dword of) quotient
xor edx, edx ; edx:eax = quotient
else
xor edx, edx ; edx = high dword of quotient = 0
sub ebx, eax ; ebx:ecx = dividend - divisor * quotient"
; = remainder"
mov eax, edi ; eax = quotient"
sbb eax, edx ; eax = quotient" - (remainder" < 0)
; = (low dword of) quotient
endif
pop edi
pop ebx
ret 16 ; callee restores stack
_aulldiv endp
; MSC internal _aulldvrm():
; receives arguments on stack, returns quotient in edx:eax and remainder in ebx:ecx
; NOTE: _aulldvrm() can raise 'division by zero' exception!
_aulldvrm proc public ; qword _aulldvrm(qword dividend, qword divisor)
mov edx, [esp+16] ; edx = high dword of divisor
ifdef TRIVIAL
mov eax, [esp+8] ; eax = high dword of dividend
cmp eax, edx
jb short trivial ; (high dword of) dividend < (high dword of) divisor?
endif
bsr ecx, edx ; ecx = index of leading '1' bit in high dword of divisor
jnz short extended ; high dword of divisor <> 0?
; high dword of divisor = 0 (so high dword of remainder will be 0 too)
mov ecx, [esp+12] ; ecx = (low dword of) divisor
ifndef TRIVIAL
mov eax, [esp+8] ; eax = high dword of dividend
endif
cmp eax, ecx
jae short long ; high dword of dividend >= divisor?
; perform normal division
normal:
mov edx, eax ; edx = high dword of dividend
mov eax, [esp+4] ; edx:eax = dividend
div ecx ; eax = (low dword of) quotient,
; edx = (low dword of) remainder
mov ecx, edx ; ecx = (low dword of) remainder
xor ebx, ebx ; ebx:ecx = remainder
xor edx, edx ; edx:eax = quotient
ret 16 ; callee restores stack
; perform "long" alias "schoolbook" division
long:
;; xor edx, edx ; edx:eax = high dword of dividend
div ecx ; eax = high dword of quotient,
; edx = high dword of remainder'
mov ebx, eax ; ebx = high dword of quotient
mov eax, [esp+4] ; eax = low dword of dividend
div ecx ; eax = low dword of quotient,
; edx = (low dword of) remainder
mov ecx, edx ; ecx = (low dword of) remainder
mov edx, ebx ; edx:eax = quotient
xor ebx, ebx ; ebx:ecx = remainder
ret 16 ; callee restores stack
ifdef TRIVIAL
; dividend < divisor
trivial:
mov ecx, [esp+4] ; ecx = low dword of dividend
mov ebx, eax ; ebx:ecx = remainder = dividend
xor eax, eax
xor edx, edx ; edx:eax = quotient = 0
ret 16 ; callee restores stack
endif
; high dword of divisor <> 0 (so high dword of quotient will be 0):
; perform "extended & adjusted" division
extended:
push edi
mov eax, [esp+16] ; edx:eax = divisor
not ecx ; ecx = number of leading '0' bits in (high dword of) divisor
shld edx, eax, cl ; edx = divisor / 2**(index + 1)
; = divisor'
;; shl eax, cl
mov ebx, edx ; ebx = divisor'
mov edx, [esp+12] ; edx = high dword of dividend
mov eax, [esp+8] ; eax = low dword of dividend
ifndef JCCLESS
xor edi, edi ; edi = high dword of quotient' = 0
cmp edx, ebx
jb short @f ; high dword of dividend < divisor'?
; high dword of dividend >= divisor':
; subtract divisor' from high dword of dividend to prevent possible
; division overflow and set most significant bit of quotient"
sub edx, ebx ; edx = high dword of dividend - divisor'
; = high dword of dividend'
inc edi ; edi = high dword of quotient' = 1
@@:
else
sub edx, ebx ; edx = high dword of dividend - divisor'
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
and edi, ebx ; edi = (high dword of dividend < divisor') ? divisor' : 0
add edx, edi ; edx = high dword of dividend
; - (high dword of dividend < divisor') ? 0 : divisor'
; = high dword of dividend'
neg edi ; CF = (high dword of dividend < divisor')
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
inc edi ; edi = (high dword of dividend < divisor') ? 0 : 1
; = high dword of quotient'
endif ; JCCLESS
; high dword of dividend' < divisor'
div ebx ; eax = dividend' / divisor'
; = low dword of quotient',
; edx = remainder'
shld edi, eax, cl ; edi = quotient' / 2**(index + 1)
; = dividend / divisor
; = quotient"
;; shl eax, cl
mov eax, [esp+16] ; eax = low dword of divisor
mul edi ; edx:eax = low dword of divisor * quotient"
mov ecx, [esp+8]
mov ebx, [esp+12] ; ebx:ecx = dividend
sub ecx, eax
sbb ebx, edx ; ebx:ecx = dividend - low dword of divisor * quotient"
mov eax, [esp+20] ; eax = high dword of divisor
imul eax, edi ; eax = high dword of divisor * quotient"
sub ebx, eax ; ebx:ecx = dividend - divisor * quotient"
; = remainder"
ifndef JCCLESS
jnb short @f ; remainder" >= 0?
; with borrow, it is off by divisor,
; and quotient" is off by 1
if 0
sbb edi, 0 ; edi = quotient" - 1
; = quotient
else
dec edi ; edi = quotient" - 1
; = quotient
endif
add ecx, [esp+16]
adc ebx, [esp+20] ; ebx:ecx = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = remainder
@@:
else
sbb eax, eax ; eax = (remainder" < 0) ? -1 : 0
cdq ; edx = (remainder" < 0) ? -1 : 0
add edi, eax ; edi = quotient" - 1
; = quotient
and eax, [esp+16]
and edx, [esp+20] ; edx:eax = (remainder" < 0) ? divisor : 0
add ecx, eax
adc ebx, edx ; ebx:ecx = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = remainder
endif ; JCCLESS
mov eax, edi ; eax = (low dword of) quotient
xor edx, edx ; edx:eax = quotient
pop edi
ret 16 ; callee restores stack
_aulldvrm endp
; MSC internal _aullrem():
; receives arguments on stack, returns remainder in edx:eax
; NOTE: _aullrem() can raise 'division by zero' exception!
_aullrem proc public ; qword _aullrem(qword dividend, qword divisor)
mov edx, [esp+16] ; edx = high dword of divisor
ifdef TRIVIAL
mov eax, [esp+8] ; eax = high dword of dividend
cmp eax, edx
jb short trivial ; (high dword of) dividend < (high dword of) divisor?
endif
bsr ecx, edx ; ecx = index of leading '1' bit in high dword of divisor
jnz short extended ; high dword of divisor <> 0?
; high dword of divisor = 0 (so high dword of remainder will be 0 too)
mov ecx, [esp+12] ; ecx = (low dword of) divisor
ifndef TRIVIAL
mov eax, [esp+8] ; eax = high dword of dividend
endif
cmp eax, ecx
jae short long ; high dword of dividend >= divisor?
; perform normal division
normal:
mov edx, eax ; edx = high dword of dividend
mov eax, [esp+4] ; edx:eax = dividend
div ecx ; eax = (low dword of) quotient,
; edx = (low dword of) remainder
mov eax, edx ; eax = (low dword of) remainder
xor edx, edx ; edx:eax = remainder
ret 16 ; callee restores stack
; perform "long" alias "schoolbook" division
long:
;; xor edx, edx ; edx:eax = high dword of dividend
div ecx ; eax = high dword of quotient,
; edx = high dword of remainder'
mov eax, [esp+4] ; eax = low dword of dividend
div ecx ; eax = low dword of quotient,
; edx = (low dword of) remainder
mov eax, edx ; eax = (low dword of) remainder
xor edx, edx ; edx:eax = remainder
ret 16 ; callee restores stack
ifdef TRIVIAL
; dividend < divisor
trivial:
mov edx, eax
mov eax, [esp+4] ; edx:eax = remainder = dividend
ret 16 ; callee restores stack
endif
; high dword of divisor <> 0 (so high dword of quotient will be 0):
; perform "extended & adjusted" division
extended:
push ebx
push edi
mov eax, [esp+20] ; edx:eax = divisor
not ecx ; ecx = number of leading '0' bits in (high dword of) divisor
shld edx, eax, cl ; edx = divisor / 2**(index + 1)
; = divisor'
;; shl eax, cl
mov ebx, edx ; ebx = divisor'
mov edx, [esp+16] ; edx = high dword of dividend
mov eax, [esp+12] ; eax = low dword of dividend
ifndef JCCLESS
xor edi, edi ; edi = high dword of quotient' = 0
cmp edx, ebx
jb short @f ; high dword of dividend < divisor'?
; high dword of dividend >= divisor':
; subtract divisor' from high dword of dividend to prevent possible
; division overflow and set most significant bit of quotient"
sub edx, ebx ; edx = high dword of dividend - divisor'
; = high dword of dividend'
inc edi ; edi = high dword of quotient' = 1
@@:
else
sub edx, ebx ; edx = high dword of dividend - divisor'
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
and edi, ebx ; edi = (high dword of dividend < divisor') ? divisor' : 0
add edx, edi ; edx = high dword of dividend
; - (high dword of dividend < divisor') ? 0 : divisor'
; = high dword of dividend'
neg edi ; CF = (high dword of dividend < divisor')
sbb edi, edi ; edi = (high dword of dividend < divisor') ? -1 : 0
inc edi ; edi = (high dword of dividend < divisor') ? 0 : 1
; = high dword of quotient'
endif ; JCCLESS
; high dword of dividend' < divisor'
div ebx ; eax = dividend' / divisor'
; = low dword of quotient',
; edx = remainder'
shld edi, eax, cl ; edi = quotient' / 2**(index + 1)
; = dividend / divisor
; = quotient"
;; shl eax, cl
mov eax, [esp+20] ; eax = low dword of divisor
mul edi ; edx:eax = low dword of divisor * quotient"
mov ecx, [esp+12]
mov ebx, [esp+16] ; ebx:ecx = dividend
sub ecx, eax
sbb ebx, edx ; ebx:ecx = dividend - low dword of divisor * quotient"
mov eax, [esp+24] ; eax = high dword of divisor
imul eax, edi ; eax = high dword of divisor * quotient"
sub ebx, eax ; ebx:ecx = dividend - divisor * quotient"
; = remainder"
ifndef JCCLESS
jnb short @f ; remainder" >= 0?
; with borrow, it is off by divisor
; (and quotient" is off by 1)
add ecx, [esp+20]
adc ebx, [esp+24] ; ebx:ecx = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = remainder
@@:
mov eax, ecx
mov edx, ebx ; edx:eax = remainder
else
sbb eax, eax ; eax = (remainder" < 0) ? -1 : 0
cdq ; edx = (remainder" < 0) ? -1 : 0
and eax, [esp+20]
and edx, [esp+24] ; edx:eax = (remainder" < 0) ? divisor : 0
add eax, ecx
adc edx, ebx ; edx:eax = remainder" + divisor
; = dividend - divisor * (quotient" - 1)
; = dividend - divisor * quotient
; = remainder
endif ; JCCLESS
pop edi
pop ebx
ret 16 ; callee restores stack
_aullrem endp
; MSC internal _aullshr():
; receives arguments in edx:eax and cl, returns result in edx:eax
; NOTE: _aullshr() applies shift count modulo 64
_aullshr proc public ; qword _aullshr(qword value, byte count)
test cl, 32
jnz short @f ; count > 31?
shrd eax, edx, cl
shr edx, cl
ret
@@:
mov eax, edx
shr eax, cl
xor edx, edx
ret
_aullshr endp
end
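The three paths of the unsigned routines above ("normal", "long" and "extended & adjusted" division), as a C model that is added here as an example and is not part of the original sources; the names `bsr32`, `model_aulldvrm` and `model_mismatches` are assumptions. It shows that quotient" is either the true quotient or one too large, that the borrow of the final subtraction tells the two cases apart, and it compares the model with the compiler's own 64-bit operators over constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Quotient and remainder, the pair _aulldvrm returns in edx:eax and ebx:ecx. */
typedef struct { uint64_t quot, rem; } udivrem_t;

/* Index of the most significant '1' bit, like BSR; x must not be 0. */
static unsigned bsr32(uint32_t x)
{
    unsigned index = 0;
    while (x >>= 1)
        index++;
    return index;
}

/* Every '/' and '%' below is a division the DIV instruction can perform
   (64-bit by 32-bit, quotient below 2**32).  The divisor must not be 0. */
udivrem_t model_aulldvrm(uint64_t dividend, uint64_t divisor)
{
    udivrem_t r;
    uint32_t dhi = (uint32_t)(divisor >> 32), dlo = (uint32_t)divisor;
    uint32_t nhi = (uint32_t)(dividend >> 32), nlo = (uint32_t)dividend;

    if (dhi == 0) {                     /* "normal" and "long" division */
        uint32_t qhi = nhi / dlo;       /* 0 on the "normal" path */
        uint64_t rest = ((uint64_t)(nhi % dlo) << 32) | nlo;
        r.quot = ((uint64_t)qhi << 32) | (uint32_t)(rest / dlo);
        r.rem = rest % dlo;
        return r;
    }
    /* "extended & adjusted" division */
    unsigned shift = 31 - bsr32(dhi);   /* leading '0' bits of dhi (cl) */
    uint32_t d1 = (uint32_t)((divisor << shift) >> 32);    /* divisor' */
    uint32_t qtop = 0;                  /* high dword of quotient' */
    if (nhi >= d1) {                    /* keeps DIV from overflowing */
        nhi -= d1;
        qtop = 1;
    }
    uint32_t q1 = (uint32_t)((((uint64_t)nhi << 32) | nlo) / d1);
    /* quotient" = quotient' / 2**(index + 1), the second SHLD */
    uint32_t q2 = (uint32_t)(((((uint64_t)qtop << 32) | q1) << shift) >> 32);

    /* remainder" = dividend - divisor * quotient" (MUL, SUB, SBB, IMUL, SUB) */
    uint64_t t = dividend - (uint64_t)dlo * q2;
    uint32_t thi = (uint32_t)(t >> 32);
    uint32_t h = dhi * q2;
    int borrow = thi < h;               /* CF after the final SUB */
    uint64_t rem = ((uint64_t)(uint32_t)(thi - h) << 32) | (uint32_t)t;
    if (borrow) {                       /* quotient" was one too large */
        q2--;
        rem += divisor;
    }
    r.quot = q2;
    r.rem = rem;
    return r;
}

/* Differential check against the compiler's own 64-bit operators.
   Inputs are constructed: fixed edge values plus a xorshift64 sequence.
   Returns the number of mismatches. */
unsigned model_mismatches(unsigned rounds)
{
    static const uint64_t edge[] = {
        0, 1, 0xFFFFFFFFull, 0x100000000ull, 0x5555555555555556ull,
        0x8000000000000000ull, 0xFFFFFFFF00000001ull, 0xFFFFFFFFFFFFFFFFull
    };
    const unsigned count = sizeof edge / sizeof edge[0];
    uint64_t x = 0x9E3779B97F4A7C15ull;
    unsigned bad = 0, i;

    for (i = 0; i < count * count + rounds; i++) {
        uint64_t n, d;
        if (i < count * count) {
            n = edge[i / count];
            d = edge[i % count];
        } else {
            x ^= x << 13; x ^= x >> 7; x ^= x << 17;
            n = x;
            x ^= x << 13; x ^= x >> 7; x ^= x << 17;
            d = x >> (x & 63);          /* vary the width of the divisor */
        }
        if (d == 0)
            continue;                   /* 'division by zero' in the assembly */
        udivrem_t r = model_aulldvrm(n, d);
        if (r.quot != n / d || r.rem != n % d)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("mismatches: %u\n", model_mismatches(1000000));
    return 0;
}
```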
Create the text file MEM_I386.ASM with the following content in the same directory:
; Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
.386
.model flat, C
.code
memchr proc public ; void *memchr(void *buffer, int cb, size_t count)
mov edx, edi
mov ecx, [esp+12] ; ecx = count
mov eax, [esp+8] ; eax = cb
mov edi, [esp+4] ; edi = buffer
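cmp ecx, 1 ; ZF = 0 if count = 0 (repne scasb then leaves the flags unchanged)
repne scasb ; ZF = 1 if cb was found, else 0
mov eax, 0 ; NOTE: mov does not change the flags
sete al ; eax = (cb found) ? 1 : 0
neg eax ; eax = (cb found) ? -1 : 0
add edi, eax ; edi = (cb found) ? memchr : *
and eax, edi ; eax = (cb found) ? memchr : 0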
mov edi, edx
ret
memchr endp
memcmp proc public ; int memcmp(void *left, void *right, size_t count)
mov ecx, [esp+12] ; ecx = count
mov edx, [esp+8] ; edx = right
mov eax, [esp+4] ; eax = left
cmp eax, edx
je short same ; left = right?
push edi
push esi
mov edi, eax ; edi = left
mov esi, edx ; esi = right
xor eax, eax ; eax = 0,
; CF = 0, ZF = 1 (required when ecx is zero)
repe cmpsb
pop esi
pop edi
seta al ; eax = (left > right) ? 1 : 0
sbb eax, 0 ; eax = (left > right) ? 1 : (left < right) ? -1 : 0
ret
same:
xor eax, eax
ret
memcmp endp
memcpy proc public ; void *memcpy(void *destination, void *source, size_t count)
mov ecx, [esp+12] ; ecx = count
mov edx, [esp+8] ; edx = source
mov eax, [esp+4] ; eax = destination
cmp eax, edx
je short same ; destination = source?
push edi
push esi
mov edi, eax ; edi = destination
mov esi, edx ; esi = source
rep movsb
pop esi
pop edi
same:
ret
memcpy endp
memmove proc public ; void *memmove(void *destination, void *source, size_t count)
mov ecx, [esp+12] ; ecx = count
mov edx, [esp+8] ; edx = source
mov eax, [esp+4] ; eax = destination
cmp eax, edx
je short same ; destination = source?
push edi
push esi
mov edi, eax ; edi = destination
mov esi, edx ; esi = source
jb short default ; destination < source?
;; add edx, ecx
;; cmp edx, eax
;; jbe short default ; source + count <= destination?
overlap:
add edi, ecx
add esi, ecx
dec edi
dec esi
std
default:
rep movsb
cld
pop esi
pop edi
same:
ret
memmove endp
memrchr proc public ; void *memrchr(void *buffer, int cb, size_t count)
mov edx, edi
mov ecx, [esp+12] ; ecx = count
mov eax, [esp+8] ; eax = cb
mov edi, [esp+4] ; edi = buffer
lea edi, [edi+ecx-1]; edi = end of buffer
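cmp ecx, 1 ; ZF = 0 if count = 0 (repne scasb then leaves the flags unchanged)
std
repne scasb ; ZF = 1 if cb was found, else 0
cld
mov eax, 0 ; NOTE: mov does not change the flags
sete al ; eax = (cb found) ? 1 : 0
neg eax ; eax = (cb found) ? -1 : 0
sub edi, eax ; edi = (cb found) ? memrchr : *
and eax, edi ; eax = (cb found) ? memrchr : 0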
mov edi, edx
ret
memrchr endp
memset proc public ; void *memset(void *buffer, int cb, size_t count)
mov edx, edi
mov ecx, [esp+12] ; ecx = count
mov eax, [esp+8] ; eax = cb
mov edi, [esp+4] ; edi = buffer
rep stosb
mov eax, [esp+4] ; eax = buffer
mov edi, edx
ret
memset endp
end
Create the text file STK_I386.ASM with the following content in the same directory:
; Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
.686
.model flat, C
_nt_tib struct 4 ; thread information block
chain dword ? ; address of first exception registration record
base dword ? ; stack base
limit dword ? ; stack limit
dword ? ; address of subsystem thread information block
fiber dword ? ; fiber data
pointer dword ? ; arbitrary user pointer
self dword ? ; address of _nt_tib
_nt_tib ends
.code
; MSC internal intrinsic _alloca() alias _chkstk():
; receives argument in eax, returns result in esp
; NOTE: _alloca() must preserve ALL argument registers;
; it can raise 'stack overflow' exception!
;; alias <_chkstk> = <_alloca_probe_16>
_alloca_probe_16 proc public ; void *_alloca_probe_16(dword size)
_chkstk proc public ; void _chkstk(dword size)
push ebx ; decrement stack pointer, save register
lea ebx, [esp+8] ; ebx = stack pointer of caller
sub ebx, eax ; ebx = new (unaligned) stack pointer
sbb eax, eax ; eax = (ebx < 0) ? -1 : 0
not eax ; eax = (ebx < 0) ? 0 : -1
shl eax, 4 ; eax = (ebx < 0) ? 0 : -16
and eax, ebx ; eax = (ebx < 0) ? 0 : new (aligned) stack pointer
assume fs:nothing
mov ebx, fs:[_nt_tib.limit]
; ebx = (current) stack limit
cmp ebx, eax
jna short done ; stack limit not above new stack pointer?
probe:
sub ebx, 4096 ; ebx = next stack page
test ebx, [ebx] ; probe next stack page, eventually raise
; 'guard page' or 'stack overflow' exception
cmp ebx, eax
ja short probe ; stack limit above new stack pointer?
done:
pop ebx ; restore register
xchg eax, esp ; esp = new stack pointer,
; eax = old stack pointer
push [eax]
ret
_chkstk endp
_alloca_probe_16 endp
end
Create the text file TLS_I386.ASM with the following content in the same directory:
; Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
.386
.model flat, C
public _tls_array
_tls_array equ 44 ; offset of 'ThreadLocalStoragePointer' member in TEB
_tls_32 struct 4 ; IMAGE_TLS_DIRECTORY32
dword offset _tls_start
dword offset _tls_end
dword offset _tls_index
dword 0 ; no callback functions!
dword 0 ; BUG: the module loader does NOT support the 'SizeOfZeroFill' member!
dword 0
_tls_32 ends
_tls_start segment alias(".tls")
_tls_start ends
_tls_end segment alias(".tls$zzz") byte
_tls_end ends
_tls_data segment alias(".data$T") dword
public _tls_index
_tls_index dword -1 ; NOTE: updated by the module loader!
_tls_data ends
_tls_rdata segment alias(".rdata$T") dword readonly
public _tls_used
_tls_used _tls_32 <>
_tls_rdata ends
end
Run the following command lines to generate the object modules FPU_I386.OBJ, GS_I386.OBJ, I64_I386.OBJ, MEM_I386.OBJ, STK_I386.OBJ and TLS_I386.OBJ from the assembly source files created in steps 1. to 6., build the object library MSC_I386.LIB and clean up afterwards:
SET ML=/Cp /Cx /c /safeseh /W3 /X
ML.EXE FPU_I386.ASM
ML.EXE GS_I386.ASM
ML.EXE /DJCCLESS I64_I386.ASM
ML.EXE MEM_I386.ASM
ML.EXE STK_I386.ASM
ML.EXE TLS_I386.ASM
LINK.EXE /LIB /MACHINE:I386 /NODEFAULTLIB /OUT:MSC_I386.LIB FPU_I386.OBJ GS_I386.OBJ I64_I386.OBJ MEM_I386.OBJ STK_I386.OBJ TLS_I386.OBJ
ERASE FPU_I386.OBJ GS_I386.OBJ I64_I386.OBJ MEM_I386.OBJ STK_I386.OBJ TLS_I386.OBJ
Microsoft (R) Macro Assembler Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Assembling: FPU_I386.ASM
Microsoft (R) Macro Assembler Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Assembling: GS_I386.ASM
Microsoft (R) Macro Assembler Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Assembling: I64_I386.ASM
Microsoft (R) Macro Assembler Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Assembling: MEM_I386.ASM
Microsoft (R) Macro Assembler Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Assembling: STK_I386.ASM
Microsoft (R) Macro Assembler Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Assembling: TLS_I386.ASM
Microsoft (R) Library Manager Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
MSC_I386.LIB instead of or before the MSVCRT libraries.
debug strings written from all processes running in the current (user) session with the Win32 function OutputDebugString().
debug strings written with the Win32 function OutputDebugString() are caught and typically displayed by the debugger.
In Win32 processes that are not run under a debugger, the Win32 function OutputDebugString() checks whether the shared memory section DBWIN_BUFFER as well as the events DBWIN_BUFFER_READY and DBWIN_DATA_READY exist; if yes, it waits until the event DBWIN_BUFFER_READY is signaled, writes the process identification and its argument into the shared memory section DBWIN_BUFFER, signals the event DBWIN_DATA_READY and returns to its caller.
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!
The MSDN article Console Handles provides background information.
Create the text file DBWINNER.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
const LPCSTR szCtrlType[] = {"Ctrl-C",
"Ctrl-Break",
"Ctrl-Close",
NULL,
NULL,
"Ctrl-Logoff",
"Ctrl-Shutdown"};
BOOL WINAPI CtrlHandler(DWORD dwCtrlType)
{
switch (dwCtrlType)
{
case CTRL_C_EVENT:
case CTRL_BREAK_EVENT:
case CTRL_CLOSE_EVENT:
case CTRL_LOGOFF_EVENT:
case CTRL_SHUTDOWN_EVENT:
OutputDebugStringA(szCtrlType[dwCtrlType]);
return TRUE;
default:
return FALSE;
}
}
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
WCHAR szBuffer[1025];
DWORD dwBuffer;
DWORD dwConsole;
va_list vaInserts;
va_start(vaInserts, lpFormat);
dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
va_end(vaInserts);
if (dwBuffer == 0)
return FALSE;
if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
return FALSE;
return dwConsole == dwBuffer;
}
typedef struct _dbwin_buffer
{
DWORD dwProcessId;
CHAR szString[4096 - sizeof(DWORD)];
} DBWIN_BUFFER;
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
DBWIN_BUFFER *lpDBWin;
HANDLE hDBWin;
HANDLE hDBWinBuffer;
HANDLE hDBWinData;
DWORD dwDBWinData;
DWORD dwString;
DWORD dwError = ERROR_SUCCESS;
DWORD dwProcessId = 0;
DWORD dwCurrentProcessId = GetCurrentProcessId();
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
hDBWin = CreateFileMapping(INVALID_HANDLE_VALUE,
(LPSECURITY_ATTRIBUTES) NULL,
PAGE_READWRITE,
0,
sizeof(DBWIN_BUFFER),
L"DBWIN_BUFFER");
dwError = GetLastError();
if (hDBWin == NULL)
PrintConsole(hConsole,
L"CreateFileMapping() returned error %lu\n",
dwError);
else
{
if (dwError == ERROR_ALREADY_EXISTS)
PrintConsole(hConsole,
L"Shared section \'DBWIN_BUFFER\' already created by another process!\n");
else
{
hDBWinBuffer = CreateEvent((LPSECURITY_ATTRIBUTES) NULL,
FALSE,
FALSE,
L"DBWIN_BUFFER_READY");
dwError = GetLastError();
if (hDBWinBuffer == NULL)
PrintConsole(hConsole,
L"CreateEvent() returned error %lu\n",
dwError);
else
{
if (dwError == ERROR_ALREADY_EXISTS)
PrintConsole(hConsole,
L"Event \'DBWIN_BUFFER_READY\' already created by another process!\n");
else
{
hDBWinData = CreateEvent((LPSECURITY_ATTRIBUTES) NULL,
FALSE,
FALSE,
L"DBWIN_DATA_READY");
dwError = GetLastError();
if (hDBWinData == NULL)
PrintConsole(hConsole,
L"CreateEvent() returned error %lu\n",
dwError);
else
{
if (dwError == ERROR_ALREADY_EXISTS)
PrintConsole(hConsole,
L"Event \'DBWIN_DATA_READY\' already created by another process!\n");
else
{
lpDBWin = MapViewOfFile(hDBWin,
SECTION_MAP_READ | SECTION_MAP_WRITE,
0, 0, 0);
if (lpDBWin == NULL)
PrintConsole(hConsole,
L"MapViewOfFile() returned error %lu\n",
dwError = GetLastError());
else
{
if (!SetConsoleCtrlHandler(CtrlHandler, TRUE))
PrintConsole(hConsole,
L"SetConsoleCtrlHandler() returned error %lu\n",
dwError = GetLastError());
PrintConsole(hConsole,
L"Press \'Ctrl-C\' or \'Ctrl-Break\' to terminate!\n"
L"\n"
L"Process\tDebug String\n");
do
{
dwDBWinData = SignalObjectAndWait(hDBWinBuffer,
hDBWinData,
INFINITE,
FALSE);
if (dwDBWinData != WAIT_OBJECT_0)
break;
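lpDBWin->szString[sizeof(lpDBWin->szString) - 1] = '\0'; // other processes write this section: force termination before strlen()
dwString = strlen(lpDBWin->szString);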
while ((dwString-- > 0)
&& ((lpDBWin->szString[dwString] == ' ')
|| (lpDBWin->szString[dwString] == '\a')
|| (lpDBWin->szString[dwString] == '\b')
|| (lpDBWin->szString[dwString] == '\f')
|| (lpDBWin->szString[dwString] == '\n')
|| (lpDBWin->szString[dwString] == '\r')
|| (lpDBWin->szString[dwString] == '\t')
|| (lpDBWin->szString[dwString] == '\v')))
/* lpDBWin->szString[dwString] = '\0' */;
lpDBWin->szString[++dwString] = '\0';
if (lpDBWin->dwProcessId != dwProcessId)
PrintConsole(hConsole,
L"\n"
L"%7lu\t%hs\n",
dwProcessId = lpDBWin->dwProcessId,
lpDBWin->szString);
else
PrintConsole(hConsole,
L"\t%hs\n",
lpDBWin->szString);
}
while (dwProcessId != dwCurrentProcessId);
if (dwDBWinData == WAIT_FAILED)
PrintConsole(hConsole,
L"SignalObjectAndWait() returned error %lu\n",
dwError = GetLastError());
if (!SetConsoleCtrlHandler(CtrlHandler, FALSE))
PrintConsole(hConsole,
L"SetConsoleCtrlHandler() returned error %lu\n",
GetLastError());
if (!UnmapViewOfFile(lpDBWin))
PrintConsole(hConsole,
L"UnmapViewOfFile() returned error %lu\n",
GetLastError());
}
}
if (!CloseHandle(hDBWinData))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
}
if (!CloseHandle(hDBWinBuffer))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
}
if (!CloseHandle(hDBWin))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
if (!CloseHandle(hConsole))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
ExitProcess(dwError);
}
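The monitor above works on the DBWIN_BUFFER section in place, while other processes write into it. The following portable C is an added example, not part of DBWINNER.C, that treats one record as untrusted input: it copies the section once, bounds the string length, trims the same trailing characters as the monitor and replaces remaining control characters before display. The record layout is the page's DBWIN_BUFFER structure; the names `dbwin_record`, `dbwin_parse` and `dbwin_fill` and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DBWIN_SIZE 4096u               /* sizeof(DBWIN_BUFFER) in DBWINNER.C */
#define DBWIN_TEXT (DBWIN_SIZE - 4u)   /* sizeof(szString) */

typedef struct {
    uint32_t pid;                      /* dwProcessId as found in the section */
    size_t length;                     /* length of text, without terminator */
    char text[DBWIN_TEXT + 1];         /* cleaned copy, always terminated */
} dbwin_record;

/* Same set as the monitor's trimming loop: ' ' and \a \b \t \n \v \f \r */
static int is_trailing_junk(unsigned char c)
{
    return c == ' ' || (c >= '\a' && c <= '\r');
}

/* Returns 0 for a terminated string, 1 if the section held no terminator
   (the text is then cut at the end of the section), -1 for bad arguments. */
int dbwin_parse(const void *section, size_t size, dbwin_record *out)
{
    unsigned char snapshot[DBWIN_SIZE];
    const unsigned char *text = snapshot + 4;
    const unsigned char *end;
    size_t i, length;
    int truncated;

    if (section == NULL || out == NULL || size != DBWIN_SIZE)
        return -1;
    /* Read the shared data exactly once; all checks run on the copy,
       so a writer cannot change the bytes between check and use. */
    memcpy(snapshot, section, DBWIN_SIZE);
    out->pid = (uint32_t)snapshot[0] | (uint32_t)snapshot[1] << 8
             | (uint32_t)snapshot[2] << 16 | (uint32_t)snapshot[3] << 24;

    end = memchr(text, '\0', DBWIN_TEXT);           /* bounded strlen() */
    truncated = (end == NULL);
    length = truncated ? DBWIN_TEXT : (size_t)(end - text);
    while (length > 0 && is_trailing_junk(text[length - 1]))
        length--;
    for (i = 0; i < length; i++)                    /* no raw control bytes */
        out->text[i] = (text[i] < 0x20 || text[i] == 0x7F) ? '.' : (char)text[i];
    out->text[length] = '\0';
    out->length = length;
    return truncated;
}

/* Constructed sample: a section image with stale non-zero residue,
   a little-endian process id and 'count' bytes of string data. */
void dbwin_fill(unsigned char *section, uint32_t pid, const void *bytes, size_t count)
{
    memset(section, 'A', DBWIN_SIZE);
    section[0] = (unsigned char)pid;
    section[1] = (unsigned char)(pid >> 8);
    section[2] = (unsigned char)(pid >> 16);
    section[3] = (unsigned char)(pid >> 24);
    memcpy(section + 4, bytes, count > DBWIN_TEXT ? DBWIN_TEXT : count);
}

int main(void)
{
    static unsigned char section[DBWIN_SIZE];
    static dbwin_record record;
    static const char sample[] = "a\x1b[2Jb \r\n";  /* constructed debug string */

    dbwin_fill(section, 1234, sample, sizeof sample);
    if (dbwin_parse(section, sizeof section, &record) >= 0)
        printf("%7lu\t%s\n", (unsigned long)record.pid, record.text);
    return 0;
}
```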
Run the following four command lines to compile the source file DBWINNER.C created in step 1., link the compiled object file DBWINNER.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"Debug String Monitor.com" /RELEASE /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE DBWINNER.C
ERASE DBWINNER.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
DBWINNER.C
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Create the text file DBWINNER.TXT with the following content in an arbitrary, preferably empty directory:
Decode the dump file DBWINNER.TXT created in step 3. to recreate the console application Debug String Monitor:
CERTUTIL.EXE /DecodeHex /V DBWINNER.TXT DBWINNER.COM
Input Length = 15232
Output Length = 3584
CertUtil: -decodehex command completed successfully.
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file or a pipe, i.e. redirection of standard error or standard output is not supported!
The MSDN article Console Handles provides background information.
Create the text file NOTIFIER.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individual's use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

#define FILE_NOTIFY_CHANGE_UNDOCUMENTED 0x00000E80UL
#define FILE_NOTIFY_CHANGE_ANY          0x00000FFFUL
#define FILE_NOTIFY_CHANGE_INVALID      0xFFFFF000UL

// Formats a message with wvsprintf() (at most 1024 characters of output)
// and writes it to the console; returns TRUE if it was written completely

__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
    WCHAR   szBuffer[1025];
    DWORD   dwBuffer;
    DWORD   dwConsole;

    va_list vaInserts;
    va_start(vaInserts, lpFormat);

    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);

    va_end(vaInserts);

    if (dwBuffer == 0)
        return FALSE;

    if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
        return FALSE;

    return dwConsole == dwBuffer;
}

// Handles of the worker threads, one per directory given on the command line

HANDLE hThreads[MAXIMUM_WAIT_OBJECTS];
DWORD  dwThreads = 0;

const LPCWSTR szCtrlType[] = {L"C",
                              L"Break",
                              L"Close",
                              NULL,
                              NULL,
                              L"Logoff",
                              L"Shutdown"};

// Console control handler: cancels the pending synchronous
// ReadDirectoryChangesW() call of every worker thread

BOOL WINAPI CtrlHandler(DWORD dwCtrlType)
{
    DWORD  dwThread = dwThreads;
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    switch (dwCtrlType)
    {
    case CTRL_C_EVENT:
    case CTRL_BREAK_EVENT:
    case CTRL_CLOSE_EVENT:
    case CTRL_LOGOFF_EVENT:
    case CTRL_SHUTDOWN_EVENT:

        PrintConsole(hConsole,
                     L"Ctrl-%ls\n",
                     szCtrlType[dwCtrlType]);

        while (dwThread-- > 0)
            if (!CancelSynchronousIo(hThreads[dwThread]))
                PrintConsole(hConsole,
                             L"CancelSynchronousIo() returned error %lu for thread 0x%p\n",
                             GetLastError(), hThreads[dwThread]);
        return TRUE;

    default:
        return FALSE;
    }
}

const LPCWSTR lpAction[] = {NULL,
                            L"Added",
                            L"Removed",
                            L"Modified",
                            L"Renamed from",
                            L"Renamed to"};

// Worker thread: opens one directory and prints its change notifications
// until ReadDirectoryChangesW() fails or is cancelled

__declspec(safebuffers)
DWORD WINAPI ThreadProc(LPCWSTR lpArgument)
{
    FILE_NOTIFY_INFORMATION *lpEntry;
#if 0
    BY_HANDLE_FILE_INFORMATION bhfi;
#else
    FILE_ATTRIBUTE_TAG_INFO fati;
#endif
    HANDLE hArgument;
    WCHAR  szArgument[MAX_PATH];
    DWORD  dwArgument;
    DWORD  dwError = ERROR_SUCCESS;
    DWORD  dwEntry;
    DWORD  dwName;
    WCHAR  wcName;
    // one spare DWORD behind the 64 KiB handed to ReadDirectoryChangesW(),
    // so that the WCHAR behind the last file name always lies inside the array
    DWORD  dwBuffer[65536 / sizeof(DWORD) + 1];
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        hArgument = CreateFile(lpArgument,
                               FILE_LIST_DIRECTORY,
                               FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
                               (LPSECURITY_ATTRIBUTES) NULL,
                               OPEN_EXISTING,
                               FILE_FLAG_BACKUP_SEMANTICS,
                               (HANDLE) NULL);

        if (hArgument == INVALID_HANDLE_VALUE)
            PrintConsole(hConsole,
                         L"CreateFile() returned error %lu for argument \'%ls\'\n",
                         dwError = GetLastError(), lpArgument);
        else
        {
            // accept only a real directory, not a file and not a reparse point
#if 0
            if (!GetFileInformationByHandle(hArgument,
                                            &bhfi))
                PrintConsole(hConsole,
                             L"GetFileInformationByHandle() returned error %lu for argument \'%ls\'\n",
                             dwError = GetLastError(), lpArgument);
            else
                if (((bhfi.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
                 || ((bhfi.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == FILE_ATTRIBUTE_REPARSE_POINT))
#else
            if (!GetFileInformationByHandleEx(hArgument,
                                              FileAttributeTagInfo,
                                              &fati,
                                              sizeof(fati)))
                PrintConsole(hConsole,
                             L"GetFileInformationByHandleEx() returned error %lu for argument \'%ls\'\n",
                             dwError = GetLastError(), lpArgument);
            else
                if (((fati.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
                 || ((fati.FileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == FILE_ATTRIBUTE_REPARSE_POINT))
#endif
                    PrintConsole(hConsole,
                                 L"Argument \'%ls\' is not a directory!\n",
                                 lpArgument);
                else
                {
                    dwArgument = GetFinalPathNameByHandle(hArgument,
                                                          szArgument,
                                                          sizeof(szArgument) / sizeof(*szArgument),
                                                          FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);
                    if (dwArgument == 0)
                        PrintConsole(hConsole,
                                     L"GetFinalPathNameByHandle() returned error %lu for argument \'%ls\'\n",
                                     dwError = GetLastError(), lpArgument);
                    else
                    {
                        while (ReadDirectoryChangesW(hArgument,
                                                     dwBuffer,
                                                     sizeof(dwBuffer) - sizeof(*dwBuffer),
                                                     TRUE,
#ifdef FILE_NOTIFY_CHANGE_ALL
                                                     FILE_NOTIFY_CHANGE_ALL,
#else
                                                     FILE_NOTIFY_CHANGE_ATTRIBUTES | FILE_NOTIFY_CHANGE_CREATION | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_ACCESS | FILE_NOTIFY_CHANGE_LAST_WRITE | FILE_NOTIFY_CHANGE_SECURITY | FILE_NOTIFY_CHANGE_SIZE,
#endif
                                                     &dwEntry,
                                                     (LPOVERLAPPED) NULL,
                                                     (LPOVERLAPPED_COMPLETION_ROUTINE) NULL))
                            for (lpEntry = (PFILE_NOTIFY_INFORMATION) dwBuffer; dwEntry != 0; (LPBYTE) lpEntry += dwEntry)
                            {
                                dwEntry = lpEntry->NextEntryOffset;

                                // the file name is not NUL-terminated, and the next entry
                                // can start directly behind it: save the WCHAR behind the
                                // name, put the terminator there for the output and
                                // restore the saved WCHAR afterwards
                                dwName = lpEntry->FileNameLength / sizeof(lpEntry->FileName[0]);
                                wcName = lpEntry->FileName[dwName];
                                lpEntry->FileName[dwName] = L'\0';

                                // szArgument + 4 skips the "\\?\" prefix
                                PrintConsole(hConsole,
                                             L"%ls %ls\\%ls\n",
                                             lpAction[lpEntry->Action], szArgument + 4, lpEntry->FileName);

                                lpEntry->FileName[dwName] = wcName;
                            }

                        PrintConsole(hConsole,
                                     L"ReadDirectoryChanges() returned error %lu for directory \'%ls\'\n",
                                     dwError = GetLastError(), szArgument + 4);
                    }
                }

            if (!CloseHandle(hArgument))
                PrintConsole(hConsole,
                             L"CloseHandle() returned error %lu\n",
                             GetLastError());
        }
    }

    return dwError;
}

// Entry point: starts one worker thread per directory argument
// and waits until all of them have terminated

__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    LPWSTR *lpArguments;
    INT    nArguments;
    INT    nArgument = 1;
    DWORD  dwError = ERROR_BAD_ARGUMENTS;
    DWORD  dwThreadId;
    HANDLE hThread;
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

        if (lpArguments == NULL)
            PrintConsole(hConsole,
                         L"CommandLineToArgv() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
            if (nArguments < 2)
                PrintConsole(hConsole,
                             L"Too few arguments: at least one directory name must be given!\n");
            else if (nArguments > sizeof(hThreads) / sizeof(*hThreads) + 1)
                PrintConsole(hConsole,
                             L"Too many arguments: at most %lu directory names may be given!\n",
                             sizeof(hThreads) / sizeof(*hThreads));
            else
            {
                do
                {
                    hThread = CreateThread((LPSECURITY_ATTRIBUTES) NULL,
                                           (SIZE_T) 65536,
                                           ThreadProc,
                                           lpArguments[nArgument],
                                           0,
                                           &dwThreadId);
                    if (hThread == NULL)
                        PrintConsole(hConsole,
                                     L"CreateThread() returned error %lu\n",
                                     dwError = GetLastError());
                    else
                    {
                        hThreads[dwThreads++] = hThread;

                        PrintConsole(hConsole,
                                     L"Thread %lu created for argument \'%ls\'\n",
                                     dwThreadId, lpArguments[nArgument]);
                    }
                } while (++nArgument < nArguments);

                if (dwThreads > 0)
                {
                    if (!SetConsoleCtrlHandler(CtrlHandler, TRUE))
                        PrintConsole(hConsole,
                                     L"SetConsoleCtrlHandler() returned error %lu\n",
                                     dwError = GetLastError());

                    PrintConsole(hConsole,
                                 L"Press \'Ctrl-C\' or \'Ctrl-Break\' to terminate!\n"
                                 L"\n");

                    if (WaitForMultipleObjects(dwThreads,
                                               hThreads,
                                               TRUE,
                                               INFINITE) == WAIT_FAILED)
                        PrintConsole(hConsole,
                                     L"WaitForMultipleObjects() returned error %lu\n",
                                     dwError = GetLastError());
                    else
                        do
                            if (!CloseHandle(hThreads[--dwThreads]))
                                PrintConsole(hConsole,
                                             L"CloseHandle() returned error %lu\n",
                                             GetLastError());
                        while (dwThreads > 0);

                    if (!SetConsoleCtrlHandler(CtrlHandler, FALSE))
                        PrintConsole(hConsole,
                                     L"SetConsoleCtrlHandler() returned error %lu\n",
                                     GetLastError());
                }
            }

            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                             L"LocalFree() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}
ReadDirectoryChangesW()
Run the following four command lines to compile the source file NOTIFIER.C created in step 1., link the compiled object file NOTIFIER.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gs69632 /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:6.0 /OUT:"Directory Change Notifier.com" /RELEASE /SUBSYSTEM:CONSOLE,6.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE NOTIFIER.C
ERASE NOTIFIER.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

NOTIFIER.C
NOTIFIER.C(185) : warning C4213: nonstandard extension used : cast on l-value
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
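The walk over the change records that NOTIFIER.C performs on the buffer filled by ReadDirectoryChangesW(), as an added example that is not part of the author's sources: a portable C model of the record chain (three little-endian DWORDs followed by a UTF-16 name that is not NUL-terminated) with a bounds-checked, read-only walk, next to a model of storing the terminator inside the buffer without restoring it, which cuts the chain short when a name fills its record exactly. The function names, the `change` structure and the `SAMPLE` buffer are assumptions constructed for this illustration.

```c
/* Added example: portable model of a ReadDirectoryChangesW() result buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 12u /* NextEntryOffset, Action, FileNameLength: little-endian DWORDs */

static uint32_t get32(const unsigned char *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Labels of the page's lpAction table; any other value maps to "Unknown". */
const char *action_name(uint32_t action)
{
    static const char *const names[] = {"Added", "Removed", "Modified",
                                        "Renamed from", "Renamed to"};
    return action >= 1 && action <= 5 ? names[action - 1] : "Unknown";
}

typedef struct { uint32_t action; char name[32]; } change;

/* Read-only walk: copies up to max records to out and returns the record
   count, or -1 if a length or offset points outside the bytes returned. */
int walk_records(const unsigned char *buf, size_t bytes, change *out, int max)
{
    size_t off = 0, left, chars, i;
    uint32_t next, len;
    int n = 0;

    while (bytes != 0) { /* 0 bytes returned: overflow, the caller must rescan */
        left = bytes - off;
        if (left < HDR) return -1;
        next = get32(buf + off);
        len = get32(buf + off + 8);
        if (len % 2 != 0 || len > left - HDR) return -1;
        if (n < max) {
            chars = len / 2;
            if (chars > sizeof out[n].name - 1) chars = sizeof out[n].name - 1;
            for (i = 0; i < chars; i++) { /* UTF-16LE to ASCII, demo only */
                const unsigned char *c = buf + off + HDR + 2 * i;
                out[n].name[i] = (c[1] == 0 && c[0] < 0x80) ? (char)c[0] : '?';
            }
            out[n].name[chars] = '\0'; /* the terminator goes into the copy */
            out[n].action = get32(buf + off + 4);
        }
        n++;
        if (next == 0) break;
        if (next % 4 != 0 || next < (size_t)HDR + len || next >= left) return -1;
        off += next;
    }
    return n;
}

/* Model of storing a 16-bit NUL behind each name inside the buffer without
   restoring it; the guard keeps the demo inside buf. Returns records reached. */
int walk_terminating_in_place(unsigned char *buf, size_t bytes)
{
    size_t off = 0, end;
    uint32_t next;
    int n = 0;

    while (bytes != 0) {
        next = get32(buf + off);
        end = off + HDR + get32(buf + off + 8);
        if (end + 2 <= bytes) buf[end] = buf[end + 1] = 0;
        n++;
        if (next == 0) break;
        off += next;
    }
    return n;
}

/* Constructed sample, not captured output: "ab" fills its 16-byte record
   exactly, so the second record starts directly behind the name; 0xAA marks
   padding, which the walk must not rely on being zero. */
static const unsigned char SAMPLE[60] = {
    16, 0, 0, 0, 1, 0, 0, 0, 4, 0, 0, 0, 'a', 0, 'b', 0,
    24, 0, 0, 0, 3, 0, 0, 0, 10, 0, 0, 0,
    'c', 0, '.', 0, 't', 0, 'x', 0, 't', 0, 0xAA, 0xAA,
    0, 0, 0, 0, 2, 0, 0, 0, 6, 0, 0, 0, 'l', 0, 'o', 0, 'g', 0, 0xAA, 0xAA
};

int main(void)
{
    unsigned char copy[sizeof SAMPLE];
    change out[4];
    int i, n = walk_records(SAMPLE, sizeof SAMPLE, out, 4);

    for (i = 0; i < n; i++)
        printf("%s %s\n", action_name(out[i].action), out[i].name);
    memcpy(copy, SAMPLE, sizeof SAMPLE);
    printf("without restoring: %d of %d records reached\n",
           walk_terminating_in_place(copy, sizeof copy), n);
    return 0;
}
```

The unrestored terminator zeroes the low word of the second record's NextEntryOffset, so the third record is never reached; copying the name out with its explicit length avoids writing to the buffer at all.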
Create the text file NOTIFIER.TXT with the following content in an arbitrary, preferably empty directory:
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 r. .%.l.u. .f.o.
72 00 20 00 61 00 72 00 67 00 75 00 6d 00 65 00 r. .a.r.g.u.m.e.
6e 00 74 00 20 00 27 00 25 00 6c 00 73 00 27 00 n.t. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 47 00 65 00 74 00 46 00 ........G.e.t.F.
69 00 6c 00 65 00 49 00 6e 00 66 00 6f 00 72 00 i.l.e.I.n.f.o.r.
6d 00 61 00 74 00 69 00 6f 00 6e 00 42 00 79 00 m.a.t.i.o.n.B.y.
48 00 61 00 6e 00 64 00 6c 00 65 00 45 00 78 00 H.a.n.d.l.e.E.x.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 r. .%.l.u. .f.o.
72 00 20 00 61 00 72 00 67 00 75 00 6d 00 65 00 r. .a.r.g.u.m.e.
6e 00 74 00 20 00 27 00 25 00 6c 00 73 00 27 00 n.t. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 43 00 72 00 65 00 61 00 ........C.r.e.a.
74 00 65 00 46 00 69 00 6c 00 65 00 28 00 29 00 t.e.F.i.l.e.(.).
20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 .r.e.t.u.r.n.e.
64 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 d. .e.r.r.o.r. .
25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 20 00 %.l.u. .f.o.r. .
61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 a.r.g.u.m.e.n.t.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
57 00 61 00 69 00 74 00 46 00 6f 00 72 00 4d 00 W.a.i.t.F.o.r.M.
75 00 6c 00 74 00 69 00 70 00 6c 00 65 00 4f 00 u.l.t.i.p.l.e.O.
62 00 6a 00 65 00 63 00 74 00 73 00 28 00 29 00 b.j.e.c.t.s.(.).
20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 .r.e.t.u.r.n.e.
64 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 d. .e.r.r.o.r. .
25 00 6c 00 75 00 0a 00 00 00 00 00 00 00 00 00 %.l.u...........
50 00 72 00 65 00 73 00 73 00 20 00 27 00 43 00 P.r.e.s.s. .'.C.
74 00 72 00 6c 00 2d 00 43 00 27 00 20 00 6f 00 t.r.l.-.C.'. .o.
72 00 20 00 27 00 43 00 74 00 72 00 6c 00 2d 00 r. .'.C.t.r.l.-.
42 00 72 00 65 00 61 00 6b 00 27 00 20 00 74 00 B.r.e.a.k.'. .t.
6f 00 20 00 74 00 65 00 72 00 6d 00 69 00 6e 00 o. .t.e.r.m.i.n.
61 00 74 00 65 00 21 00 0a 00 0a 00 00 00 00 00 a.t.e.!.........
53 00 65 00 74 00 43 00 6f 00 6e 00 73 00 6f 00 S.e.t.C.o.n.s.o.
6c 00 65 00 43 00 74 00 72 00 6c 00 48 00 61 00 l.e.C.t.r.l.H.a.
6e 00 64 00 6c 00 65 00 72 00 28 00 29 00 20 00 n.d.l.e.r.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 54 00 68 00 72 00 65 00 l.u.....T.h.r.e.
61 00 64 00 20 00 25 00 6c 00 75 00 20 00 63 00 a.d. .%.l.u. .c.
72 00 65 00 61 00 74 00 65 00 64 00 20 00 66 00 r.e.a.t.e.d. .f.
6f 00 72 00 20 00 61 00 72 00 67 00 75 00 6d 00 o.r. .a.r.g.u.m.
65 00 6e 00 74 00 20 00 27 00 25 00 6c 00 73 00 e.n.t. .'.%.l.s.
27 00 0a 00 00 00 00 00 43 00 72 00 65 00 61 00 '.......C.r.e.a.
74 00 65 00 54 00 68 00 72 00 65 00 61 00 64 00 t.e.T.h.r.e.a.d.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 00 00 r. .%.l.u.......
54 00 6f 00 6f 00 20 00 6d 00 61 00 6e 00 79 00 T.o.o. .m.a.n.y.
20 00 61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 .a.r.g.u.m.e.n.
74 00 73 00 3a 00 20 00 61 00 74 00 20 00 6d 00 t.s.:. .a.t. .m.
6f 00 73 00 74 00 20 00 25 00 6c 00 75 00 20 00 o.s.t. .%.l.u. .
64 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 d.i.r.e.c.t.o.r.
79 00 20 00 6e 00 61 00 6d 00 65 00 73 00 20 00 y. .n.a.m.e.s. .
6d 00 61 00 79 00 20 00 62 00 65 00 20 00 67 00 m.a.y. .b.e. .g.
69 00 76 00 65 00 6e 00 21 00 0a 00 00 00 00 00 i.v.e.n.!.......
4c 00 6f 00 63 00 61 00 6c 00 46 00 72 00 65 00 L.o.c.a.l.F.r.e.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
54 00 6f 00 6f 00 20 00 66 00 65 00 77 00 20 00 T.o.o. .f.e.w. .
61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 a.r.g.u.m.e.n.t.
73 00 3a 00 20 00 61 00 74 00 20 00 6c 00 65 00 s.:. .a.t. .l.e.
61 00 73 00 74 00 20 00 6f 00 6e 00 65 00 20 00 a.s.t. .o.n.e. .
64 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 d.i.r.e.c.t.o.r.
79 00 20 00 6e 00 61 00 6d 00 65 00 20 00 6d 00 y. .n.a.m.e. .m.
75 00 73 00 74 00 20 00 62 00 65 00 20 00 67 00 u.s.t. .b.e. .g.
69 00 76 00 65 00 6e 00 21 00 0a 00 00 00 00 00 i.v.e.n.!.......
43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 4c 00 C.o.m.m.a.n.d.L.
69 00 6e 00 65 00 54 00 6f 00 41 00 72 00 67 00 i.n.e.T.o.A.r.g.
76 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 v.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
f0 37 00 00 00 00 00 00 00 00 00 00 64 39 00 00 .7..........d9..
00 30 00 00 30 38 00 00 00 00 00 00 00 00 00 00 .0..08..........
88 39 00 00 40 30 00 00 38 38 00 00 00 00 00 00 .9..@0..88......
00 00 00 00 a2 39 00 00 48 30 00 00 00 00 00 00 .....9..H0......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
40 38 00 00 50 38 00 00 66 38 00 00 76 38 00 00 @8..P8..f8..v8..
86 38 00 00 94 38 00 00 ac 38 00 00 c8 38 00 00 .8...8...8...8..
e8 38 00 00 f6 38 00 00 10 39 00 00 28 39 00 00 .8...8...9..(9..
38 39 00 00 46 39 00 00 52 39 00 00 00 00 00 00 89..F9..R9......
72 39 00 00 00 00 00 00 94 39 00 00 00 00 00 00 r9.......9......
24 05 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 $.WriteConsoleW.
44 00 43 61 6e 63 65 6c 53 79 6e 63 68 72 6f 6e D.CancelSynchron
6f 75 73 49 6f 00 02 02 47 65 74 4c 61 73 74 45 ousIo...GetLastE
72 72 6f 72 00 00 64 02 47 65 74 53 74 64 48 61 rror..d.GetStdHa
6e 64 6c 65 00 00 52 00 43 6c 6f 73 65 48 61 6e ndle..R.CloseHan
64 6c 65 00 bf 03 52 65 61 64 44 69 72 65 63 74 dle...ReadDirect
6f 72 79 43 68 61 6e 67 65 73 57 00 f5 01 47 65 oryChangesW...Ge
74 46 69 6e 61 6c 50 61 74 68 4e 61 6d 65 42 79 tFinalPathNameBy
48 61 6e 64 6c 65 57 00 ed 01 47 65 74 46 69 6c HandleW...GetFil
65 49 6e 66 6f 72 6d 61 74 69 6f 6e 42 79 48 61 eInformationByHa
6e 64 6c 65 45 78 00 00 8f 00 43 72 65 61 74 65 ndleEx....Create
46 69 6c 65 57 00 f7 04 57 61 69 74 46 6f 72 4d FileW...WaitForM
75 6c 74 69 70 6c 65 4f 62 6a 65 63 74 73 00 00 ultipleObjects..
2d 04 53 65 74 43 6f 6e 73 6f 6c 65 43 74 72 6c -.SetConsoleCtrl
48 61 6e 64 6c 65 72 00 b5 00 43 72 65 61 74 65 Handler...Create
54 68 72 65 61 64 00 00 19 01 45 78 69 74 50 72 Thread....ExitPr
6f 63 65 73 73 00 48 03 4c 6f 63 61 6c 46 72 65 ocess.H.LocalFre
65 00 87 01 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 e...GetCommandLi
6e 65 57 00 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c neW.KERNEL32.dll
00 00 06 00 43 6f 6d 6d 61 6e 64 4c 69 6e 65 54 ....CommandLineT
6f 41 72 67 76 57 00 00 53 48 45 4c 4c 33 32 2e oArgvW..SHELL32.
64 6c 6c 00 35 03 77 76 73 70 72 69 6e 74 66 57 dll.5.wvsprintfW
00 00 55 53 45 52 33 32 2e 64 6c 6c 00 00 00 00 ..USER32.dll....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file NOTIFIER.TXT created in step 3. to recreate the console application Directory Change Notifier:
CERTUTIL.EXE /DecodeHex /V NOTIFIER.TXT NOTIFIER.COM
Input Length = 19584
Output Length = 4608
CertUtil: -decodehex command completed successfully.
.pol, are used either to store the Registry keys and entries (to be) applied by Group Policies as well as Local Security Policies, or to restore the previous contents of Registry keys and entries modified by Group Policies as well as Local Security Policies.
The MSDN article Registry Policy File Format documents their format.
The MSKB article How to add, modify, or delete registry subkeys and values by using a .reg file documents the format of Registry Editor script files, typically created with the extension .reg.
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!
The MSDN article Console Handles provides background information.
Create the text file POLYGLOT.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>

// * The software is provided "as is" without any warranty, neither express
//   nor implied.
// * In no event will the author be held liable for any damage(s) arising
//   from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
//   and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
//   as an agent, (independent) contractor, employee, member or officer of
//   a business, corporation or organization (commercial or non-commercial)
//   does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
//   for a business, for commercial, corporate, governmental, military or
//   organizational purposes of any kind, or in a commercial, corporate,
//   governmental, military or organizational environment of any kind.

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>

#define REGFILE_SIGNATURE       'geRP'  // "PReg" read as little-endian DWORD
#define REGISTRY_FILE_VERSION   1UL

typedef unsigned __int64 QWORD, *LPQWORD;

// Format a message with wvsprintf() (at most 1024 characters) and write it
// with WriteConsole(); returns FALSE when nothing or not everything was written.
__declspec(safebuffers)
BOOL    PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
    WCHAR   szBuffer[1025];
    DWORD   dwBuffer;
    DWORD   dwConsole;

    va_list vaInserts;
    va_start(vaInserts, lpFormat);

    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);

    va_end(vaInserts);

    if (dwBuffer == 0)
        return FALSE;

    if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
        return FALSE;

    return dwConsole == dwBuffer;
}

const   LPCWSTR szHKEY[8] = {L"HKEY_CLASSES_ROOT",
                             L"HKEY_CURRENT_USER",
                             L"HKEY_LOCAL_MACHINE",
                             L"HKEY_USERS",
                             L"HKEY_PERFORMANCE_DATA",
                             L"HKEY_CURRENT_CONFIG",
                             L"HKEY_DYN_DATA",
                             L"HKEY_CURRENT_USER_LOCAL_SETTINGS"};

const   LPCWSTR szTYPE[12] = {L"NONE",
                              L"SZ",
                              L"EXPAND_SZ",
                              L"BINARY",
                              L"DWORD",     // alias DWORD_LITTLE_ENDIAN
                              L"DWORD_BIG_ENDIAN",
                              L"LINK",
                              L"MULTI_SZ",
                              L"RESOURCE_LIST",
                              L"FULL_RESOURCE_DESCRIPTOR",
                              L"RESOURCE_REQUIREMENTS_LIST",
                              L"QWORD"};    // alias QWORD_LITTLE_ENDIAN

const   LPCWSTR szType[12] = {L"none:",
                              L"",
                              L"expand:",
                              L"hex:",
                              L"dword:",
                              L"dword:",
                              L"link:",
                              L"multi:",
                              L"hex(8):",
                              L"hex(9):",
                              L"hex(a):",
                              L"qword:"};

// Map the registry policy file read-only and print its records in the
// syntax of a Registry Editor script
DWORD   WINAPI  Polyglot(HANDLE hConsole, HKEY hkHKEY, LPCWSTR lpArgument)
{
#ifdef REGISTRY
    LPCWSTR lpHKEY = szHKEY[(DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT];
    HKEY    hkKey;
    BYTE    cbData[65536];
#endif
    HANDLE  hInput;
    DWORD   dwInput;
    LPCWSTR lpInput;
    WCHAR   cwInput;
    HANDLE  hPolicy;
    DWORD   dwPolicy;
    LPDWORD lpPolicy;
    LPCWSTR lpKey, lpValue, lpData, lp;
    DWORD   dwKey, dwValue, dwData, dwType, dwSize;
    DWORD   dwError = ERROR_SUCCESS;

    hInput = CreateFile(lpArgument,
                        FILE_READ_DATA,
                        FILE_SHARE_READ,
                        (LPSECURITY_ATTRIBUTES) NULL,
                        OPEN_EXISTING,
                        FILE_FLAG_SEQUENTIAL_SCAN,
                        (HANDLE) NULL);

    if (hInput == INVALID_HANDLE_VALUE)
        PrintConsole(hConsole,
                     L"CreateFile() returned error %lu for file \'%ls\'\n",
                     dwError = GetLastError(), lpArgument);
    else
    {
        dwInput = GetFileSize(hInput, (LPDWORD) NULL);

        if (dwInput == INVALID_FILE_SIZE)
            PrintConsole(hConsole,
                         L"GetFileSize() returned error %lu for file \'%ls\'\n",
                         dwError = GetLastError(), lpArgument);
        else
        {
            hPolicy = CreateFileMapping(hInput,
                                        (LPSECURITY_ATTRIBUTES) NULL,
                                        PAGE_READONLY,
                                        0, 0,
                                        (LPCWSTR) NULL);

            if (hPolicy == NULL)
                PrintConsole(hConsole,
                             L"CreateFileMapping() returned error %lu for file \'%ls\'\n",
                             dwError = GetLastError(), lpArgument);
            else
            {
                lpPolicy = MapViewOfFile(hPolicy,
                                         FILE_MAP_READ,
                                         0, 0,
                                         (SIZE_T) 0);

                if (lpPolicy == NULL)
                    PrintConsole(hConsole,
                                 L"MapViewOfFile() returned error %lu for file \'%ls\'\n",
                                 dwError = GetLastError(), lpArgument);
                else
                {
                    if ((lpPolicy[0] != REGFILE_SIGNATURE)
                     || (lpPolicy[1] != REGISTRY_FILE_VERSION))
                        PrintConsole(hConsole,
                                     L"Signature \'PReg\\x01\\0\\0\\0\' missing in file \'%ls\'!\n",
                                     lpArgument);
                    else
                    {
                        PrintConsole(hConsole,
                                     L"Windows Registry Editor Version 5.00\n"
                                     L"\n"
                                     L"; Registry Policy File \'%ls\'\n",
                                     lpArgument);

                        // L'[' key L']'
                        // L'[' key L';' value L';' type L';' size L';' data L']'
                        // L'[' key L';' L"**Del." value L';' type L';' size L';' data L']'
                        // L'[' key L';' L"**DeleteKeys" { L';' key } ... L']'
                        // L'[' key L';' L"**DeleteVals" L']'
                        // L'[' key L';' L"**DeleteValues" { L';' value } ... L']'
                        // L'[' key L';' L"**SecureKey=0" L']'
                        // L'[' key L';' L"**SecureKey=1" L']'
                        //
                        // WCHAR key[]      NUL-terminated path of registry key beneath
                        //                  HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
                        //
                        // WCHAR value[]    NUL-terminated name of registry entry
                        //
                        // DWORD type       registry data type
                        //
                        // DWORD size       size of registry data in bytes
                        //
                        // BYTE  data[]     registry data

                        lpInput = (LPCWSTR) (lpPolicy + 2);
                        lpKey = NULL;
                        dwKey = 0;
                        dwPolicy = dwInput;

                        while ((LPBYTE) lpInput < (LPBYTE) lpPolicy + dwPolicy)
                        {
                            if (*lpInput++ != L'[')
                                break;

                            dwInput = wcslen(lpInput);

                            // print the key only when it differs from the previous one
                            if ((dwKey == 0)
                             || (dwKey != dwInput)
                             || (memcmp(lpInput, lpKey, dwKey * sizeof(L'\0')) != 0))
                                PrintConsole(hConsole,
                                             L"\n"
                                             L"[HKEY_RELATIVE\\%ls]\n",
                                             lpInput);

                            lpKey = lpInput;
                            dwKey = dwInput;
                            lpInput += dwInput + 1;
                            cwInput = *lpInput++;

                            if (cwInput == L']')
                                continue;

                            if (cwInput != L';')
                                break;

                            lpValue = lpInput;
                            dwValue = wcslen(lpInput);
                            lpInput += dwValue + 1;

                            if ((dwValue == sizeof("**securekey=1") - 1)
                             && ((memcmp(lpValue, L"**securekey=1", sizeof(L"**securekey=1") - sizeof(L"")) == 0)
                              || (memcmp(lpValue, L"**SecureKey=1", sizeof(L"**securekey=1") - sizeof(L"")) == 0)))
                            {
                                PrintConsole(hConsole,
                                             L"; SecureKey=1\n");

                                if (*lpInput++ != L']')
                                    break;
                            }
                            else if ((dwValue == sizeof("**securekey=0") - 1)
                                  && ((memcmp(lpValue, L"**securekey=0", sizeof(L"**securekey=0") - sizeof(L"")) == 0)
                                   || (memcmp(lpValue, L"**SecureKey=0", sizeof(L"**securekey=0") - sizeof(L"")) == 0)))
                            {
                                PrintConsole(hConsole,
                                             L"; SecureKey=0\n");

                                if (*lpInput++ != L']')
                                    break;
                            }
                            else if ((dwValue == sizeof("**deletevals") - 1)
                                  && ((memcmp(lpValue, L"**deletevals", sizeof(L"**deletevals") - sizeof(L"")) == 0)
                                   || (memcmp(lpValue, L"**Deletevals", sizeof(L"**Deletevals") - sizeof(L"")) == 0)))
                            {
                                PrintConsole(hConsole,
                                             L"*=-\n");

                                if (*lpInput++ != L']')
                                    break;
                            }
                            else if ((dwValue == sizeof("**deletevalues") - 1)
                                  && ((memcmp(lpValue, L"**deletevalues", sizeof(L"**deletevalues") - sizeof(L"")) == 0)
                                   || (memcmp(lpValue, L"**Deletevalues", sizeof(L"**Deletevalues") - sizeof(L"")) == 0)))
                            {
                                while (*lpInput == L';')
                                {
                                    PrintConsole(hConsole,
                                                 L"\'%ls\'=-\n",
                                                 ++lpInput);

                                    lpInput += wcslen(lpInput) + 1;
                                }

                                if (*lpInput++ != L']')
                                    break;
                            }
                            else if ((dwValue == sizeof("**deletekeys") - 1)
                                  && ((memcmp(lpValue, L"**deletekeys", sizeof(L"**deletekeys") - sizeof(L"")) == 0)
                                   || (memcmp(lpValue, L"**Deletekeys", sizeof(L"**Deletekeys") - sizeof(L"")) == 0)))
                            {
                                while (*lpInput == L';')
                                {
                                    PrintConsole(hConsole,
                                                 L"[-HKEY_RELATIVE\\%ls\\%ls]\n",
                                                 lpKey, ++lpInput);

                                    lpInput += wcslen(lpInput) + 1;
                                }

                                if (*lpInput++ != L']')
                                    break;
                            }
                            else
                            {
                                // '>=' length of prefix, so that the bare prefix
                                // (default value, handled below) is matched too
                                if ((dwValue >= sizeof("**del.") - 1)
                                 && ((memcmp(lpValue, L"**del.", sizeof(L"**del.") - sizeof(L"")) == 0)
                                  || (memcmp(lpValue, L"**Del.", sizeof(L"**Del.") - sizeof(L"")) == 0)))
                                {
                                    lpValue += sizeof("**Del.") - 1;

                                    if (dwValue == sizeof("**Del.") - 1)
                                        PrintConsole(hConsole,
                                                     L"@=- ; =");
                                    else
                                        PrintConsole(hConsole,
                                                     L"\'%ls\'=- ; =", lpValue);
                                }
                                else
                                    if (dwValue == 0)
                                        PrintConsole(hConsole,
                                                     L"@=");
                                    else
                                        PrintConsole(hConsole,
                                                     L"\'%ls\'=", lpValue);

                                cwInput = *lpInput++;

                                if (cwInput == L']')
                                    continue;

                                if (cwInput != L';')
                                    break;

                                dwType = *((LPDWORD) lpInput)++;

                                // '>=': szType[] has entries 0 to 11 only
                                if (dwType >= sizeof(szType) / sizeof(*szType))
                                    PrintConsole(hConsole,
                                                 L"hex(%lx):", dwType);
                                else
                                    PrintConsole(hConsole,
                                                 L"%ls", szType[dwType]);

                                cwInput = *lpInput++;

                                if (cwInput == L']')
                                    continue;

                                if (cwInput != L';')
                                    break;

                                dwSize = *((LPDWORD) lpInput)++;
                                cwInput = *lpInput++;

                                if (cwInput == L']')
                                    continue;

                                if (cwInput != L';')
                                    break;

                                lpData = lpInput;

                                // the size field comes from the file: stop when the
                                // data would extend beyond the end of the mapped view
                                if (((LPBYTE) lpInput > (LPBYTE) lpPolicy + dwPolicy)
                                 || (dwSize > (DWORD) ((LPBYTE) lpPolicy + dwPolicy - (LPBYTE) lpInput)))
                                    break;

                                (LPBYTE) lpInput += dwSize;

                                switch (dwType)
                                {
                                case REG_SZ:
                                case REG_EXPAND_SZ:
                                case REG_LINK:

                                    if (dwSize == 0)
                                        goto NEWLINE;

                                    PrintConsole(hConsole,
                                                 L"\'%ls\'\n",
                                                 lpData);

                                    dwData = wcslen(lpData);

                                    if (dwSize != (dwData + 1) * sizeof(L'\0'))
                                        PrintConsole(hConsole,
                                                     L"Size %lu of REG_%ls value data not equal length %lu of string plus terminating \'NUL\' character!\n",
                                                     dwSize, szTYPE[dwType], dwData);
                                    break;

                                case REG_DWORD_BIG_ENDIAN:
                                case REG_DWORD_LITTLE_ENDIAN:
                            //  case REG_DWORD:

                                    // the view is mapped read-only:
                                    // swap a copy, not the data in the file
                                    dwData = *(LPDWORD) lpData;

                                    if (dwType == REG_DWORD_BIG_ENDIAN)
                                        dwData = _byteswap_ulong(dwData);

                                    PrintConsole(hConsole,
                                                 L"%08lx\n",
                                                 dwData);

                                    if (dwSize != sizeof(DWORD))
                                        PrintConsole(hConsole,
                                                     L"Size %lu of REG_%ls value data not equal \'sizeof(DWORD)\'!\n",
                                                     dwSize, szTYPE[dwType]);
                                    break;

                                case REG_QWORD_LITTLE_ENDIAN:
                            //  case REG_QWORD:

                                    PrintConsole(hConsole,
                                                 L"%016I64x\n",
                                                 *(LPQWORD) lpData);

                                    if (dwSize != sizeof(QWORD))
                                        PrintConsole(hConsole,
                                                     L"Size %lu of REG_QWORD value data not equal \'sizeof(QWORD)\'!\n",
                                                     dwSize);
                                    break;

                                case REG_MULTI_SZ:

                                    if (dwSize == 0)
                                        goto NEWLINE;

                                    for (lp = lpData; (lp < lpInput) && (*lp != L'\0'); lp += wcslen(lp) + 1)
                                        PrintConsole(hConsole,
                                                     lp == lpData ? L"\'%ls\'" : L",\'%ls\'",
                                                     lp);

                                    PrintConsole(hConsole,
                                                 L"\n");

                                    if ((lp > lpInput) || (*lp != L'\0'))
                                        PrintConsole(hConsole,
                                                     L"REG_MULTI_SZ value data not terminated with extra \'NUL\' character!\n");
                                    else
                                        lp++;

                                    if (lp != lpInput)
                                        PrintConsole(hConsole,
                                                     L"Size %lu of REG_MULTI_SZ value data not equal sum of string lengths plus terminating \'NUL\' characters!\n",
                                                     dwSize);
                                    break;

                            //  case REG_NONE:
                            //  case REG_BINARY:
                            //  case REG_RESOURCE_LIST:
                            //  case REG_FULL_RESOURCE_DESCRIPTOR:
                            //  case REG_RESOURCE_REQUIREMENTS_LIST:
                                default:

                                    for (lp = lpData; lp < lpInput; (LPBYTE) lp += 1)
                                        PrintConsole(hConsole,
                                                     lp == lpData ? L"%02x" : L",%02x",
                                                     *(LPBYTE) lp);
                                NEWLINE:
                                    PrintConsole(hConsole,
                                                 L"\n");
                                }
#ifdef REGISTRY
                                // compare the record with the current registry value
                                if (hkHKEY != HKEY_CLASSES_ROOT)
                                {
                                    dwError = RegOpenKeyEx(hkHKEY,
                                                           lpKey,
                                                           REG_OPTION_RESERVED,
                                                           KEY_QUERY_VALUE,
                                                           &hkKey);

                                    if (dwError != ERROR_SUCCESS)
                                        PrintConsole(hConsole,
                                                     L"RegOpenKeyEx() returned error %lu for registry key \'%ls\\%ls\'\n",
                                                     dwError, lpHKEY, lpKey);
                                    else
                                    {
                                        dwData = sizeof(cbData);
                                        dwError = RegQueryValueEx(hkKey,
                                                                  lpValue,
                                                                  (LPDWORD) NULL,
                                                                  &dwValue,
                                                                  cbData,
                                                                  &dwData);

                                        if (dwError != ERROR_SUCCESS)
                                            PrintConsole(hConsole,
                                                         L"RegQueryValueEx() returned error %lu for value \'%ls\' of registry key \'%ls\\%ls\'\n",
                                                         dwError, lpValue, lpHKEY, lpKey);
                                        else
                                            if ((dwValue != dwType)
                                             || (dwData != dwSize)
                                             || (memcmp(lpData, cbData, dwData) != 0))
                                                PrintConsole(hConsole,
                                                             L"MISMATCH: data type, size or value in policy file differs from registry!\n");

                                        dwError = RegCloseKey(hkKey);

                                        if (dwError != ERROR_SUCCESS)
                                            PrintConsole(hConsole,
                                                         L"RegCloseKey() returned error %lu for registry key \'%ls\\%ls\'\n",
                                                         dwError, lpHKEY, lpKey);
                                    }
                                }
#endif // REGISTRY
                                if (*lpInput++ != L']')
                                    break;
                            }
                        }

                        // a well-formed file is consumed exactly up to its end
                        if ((LPBYTE) lpInput != (LPBYTE) lpPolicy + dwPolicy)
                            PrintConsole(hConsole,
                                         L"Format error in policy file \'%ls\'!\n",
                                         lpArgument);
                    }

                    if (!UnmapViewOfFile(lpPolicy))
                        PrintConsole(hConsole,
                                     L"UnmapViewOfFile() returned error %lu for file \'%ls\'\n",
                                     GetLastError(), lpArgument);
                }

                if (!CloseHandle(hPolicy))
                    PrintConsole(hConsole,
                                 L"CloseHandle() returned error %lu for file mapping \'%ls\'\n",
                                 GetLastError(), lpArgument);
            }
        }

        if (!CloseHandle(hInput))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu for file \'%ls\'\n",
                         GetLastError(), lpArgument);
    }

    return dwError;
}

__declspec(noreturn)
VOID    WINAPI  wmainCRTStartup(VOID)
{
#ifdef WILDCARD
    WIN32_FIND_DATA wfd;

    HANDLE  hWildCard;
    DWORD   dwWildCard;
    WCHAR   szWildCard[32768];
    LPWSTR  lpWildCard;
#endif
    LPWSTR  *lpArguments;
    INT     nArguments;
    INT     nArgument = 1;
    DWORD   dwError = ERROR_BAD_ARGUMENTS;
    HKEY    hkHKEY = HKEY_CLASSES_ROOT;
    HANDLE  hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

        if (lpArguments == NULL)
            PrintConsole(hConsole,
                         L"CommandLineToArgv() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
#ifdef REGISTRY
            if (nArguments > 2)
                if (wcscmp(lpArguments[1], L"/MACHINE") == 0)
                {
                    hkHKEY = HKEY_LOCAL_MACHINE;
                    nArgument = 2;
                }
                else if (wcscmp(lpArguments[1], L"/USER") == 0)
                {
                    hkHKEY = HKEY_CURRENT_USER;
                    nArgument = 2;
                }
                else if (*lpArguments[1] == L'/')
                    PrintConsole(hConsole,
                                 L"Optional first argument must be '/MACHINE' or '/USER'!\n");
#endif
            if (nArguments < 2)
                PrintConsole(hConsole,
                             L"No arguments: at least one \'.pol\' file name must be given!\n");
            else
#ifndef WILDCARD
                do
                    dwError = Polyglot(hConsole, hkHKEY, lpArguments[nArgument]);
                while (++nArgument < nArguments);
#else
                do
                {
                    hWildCard = FindFirstFile(lpArguments[nArgument], &wfd);

                    if (hWildCard == INVALID_HANDLE_VALUE)
                        PrintConsole(hConsole,
                                     L"FindFirstFile() returned error %lu for argument \'%ls\'\n",
                                     dwError = GetLastError(), lpArguments[nArgument]);
                    else
                    {
                        wcscpy(szWildCard, lpArguments[nArgument]);

                        dwWildCard = 0;
                        lpWildCard = NULL;

                        do
                            if (szWildCard[dwWildCard] == L'\\')
                                lpWildCard = szWildCard + dwWildCard;
                        while (szWildCard[dwWildCard++] != L'\0');

                        if (dwWildCard > MAX_PATH)
                            PrintConsole(hConsole,
                                         L"Argument \'%ls\' exceeds MAX_PATH!\n",
                                         lpArguments[nArgument]);

                        if (lpWildCard != NULL)
                            lpWildCard++;
                        else
                            lpWildCard = szWildCard + 2 * (szWildCard[1] == L':');

                        dwWildCard = 0;

                        do
                        {
                            if ((wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0)
                                continue;

                            dwWildCard++;

                            wcscpy(lpWildCard, wfd.cFileName);

                            dwError = Polyglot(hConsole, hkHKEY, szWildCard);
                        }
                        while (FindNextFile(hWildCard, &wfd));

                        dwError = GetLastError();

                        if (dwError == ERROR_NO_MORE_FILES)
                            dwError = ERROR_SUCCESS;
                        else
                            PrintConsole(hConsole,
                                         L"FindNextFile() returned error %lu for argument \'%ls\'\n",
                                         dwError, lpArguments[nArgument]);

                        if (dwWildCard == 0)
                            PrintConsole(hConsole,
                                         L"No match for argument \'%ls\'!\n",
                                         lpArguments[nArgument]);

                        if (!FindClose(hWildCard))
                            PrintConsole(hConsole,
                                         L"FindClose() returned error %lu for argument \'%ls\'\n",
                                         GetLastError(), lpArguments[nArgument]);
                    }
                } while (++nArgument < nArguments);
#endif // WILDCARD
            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                             L"LocalFree() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}
Note: with the preprocessor macro REGISTRY defined, an option /MACHINE or /USER is accepted as first command line argument to compare the settings against the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER branch of the Registry!
Note: with the preprocessor macro WILDCARD defined, wildcard expansion of matching file names is performed for the command line arguments!
Run the following four command lines to compile the source file POLYGLOT.C created in step 1., link the compiled object file POLYGLOT.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"Registry Policy Reader.com" /RELEASE /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE POLYGLOT.C
ERASE POLYGLOT.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

POLYGLOT.C
POLYGLOT.C(313) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(330) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(341) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(425) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(89) : warning C4100: 'hkHKEY' : unreferenced formal parameter
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Finally execute the console application Registry Policy Reader.com built in step 2. to display the contents of some NTUser.pol and Registry.pol files that may (or may not yet) be present on your machine:
VER
".\Registry Policy Reader.com" "%USERPROFILE%\NTUser.pol" "%ALLUSERSPROFILE%\NTUser.pol" "%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol" "%SystemRoot%\System32\GroupPolicy\User\Registry.pol"
NET.EXE HelpMsg %ERRORLEVEL%
Microsoft Windows [Version 10.0.19044]

Windows Registry Editor Version 5.00

; Registry Policy File 'C:\Users\Stefan\NTUser.pol'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Group Policy Objects\Local Group Policy Objects]
'**Comment:GPO Name: Local Group Policy Objects'=

[HKEY_RELATIVE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
'LogonHoursAction'=dword:00000002
'DontDisplayLogonHoursWarnings'=dword:00000001

Windows Registry Editor Version 5.00

; Registry Policy File 'C:\ProgramData\NTUser.pol'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Group Policy Objects\Local Group Policy Objects]
'**Comment:GPO Name: Local Group Policy Objects'=

Windows Registry Editor Version 5.00

; Registry Policy File 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'

[HKEY_RELATIVE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer]
'AuthentiCodeFlags'=dword:00000300

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
'PolicyScope'=dword:00000001
'TransparentEnabled'=dword:00000002
'ExecutableTypes'=multi:'WSF','WSC','VBS','VBE','VB','TMP','SHS','SCR','PIF','PCD','OCX','MST','MSP','MSI','MDE','MDB','JSE','JS','ISP','INS','HTA','HLP','EXE','DLL','CRT','CPL','COM','CMD','BAT','BAS','AX','ADP','ADE'
'DefaultLevel'=dword:00000000
'Levels'=dword:00071000
'LogFileName'='C:\Windows\System32\LogFiles\SAFER.Log'
'AuthenticodeEnabled'=dword:00000001

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes]
@=none:

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}]
'LastModified'=qword:01cf68d87b202417
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}]
'LastModified'=qword:01cf68d87b202417
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{4fcf2556-cf02-4356-ad71-f82ca93ccd0b}]
'LastModified'=qword:01cf68d979215214
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'

[HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{21c0b260-2d89-4fe0-8275-1c76746b3d2b}]
'LastModified'=qword:01d57587bb48c5c4
'Description'=''
'SaferFlags'=dword:00000000
'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%'
CreateFile() returned error 3 for file 'C:\Windows\System32\GroupPolicy\User\Registry.pol'
The system cannot find the path specified.
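The record layout listed in the comments of POLYGLOT.C, walked with every string and size field checked against the end of the input, since the size field in a .pol file is untrusted data. This is an added example, not part of the original program: it is portable C rather than Win32, handles only the full [key;value;type;size;data] form, and all names (pol_record, pol_parse, parse_sample, sample_rec) are made up here; the sample file is constructed from a key and value shown in the output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One [key;value;type;size;data] record; the pointers refer into the input. */
typedef struct {
    const uint8_t *key, *value, *data;  /* key and value are UTF-16LE text */
    size_t key_chars, value_chars;      /* lengths without terminating NUL */
    uint32_t type, size;                /* REG_* type, data size in bytes */
} pol_record;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Consume one UTF-16LE delimiter; fails on mismatch or at the end of input. */
static int expect(const uint8_t *b, size_t n, size_t *pos, uint16_t ch)
{
    if (n - *pos < 2 || rd16(b + *pos) != ch)
        return 0;
    *pos += 2;
    return 1;
}

/* Consume a NUL-terminated UTF-16LE string without reading past b + n. */
static int read_str(const uint8_t *b, size_t n, size_t *pos,
                    const uint8_t **str, size_t *chars)
{
    size_t p;
    for (p = *pos; n - p >= 2; p += 2)
        if (rd16(b + p) == 0) {
            *str = b + *pos;
            *chars = (p - *pos) / 2;
            *pos = p + 2;
            return 1;
        }
    return 0;
}

static int read_u32(const uint8_t *b, size_t n, size_t *pos, uint32_t *v)
{
    if (n - *pos < 4)
        return 0;
    *v = rd32(b + *pos);
    *pos += 4;
    return 1;
}

/* Returns the number of records (the first `max` are stored in out[]), or -1
   if the signature is wrong or any field would run past the end of the input. */
long pol_parse(const uint8_t *b, size_t n, pol_record *out, size_t max)
{
    size_t pos = 8;
    long count = 0;
    pol_record r;
    if (n < 8 || memcmp(b, "PReg", 4) != 0 || rd32(b + 4) != 1)
        return -1;
    while (pos < n) {   /* each line below: one delimiter, then one field */
        if (!expect(b, n, &pos, '[') || !read_str(b, n, &pos, &r.key, &r.key_chars)
         || !expect(b, n, &pos, ';') || !read_str(b, n, &pos, &r.value, &r.value_chars)
         || !expect(b, n, &pos, ';') || !read_u32(b, n, &pos, &r.type)
         || !expect(b, n, &pos, ';') || !read_u32(b, n, &pos, &r.size)
         || !expect(b, n, &pos, ';') || r.size > n - pos)  /* size is untrusted */
            return -1;
        r.data = b + pos;
        pos += r.size;
        if (!expect(b, n, &pos, ']'))
            return -1;
        if ((size_t)count < max)
            out[count] = r;
        count++;
    }
    return count;
}

pol_record sample_rec;                  /* record stored by parse_sample() */

/* Constructed sample: one REG_DWORD record with `size` written into its size
   field; the last `cut` bytes are dropped before the file is parsed. */
long parse_sample(uint32_t size, size_t cut)
{
    static const char text[] =          /* '[' key NUL ';' value NUL ';' */
        "[Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\0;LogonHoursAction\0;";
    static uint8_t f[256];
    /* type REG_DWORD, ';', size (patched below), ';', data 00000002, ']' */
    uint8_t tail[] = { 4,0,0,0, ';',0, 0,0,0,0, ';',0, 2,0,0,0, ']',0 };
    size_t i, n = 8 + 2 * (sizeof text - 1);

    memset(f, 0, sizeof f);
    memcpy(f, "PReg\1", 5);             /* signature and version 1 */
    for (i = 0; i < sizeof text - 1; i++)
        f[8 + 2 * i] = (uint8_t)text[i];    /* ASCII -> UTF-16LE */
    for (i = 0; i < 4; i++)
        tail[6 + i] = (uint8_t)(size >> (8 * i));
    memcpy(f + n, tail, sizeof tail);
    return pol_parse(f, n + sizeof tail - cut, &sample_rec, 1);
}
```

A size field larger than the remaining input, a missing closing bracket and a truncated key string are all rejected before any byte outside the buffer is read.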
Create the text file POLYGLOT.TXT with the following content in an arbitrary, preferably empty directory:
cc fd ff ff 59 59 e9 9c 04 00 00 6a 0d 59 bf 44 ....YY.....j.Y.D
2d 40 00 8b f2 33 c0 66 f3 a7 74 15 6a 0d 59 bf -@...3.f..t.j.Y.
28 2d 40 00 8b f2 33 c0 66 f3 a7 0f 85 fa 00 00 (-@...3.f.......
00 68 08 2d 40 00 eb c4 83 f8 0c 75 27 6a 06 59 .h.-@......u'j.Y
bf ec 2c 40 00 8b f2 33 c0 f3 a7 74 10 6a 06 59 ..,@...3...t.j.Y
bf d0 2c 40 00 8b f2 33 c0 f3 a7 75 6d 68 c4 2c ..,@...3...umh.,
40 00 eb 98 83 f8 0e 0f 85 b9 00 00 00 6a 07 59 @............j.Y
bf a4 2c 40 00 8b f2 33 c0 f3 a7 74 42 6a 07 59 ..,@...3...tBj.Y
bf 84 2c 40 00 8b f2 33 c0 f3 a7 0f 85 9a 00 00 ..,@...3........
00 eb 2c 83 c3 02 53 68 70 2c 40 00 ff 75 08 e8 ..,...Shp,@..u..
2c fd ff ff 8b c3 83 c4 0c 8d 50 02 66 8b 08 83 ,.........P.f...
c0 02 66 85 c9 75 f5 2b c2 d1 f8 8d 5c 43 02 66 ..f..u.+....\C.f
83 3b 3b 74 ce e9 dd 03 00 00 6a 06 59 bf 54 2c .;;t......j.Y.T,
40 00 8b f2 33 c0 f3 a7 74 41 6a 06 59 bf 38 2c @...3...tAj.Y.8,
40 00 8b f2 33 c0 f3 a7 75 41 eb 2f 83 c3 02 53 @...3...uA./...S
ff 75 f8 68 04 2c 40 00 ff 75 08 e8 d0 fc ff ff .u.h.,@..u......
8b c3 83 c4 10 8d 48 02 66 8b 10 83 c0 02 66 85 ......H.f.....f.
d2 75 f5 2b c1 d1 f8 8d 5c 43 02 66 83 3b 3b 74 .u.+....\C.f.;;t
cb e9 81 03 00 00 83 f8 07 76 40 6a 03 59 bf f4 .........v@j.Y..
2b 40 00 8b f2 33 c0 f3 a7 74 10 6a 03 59 bf e4 +@...3...t.j.Y..
2b 40 00 8b f2 33 c0 f3 a7 75 1d 83 c2 0c 83 7d +@...3...u.....}
ec 06 89 55 f4 75 07 68 d4 2b 40 00 eb 16 ff 75 ...U.u.h.+@....u
f4 68 bc 2b 40 00 eb 20 8b 45 ec 85 c0 75 11 68 .h.+@.. .E...u.h
b4 2b 40 00 ff 75 08 e8 54 fc ff ff 59 59 eb 13 .+@..u..T...YY..
ff 75 f4 68 a4 2b 40 00 ff 75 08 e8 40 fc ff ff .u.h.+@..u..@...
83 c4 0c 0f b7 03 83 c3 02 83 f8 5d 0f 84 11 03 ...........]....
00 00 83 f8 3b 0f 85 11 03 00 00 8b 03 89 45 fc ....;.........E.
83 f8 0c 76 08 50 68 90 2b 40 00 eb 0c ff 34 85 ...v.Ph.+@....4.
9c 23 40 00 68 88 2b 40 00 ff 75 08 e8 ff fb ff .#@.h.+@..u.....
ff 0f b7 43 04 83 c4 0c 83 c3 06 83 f8 5d 0f 84 ...C.........]..
cf 02 00 00 83 f8 3b 0f 85 cf 02 00 00 0f b7 43 ......;........C
04 8b 3b 83 c3 06 89 7d d0 83 f8 5d 0f 84 b1 02 ..;....}...]....
00 00 83 f8 3b 0f 85 b1 02 00 00 8b 45 fc 8b f3 ....;.......E...
03 df 85 c0 0f 84 86 01 00 00 83 f8 02 0f 86 2b ...............+
01 00 00 83 f8 04 0f 84 e7 00 00 00 83 f8 05 0f ................
84 d8 00 00 00 83 f8 06 0f 84 10 01 00 00 83 f8 ................
07 74 3d 83 f8 0b 0f 85 54 01 00 00 ff 76 04 ff .t=.....T....v..
36 68 74 2b 40 00 ff 75 08 e8 72 fb ff ff 83 c4 6ht+@..u..r.....
10 83 ff 08 0f 84 6e 01 00 00 57 68 f8 2a 40 00 ......n...Wh.*@.
ff 75 08 e8 58 fb ff ff 83 c4 0c e9 58 01 00 00 .u..X.......X...
85 ff 0f 84 41 01 00 00 8b fe 3b f3 73 3d 66 83 ....A.....;.s=f.
3f 00 74 37 b8 ec 2a 40 00 3b fe 74 05 b8 dc 2a ?.t7..*@.;.t...*
40 00 57 50 ff 75 08 e8 24 fb ff ff 8b c7 83 c4 @.WP.u..$.......
0c 8d 50 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b ..P.f.....f..u.+
c2 d1 f8 8d 7c 47 02 3b fb 72 c3 68 d8 2a 40 00 ....|G.;.r.h.*@.
ff 75 08 e8 f8 fa ff ff 59 59 3b fb 77 0b 66 83 .u......YY;.w.f.
3f 00 75 05 83 c7 02 eb 0f 68 50 2a 40 00 ff 75 ?.u......hP*@..u
08 e8 da fa ff ff 59 59 3b fb 0f 84 d8 00 00 00 ......YY;.......
ff 75 d0 68 80 29 40 00 e9 63 ff ff ff 8b 06 0f .u.h.)@..c......
c8 89 06 ff 36 68 70 29 40 00 ff 75 08 e8 ae fa ....6hp)@..u....
ff ff 83 c4 0c 83 ff 04 0f 84 aa 00 00 00 8b 45 ...............E
fc ff 34 85 6c 23 40 00 57 68 f8 28 40 00 ff 75 ..4.l#@.Wh.(@..u
08 e8 8a fa ff ff 83 c4 10 e9 8a 00 00 00 85 ff ................
74 77 56 68 e4 28 40 00 ff 75 08 e8 70 fa ff ff twVh.(@..u..p...
8b c6 83 c4 0c 8d 50 02 66 8b 08 83 c0 02 66 85 ......P.f.....f.
c9 75 f5 2b c2 d1 f8 8d 4c 00 02 89 45 e0 3b f9 .u.+....L...E.;.
74 56 50 8b 45 fc ff 34 85 6c 23 40 00 57 68 20 tVP.E..4.l#@.Wh
28 40 00 ff 75 08 e8 35 fa ff ff 83 c4 14 eb 38 (@..u..5.......8
8b fe 3b f3 73 23 b8 10 28 40 00 3b fe 74 05 b8 ..;.s#..(@.;.t..
04 28 40 00 0f b6 0f 51 50 ff 75 08 e8 0f fa ff .(@....QP.u.....
ff 83 c4 0c 47 3b fb 72 dd 68 d8 2a 40 00 ff 75 ....G;.r.h.*@..u
08 e8 fa f9 ff ff 59 59 81 7d 0c 00 00 00 80 0f ......YY.}......
84 c2 00 00 00 8d 45 cc 50 6a 01 6a 00 ff 75 f8 ......E.Pj.j..u.
ff 75 0c ff 15 04 20 40 00 89 45 e8 85 c0 74 11 .u.... @..E...t.
ff 75 f8 ff 75 e4 50 68 88 27 40 00 e9 8b 00 00 .u..u.Ph.'@.....
00 8d 45 e0 50 8d 85 c8 ff fe ff 50 8d 45 ec 50 ..E.P......P.E.P
6a 00 ff 75 f4 c7 45 e0 00 00 01 00 ff 75 cc ff j..u..E......u..
15 00 20 40 00 85 c0 74 1c ff 75 f8 ff 75 e4 ff .. @...t..u..u..
75 f4 50 68 e8 26 40 00 ff 75 08 e8 80 f9 ff ff u.Ph.&@..u......
83 c4 18 eb 2b 8b 45 fc 39 45 ec 75 14 8b 4d e0 ....+.E.9E.u..M.
3b 4d d0 75 0c 8d bd c8 ff fe ff 33 c0 f3 a6 74 ;M.u.......3...t
0f 68 50 26 40 00 ff 75 08 e8 52 f9 ff ff 59 59 .hP&@..u..R...YY
ff 75 cc ff 15 08 20 40 00 89 45 e8 85 c0 74 17 .u.... @..E...t.
ff 75 f8 ff 75 e4 50 68 d0 25 40 00 ff 75 08 e8 .u..u.Ph.%@..u..
2c f9 ff ff 83 c4 14 66 8b 03 83 c3 02 66 83 f8 ,......f.....f..
5d 75 09 3b 5d dc 0f 82 7c fa ff ff 3b 5d dc 8b ]u.;]...|...;]..
5d 10 74 11 53 68 88 25 40 00 ff 75 08 e8 fe f8 ].t.Sh.%@..u....
ff ff 83 c4 0c 8b 75 d8 56 ff 15 18 20 40 00 85 ......u.V... @..
c0 75 18 53 ff 15 28 20 40 00 50 68 18 25 40 00 .u.S..( @.Ph.%@.
ff 75 08 e8 d8 f8 ff ff 83 c4 10 8b 75 e8 ff 75 .u..........u..u
d4 ff 15 14 20 40 00 85 c0 75 18 53 ff 15 28 20 .... @...u.S..(
40 00 50 68 a0 24 40 00 ff 75 08 e8 b0 f8 ff ff @.Ph.$@..u......
83 c4 10 ff 75 c8 ff 15 14 20 40 00 85 c0 75 18 ....u.... @...u.
53 ff 15 28 20 40 00 50 68 38 24 40 00 ff 75 08 S..( @.Ph8$@..u.
e8 8b f8 ff ff 83 c4 10 5f 8b c6 5e 5b c9 c2 0c ........_..^[...
00 53 68 d0 23 40 00 ff 75 08 e8 71 f8 ff ff 83 .Sh.#@..u..q....
c4 0c e9 71 ff ff ff 55 8b ec 83 ec 14 53 57 33 ...q...U.....SW3
ff 6a f4 47 c7 45 f8 a0 00 00 00 c7 45 f4 00 00 .j.G.E......E...
00 80 ff 15 3c 20 40 00 89 45 fc 83 f8 ff 75 0e ....< @..E....u.
ff 15 28 20 40 00 89 45 f8 e9 24 01 00 00 8d 45 ..( @..E..$....E
f0 50 ff 15 38 20 40 00 50 ff 15 44 20 40 00 89 .P..8 @.P..D @..
45 ec 85 c0 75 14 ff 15 28 20 40 00 50 89 45 f8 E...u...( @.P.E.
68 58 31 40 00 e9 ed 00 00 00 83 7d f0 02 0f 8e hX1@.......}....
9d 00 00 00 8b 58 04 b9 44 31 40 00 8b c3 66 8b .....X..D1@...f.
10 66 3b 11 75 1e 66 85 d2 74 15 66 8b 50 02 66 .f;.u.f..t.f.P.f
3b 51 02 75 0f 83 c0 04 83 c1 04 66 85 d2 75 de ;Q.u.......f..u.
33 c0 eb 05 1b c0 83 d8 ff 85 c0 75 09 c7 45 f4 3..........u..E.
02 00 00 80 eb 3d b9 38 31 40 00 8b c3 66 8b 10 .....=.81@...f..
66 3b 11 75 1e 66 85 d2 74 15 66 8b 50 02 66 3b f;.u.f..t.f.P.f;
51 02 75 0f 83 c0 04 83 c1 04 66 85 d2 75 de 33 Q.u.......f..u.3
c0 eb 05 1b c0 83 d8 ff 85 c0 75 0c c7 45 f4 01 ..........u..E..
00 00 80 6a 02 5f eb 15 66 83 3b 2f 75 0f 68 c8 ...j._..f.;/u.h.
30 40 00 ff 75 fc e8 65 f7 ff ff 59 59 83 7d f0 0@..u..e...YY.}.
02 7d 11 68 50 30 40 00 ff 75 fc e8 50 f7 ff ff .}.hP0@..u..P...
59 59 eb 1a 8b 45 ec ff 34 b8 ff 75 f4 ff 75 fc YY...E..4..u..u.
e8 89 f7 ff ff 47 89 45 f8 3b 7d f0 7c e6 ff 75 .....G.E.;}.|..u
ec ff 15 34 20 40 00 85 c0 74 17 ff 15 28 20 40 ...4 @...t...( @
00 50 68 10 30 40 00 ff 75 fc e8 11 f7 ff ff 83 .Ph.0@..u.......
c4 0c ff 75 f8 ff 15 30 20 40 00 cc 00 00 00 00 ...u...0 @......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
6e 32 00 00 82 32 00 00 60 32 00 00 00 00 00 00 n2...2..`2......
a0 32 00 00 b0 32 00 00 be 32 00 00 d0 32 00 00 .2...2...2...2..
e0 32 00 00 f6 32 00 00 04 33 00 00 14 33 00 00 .2...2...3...3..
22 33 00 00 30 33 00 00 3c 33 00 00 4e 33 00 00 "3..03..<3..N3..
00 00 00 00 6c 33 00 00 00 00 00 00 8e 33 00 00 ....l3.......3..
00 00 00 00 00 00 00 00 71 00 77 00 6f 00 72 00 ........q.w.o.r.
64 00 3a 00 00 00 00 00 68 00 65 00 78 00 28 00 d.:.....h.e.x.(.
61 00 29 00 3a 00 00 00 68 00 65 00 78 00 28 00 a.).:...h.e.x.(.
39 00 29 00 3a 00 00 00 68 00 65 00 78 00 28 00 9.).:...h.e.x.(.
38 00 29 00 3a 00 00 00 6d 00 75 00 6c 00 74 00 8.).:...m.u.l.t.
69 00 3a 00 00 00 00 00 6c 00 69 00 6e 00 6b 00 i.:.....l.i.n.k.
3a 00 00 00 64 00 77 00 6f 00 72 00 64 00 3a 00 :...d.w.o.r.d.:.
00 00 00 00 68 00 65 00 78 00 3a 00 00 00 00 00 ....h.e.x.:.....
65 00 78 00 70 00 61 00 6e 00 64 00 3a 00 00 00 e.x.p.a.n.d.:...
00 00 00 00 6e 00 6f 00 6e 00 65 00 3a 00 00 00 ....n.o.n.e.:...
51 00 57 00 4f 00 52 00 44 00 00 00 52 00 45 00 Q.W.O.R.D...R.E.
53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 52 00 S.O.U.R.C.E._.R.
45 00 51 00 55 00 49 00 52 00 45 00 4d 00 45 00 E.Q.U.I.R.E.M.E.
4e 00 54 00 53 00 5f 00 4c 00 49 00 53 00 54 00 N.T.S._.L.I.S.T.
00 00 00 00 46 00 55 00 4c 00 4c 00 5f 00 52 00 ....F.U.L.L._.R.
45 00 53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 E.S.O.U.R.C.E._.
44 00 45 00 53 00 43 00 52 00 49 00 50 00 54 00 D.E.S.C.R.I.P.T.
4f 00 52 00 00 00 00 00 52 00 45 00 53 00 4f 00 O.R.....R.E.S.O.
55 00 52 00 43 00 45 00 5f 00 4c 00 49 00 53 00 U.R.C.E._.L.I.S.
54 00 00 00 4d 00 55 00 4c 00 54 00 49 00 5f 00 T...M.U.L.T.I._.
53 00 5a 00 00 00 00 00 4c 00 49 00 4e 00 4b 00 S.Z.....L.I.N.K.
00 00 00 00 44 00 57 00 4f 00 52 00 44 00 5f 00 ....D.W.O.R.D._.
42 00 49 00 47 00 5f 00 45 00 4e 00 44 00 49 00 B.I.G._.E.N.D.I.
41 00 4e 00 00 00 00 00 44 00 57 00 4f 00 52 00 A.N.....D.W.O.R.
44 00 00 00 42 00 49 00 4e 00 41 00 52 00 59 00 D...B.I.N.A.R.Y.
00 00 00 00 45 00 58 00 50 00 41 00 4e 00 44 00 ....E.X.P.A.N.D.
5f 00 53 00 5a 00 00 00 53 00 5a 00 00 00 00 00 _.S.Z...S.Z.....
4e 00 4f 00 4e 00 45 00 00 00 00 00 00 00 00 00 N.O.N.E.........
48 00 4b 00 45 00 59 00 5f 00 43 00 55 00 52 00 H.K.E.Y._.C.U.R.
52 00 45 00 4e 00 54 00 5f 00 55 00 53 00 45 00 R.E.N.T._.U.S.E.
52 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 R._.L.O.C.A.L._.
53 00 45 00 54 00 54 00 49 00 4e 00 47 00 53 00 S.E.T.T.I.N.G.S.
00 00 00 00 48 00 4b 00 45 00 59 00 5f 00 44 00 ....H.K.E.Y._.D.
59 00 4e 00 5f 00 44 00 41 00 54 00 41 00 00 00 Y.N._.D.A.T.A...
48 00 4b 00 45 00 59 00 5f 00 43 00 55 00 52 00 H.K.E.Y._.C.U.R.
52 00 45 00 4e 00 54 00 5f 00 43 00 4f 00 4e 00 R.E.N.T._.C.O.N.
46 00 49 00 47 00 00 00 48 00 4b 00 45 00 59 00 F.I.G...H.K.E.Y.
5f 00 50 00 45 00 52 00 46 00 4f 00 52 00 4d 00 _.P.E.R.F.O.R.M.
41 00 4e 00 43 00 45 00 5f 00 44 00 41 00 54 00 A.N.C.E._.D.A.T.
41 00 00 00 48 00 4b 00 45 00 59 00 5f 00 55 00 A...H.K.E.Y._.U.
53 00 45 00 52 00 53 00 00 00 00 00 48 00 4b 00 S.E.R.S.....H.K.
45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 E.Y._.L.O.C.A.L.
5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 _.M.A.C.H.I.N.E.
00 00 00 00 48 00 4b 00 45 00 59 00 5f 00 43 00 ....H.K.E.Y._.C.
55 00 52 00 52 00 45 00 4e 00 54 00 5f 00 55 00 U.R.R.E.N.T._.U.
53 00 45 00 52 00 00 00 48 00 4b 00 45 00 59 00 S.E.R...H.K.E.Y.
5f 00 43 00 4c 00 41 00 53 00 53 00 45 00 53 00 _.C.L.A.S.S.E.S.
5f 00 52 00 4f 00 4f 00 54 00 00 00 28 23 40 00 _.R.O.O.T...(#@.
04 23 40 00 dc 22 40 00 c4 22 40 00 98 22 40 00 .#@.."@.."@.."@.
70 22 40 00 54 22 40 00 10 22 40 00 00 22 40 00 p"@.T"@.."@.."@.
f8 21 40 00 e4 21 40 00 d4 21 40 00 c8 21 40 00 .!@..!@..!@..!@.
a4 21 40 00 98 21 40 00 84 21 40 00 68 21 40 00 .!@..!@..!@.h!@.
34 21 40 00 fc 20 40 00 f0 20 40 00 e4 20 40 00 4!@.. @.. @.. @.
e0 20 40 00 d0 20 40 00 c4 20 40 00 b4 20 40 00 . @.. @.. @.. @.
b4 20 40 00 a8 20 40 00 98 20 40 00 88 20 40 00 . @.. @.. @.. @.
78 20 40 00 68 20 40 00 58 20 40 00 00 00 00 00 x @.h @.X @.....
53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 S.i.g.n.a.t.u.r.
65 00 20 00 27 00 50 00 52 00 65 00 67 00 5c 00 e. .'.P.R.e.g.\.
78 00 30 00 31 00 5c 00 30 00 5c 00 30 00 5c 00 x.0.1.\.0.\.0.\.
30 00 27 00 20 00 6d 00 69 00 73 00 73 00 69 00 0.'. .m.i.s.s.i.
6e 00 67 00 20 00 69 00 6e 00 20 00 66 00 69 00 n.g. .i.n. .f.i.
6c 00 65 00 20 00 27 00 25 00 6c 00 73 00 27 00 l.e. .'.%.l.s.'.
21 00 0a 00 00 00 00 00 43 00 6c 00 6f 00 73 00 !.......C.l.o.s.
65 00 48 00 61 00 6e 00 64 00 6c 00 65 00 28 00 e.H.a.n.d.l.e.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 66 00 69 00 6c 00 65 00 20 00 27 00 25 00 .f.i.l.e. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
43 00 6c 00 6f 00 73 00 65 00 48 00 61 00 6e 00 C.l.o.s.e.H.a.n.
64 00 6c 00 65 00 28 00 29 00 20 00 72 00 65 00 d.l.e.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 66 00 69 00 6c 00 .f.o.r. .f.i.l.
65 00 20 00 6d 00 61 00 70 00 70 00 69 00 6e 00 e. .m.a.p.p.i.n.
67 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 g. .'.%.l.s.'...
00 00 00 00 00 00 00 00 55 00 6e 00 6d 00 61 00 ........U.n.m.a.
70 00 56 00 69 00 65 00 77 00 4f 00 66 00 46 00 p.V.i.e.w.O.f.F.
69 00 6c 00 65 00 28 00 29 00 20 00 72 00 65 00 i.l.e.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 66 00 69 00 6c 00 .f.o.r. .f.i.l.
65 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 e. .'.%.l.s.'...
00 00 00 00 00 00 00 00 46 00 6f 00 72 00 6d 00 ........F.o.r.m.
61 00 74 00 20 00 65 00 72 00 72 00 6f 00 72 00 a.t. .e.r.r.o.r.
20 00 69 00 6e 00 20 00 70 00 6f 00 6c 00 69 00 .i.n. .p.o.l.i.
63 00 79 00 20 00 66 00 69 00 6c 00 65 00 20 00 c.y. .f.i.l.e. .
27 00 25 00 6c 00 73 00 27 00 21 00 0a 00 00 00 '.%.l.s.'.!.....
52 00 65 00 67 00 43 00 6c 00 6f 00 73 00 65 00 R.e.g.C.l.o.s.e.
4b 00 65 00 79 00 28 00 29 00 20 00 72 00 65 00 K.e.y.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 72 00 65 00 67 00 .f.o.r. .r.e.g.
69 00 73 00 74 00 72 00 79 00 20 00 6b 00 65 00 i.s.t.r.y. .k.e.
79 00 20 00 27 00 25 00 6c 00 73 00 5c 00 25 00 y. .'.%.l.s.\.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
4d 00 49 00 53 00 4d 00 41 00 54 00 43 00 48 00 M.I.S.M.A.T.C.H.
3a 00 20 00 64 00 61 00 74 00 61 00 20 00 74 00 :. .d.a.t.a. .t.
79 00 70 00 65 00 2c 00 20 00 73 00 69 00 7a 00 y.p.e.,. .s.i.z.
65 00 20 00 6f 00 72 00 20 00 76 00 61 00 6c 00 e. .o.r. .v.a.l.
75 00 65 00 20 00 69 00 6e 00 20 00 70 00 6f 00 u.e. .i.n. .p.o.
6c 00 69 00 63 00 79 00 20 00 66 00 69 00 6c 00 l.i.c.y. .f.i.l.
65 00 20 00 64 00 69 00 66 00 66 00 65 00 72 00 e. .d.i.f.f.e.r.
73 00 20 00 66 00 72 00 6f 00 6d 00 20 00 72 00 s. .f.r.o.m. .r.
65 00 67 00 69 00 73 00 74 00 72 00 79 00 21 00 e.g.i.s.t.r.y.!.
0a 00 00 00 00 00 00 00 52 00 65 00 67 00 51 00 ........R.e.g.Q.
75 00 65 00 72 00 79 00 56 00 61 00 6c 00 75 00 u.e.r.y.V.a.l.u.
65 00 45 00 78 00 28 00 29 00 20 00 72 00 65 00 e.E.x.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 76 00 61 00 6c 00 .f.o.r. .v.a.l.
75 00 65 00 20 00 27 00 25 00 6c 00 73 00 27 00 u.e. .'.%.l.s.'.
20 00 6f 00 66 00 20 00 72 00 65 00 67 00 69 00 .o.f. .r.e.g.i.
73 00 74 00 72 00 79 00 20 00 6b 00 65 00 79 00 s.t.r.y. .k.e.y.
20 00 27 00 25 00 6c 00 73 00 5c 00 25 00 6c 00 .'.%.l.s.\.%.l.
73 00 27 00 0a 00 00 00 52 00 65 00 67 00 4f 00 s.'.....R.e.g.O.
70 00 65 00 6e 00 4b 00 65 00 79 00 45 00 78 00 p.e.n.K.e.y.E.x.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 r. .%.l.u. .f.o.
72 00 20 00 72 00 65 00 67 00 69 00 73 00 74 00 r. .r.e.g.i.s.t.
72 00 79 00 20 00 6b 00 65 00 79 00 20 00 27 00 r.y. .k.e.y. .'.
25 00 6c 00 73 00 5c 00 25 00 6c 00 73 00 27 00 %.l.s.\.%.l.s.'.
0a 00 00 00 2c 00 25 00 30 00 32 00 78 00 00 00 ....,.%.0.2.x...
25 00 30 00 32 00 78 00 00 00 00 00 00 00 00 00 %.0.2.x.........
53 00 69 00 7a 00 65 00 20 00 25 00 6c 00 75 00 S.i.z.e. .%.l.u.
20 00 6f 00 66 00 20 00 52 00 45 00 47 00 5f 00 .o.f. .R.E.G._.
25 00 6c 00 73 00 20 00 76 00 61 00 6c 00 75 00 %.l.s. .v.a.l.u.
65 00 20 00 64 00 61 00 74 00 61 00 20 00 6e 00 e. .d.a.t.a. .n.
6f 00 74 00 20 00 65 00 71 00 75 00 61 00 6c 00 o.t. .e.q.u.a.l.
20 00 6c 00 65 00 6e 00 67 00 74 00 68 00 20 00 .l.e.n.g.t.h. .
25 00 6c 00 75 00 20 00 6f 00 66 00 20 00 73 00 %.l.u. .o.f. .s.
74 00 72 00 69 00 6e 00 67 00 20 00 70 00 6c 00 t.r.i.n.g. .p.l.
75 00 73 00 20 00 74 00 65 00 72 00 6d 00 69 00 u.s. .t.e.r.m.i.
6e 00 61 00 74 00 69 00 6e 00 67 00 20 00 27 00 n.a.t.i.n.g. .'.
4e 00 55 00 4c 00 27 00 20 00 63 00 68 00 61 00 N.U.L.'. .c.h.a.
72 00 61 00 63 00 74 00 65 00 72 00 21 00 0a 00 r.a.c.t.e.r.!...
00 00 00 00 27 00 25 00 6c 00 73 00 27 00 0a 00 ....'.%.l.s.'...
00 00 00 00 00 00 00 00 53 00 69 00 7a 00 65 00 ........S.i.z.e.
20 00 25 00 6c 00 75 00 20 00 6f 00 66 00 20 00 .%.l.u. .o.f. .
52 00 45 00 47 00 5f 00 25 00 6c 00 73 00 20 00 R.E.G._.%.l.s. .
76 00 61 00 6c 00 75 00 65 00 20 00 64 00 61 00 v.a.l.u.e. .d.a.
74 00 61 00 20 00 6e 00 6f 00 74 00 20 00 65 00 t.a. .n.o.t. .e.
71 00 75 00 61 00 6c 00 20 00 27 00 73 00 69 00 q.u.a.l. .'.s.i.
7a 00 65 00 6f 00 66 00 28 00 44 00 57 00 4f 00 z.e.o.f.(.D.W.O.
52 00 44 00 29 00 27 00 21 00 0a 00 00 00 00 00 R.D.).'.!.......
25 00 30 00 38 00 6c 00 78 00 0a 00 00 00 00 00 %.0.8.l.x.......
53 00 69 00 7a 00 65 00 20 00 25 00 6c 00 75 00 S.i.z.e. .%.l.u.
20 00 6f 00 66 00 20 00 52 00 45 00 47 00 5f 00 .o.f. .R.E.G._.
4d 00 55 00 4c 00 54 00 49 00 5f 00 53 00 5a 00 M.U.L.T.I._.S.Z.
20 00 76 00 61 00 6c 00 75 00 65 00 20 00 64 00 .v.a.l.u.e. .d.
61 00 74 00 61 00 20 00 6e 00 6f 00 74 00 20 00 a.t.a. .n.o.t. .
65 00 71 00 75 00 61 00 6c 00 20 00 73 00 75 00 e.q.u.a.l. .s.u.
6d 00 20 00 6f 00 66 00 20 00 73 00 74 00 72 00 m. .o.f. .s.t.r.
69 00 6e 00 67 00 20 00 6c 00 65 00 6e 00 67 00 i.n.g. .l.e.n.g.
74 00 68 00 73 00 20 00 70 00 6c 00 75 00 73 00 t.h.s. .p.l.u.s.
20 00 74 00 65 00 72 00 6d 00 69 00 6e 00 61 00 .t.e.r.m.i.n.a.
74 00 69 00 6e 00 67 00 20 00 27 00 4e 00 55 00 t.i.n.g. .'.N.U.
4c 00 27 00 20 00 63 00 68 00 61 00 72 00 61 00 L.'. .c.h.a.r.a.
63 00 74 00 65 00 72 00 73 00 21 00 0a 00 00 00 c.t.e.r.s.!.....
52 00 45 00 47 00 5f 00 4d 00 55 00 4c 00 54 00 R.E.G._.M.U.L.T.
49 00 5f 00 53 00 5a 00 20 00 76 00 61 00 6c 00 I._.S.Z. .v.a.l.
75 00 65 00 20 00 64 00 61 00 74 00 61 00 20 00 u.e. .d.a.t.a. .
6e 00 6f 00 74 00 20 00 74 00 65 00 72 00 6d 00 n.o.t. .t.e.r.m.
69 00 6e 00 61 00 74 00 65 00 64 00 20 00 77 00 i.n.a.t.e.d. .w.
69 00 74 00 68 00 20 00 65 00 78 00 74 00 72 00 i.t.h. .e.x.t.r.
61 00 20 00 27 00 4e 00 55 00 4c 00 27 00 20 00 a. .'.N.U.L.'. .
63 00 68 00 61 00 72 00 61 00 63 00 74 00 65 00 c.h.a.r.a.c.t.e.
72 00 21 00 0a 00 00 00 0a 00 00 00 2c 00 27 00 r.!.........,.'.
25 00 6c 00 73 00 27 00 00 00 00 00 27 00 25 00 %.l.s.'.....'.%.
6c 00 73 00 27 00 00 00 53 00 69 00 7a 00 65 00 l.s.'...S.i.z.e.
20 00 25 00 6c 00 75 00 20 00 6f 00 66 00 20 00 .%.l.u. .o.f. .
52 00 45 00 47 00 5f 00 51 00 57 00 4f 00 52 00 R.E.G._.Q.W.O.R.
44 00 20 00 76 00 61 00 6c 00 75 00 65 00 20 00 D. .v.a.l.u.e. .
64 00 61 00 74 00 61 00 20 00 6e 00 6f 00 74 00 d.a.t.a. .n.o.t.
20 00 65 00 71 00 75 00 61 00 6c 00 20 00 27 00 .e.q.u.a.l. .'.
73 00 69 00 7a 00 65 00 6f 00 66 00 28 00 51 00 s.i.z.e.o.f.(.Q.
57 00 4f 00 52 00 44 00 29 00 27 00 21 00 0a 00 W.O.R.D.).'.!...
00 00 00 00 25 00 30 00 31 00 36 00 49 00 36 00 ....%.0.1.6.I.6.
34 00 78 00 0a 00 00 00 25 00 6c 00 73 00 00 00 4.x.....%.l.s...
68 00 65 00 78 00 28 00 25 00 6c 00 78 00 29 00 h.e.x.(.%.l.x.).
3a 00 00 00 27 00 25 00 6c 00 73 00 27 00 3d 00 :...'.%.l.s.'.=.
00 00 00 00 40 00 3d 00 00 00 00 00 27 00 25 00 ....@.=.....'.%.
6c 00 73 00 27 00 3d 00 2d 00 20 00 3b 00 20 00 l.s.'.=.-. .;. .
3d 00 00 00 40 00 3d 00 2d 00 20 00 3b 00 20 00 =...@.=.-. .;. .
3d 00 00 00 2a 00 2a 00 44 00 65 00 6c 00 2e 00 =...*.*.D.e.l...
00 00 00 00 2a 00 2a 00 64 00 65 00 6c 00 2e 00 ....*.*.d.e.l...
00 00 00 00 5b 00 2d 00 48 00 4b 00 45 00 59 00 ....[.-.H.K.E.Y.
5f 00 52 00 45 00 4c 00 41 00 54 00 49 00 56 00 _.R.E.L.A.T.I.V.
45 00 5c 00 25 00 6c 00 73 00 5c 00 25 00 6c 00 E.\.%.l.s.\.%.l.
73 00 5d 00 0a 00 00 00 2a 00 2a 00 44 00 65 00 s.].....*.*.D.e.
6c 00 65 00 74 00 65 00 6b 00 65 00 79 00 73 00 l.e.t.e.k.e.y.s.
00 00 00 00 2a 00 2a 00 64 00 65 00 6c 00 65 00 ....*.*.d.e.l.e.
74 00 65 00 6b 00 65 00 79 00 73 00 00 00 00 00 t.e.k.e.y.s.....
27 00 25 00 6c 00 73 00 27 00 3d 00 2d 00 0a 00 '.%.l.s.'.=.-...
00 00 00 00 2a 00 2a 00 44 00 65 00 6c 00 65 00 ....*.*.D.e.l.e.
74 00 65 00 76 00 61 00 6c 00 75 00 65 00 73 00 t.e.v.a.l.u.e.s.
00 00 00 00 2a 00 2a 00 64 00 65 00 6c 00 65 00 ....*.*.d.e.l.e.
74 00 65 00 76 00 61 00 6c 00 75 00 65 00 73 00 t.e.v.a.l.u.e.s.
00 00 00 00 2a 00 3d 00 2d 00 0a 00 00 00 00 00 ....*.=.-.......
2a 00 2a 00 44 00 65 00 6c 00 65 00 74 00 65 00 *.*.D.e.l.e.t.e.
76 00 61 00 6c 00 73 00 00 00 00 00 2a 00 2a 00 v.a.l.s.....*.*.
64 00 65 00 6c 00 65 00 74 00 65 00 76 00 61 00 d.e.l.e.t.e.v.a.
6c 00 73 00 00 00 00 00 3b 00 20 00 53 00 65 00 l.s.....;. .S.e.
63 00 75 00 72 00 65 00 4b 00 65 00 79 00 3d 00 c.u.r.e.K.e.y.=.
30 00 0a 00 00 00 00 00 2a 00 2a 00 53 00 65 00 0.......*.*.S.e.
63 00 75 00 72 00 65 00 4b 00 65 00 79 00 3d 00 c.u.r.e.K.e.y.=.
30 00 00 00 2a 00 2a 00 73 00 65 00 63 00 75 00 0...*.*.s.e.c.u.
72 00 65 00 6b 00 65 00 79 00 3d 00 30 00 00 00 r.e.k.e.y.=.0...
3b 00 20 00 53 00 65 00 63 00 75 00 72 00 65 00 ;. .S.e.c.u.r.e.
4b 00 65 00 79 00 3d 00 31 00 0a 00 00 00 00 00 K.e.y.=.1.......
2a 00 2a 00 53 00 65 00 63 00 75 00 72 00 65 00 *.*.S.e.c.u.r.e.
4b 00 65 00 79 00 3d 00 31 00 00 00 2a 00 2a 00 K.e.y.=.1...*.*.
73 00 65 00 63 00 75 00 72 00 65 00 6b 00 65 00 s.e.c.u.r.e.k.e.
79 00 3d 00 31 00 00 00 0a 00 5b 00 48 00 4b 00 y.=.1.....[.H.K.
45 00 59 00 5f 00 52 00 45 00 4c 00 41 00 54 00 E.Y._.R.E.L.A.T.
49 00 56 00 45 00 5c 00 25 00 6c 00 73 00 5d 00 I.V.E.\.%.l.s.].
0a 00 00 00 00 00 00 00 57 00 69 00 6e 00 64 00 ........W.i.n.d.
6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 o.w.s. .R.e.g.i.
73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 s.t.r.y. .E.d.i.
74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 t.o.r. .V.e.r.s.
69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 i.o.n. .5...0.0.
0a 00 0a 00 3b 00 20 00 52 00 65 00 67 00 69 00 ....;. .R.e.g.i.
73 00 74 00 72 00 79 00 20 00 50 00 6f 00 6c 00 s.t.r.y. .P.o.l.
69 00 63 00 79 00 20 00 46 00 69 00 6c 00 65 00 i.c.y. .F.i.l.e.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
4d 00 61 00 70 00 56 00 69 00 65 00 77 00 4f 00 M.a.p.V.i.e.w.O.
66 00 46 00 69 00 6c 00 65 00 28 00 29 00 20 00 f.F.i.l.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 20 00 66 00 6f 00 72 00 20 00 66 00 l.u. .f.o.r. .f.
69 00 6c 00 65 00 20 00 27 00 25 00 6c 00 73 00 i.l.e. .'.%.l.s.
27 00 0a 00 00 00 00 00 43 00 72 00 65 00 61 00 '.......C.r.e.a.
74 00 65 00 46 00 69 00 6c 00 65 00 4d 00 61 00 t.e.F.i.l.e.M.a.
70 00 70 00 69 00 6e 00 67 00 28 00 29 00 20 00 p.p.i.n.g.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 20 00 66 00 6f 00 72 00 20 00 66 00 l.u. .f.o.r. .f.
69 00 6c 00 65 00 20 00 27 00 25 00 6c 00 73 00 i.l.e. .'.%.l.s.
27 00 0a 00 00 00 00 00 47 00 65 00 74 00 46 00 '.......G.e.t.F.
69 00 6c 00 65 00 53 00 69 00 7a 00 65 00 28 00 i.l.e.S.i.z.e.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 66 00 69 00 6c 00 65 00 20 00 27 00 25 00 .f.i.l.e. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
43 00 72 00 65 00 61 00 74 00 65 00 46 00 69 00 C.r.e.a.t.e.F.i.
6c 00 65 00 28 00 29 00 20 00 72 00 65 00 74 00 l.e.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 65 00 72 00 u.r.n.e.d. .e.r.
72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 r.o.r. .%.l.u. .
66 00 6f 00 72 00 20 00 66 00 69 00 6c 00 65 00 f.o.r. .f.i.l.e.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
4c 00 6f 00 63 00 61 00 6c 00 46 00 72 00 65 00 L.o.c.a.l.F.r.e.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
4e 00 6f 00 20 00 61 00 72 00 67 00 75 00 6d 00 N.o. .a.r.g.u.m.
65 00 6e 00 74 00 73 00 3a 00 20 00 61 00 74 00 e.n.t.s.:. .a.t.
20 00 6c 00 65 00 61 00 73 00 74 00 20 00 6f 00 .l.e.a.s.t. .o.
6e 00 65 00 20 00 27 00 2e 00 70 00 6f 00 6c 00 n.e. .'...p.o.l.
27 00 20 00 66 00 69 00 6c 00 65 00 20 00 6e 00 '. .f.i.l.e. .n.
61 00 6d 00 65 00 20 00 6d 00 75 00 73 00 74 00 a.m.e. .m.u.s.t.
20 00 62 00 65 00 20 00 67 00 69 00 76 00 65 00 .b.e. .g.i.v.e.
6e 00 21 00 0a 00 00 00 4f 00 70 00 74 00 69 00 n.!.....O.p.t.i.
6f 00 6e 00 61 00 6c 00 20 00 66 00 69 00 72 00 o.n.a.l. .f.i.r.
73 00 74 00 20 00 61 00 72 00 67 00 75 00 6d 00 s.t. .a.r.g.u.m.
65 00 6e 00 74 00 20 00 6d 00 75 00 73 00 74 00 e.n.t. .m.u.s.t.
20 00 62 00 65 00 20 00 27 00 2f 00 4d 00 41 00 .b.e. .'./.M.A.
43 00 48 00 49 00 4e 00 45 00 27 00 20 00 6f 00 C.H.I.N.E.'. .o.
72 00 20 00 27 00 2f 00 55 00 53 00 45 00 52 00 r. .'./.U.S.E.R.
27 00 21 00 0a 00 00 00 2f 00 55 00 53 00 45 00 '.!...../.U.S.E.
52 00 00 00 2f 00 4d 00 41 00 43 00 48 00 49 00 R.../.M.A.C.H.I.
4e 00 45 00 00 00 00 00 43 00 6f 00 6d 00 6d 00 N.E.....C.o.m.m.
61 00 6e 00 64 00 4c 00 69 00 6e 00 65 00 54 00 a.n.d.L.i.n.e.T.
6f 00 41 00 72 00 67 00 76 00 28 00 29 00 20 00 o.A.r.g.v.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 0c 32 00 00 00 00 00 00 l.u......2......
00 00 00 00 92 32 00 00 00 20 00 00 1c 32 00 00 .....2... ...2..
00 00 00 00 00 00 00 00 5e 33 00 00 10 20 00 00 ........^3... ..
50 32 00 00 00 00 00 00 00 00 00 00 82 33 00 00 P2...........3..
44 20 00 00 58 32 00 00 00 00 00 00 00 00 00 00 D ..X2..........
9c 33 00 00 4c 20 00 00 00 00 00 00 00 00 00 00 .3..L ..........
00 00 00 00 00 00 00 00 00 00 00 00 6e 32 00 00 ............n2..
82 32 00 00 60 32 00 00 00 00 00 00 a0 32 00 00 .2..`2.......2..
b0 32 00 00 be 32 00 00 d0 32 00 00 e0 32 00 00 .2...2...2...2..
f6 32 00 00 04 33 00 00 14 33 00 00 22 33 00 00 .2...3...3.."3..
30 33 00 00 3c 33 00 00 4e 33 00 00 00 00 00 00 03..<3..N3......
6c 33 00 00 00 00 00 00 8e 33 00 00 00 00 00 00 l3.......3......
30 02 52 65 67 43 6c 6f 73 65 4b 65 79 00 6e 02 0.RegCloseKey.n.
52 65 67 51 75 65 72 79 56 61 6c 75 65 45 78 57 RegQueryValueExW
00 00 61 02 52 65 67 4f 70 65 6e 4b 65 79 45 78 ..a.RegOpenKeyEx
57 00 41 44 56 41 50 49 33 32 2e 64 6c 6c 00 00 W.ADVAPI32.dll..
24 05 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 $.WriteConsoleW.
52 00 43 6c 6f 73 65 48 61 6e 64 6c 65 00 d6 04 R.CloseHandle...
55 6e 6d 61 70 56 69 65 77 4f 66 46 69 6c 65 00 UnmapViewOfFile.
57 03 4d 61 70 56 69 65 77 4f 66 46 69 6c 65 00 W.MapViewOfFile.
8c 00 43 72 65 61 74 65 46 69 6c 65 4d 61 70 70 ..CreateFileMapp
69 6e 67 57 00 00 f0 01 47 65 74 46 69 6c 65 53 ingW....GetFileS
69 7a 65 00 02 02 47 65 74 4c 61 73 74 45 72 72 ize...GetLastErr
6f 72 00 00 8f 00 43 72 65 61 74 65 46 69 6c 65 or....CreateFile
57 00 19 01 45 78 69 74 50 72 6f 63 65 73 73 00 W...ExitProcess.
48 03 4c 6f 63 61 6c 46 72 65 65 00 87 01 47 65 H.LocalFree...Ge
74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 57 00 64 02 tCommandLineW.d.
47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 4b 45 GetStdHandle..KE
52 4e 45 4c 33 32 2e 64 6c 6c 00 00 06 00 43 6f RNEL32.dll....Co
6d 6d 61 6e 64 4c 69 6e 65 54 6f 41 72 67 76 57 mmandLineToArgvW
00 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00 35 03 ..SHELL32.dll.5.
77 76 73 70 72 69 6e 74 66 57 00 00 55 53 45 52 wvsprintfW..USER
33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file POLYGLOT.TXT created in step 3 to recreate the console application Registry Policy Reader:
CERTUTIL.EXE /DecodeHex /V POLYGLOT.TXT POLYGLOT.COM
Input Length = 34816
Output Length = 8192
CertUtil: -decodehex command completed successfully.
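The same decoding step as an added example in Python (not part of the original page or its tools): it parses a dump of the kind decoded above, rejects any line whose hex column and text column disagree, and reports the size, SHA-256 and PE header fields of the result so the file can be checked before it is run. The layout (up to 16 two-digit hex bytes per line, then a text column showing non-printable bytes as '.'), the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

BYTES_PER_LINE = 16


def render_ascii(chunk: bytes) -> str:
    # Assumption: printable ASCII (0x20-0x7e) is shown as-is, anything else as '.'.
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)


def format_hex_dump(data: bytes) -> str:
    """Build a dump in the assumed layout; used only to construct sample input."""
    lines = []
    for off in range(0, len(data), BYTES_PER_LINE):
        chunk = data[off:off + BYTES_PER_LINE]
        lines.append(" ".join(f"{b:02x}" for b in chunk) + "   " + render_ascii(chunk))
    return "\r\n".join(lines) + "\r\n"


def decode_hex_dump(text: str) -> bytes:
    """Decode the hex column and cross-check every line against its text column."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # The text column is exactly as long as the number of bytes on the line,
        # so try n = 16 .. 1 until the remainder splits into n two-digit tokens.
        for n in range(BYTES_PER_LINE, 0, -1):
            tokens = line[:-n].split()
            if len(tokens) != n or any(len(t) != 2 for t in tokens):
                continue
            try:
                chunk = bytes.fromhex("".join(tokens))
            except ValueError:
                continue
            break
        else:
            raise ValueError(f"line {lineno}: not a hex dump line")
        if render_ascii(chunk) != line[-n:]:
            raise ValueError(f"line {lineno}: hex and text columns disagree")
        out += chunk
    return bytes(out)


def inspect_image(data: bytes) -> dict:
    """Return size and SHA-256, plus PE header fields if the data is a PE image."""
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(), "pe": False}
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 8 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
            info.update(pe=True, machine=machine, sections=sections)
    return info


def build_sample() -> bytes:
    # Constructed sample: a minimal DOS header pointing at a PE signature,
    # followed by the first two COFF header fields (i386, 2 sections).
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    pe = b"PE\0\0" + struct.pack("<HH", 0x014C, 2)
    return bytes(dos) + pe + b"constructed sample, not the page's file"


if __name__ == "__main__":
    dump = format_hex_dump(build_sample())
    decoded = decode_hex_dump(dump)
    for key, value in inspect_image(decoded).items():
        print(f"{key}: {value}")
```

For the file from the page, the reported size should equal the Output Length that CERTUTIL.EXE prints, 8192 bytes.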
offline registry hive formatted as .inf file in UTF-16LE encoding on standard output (which must be redirected to a file).
ORCloseHive()
ORCloseKey()
ORCreateHive()
ORCreateKey()
ORDeleteKey()
ORDeleteValue()
OREnumKey()
OREnumValue()
ORGetKeySecurity()
ORGetValue()
ORGetVersion()
ORGetVirtualFlags()
OROpenHive()
OROpenKey()
ORQueryInfoKey()
ORSaveHive()
ORSetKeySecurity()
ORSetValue()
ORSetVirtualFlags()
Create the text file OFFREG.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#include <offreg.h>
#define MAX_DEPTH 512UL
#define MAX_KEY_LENGTH 255UL
#define MAX_VALUE_NAME 16383UL
#define MAX_VALUE_DATA 1048576UL
typedef unsigned __int64 QWORD, *LPQWORD;
BYTE cbData[MAX_VALUE_DATA];
WCHAR szKey[(MAX_KEY_LENGTH + 1) * MAX_DEPTH];
WCHAR szValue[MAX_VALUE_NAME + 1];
// Format a message with wvsprintf() and write it to the console;
// returns TRUE only if all formatted characters were written
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
    WCHAR   szBuffer[1025];
    DWORD   dwBuffer;
    DWORD   dwConsole;
    va_list vaInserts;

    va_start(vaInserts, lpFormat);
    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
    va_end(vaInserts);

    if (dwBuffer == 0)
        return FALSE;

    if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
        return FALSE;

    return dwConsole == dwBuffer;
}

// Format a message with wvsprintf() and write it as UTF-16LE to a file;
// WriteFile() is repeated until all bytes are written
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, LPCWSTR lpFormat, ...)
{
    WCHAR   szBuffer[1025];
    LPBYTE  lpBuffer;
    DWORD   dwBuffer;
    DWORD   dwFile;
    va_list vaInserts;

    va_start(vaInserts, lpFormat);
    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
    va_end(vaInserts);

    if (dwBuffer == 0)
        return FALSE;

    dwBuffer *= sizeof(*szBuffer);      // characters to bytes
    lpBuffer = (LPBYTE) szBuffer;

    do
    {
        if (!WriteFile(hFile, lpBuffer, dwBuffer, &dwFile, (LPOVERLAPPED) NULL))
            return FALSE;

        lpBuffer += dwFile;
        dwBuffer -= dwFile;
    } while (dwBuffer > 0);

    return TRUE;
}

// Write dwString characters of lpString as UTF-16LE to a file
__inline
BOOL WINAPI PrintString(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
    DWORD   dwFile;

    dwString *= sizeof(*lpString);      // characters to bytes

    do
    {
        if (!WriteFile(hFile, lpString, dwString, &dwFile, (LPOVERLAPPED) NULL))
            return FALSE;

        // cast on l-value: MSVC extension, reported as warning C4213
        (LPBYTE) lpString += dwFile;
        dwString -= dwFile;
    } while (dwString > 0);

    return TRUE;
}

// Return a pointer to the next '"' or '%' in lpString, or NULL if there
// is none; the callers write that character twice to escape it
__inline
LPCWSTR WINAPI InfEscape(LPCWSTR lpString)
{
    do
        if ((*lpString == L'"')
         || (*lpString == L'%'))
            return lpString;
    while (*lpString++ != L'\0');

    return NULL;
}
const WCHAR szBytes[256][4] = {L",00", L",01", L",02", L",03", L",04", L",05", L",06", L",07", L",08", L",09", L",0a", L",0b", L",0c", L",0d", L",0e", L",0f",
L",10", L",11", L",12", L",13", L",14", L",15", L",16", L",17", L",18", L",19", L",1a", L",1b", L",1c", L",1d", L",1e", L",1f",
L",20", L",21", L",22", L",23", L",24", L",25", L",26", L",27", L",28", L",29", L",2a", L",2b", L",2c", L",2d", L",2e", L",2f",
L",30", L",31", L",32", L",33", L",34", L",35", L",36", L",37", L",38", L",39", L",3a", L",3b", L",3c", L",3d", L",3e", L",3f",
L",40", L",41", L",42", L",43", L",44", L",45", L",46", L",47", L",48", L",49", L",4a", L",4b", L",4c", L",4d", L",4e", L",4f",
L",50", L",51", L",52", L",53", L",54", L",55", L",56", L",57", L",58", L",59", L",5a", L",5b", L",5c", L",5d", L",5e", L",5f",
L",60", L",61", L",62", L",63", L",64", L",65", L",66", L",67", L",68", L",69", L",6a", L",6b", L",6c", L",6d", L",6e", L",6f",
L",70", L",71", L",72", L",73", L",74", L",75", L",76", L",77", L",78", L",79", L",7a", L",7b", L",7c", L",7d", L",7e", L",7f",
L",80", L",81", L",82", L",83", L",84", L",85", L",86", L",87", L",88", L",89", L",8a", L",8b", L",8c", L",8d", L",8e", L",8f",
L",90", L",91", L",92", L",93", L",94", L",95", L",96", L",97", L",98", L",99", L",9a", L",9b", L",9c", L",9d", L",9e", L",9f",
L",a0", L",a1", L",a2", L",a3", L",a4", L",a5", L",a6", L",a7", L",a8", L",a9", L",aa", L",ab", L",ac", L",ad", L",ae", L",af",
L",b0", L",b1", L",b2", L",b3", L",b4", L",b5", L",b6", L",b7", L",b8", L",b9", L",ba", L",bb", L",bc", L",bd", L",be", L",bf",
L",c0", L",c1", L",c2", L",c3", L",c4", L",c5", L",c6", L",c7", L",c8", L",c9", L",ca", L",cb", L",cc", L",cd", L",ce", L",cf",
L",d0", L",d1", L",d2", L",d3", L",d4", L",d5", L",d6", L",d7", L",d8", L",d9", L",da", L",db", L",dc", L",dd", L",de", L",df",
L",e0", L",e1", L",e2", L",e3", L",e4", L",e5", L",e6", L",e7", L",e8", L",e9", L",ea", L",eb", L",ec", L",ed", L",ee", L",ef",
L",f0", L",f1", L",f2", L",f3", L",f4", L",f5", L",f6", L",f7", L",f8", L",f9", L",fa", L",fb", L",fc", L",fd", L",fe", L",ff"};
const LPCWSTR szType[12] = {L"NONE",
                            L"SZ",
                            L"EXPAND_SZ",
                            L"BINARY",
                            L"DWORD",       // alias DWORD_LITTLE_ENDIAN
                            L"DWORD_BIG_ENDIAN",
                            L"LINK",
                            L"MULTI_SZ",
                            L"RESOURCE_LIST",
                            L"FULL_RESOURCE_DESCRIPTOR",
                            L"RESOURCE_REQUIREMENTS_LIST",
                            L"QWORD"};      // alias QWORD_LITTLE_ENDIAN
// Write all values of the open key hkKey as [AddReg] lines, then recurse
// into its subkeys; szKey holds the path of the key, dwKey is the length
// of that path in characters
DWORD WINAPI Offline(HANDLE hConsole, HANDLE hOutput, ORHKEY hkKey, DWORD dwKey)
{
    BOOL    bOutput;
    DWORD   dwError;
    DWORD   dwSubKeys, dwSubKey;
    DWORD   dwValues, dwValue, dwType, dwData, dwBytes;
#ifdef SANITY
    DWORD   dwCount, dwChars;
    LPCWSTR lpCount;
#endif
    LPCWSTR lpData, lpEscape, lpLast, lpMulti;
    LPCWSTR lpSubKey = szKey + dwKey + 1;
    ORHKEY  hkSubKey;

    for (dwValues = 0;; dwValues++)
    {
    //  *szValue = L'\0';
        dwValue = sizeof(szValue) / sizeof(*szValue);
        // reserve one WCHAR: the REG_SZ and REG_MULTI_SZ cases below
        // store a terminating L'\0' directly behind the value data
        dwData = sizeof(cbData) - sizeof(L'\0');
        dwError = OREnumValue(hkKey,
                              dwValues,
                              szValue,
                              &dwValue,
                              &dwType,
                              cbData,
                              &dwData);
        if (dwError == ERROR_NO_MORE_ITEMS)
            break;

        if (dwError != ERROR_SUCCESS)
            PrintConsole(hConsole,
                         L"OREnumValue() returned error %lu for registry key \'%ls\'\n",
                         dwError, szKey);
        else
        {
#ifdef SANITY
            dwChars = wcslen(szValue);
            // arguments in the order of the format string
            if (dwValue < dwChars)
                PrintConsole(hConsole,
                             L"ERROR: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)!\n",
                             dwValue, szValue, szKey, dwChars);
            else if (dwValue > dwChars)
                PrintConsole(hConsole,
                             L"WARNING: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
                             dwValue, szValue, szKey, dwChars);

            if (dwData == 0)
                PrintConsole(hConsole,
                             L"WARNING: no value data for value name \'%ls\' in registry key \'%ls\'\n",
                             szValue, szKey);
            else
                switch (dwType)
                {
                case REG_LINK:
                    if (dwData % sizeof(L'\0'))
                        PrintConsole(hConsole,
                                     L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' not a multiple of WCHAR size!\n",
                                     dwData, szValue, szKey);
                    break;

                case REG_DWORD_BIG_ENDIAN:
                case REG_DWORD_LITTLE_ENDIAN:
            //  case REG_DWORD:
                    if (dwData < sizeof(DWORD))
                        PrintConsole(hConsole,
                                     L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than DWORD size!\n",
                                     dwData, szValue, szKey);
                    else if (dwData > sizeof(DWORD))
                        PrintConsole(hConsole,
                                     L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than DWORD size\n",
                                     dwData, szValue, szKey);
                    break;

                case REG_QWORD_LITTLE_ENDIAN:
            //  case REG_QWORD:
                    if (dwData < sizeof(QWORD))
                        PrintConsole(hConsole,
                                     L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than QWORD size!\n",
                                     dwData, szValue, szKey);
                    else if (dwData > sizeof(QWORD))
                        PrintConsole(hConsole,
                                     L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than QWORD size\n",
                                     dwData, szValue, szKey);
                    break;

                case REG_SZ:
                case REG_EXPAND_SZ:
                    dwChars = wcslen((LPCWSTR) cbData);
                    dwBytes = (dwChars + 1) * sizeof(L'\0');
                    if (dwData < dwBytes)
                        PrintConsole(hConsole,
                                     L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu + 1 characters = %lu bytes)\n",
                                     dwData, szValue, szKey, dwChars, dwBytes);
                    else if (dwData > dwBytes)
                        PrintConsole(hConsole,
                                     L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu + 1 characters = %lu bytes)\n",
                                     dwData, szValue, szKey, dwChars, dwBytes);
                    break;

                case REG_MULTI_SZ:
                    dwChars = 0;
                    dwCount = 1;
                    lpCount = (LPCWSTR) cbData;
                    while (*lpCount != L'\0')
                    {
                        dwChars += wcslen(lpCount);
                        dwCount++;
                        lpCount += wcslen(lpCount) + 1;
                    }
                    dwBytes = (dwChars + dwCount) * sizeof(L'\0');
                    if (dwData < dwBytes)
                        PrintConsole(hConsole,
                                     L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
                                     dwData, szValue, szKey, dwChars, dwCount, dwBytes);
                    else if (dwData > dwBytes)
                        PrintConsole(hConsole,
                                     L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
                                     dwData, szValue, szKey, dwChars, dwCount, dwBytes);
                    break;

            //  case REG_NONE:
            //  case REG_BINARY:
            //  case REG_RESOURCE_LIST:
            //  case REG_FULL_RESOURCE_DESCRIPTOR:
            //  case REG_RESOURCE_REQUIREMENTS_LIST:
                }
#ifdef UNKNOWN
            if (dwType > REG_QWORD)
                PrintConsole(hConsole,
                             L"WARNING: unknown data type (0x%08lx) for value name \'%ls\' in registry key \'%ls\'\n",
                             dwType, szValue, szKey);
#endif
#endif // SANITY
            // key column: empty for the root key, else the path below it
            if (dwKey < sizeof("HKEY_OFFLINE"))
                bOutput = PrintFormat(hOutput,
                                      L"HKO,,");
            else
                bOutput = PrintFormat(hOutput,
                                      L"HKO,\"%ls\",",
                                      szKey + sizeof("HKEY_OFFLINE"));

            // value name and type columns; szType[] has entries for the
            // types 0 to 11 only, all others are written as number
            if (dwType >= sizeof(szType) / sizeof(*szType))
                if (dwValue == 0)
                    bOutput &= PrintFormat(hOutput, L",0x%08lx", dwType);
                else
                    bOutput &= PrintFormat(hOutput, L"\"%ls\",0x%08lx", szValue, dwType);
            else
                if (dwValue == 0)
                    bOutput &= PrintFormat(hOutput, L",%%REG_%ls%%", szType[dwType]);
                else
                    bOutput &= PrintFormat(hOutput, L"\"%ls\",%%REG_%ls%%", szValue, szType[dwType]);

            // data column
            if (dwData == 0)
                bOutput &= PrintString(hOutput, L"\r\n", 2);
            else
                switch (dwType)
                {
                case REG_LINK:
                    if (dwData % sizeof(L'\0'))
                        goto DEFAULT;

                    bOutput &= PrintString(hOutput, L",\"", 2);
                    bOutput &= PrintString(hOutput, (LPCWSTR) cbData, dwData / sizeof(L'\0'));
                    bOutput &= PrintString(hOutput, L"\"\r\n", 3);
                    break;

                case REG_SZ:
                case REG_EXPAND_SZ:
                    if (dwData % sizeof(L'\0'))
                        goto DEFAULT;

                    if (*(LPCWSTR) cbData == L'\0')
                        bOutput &= PrintString(hOutput, L",\"\"\r\n", 5);
                    else
                    {
                        lpData = (LPCWSTR) cbData;
                        // the data need not be terminated: add L'\0'
                        ((LPWSTR) lpData)[dwData / sizeof(L'\0')] = L'\0';
                        dwData = wcslen(lpData);
                        bOutput &= PrintString(hOutput, L",\"", 2);
                        for (lpEscape = InfEscape(lpData);
                             lpEscape != NULL;
                             lpData = lpEscape, lpEscape = InfEscape(lpEscape + 1))
                            bOutput &= PrintString(hOutput, lpData, lpEscape + 1 - lpData);
                        bOutput &= PrintString(hOutput, lpData, (LPCWSTR) cbData + dwData - lpData);
                        bOutput &= PrintString(hOutput, L"\"\r\n", 3);
                    }
                    break;

                case REG_MULTI_SZ:
                    if (dwData % sizeof(L'\0'))
                        goto DEFAULT;

                    if ((dwData == sizeof(L'\0'))
                     && (*(LPCWSTR) cbData == L'\0'))
                        bOutput &= PrintString(hOutput, L";\r\n", 3);
                    else
                    {
                        lpData = (LPCWSTR) cbData;
                        dwData /= sizeof(L'\0');
                        lpLast = lpData + dwData;
                        if ((dwData > 1)
                         && (lpData[dwData - 1] == L'\0')
                         && (lpData[dwData - 2] == L'\0'))
                            lpLast--;
                        else    // not terminated with 2 L'\0': add L'\0'
                            *(LPWSTR) lpLast = L'\0';

                        do
                            if (*lpData == L'\0')
                                bOutput &= PrintString(hOutput, L";\"\"", 3);
                            else
                            {
                                dwData = wcslen(lpData);
                                bOutput &= PrintString(hOutput, L",\"", 2);
                                for (lpEscape = InfEscape(lpMulti = lpData), lpData += dwData;
                                     lpEscape != NULL;
                                     lpMulti = lpEscape, lpEscape = InfEscape(lpEscape + 1))
                                    bOutput &= PrintString(hOutput, lpMulti, lpEscape + 1 - lpMulti);
                                bOutput &= PrintString(hOutput, lpMulti, lpData - lpMulti);
                                bOutput &= PrintString(hOutput, L"\"", 1);
                            }
                        while (++lpData < lpLast);

                        bOutput &= PrintString(hOutput, L"\r\n", 2);
                    }
                    break;

                case REG_DWORD_BIG_ENDIAN:
                    if (dwData != sizeof(DWORD))
                        goto DEFAULT;
#if 0
                    bOutput &= PrintFormat(hOutput, L",%lu\r\n", _byteswap_ulong(*(LPDWORD) cbData));
#else
                    bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", _byteswap_ulong(*(LPDWORD) cbData), *(LPDWORD) cbData);
#endif
                    break;

                case REG_DWORD_LITTLE_ENDIAN:
            //  case REG_DWORD:
                    if (dwData != sizeof(DWORD))
                        goto DEFAULT;
#if 0
                    bOutput &= PrintFormat(hOutput, L",%lu\r\n", *(LPDWORD) cbData);
#else
                    bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", *(LPDWORD) cbData, *(LPDWORD) cbData);
#endif
                    break;

                case REG_QWORD_LITTLE_ENDIAN:
            //  case REG_QWORD:
                    if (dwData != sizeof(QWORD))
                        goto DEFAULT;
#if 0
                    bOutput &= PrintFormat(hOutput, L",%I64u\r\n", *(LPQWORD) cbData);
#else
                    bOutput &= PrintFormat(hOutput, L",%I64u ; 0x%016I64x\r\n", *(LPQWORD) cbData, *(LPQWORD) cbData);
#endif
                    break;

            //  case REG_NONE:
            //  case REG_BINARY:
            //  case REG_RESOURCE_LIST:
            //  case REG_FULL_RESOURCE_DESCRIPTOR:
            //  case REG_RESOURCE_REQUIREMENTS_LIST:
                default:
                DEFAULT:    // all other types and malformed data: hex bytes
                    for (dwBytes = 0; dwBytes < dwData; dwBytes++)
#if 0
                        bOutput &= PrintFormat(hOutput, L",%02x", cbData[dwBytes]);
#else
                        bOutput &= PrintString(hOutput, szBytes[cbData[dwBytes]], 3);
#endif
                    bOutput &= PrintString(hOutput, L"\r\n", 2);
                }

            if (!bOutput)
                PrintConsole(hConsole,
                             L"WriteFile() returned error %lu for value \'%ls\' of registry key \'%ls\'\n",
                             dwError = GetLastError(), szValue, szKey);
        }
    }

    for (dwSubKeys = 0;; dwSubKeys++)
    {
        // the subkey name is stored in szKey behind the path of this key
        dwSubKey = sizeof(szKey) / sizeof(*szKey) - dwKey - 1;
        dwError = OREnumKey(hkKey,
                            dwSubKeys,
                            lpSubKey,
                            &dwSubKey,
                            (LPWSTR) NULL,
                            (LPDWORD) NULL,
                            (LPFILETIME) NULL);
        if (dwError == ERROR_NO_MORE_ITEMS)
            break;

        if (dwError != ERROR_SUCCESS)
            PrintConsole(hConsole,
                         L"OREnumKey() returned error %lu for registry key \'%ls\'\n",
                         dwError, szKey);
        else
        {
#ifdef SANITY
            dwChars = wcslen(lpSubKey);
            if (dwChars > dwSubKey)
                PrintConsole(hConsole,
                             L"ERROR: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)\n",
                             dwSubKey, lpSubKey, szKey, dwChars);
            else if (dwChars < dwSubKey)
                PrintConsole(hConsole,
                             L"WARNING: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
                             dwSubKey, lpSubKey, szKey, dwChars);
#endif // SANITY
            szKey[dwKey] = L'\\';       // append the subkey name to the path

            dwError = OROpenKey(hkKey,
                                lpSubKey,
                                &hkSubKey);
            if (dwError != ERROR_SUCCESS)
                PrintConsole(hConsole,
                             L"OROpenKey() returned error %lu for registry key \'%ls\'\n",
                             dwError, szKey);
            else
            {
                dwError = Offline(hConsole, hOutput, hkSubKey, dwKey + 1 + dwSubKey);

                dwValue = ORCloseKey(hkSubKey);
                if (dwValue != ERROR_SUCCESS)
                    PrintConsole(hConsole,
                                 L"ORCloseKey() returned error %lu for registry key \'%ls\'\n",
                                 dwValue, szKey);
            }

            szKey[dwKey] = L'\0';       // remove the subkey name again
        }
    }

    // a key without values and subkeys is written as REG_KEYONLY line
    if ((dwValues == 0) && (dwSubKeys == 0))
    {
        if (dwKey < sizeof("HKEY_OFFLINE"))
            bOutput = PrintFormat(hOutput,
                                  L"HKO,,,%%REG_KEYONLY%%\r\n");
        else
            bOutput = PrintFormat(hOutput,
                                  L"HKO,\"%ls\",,%%REG_KEYONLY%%\r\n",
                                  szKey + sizeof("HKEY_OFFLINE"));
        if (!bOutput)
            PrintConsole(hConsole,
                         L"WriteFile() returned error %lu for empty registry key \'%ls\'\n",
                         dwError = GetLastError(), szKey);
    }

    return dwError;
}
// Entry point: open the hive named on the command line and write it
// as .inf file to standard output, messages go to standard error
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    SYSTEMTIME st;
    LPWSTR  *lpArguments;
    INT     nArguments;
    DWORD   dwError = ERROR_BAD_ARGUMENTS;
    DWORD   dwMajor, dwMinor;
    ORHKEY  hkRoot;
    HANDLE  hOutput;
    HANDLE  hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
        if (lpArguments == NULL)
            PrintConsole(hConsole,
                         L"CommandLineToArgv() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
            if (nArguments < 2)
                PrintConsole(hConsole,
                             L"No argument: a single filename of a registry hive must be given!\n");
            else if (nArguments > 2)
                PrintConsole(hConsole,
                             L"Too many arguments: a single filename of a registry hive must be given!\n");
            else
            {
                hOutput = GetStdHandle(STD_OUTPUT_HANDLE);
                if (hOutput == INVALID_HANDLE_VALUE)
                    PrintConsole(hConsole,
                                 L"GetStdHandle() returned error %lu\n",
                                 dwError = GetLastError());
                else
                {
                    if (!FlushFileBuffers(hOutput))
                        PrintConsole(hConsole,
                                     L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
                                     dwError = GetLastError());
                    else
                    {
                        ORGetVersion(&dwMajor, &dwMinor);
                        PrintConsole(hConsole,
                                     L"OFFREG.DLL version %lu.%lu\n",
                                     dwMajor, dwMinor);

                        dwError = OROpenHive(lpArguments[1], &hkRoot);
                        if (dwError != ERROR_SUCCESS)
                            PrintConsole(hConsole,
                                         L"OROpenHive() returned error %lu\n",
                                         dwError);
                        else
                        {
                            GetSystemTime(&st);
                            if (!PrintFormat(hOutput,
                                             L"\xfeff"  // UTF-16LE BOM
                                             L"[Version]\r\n"
                                             L"DriverVer = %02hu/%02hu/%04hu,%02hu.%02hu.%02hu.%03hu ; UTC\r\n"
                                             L"Provider = \"Stefan Kanthak\"\r\n"
                                             L"Signature = \"$Windows NT$\"\r\n"
                                             L"\r\n"
                                             L"[Strings]\r\n"
                                             L"REG_SZ = 0x00000000\r\n"
                                             L"REG_BINARY = 0x00000001\r\n"
                                             L"REG_KEYONLY = 0x00000010\r\n"
                                             L"REG_MULTI_SZ = 0x00010000\r\n"
                                             L"REG_DWORD = 0x00010001\r\n"
                                             L"REG_EXPAND_SZ = 0x00020000\r\n"
                                             L"REG_NONE = 0x00020001\r\n"
                                             L"REG_COMPATIBLE = 0x00030001 ; same as REG_BINARY\r\n"
                                             L"REG_DWORD_LITTLE_ENDIAN = 0x00040001 ; same as REG_DWORD\r\n"
                                             L"REG_DWORD_BIG_ENDIAN = 0x00050001\r\n"
                                             L"REG_LINK = 0x00060000\r\n"
                                             L"REG_RESOURCE_LIST = 0x00080001\r\n"
                                             L"REG_FULL_RESOURCE_DESCRIPTOR = 0x00090001\r\n"
                                             L"REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001\r\n"
                                             L"REG_QWORD = 0x000b0001\r\n"
                                             L"REG_QWORD_LITTLE_ENDIAN = 0x000b0001 ; same as REG_QWORD\r\n"
                                             L"\r\n"
                                             L"[DefaultInstall.NT]\r\n"
                                             L";AddReg = AddReg.HKO\r\n"
                                             L"\r\n"
                                             L"[AddReg.HKO]\r\n",
                                             st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds))
                                PrintConsole(hConsole,
                                             L"WriteFile() returned error %lu\n",
                                             dwError = GetLastError());

                            // szKey holds the path of the key being written
                            memcpy(szKey, L"HKEY_OFFLINE", sizeof(L"HKEY_OFFLINE"));

                            dwError = Offline(hConsole, hOutput, hkRoot, sizeof("HKEY_OFFLINE") - 1);

                            if (!PrintString(hOutput,
                                             L"\r\n"
                                             L"; EOF\r\n", 9))
                                PrintConsole(hConsole,
                                             L"WriteFile() returned error %lu\n",
                                             dwError = GetLastError());

                            dwError = ORCloseHive(hkRoot);
                            if (dwError != ERROR_SUCCESS)
                                PrintConsole(hConsole,
                                             L"ORCloseHive() returned error %lu\n",
                                             dwError);
                        }
                    }

                    if (!CloseHandle(hOutput))
                        PrintConsole(hConsole,
                                     L"CloseHandle() returned error %lu\n",
                                     GetLastError());
                }
            }

            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                             L"LocalFree() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}
Run the following four command lines to compile the source file OFFREG.C created in step 1., link the compiled object file OFFREG.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:OFFREG.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"Offline Registry Reader.com" /RELEASE /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE OFFREG.C
ERASE OFFREG.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
OFFREG.C
OFFREG.C(106) : warning C4213: nonstandard extension used : cast on l-value
OFFREG.C(470) : warning C4090: 'function' : different 'const' qualifiers
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Create the text file OFFREG.TXT with the following content in an arbitrary, preferably empty directory:
2c 00 31 00 37 00 00 00 2c 00 31 00 38 00 00 00 ,.1.7...,.1.8...
2c 00 31 00 39 00 00 00 2c 00 31 00 61 00 00 00 ,.1.9...,.1.a...
2c 00 31 00 62 00 00 00 2c 00 31 00 63 00 00 00 ,.1.b...,.1.c...
2c 00 31 00 64 00 00 00 2c 00 31 00 65 00 00 00 ,.1.d...,.1.e...
2c 00 31 00 66 00 00 00 2c 00 32 00 30 00 00 00 ,.1.f...,.2.0...
2c 00 32 00 31 00 00 00 2c 00 32 00 32 00 00 00 ,.2.1...,.2.2...
2c 00 32 00 33 00 00 00 2c 00 32 00 34 00 00 00 ,.2.3...,.2.4...
2c 00 32 00 35 00 00 00 2c 00 32 00 36 00 00 00 ,.2.5...,.2.6...
2c 00 32 00 37 00 00 00 2c 00 32 00 38 00 00 00 ,.2.7...,.2.8...
2c 00 32 00 39 00 00 00 2c 00 32 00 61 00 00 00 ,.2.9...,.2.a...
2c 00 32 00 62 00 00 00 2c 00 32 00 63 00 00 00 ,.2.b...,.2.c...
2c 00 32 00 64 00 00 00 2c 00 32 00 65 00 00 00 ,.2.d...,.2.e...
2c 00 32 00 66 00 00 00 2c 00 33 00 30 00 00 00 ,.2.f...,.3.0...
2c 00 33 00 31 00 00 00 2c 00 33 00 32 00 00 00 ,.3.1...,.3.2...
2c 00 33 00 33 00 00 00 2c 00 33 00 34 00 00 00 ,.3.3...,.3.4...
2c 00 33 00 35 00 00 00 2c 00 33 00 36 00 00 00 ,.3.5...,.3.6...
2c 00 33 00 37 00 00 00 2c 00 33 00 38 00 00 00 ,.3.7...,.3.8...
2c 00 33 00 39 00 00 00 2c 00 33 00 61 00 00 00 ,.3.9...,.3.a...
2c 00 33 00 62 00 00 00 2c 00 33 00 63 00 00 00 ,.3.b...,.3.c...
2c 00 33 00 64 00 00 00 2c 00 33 00 65 00 00 00 ,.3.d...,.3.e...
2c 00 33 00 66 00 00 00 2c 00 34 00 30 00 00 00 ,.3.f...,.4.0...
2c 00 34 00 31 00 00 00 2c 00 34 00 32 00 00 00 ,.4.1...,.4.2...
2c 00 34 00 33 00 00 00 2c 00 34 00 34 00 00 00 ,.4.3...,.4.4...
2c 00 34 00 35 00 00 00 2c 00 34 00 36 00 00 00 ,.4.5...,.4.6...
2c 00 34 00 37 00 00 00 2c 00 34 00 38 00 00 00 ,.4.7...,.4.8...
2c 00 34 00 39 00 00 00 2c 00 34 00 61 00 00 00 ,.4.9...,.4.a...
2c 00 34 00 62 00 00 00 2c 00 34 00 63 00 00 00 ,.4.b...,.4.c...
2c 00 34 00 64 00 00 00 2c 00 34 00 65 00 00 00 ,.4.d...,.4.e...
2c 00 34 00 66 00 00 00 2c 00 35 00 30 00 00 00 ,.4.f...,.5.0...
2c 00 35 00 31 00 00 00 2c 00 35 00 32 00 00 00 ,.5.1...,.5.2...
2c 00 35 00 33 00 00 00 2c 00 35 00 34 00 00 00 ,.5.3...,.5.4...
2c 00 35 00 35 00 00 00 2c 00 35 00 36 00 00 00 ,.5.5...,.5.6...
2c 00 35 00 37 00 00 00 2c 00 35 00 38 00 00 00 ,.5.7...,.5.8...
2c 00 35 00 39 00 00 00 2c 00 35 00 61 00 00 00 ,.5.9...,.5.a...
2c 00 35 00 62 00 00 00 2c 00 35 00 63 00 00 00 ,.5.b...,.5.c...
2c 00 35 00 64 00 00 00 2c 00 35 00 65 00 00 00 ,.5.d...,.5.e...
2c 00 35 00 66 00 00 00 2c 00 36 00 30 00 00 00 ,.5.f...,.6.0...
2c 00 36 00 31 00 00 00 2c 00 36 00 32 00 00 00 ,.6.1...,.6.2...
2c 00 36 00 33 00 00 00 2c 00 36 00 34 00 00 00 ,.6.3...,.6.4...
2c 00 36 00 35 00 00 00 2c 00 36 00 36 00 00 00 ,.6.5...,.6.6...
2c 00 36 00 37 00 00 00 2c 00 36 00 38 00 00 00 ,.6.7...,.6.8...
2c 00 36 00 39 00 00 00 2c 00 36 00 61 00 00 00 ,.6.9...,.6.a...
2c 00 36 00 62 00 00 00 2c 00 36 00 63 00 00 00 ,.6.b...,.6.c...
2c 00 36 00 64 00 00 00 2c 00 36 00 65 00 00 00 ,.6.d...,.6.e...
2c 00 36 00 66 00 00 00 2c 00 37 00 30 00 00 00 ,.6.f...,.7.0...
2c 00 37 00 31 00 00 00 2c 00 37 00 32 00 00 00 ,.7.1...,.7.2...
2c 00 37 00 33 00 00 00 2c 00 37 00 34 00 00 00 ,.7.3...,.7.4...
2c 00 37 00 35 00 00 00 2c 00 37 00 36 00 00 00 ,.7.5...,.7.6...
2c 00 37 00 37 00 00 00 2c 00 37 00 38 00 00 00 ,.7.7...,.7.8...
2c 00 37 00 39 00 00 00 2c 00 37 00 61 00 00 00 ,.7.9...,.7.a...
2c 00 37 00 62 00 00 00 2c 00 37 00 63 00 00 00 ,.7.b...,.7.c...
2c 00 37 00 64 00 00 00 2c 00 37 00 65 00 00 00 ,.7.d...,.7.e...
2c 00 37 00 66 00 00 00 2c 00 38 00 30 00 00 00 ,.7.f...,.8.0...
2c 00 38 00 31 00 00 00 2c 00 38 00 32 00 00 00 ,.8.1...,.8.2...
2c 00 38 00 33 00 00 00 2c 00 38 00 34 00 00 00 ,.8.3...,.8.4...
2c 00 38 00 35 00 00 00 2c 00 38 00 36 00 00 00 ,.8.5...,.8.6...
2c 00 38 00 37 00 00 00 2c 00 38 00 38 00 00 00 ,.8.7...,.8.8...
2c 00 38 00 39 00 00 00 2c 00 38 00 61 00 00 00 ,.8.9...,.8.a...
2c 00 38 00 62 00 00 00 2c 00 38 00 63 00 00 00 ,.8.b...,.8.c...
2c 00 38 00 64 00 00 00 2c 00 38 00 65 00 00 00 ,.8.d...,.8.e...
2c 00 38 00 66 00 00 00 2c 00 39 00 30 00 00 00 ,.8.f...,.9.0...
2c 00 39 00 31 00 00 00 2c 00 39 00 32 00 00 00 ,.9.1...,.9.2...
2c 00 39 00 33 00 00 00 2c 00 39 00 34 00 00 00 ,.9.3...,.9.4...
2c 00 39 00 35 00 00 00 2c 00 39 00 36 00 00 00 ,.9.5...,.9.6...
2c 00 39 00 37 00 00 00 2c 00 39 00 38 00 00 00 ,.9.7...,.9.8...
2c 00 39 00 39 00 00 00 2c 00 39 00 61 00 00 00 ,.9.9...,.9.a...
2c 00 39 00 62 00 00 00 2c 00 39 00 63 00 00 00 ,.9.b...,.9.c...
2c 00 39 00 64 00 00 00 2c 00 39 00 65 00 00 00 ,.9.d...,.9.e...
2c 00 39 00 66 00 00 00 2c 00 61 00 30 00 00 00 ,.9.f...,.a.0...
2c 00 61 00 31 00 00 00 2c 00 61 00 32 00 00 00 ,.a.1...,.a.2...
2c 00 61 00 33 00 00 00 2c 00 61 00 34 00 00 00 ,.a.3...,.a.4...
2c 00 61 00 35 00 00 00 2c 00 61 00 36 00 00 00 ,.a.5...,.a.6...
2c 00 61 00 37 00 00 00 2c 00 61 00 38 00 00 00 ,.a.7...,.a.8...
2c 00 61 00 39 00 00 00 2c 00 61 00 61 00 00 00 ,.a.9...,.a.a...
2c 00 61 00 62 00 00 00 2c 00 61 00 63 00 00 00 ,.a.b...,.a.c...
2c 00 61 00 64 00 00 00 2c 00 61 00 65 00 00 00 ,.a.d...,.a.e...
2c 00 61 00 66 00 00 00 2c 00 62 00 30 00 00 00 ,.a.f...,.b.0...
2c 00 62 00 31 00 00 00 2c 00 62 00 32 00 00 00 ,.b.1...,.b.2...
2c 00 62 00 33 00 00 00 2c 00 62 00 34 00 00 00 ,.b.3...,.b.4...
2c 00 62 00 35 00 00 00 2c 00 62 00 36 00 00 00 ,.b.5...,.b.6...
2c 00 62 00 37 00 00 00 2c 00 62 00 38 00 00 00 ,.b.7...,.b.8...
2c 00 62 00 39 00 00 00 2c 00 62 00 61 00 00 00 ,.b.9...,.b.a...
2c 00 62 00 62 00 00 00 2c 00 62 00 63 00 00 00 ,.b.b...,.b.c...
2c 00 62 00 64 00 00 00 2c 00 62 00 65 00 00 00 ,.b.d...,.b.e...
2c 00 62 00 66 00 00 00 2c 00 63 00 30 00 00 00 ,.b.f...,.c.0...
2c 00 63 00 31 00 00 00 2c 00 63 00 32 00 00 00 ,.c.1...,.c.2...
2c 00 63 00 33 00 00 00 2c 00 63 00 34 00 00 00 ,.c.3...,.c.4...
2c 00 63 00 35 00 00 00 2c 00 63 00 36 00 00 00 ,.c.5...,.c.6...
2c 00 63 00 37 00 00 00 2c 00 63 00 38 00 00 00 ,.c.7...,.c.8...
2c 00 63 00 39 00 00 00 2c 00 63 00 61 00 00 00 ,.c.9...,.c.a...
2c 00 63 00 62 00 00 00 2c 00 63 00 63 00 00 00 ,.c.b...,.c.c...
2c 00 63 00 64 00 00 00 2c 00 63 00 65 00 00 00 ,.c.d...,.c.e...
2c 00 63 00 66 00 00 00 2c 00 64 00 30 00 00 00 ,.c.f...,.d.0...
2c 00 64 00 31 00 00 00 2c 00 64 00 32 00 00 00 ,.d.1...,.d.2...
2c 00 64 00 33 00 00 00 2c 00 64 00 34 00 00 00 ,.d.3...,.d.4...
2c 00 64 00 35 00 00 00 2c 00 64 00 36 00 00 00 ,.d.5...,.d.6...
2c 00 64 00 37 00 00 00 2c 00 64 00 38 00 00 00 ,.d.7...,.d.8...
2c 00 64 00 39 00 00 00 2c 00 64 00 61 00 00 00 ,.d.9...,.d.a...
2c 00 64 00 62 00 00 00 2c 00 64 00 63 00 00 00 ,.d.b...,.d.c...
2c 00 64 00 64 00 00 00 2c 00 64 00 65 00 00 00 ,.d.d...,.d.e...
2c 00 64 00 66 00 00 00 2c 00 65 00 30 00 00 00 ,.d.f...,.e.0...
2c 00 65 00 31 00 00 00 2c 00 65 00 32 00 00 00 ,.e.1...,.e.2...
2c 00 65 00 33 00 00 00 2c 00 65 00 34 00 00 00 ,.e.3...,.e.4...
2c 00 65 00 35 00 00 00 2c 00 65 00 36 00 00 00 ,.e.5...,.e.6...
2c 00 65 00 37 00 00 00 2c 00 65 00 38 00 00 00 ,.e.7...,.e.8...
2c 00 65 00 39 00 00 00 2c 00 65 00 61 00 00 00 ,.e.9...,.e.a...
2c 00 65 00 62 00 00 00 2c 00 65 00 63 00 00 00 ,.e.b...,.e.c...
2c 00 65 00 64 00 00 00 2c 00 65 00 65 00 00 00 ,.e.d...,.e.e...
2c 00 65 00 66 00 00 00 2c 00 66 00 30 00 00 00 ,.e.f...,.f.0...
2c 00 66 00 31 00 00 00 2c 00 66 00 32 00 00 00 ,.f.1...,.f.2...
2c 00 66 00 33 00 00 00 2c 00 66 00 34 00 00 00 ,.f.3...,.f.4...
2c 00 66 00 35 00 00 00 2c 00 66 00 36 00 00 00 ,.f.5...,.f.6...
2c 00 66 00 37 00 00 00 2c 00 66 00 38 00 00 00 ,.f.7...,.f.8...
2c 00 66 00 39 00 00 00 2c 00 66 00 61 00 00 00 ,.f.9...,.f.a...
2c 00 66 00 62 00 00 00 2c 00 66 00 63 00 00 00 ,.f.b...,.f.c...
2c 00 66 00 64 00 00 00 2c 00 66 00 65 00 00 00 ,.f.d...,.f.e...
2c 00 66 00 66 00 00 00 68 21 40 00 60 21 40 00 ,.f.f...h!@.`!@.
4c 21 40 00 3c 21 40 00 30 21 40 00 0c 21 40 00 L!@.<!@.0!@..!@.
00 21 40 00 ec 20 40 00 d0 20 40 00 9c 20 40 00 .!@.. @.. @.. @.
64 20 40 00 58 20 40 00 57 00 72 00 69 00 74 00 d @.X @.W.r.i.t.
65 00 46 00 69 00 6c 00 65 00 28 00 29 00 20 00 e.F.i.l.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 20 00 66 00 6f 00 72 00 20 00 65 00 l.u. .f.o.r. .e.
6d 00 70 00 74 00 79 00 20 00 72 00 65 00 67 00 m.p.t.y. .r.e.g.
69 00 73 00 74 00 72 00 79 00 20 00 6b 00 65 00 i.s.t.r.y. .k.e.
79 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 y. .'.%.l.s.'...
00 00 00 00 48 00 4b 00 4f 00 2c 00 22 00 25 00 ....H.K.O.,.".%.
6c 00 73 00 22 00 2c 00 2c 00 25 00 25 00 52 00 l.s.".,.,.%.%.R.
45 00 47 00 5f 00 4b 00 45 00 59 00 4f 00 4e 00 E.G._.K.E.Y.O.N.
4c 00 59 00 25 00 25 00 0d 00 0a 00 00 00 00 00 L.Y.%.%.........
48 00 4b 00 4f 00 2c 00 2c 00 2c 00 25 00 25 00 H.K.O.,.,.,.%.%.
52 00 45 00 47 00 5f 00 4b 00 45 00 59 00 4f 00 R.E.G._.K.E.Y.O.
4e 00 4c 00 59 00 25 00 25 00 0d 00 0a 00 00 00 N.L.Y.%.%.......
4f 00 52 00 43 00 6c 00 6f 00 73 00 65 00 4b 00 O.R.C.l.o.s.e.K.
65 00 79 00 28 00 29 00 20 00 72 00 65 00 74 00 e.y.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 65 00 72 00 u.r.n.e.d. .e.r.
72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 r.o.r. .%.l.u. .
66 00 6f 00 72 00 20 00 72 00 65 00 67 00 69 00 f.o.r. .r.e.g.i.
73 00 74 00 72 00 79 00 20 00 6b 00 65 00 79 00 s.t.r.y. .k.e.y.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
4f 00 52 00 4f 00 70 00 65 00 6e 00 4b 00 65 00 O.R.O.p.e.n.K.e.
79 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 y.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 72 00 65 00 67 00 69 00 73 00 o.r. .r.e.g.i.s.
74 00 72 00 79 00 20 00 6b 00 65 00 79 00 20 00 t.r.y. .k.e.y. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
4f 00 52 00 45 00 6e 00 75 00 6d 00 4b 00 65 00 O.R.E.n.u.m.K.e.
79 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 y.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 72 00 65 00 67 00 69 00 73 00 o.r. .r.e.g.i.s.
74 00 72 00 79 00 20 00 6b 00 65 00 79 00 20 00 t.r.y. .k.e.y. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
57 00 72 00 69 00 74 00 65 00 46 00 69 00 6c 00 W.r.i.t.e.F.i.l.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 76 00 61 00 6c 00 75 00 65 00 o.r. .v.a.l.u.e.
20 00 27 00 25 00 6c 00 73 00 27 00 20 00 6f 00 .'.%.l.s.'. .o.
66 00 20 00 72 00 65 00 67 00 69 00 73 00 74 00 f. .r.e.g.i.s.t.
72 00 79 00 20 00 6b 00 65 00 79 00 20 00 27 00 r.y. .k.e.y. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 2c 00 22 00 %.l.s.'.....,.".
22 00 0d 00 0a 00 00 00 2c 00 25 00 6c 00 75 00 ".......,.%.l.u.
20 00 3b 00 20 00 30 00 78 00 25 00 30 00 38 00 .;. .0.x.%.0.8.
6c 00 78 00 0d 00 0a 00 00 00 00 00 22 00 0d 00 l.x........."...
0a 00 00 00 0d 00 0a 00 00 00 00 00 22 00 00 00 ............"...
2c 00 22 00 00 00 00 00 3b 00 22 00 22 00 00 00 ,.".....;."."...
3b 00 0d 00 0a 00 00 00 2c 00 25 00 49 00 36 00 ;.......,.%.I.6.
34 00 75 00 20 00 3b 00 20 00 30 00 78 00 25 00 4.u. .;. .0.x.%.
30 00 31 00 36 00 49 00 36 00 34 00 78 00 0d 00 0.1.6.I.6.4.x...
0a 00 00 00 22 00 25 00 6c 00 73 00 22 00 2c 00 ....".%.l.s.".,.
25 00 25 00 52 00 45 00 47 00 5f 00 25 00 6c 00 %.%.R.E.G._.%.l.
73 00 25 00 25 00 00 00 2c 00 25 00 25 00 52 00 s.%.%...,.%.%.R.
45 00 47 00 5f 00 25 00 6c 00 73 00 25 00 25 00 E.G._.%.l.s.%.%.
00 00 00 00 22 00 25 00 6c 00 73 00 22 00 2c 00 ....".%.l.s.".,.
30 00 78 00 25 00 30 00 38 00 6c 00 78 00 00 00 0.x.%.0.8.l.x...
2c 00 30 00 78 00 25 00 30 00 38 00 6c 00 78 00 ,.0.x.%.0.8.l.x.
00 00 00 00 48 00 4b 00 4f 00 2c 00 22 00 25 00 ....H.K.O.,.".%.
6c 00 73 00 22 00 2c 00 00 00 00 00 48 00 4b 00 l.s.".,.....H.K.
4f 00 2c 00 2c 00 00 00 4f 00 52 00 45 00 6e 00 O.,.,...O.R.E.n.
75 00 6d 00 56 00 61 00 6c 00 75 00 65 00 28 00 u.m.V.a.l.u.e.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 72 00 65 00 67 00 69 00 73 00 74 00 72 00 .r.e.g.i.s.t.r.
79 00 20 00 6b 00 65 00 79 00 20 00 27 00 25 00 y. .k.e.y. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
4c 00 6f 00 63 00 61 00 6c 00 46 00 72 00 65 00 L.o.c.a.l.F.r.e.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
4f 00 52 00 43 00 6c 00 6f 00 73 00 65 00 48 00 O.R.C.l.o.s.e.H.
69 00 76 00 65 00 28 00 29 00 20 00 72 00 65 00 i.v.e.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
0a 00 00 00 0d 00 0a 00 3b 00 20 00 45 00 4f 00 ........;. .E.O.
46 00 0d 00 0a 00 00 00 48 00 4b 00 45 00 59 00 F.......H.K.E.Y.
5f 00 4f 00 46 00 46 00 4c 00 49 00 4e 00 45 00 _.O.F.F.L.I.N.E.
00 00 00 00 00 00 00 00 57 00 72 00 69 00 74 00 ........W.r.i.t.
65 00 46 00 69 00 6c 00 65 00 28 00 29 00 20 00 e.F.i.l.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 ff fe 5b 00 56 00 65 00 l.u.......[.V.e.
72 00 73 00 69 00 6f 00 6e 00 5d 00 0d 00 0a 00 r.s.i.o.n.].....
44 00 72 00 69 00 76 00 65 00 72 00 56 00 65 00 D.r.i.v.e.r.V.e.
72 00 20 00 3d 00 20 00 25 00 30 00 32 00 68 00 r. .=. .%.0.2.h.
75 00 2f 00 25 00 30 00 32 00 68 00 75 00 2f 00 u./.%.0.2.h.u./.
25 00 30 00 34 00 68 00 75 00 2c 00 25 00 30 00 %.0.4.h.u.,.%.0.
32 00 68 00 75 00 2e 00 25 00 30 00 32 00 68 00 2.h.u...%.0.2.h.
75 00 2e 00 25 00 30 00 32 00 68 00 75 00 2e 00 u...%.0.2.h.u...
25 00 30 00 33 00 68 00 75 00 20 00 3b 00 20 00 %.0.3.h.u. .;. .
55 00 54 00 43 00 0d 00 0a 00 50 00 72 00 6f 00 U.T.C.....P.r.o.
76 00 69 00 64 00 65 00 72 00 20 00 20 00 3d 00 v.i.d.e.r. . .=.
20 00 22 00 53 00 74 00 65 00 66 00 61 00 6e 00 .".S.t.e.f.a.n.
20 00 4b 00 61 00 6e 00 74 00 68 00 61 00 6b 00 .K.a.n.t.h.a.k.
22 00 0d 00 0a 00 53 00 69 00 67 00 6e 00 61 00 ".....S.i.g.n.a.
74 00 75 00 72 00 65 00 20 00 3d 00 20 00 22 00 t.u.r.e. .=. .".
24 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 $.W.i.n.d.o.w.s.
20 00 4e 00 54 00 24 00 22 00 0d 00 0a 00 0d 00 .N.T.$.".......
0a 00 5b 00 53 00 74 00 72 00 69 00 6e 00 67 00 ..[.S.t.r.i.n.g.
73 00 5d 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 s.].....R.E.G._.
53 00 5a 00 20 00 20 00 20 00 20 00 20 00 20 00 S.Z. . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 3d 00 20 00 30 00 78 00 30 00 . . .=. .0.x.0.
30 00 30 00 30 00 30 00 30 00 30 00 30 00 0d 00 0.0.0.0.0.0.0...
0a 00 52 00 45 00 47 00 5f 00 42 00 49 00 4e 00 ..R.E.G._.B.I.N.
41 00 52 00 59 00 20 00 20 00 20 00 20 00 20 00 A.R.Y. . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 30 00 =. .0.x.0.0.0.0.
30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 0.0.0.1.....R.E.
47 00 5f 00 4b 00 45 00 59 00 4f 00 4e 00 4c 00 G._.K.E.Y.O.N.L.
59 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 Y. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 3d 00 20 00 30 00 . . . . .=. .0.
78 00 30 00 30 00 30 00 30 00 30 00 30 00 31 00 x.0.0.0.0.0.0.1.
30 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 4d 00 0.....R.E.G._.M.
55 00 4c 00 54 00 49 00 5f 00 53 00 5a 00 20 00 U.L.T.I._.S.Z. .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 3d 00 20 00 30 00 78 00 30 00 30 00 . .=. .0.x.0.0.
30 00 31 00 30 00 30 00 30 00 30 00 0d 00 0a 00 0.1.0.0.0.0.....
52 00 45 00 47 00 5f 00 44 00 57 00 4f 00 52 00 R.E.G._.D.W.O.R.
44 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 D. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 30 00 30 00 30 00 31 00 30 00 .0.x.0.0.0.1.0.
30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 47 00 0.0.1.....R.E.G.
5f 00 45 00 58 00 50 00 41 00 4e 00 44 00 5f 00 _.E.X.P.A.N.D._.
53 00 5a 00 20 00 20 00 20 00 20 00 20 00 20 00 S.Z. . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 3d 00 20 00 30 00 78 00 . . . .=. .0.x.
30 00 30 00 30 00 32 00 30 00 30 00 30 00 30 00 0.0.0.2.0.0.0.0.
0d 00 0a 00 52 00 45 00 47 00 5f 00 4e 00 4f 00 ....R.E.G._.N.O.
4e 00 45 00 20 00 20 00 20 00 20 00 20 00 20 00 N.E. . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 3d 00 20 00 30 00 78 00 30 00 30 00 30 00 .=. .0.x.0.0.0.
32 00 30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 2.0.0.0.1.....R.
45 00 47 00 5f 00 43 00 4f 00 4d 00 50 00 41 00 E.G._.C.O.M.P.A.
54 00 49 00 42 00 4c 00 45 00 20 00 20 00 20 00 T.I.B.L.E. . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 . . . . . .=. .
30 00 78 00 30 00 30 00 30 00 33 00 30 00 30 00 0.x.0.0.0.3.0.0.
30 00 31 00 20 00 3b 00 20 00 73 00 61 00 6d 00 0.1. .;. .s.a.m.
65 00 20 00 61 00 73 00 20 00 52 00 45 00 47 00 e. .a.s. .R.E.G.
5f 00 42 00 49 00 4e 00 41 00 52 00 59 00 0d 00 _.B.I.N.A.R.Y...
0a 00 52 00 45 00 47 00 5f 00 44 00 57 00 4f 00 ..R.E.G._.D.W.O.
52 00 44 00 5f 00 4c 00 49 00 54 00 54 00 4c 00 R.D._.L.I.T.T.L.
45 00 5f 00 45 00 4e 00 44 00 49 00 41 00 4e 00 E._.E.N.D.I.A.N.
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 34 00 =. .0.x.0.0.0.4.
30 00 30 00 30 00 31 00 20 00 3b 00 20 00 73 00 0.0.0.1. .;. .s.
61 00 6d 00 65 00 20 00 61 00 73 00 20 00 52 00 a.m.e. .a.s. .R.
45 00 47 00 5f 00 44 00 57 00 4f 00 52 00 44 00 E.G._.D.W.O.R.D.
0d 00 0a 00 52 00 45 00 47 00 5f 00 44 00 57 00 ....R.E.G._.D.W.
4f 00 52 00 44 00 5f 00 42 00 49 00 47 00 5f 00 O.R.D._.B.I.G._.
45 00 4e 00 44 00 49 00 41 00 4e 00 20 00 20 00 E.N.D.I.A.N. . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 3d 00 20 00 30 00 78 00 30 00 30 00 30 00 .=. .0.x.0.0.0.
35 00 30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 5.0.0.0.1.....R.
45 00 47 00 5f 00 4c 00 49 00 4e 00 4b 00 20 00 E.G._.L.I.N.K. .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 . . . . . .=. .
30 00 78 00 30 00 30 00 30 00 36 00 30 00 30 00 0.x.0.0.0.6.0.0.
30 00 30 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 0.0.....R.E.G._.
52 00 45 00 53 00 4f 00 55 00 52 00 43 00 45 00 R.E.S.O.U.R.C.E.
5f 00 4c 00 49 00 53 00 54 00 20 00 20 00 20 00 _.L.I.S.T. . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 3d 00 20 00 30 00 78 00 30 00 . . .=. .0.x.0.
30 00 30 00 38 00 30 00 30 00 30 00 31 00 0d 00 0.0.8.0.0.0.1...
0a 00 52 00 45 00 47 00 5f 00 46 00 55 00 4c 00 ..R.E.G._.F.U.L.
4c 00 5f 00 52 00 45 00 53 00 4f 00 55 00 52 00 L._.R.E.S.O.U.R.
43 00 45 00 5f 00 44 00 45 00 53 00 43 00 52 00 C.E._.D.E.S.C.R.
49 00 50 00 54 00 4f 00 52 00 20 00 20 00 20 00 I.P.T.O.R. . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 39 00 =. .0.x.0.0.0.9.
30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 0.0.0.1.....R.E.
47 00 5f 00 52 00 45 00 53 00 4f 00 55 00 52 00 G._.R.E.S.O.U.R.
43 00 45 00 5f 00 52 00 45 00 51 00 55 00 49 00 C.E._.R.E.Q.U.I.
52 00 45 00 4d 00 45 00 4e 00 54 00 53 00 5f 00 R.E.M.E.N.T.S._.
4c 00 49 00 53 00 54 00 20 00 3d 00 20 00 30 00 L.I.S.T. .=. .0.
78 00 30 00 30 00 30 00 61 00 30 00 30 00 30 00 x.0.0.0.a.0.0.0.
31 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 51 00 1.....R.E.G._.Q.
57 00 4f 00 52 00 44 00 20 00 20 00 20 00 20 00 W.O.R.D. . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 3d 00 20 00 30 00 78 00 30 00 30 00 . .=. .0.x.0.0.
30 00 62 00 30 00 30 00 30 00 31 00 0d 00 0a 00 0.b.0.0.0.1.....
52 00 45 00 47 00 5f 00 51 00 57 00 4f 00 52 00 R.E.G._.Q.W.O.R.
44 00 5f 00 4c 00 49 00 54 00 54 00 4c 00 45 00 D._.L.I.T.T.L.E.
5f 00 45 00 4e 00 44 00 49 00 41 00 4e 00 20 00 _.E.N.D.I.A.N. .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 30 00 30 00 30 00 62 00 30 00 .0.x.0.0.0.b.0.
30 00 30 00 31 00 20 00 3b 00 20 00 73 00 61 00 0.0.1. .;. .s.a.
6d 00 65 00 20 00 61 00 73 00 20 00 52 00 45 00 m.e. .a.s. .R.E.
47 00 5f 00 51 00 57 00 4f 00 52 00 44 00 0d 00 G._.Q.W.O.R.D...
0a 00 0d 00 0a 00 5b 00 44 00 65 00 66 00 61 00 ......[.D.e.f.a.
75 00 6c 00 74 00 49 00 6e 00 73 00 74 00 61 00 u.l.t.I.n.s.t.a.
6c 00 6c 00 2e 00 4e 00 54 00 5d 00 0d 00 0a 00 l.l...N.T.].....
3b 00 41 00 64 00 64 00 52 00 65 00 67 00 20 00 ;.A.d.d.R.e.g. .
3d 00 20 00 41 00 64 00 64 00 52 00 65 00 67 00 =. .A.d.d.R.e.g.
2e 00 48 00 4b 00 4f 00 0d 00 0a 00 0d 00 0a 00 ..H.K.O.........
5b 00 41 00 64 00 64 00 52 00 65 00 67 00 2e 00 [.A.d.d.R.e.g...
48 00 4b 00 4f 00 5d 00 0d 00 0a 00 00 00 00 00 H.K.O.].........
4f 00 52 00 4f 00 70 00 65 00 6e 00 48 00 69 00 O.R.O.p.e.n.H.i.
76 00 65 00 28 00 29 00 20 00 72 00 65 00 74 00 v.e.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 65 00 72 00 u.r.n.e.d. .e.r.
72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 r.o.r. .%.l.u...
00 00 00 00 4f 00 46 00 46 00 52 00 45 00 47 00 ....O.F.F.R.E.G.
2e 00 44 00 4c 00 4c 00 20 00 76 00 65 00 72 00 ..D.L.L. .v.e.r.
73 00 69 00 6f 00 6e 00 20 00 25 00 6c 00 75 00 s.i.o.n. .%.l.u.
2e 00 25 00 6c 00 75 00 0a 00 00 00 00 00 00 00 ..%.l.u.........
46 00 6c 00 75 00 73 00 68 00 46 00 69 00 6c 00 F.l.u.s.h.F.i.l.
65 00 42 00 75 00 66 00 66 00 65 00 72 00 73 00 e.B.u.f.f.e.r.s.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 3a 00 20 00 73 00 r. .%.l.u.:. .s.
74 00 61 00 6e 00 64 00 61 00 72 00 64 00 20 00 t.a.n.d.a.r.d. .
6f 00 75 00 74 00 70 00 75 00 74 00 20 00 69 00 o.u.t.p.u.t. .i.
73 00 20 00 6e 00 6f 00 74 00 20 00 72 00 65 00 s. .n.o.t. .r.e.
64 00 69 00 72 00 65 00 63 00 74 00 65 00 64 00 d.i.r.e.c.t.e.d.
20 00 74 00 6f 00 20 00 61 00 20 00 66 00 69 00 .t.o. .a. .f.i.
6c 00 65 00 21 00 0a 00 00 00 00 00 00 00 00 00 l.e.!...........
47 00 65 00 74 00 53 00 74 00 64 00 48 00 61 00 G.e.t.S.t.d.H.a.
6e 00 64 00 6c 00 65 00 28 00 29 00 20 00 72 00 n.d.l.e.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 0a 00 00 00 00 00 54 00 6f 00 6f 00 20 00 u.......T.o.o. .
6d 00 61 00 6e 00 79 00 20 00 61 00 72 00 67 00 m.a.n.y. .a.r.g.
75 00 6d 00 65 00 6e 00 74 00 73 00 3a 00 20 00 u.m.e.n.t.s.:. .
61 00 20 00 73 00 69 00 6e 00 67 00 6c 00 65 00 a. .s.i.n.g.l.e.
20 00 66 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 .f.i.l.e.n.a.m.
65 00 20 00 6f 00 66 00 20 00 61 00 20 00 72 00 e. .o.f. .a. .r.
65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 e.g.i.s.t.r.y. .
68 00 69 00 76 00 65 00 20 00 6d 00 75 00 73 00 h.i.v.e. .m.u.s.
74 00 20 00 62 00 65 00 20 00 67 00 69 00 76 00 t. .b.e. .g.i.v.
65 00 6e 00 21 00 0a 00 00 00 00 00 00 00 00 00 e.n.!...........
4e 00 6f 00 20 00 61 00 72 00 67 00 75 00 6d 00 N.o. .a.r.g.u.m.
65 00 6e 00 74 00 3a 00 20 00 61 00 20 00 73 00 e.n.t.:. .a. .s.
69 00 6e 00 67 00 6c 00 65 00 20 00 66 00 69 00 i.n.g.l.e. .f.i.
6c 00 65 00 6e 00 61 00 6d 00 65 00 20 00 6f 00 l.e.n.a.m.e. .o.
66 00 20 00 61 00 20 00 72 00 65 00 67 00 69 00 f. .a. .r.e.g.i.
73 00 74 00 72 00 79 00 20 00 68 00 69 00 76 00 s.t.r.y. .h.i.v.
65 00 20 00 6d 00 75 00 73 00 74 00 20 00 62 00 e. .m.u.s.t. .b.
65 00 20 00 67 00 69 00 76 00 65 00 6e 00 21 00 e. .g.i.v.e.n.!.
0a 00 00 00 00 00 00 00 43 00 6f 00 6d 00 6d 00 ........C.o.m.m.
61 00 6e 00 64 00 4c 00 69 00 6e 00 65 00 54 00 a.n.d.L.i.n.e.T.
6f 00 41 00 72 00 67 00 76 00 28 00 29 00 20 00 o.A.r.g.v.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 fc 39 00 00 00 00 00 00 l.u......9......
00 00 00 00 e0 3a 00 00 00 20 00 00 24 3a 00 00 .....:... ..$:..
00 00 00 00 00 00 00 00 4e 3b 00 00 28 20 00 00 ........N;..( ..
44 3a 00 00 00 00 00 00 00 00 00 00 70 3b 00 00 D:..........p;..
48 20 00 00 4c 3a 00 00 00 00 00 00 00 00 00 00 H ..L:..........
8a 3b 00 00 50 20 00 00 00 00 00 00 00 00 00 00 .;..P ..........
00 00 00 00 00 00 00 00 00 00 00 00 54 3a 00 00 ............T:..
64 3a 00 00 70 3a 00 00 80 3a 00 00 8e 3a 00 00 d:..p:...:...:..
9a 3a 00 00 aa 3a 00 00 be 3a 00 00 d0 3a 00 00 .:...:...:...:..
00 00 00 00 ee 3a 00 00 fa 3a 00 00 08 3b 00 00 .....:...:...;..
14 3b 00 00 22 3b 00 00 30 3b 00 00 3e 3b 00 00 .;..";..0;..>;..
00 00 00 00 5a 3b 00 00 00 00 00 00 7c 3b 00 00 ....Z;......|;..
00 00 00 00 24 05 57 72 69 74 65 43 6f 6e 73 6f ....$.WriteConso
6c 65 57 00 25 05 57 72 69 74 65 46 69 6c 65 00 leW.%.WriteFile.
02 02 47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 ..GetLastError..
19 01 45 78 69 74 50 72 6f 63 65 73 73 00 48 03 ..ExitProcess.H.
4c 6f 63 61 6c 46 72 65 65 00 77 02 47 65 74 53 LocalFree.w.GetS
79 73 74 65 6d 54 69 6d 65 00 57 01 46 6c 75 73 ystemTime.W.Flus
68 46 69 6c 65 42 75 66 66 65 72 73 00 00 87 01 hFileBuffers....
47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 57 00 GetCommandLineW.
64 02 47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 d.GetStdHandle..
4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 06 00 KERNEL32.dll....
4f 52 45 6e 75 6d 4b 65 79 00 01 00 4f 52 43 6c OREnumKey...ORCl
6f 73 65 4b 65 79 00 00 0d 00 4f 52 4f 70 65 6e oseKey....OROpen
4b 65 79 00 07 00 4f 52 45 6e 75 6d 56 61 6c 75 Key...OREnumValu
65 00 00 00 4f 52 43 6c 6f 73 65 48 69 76 65 00 e...ORCloseHive.
0c 00 4f 52 4f 70 65 6e 48 69 76 65 00 00 0a 00 ..OROpenHive....
4f 52 47 65 74 56 65 72 73 69 6f 6e 00 00 4f 46 ORGetVersion..OF
46 52 45 47 2e 64 6c 6c 00 00 06 00 43 6f 6d 6d FREG.dll....Comm
61 6e 64 4c 69 6e 65 54 6f 41 72 67 76 57 00 00 andLineToArgvW..
53 48 45 4c 4c 33 32 2e 64 6c 6c 00 35 03 77 76 SHELL32.dll.5.wv
73 70 72 69 6e 74 66 57 00 00 55 53 45 52 33 32 sprintfW..USER32
2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 00 00 .dll............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file OFFREG.TXT created in step 3. to recreate the console application Offline Registry Reader:
CERTUTIL.EXE /DecodeHex /V OFFREG.TXT OFFREG.COM
Input Length = 43520
Output Length = 10240
CertUtil: -decodehex command completed successfully.
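An added example, not part of the original page or of the author's tools: a portable C decoder for a dump in the layout of OFFREG.TXT (16 hex bytes per row followed by an ASCII column) that rejects any row whose two columns disagree, so the decoded byte count can be compared with the Output Length that CERTUTIL.EXE reports. The function names and the tolerance for a single-space column separator are assumptions of this example; the first three sample rows are copied from the dump, the tampered row is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_ROW 16    /* row width of the dump (assumption of this example) */

static int hex_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Character the ASCII column shows for a byte: printable ASCII as is, else '.' */
static char ascii_column(unsigned char b)
{
    return (b >= 0x20 && b <= 0x7e) ? (char) b : '.';
}

/* Try to read a row of length len as exactly n bytes; returns 1 on success. */
static int try_row(const char *row, size_t len, size_t n, unsigned char *out)
{
    size_t i, ascii;

    if (len < 4 * n - 1)                    /* n pairs, n separators, n characters */
        return 0;
    ascii = len - n;                        /* ASCII column = last n characters */
    for (i = 0; i < n; i++) {
        int hi = hex_value(row[3 * i]);
        int lo = hex_value(row[3 * i + 1]);
        if (hi < 0 || lo < 0 || row[3 * i + 2] != ' ')
            return 0;
        out[i] = (unsigned char) (hi << 4 | lo);
    }
    for (i = 3 * n - 1; i < ascii; i++)     /* only spaces between the columns */
        if (row[i] != ' ')
            return 0;
    for (i = 0; i < n; i++)                 /* hex and ASCII columns must agree */
        if (row[ascii + i] != ascii_column(out[i]))
            return 0;
    return 1;
}

/* Decode one row into out (room for BYTES_PER_ROW); returns 1..16, or -1 if malformed. */
int decode_dump_line(const char *row, size_t len, unsigned char *out)
{
    size_t n;

    for (n = BYTES_PER_ROW; n >= 1; n--)    /* a short last row has fewer bytes */
        if (try_row(row, len, n, out))
            return (int) n;
    return -1;
}

/* Decode a whole dump; returns the byte count, or -1 with *bad_row set (1-based). */
long decode_dump(const char *text, unsigned char *out, size_t cap, size_t *bad_row)
{
    size_t total = 0, rowno = 0;

    while (*text != '\0') {
        size_t len = strcspn(text, "\r\n");
        unsigned char row[BYTES_PER_ROW];

        rowno++;
        if (len > 0) {
            int n = decode_dump_line(text, len, row);
            if (n < 0 || total + (size_t) n > cap) {
                *bad_row = rowno;
                return -1;
            }
            memcpy(out + total, row, (size_t) n);
            total += (size_t) n;
        }
        text += len;
        if (*text == '\r') text++;
        if (*text == '\n') text++;
    }
    return (long) total;
}

/* Three rows copied from the dump; in the third the separator and a leading
   space of the ASCII column have collapsed into one character. */
const char SAMPLE_ROWS[] =
    "4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 06 00 KERNEL32.dll....\r\n"
    "4f 52 45 6e 75 6d 4b 65 79 00 01 00 4f 52 43 6c OREnumKey...ORCl\r\n"
    "20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.\r\n";

/* Constructed: first ASCII character no longer matches the first hex byte. */
const char TAMPERED_ROW[] =
    "4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 06 00 XERNEL32.dll....\r\n";

int main(void)
{
    unsigned char image[64];
    size_t bad = 0;
    long n = decode_dump(SAMPLE_ROWS, image, sizeof image, &bad);

    printf("sample rows: %ld bytes\n", n);
    n = decode_dump(TAMPERED_ROW, image, sizeof image, &bad);
    printf("tampered row: result %ld, first bad row %lu\n", n, (unsigned long) bad);
    return 0;
}
```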
HKCC, HKCR, HKCU, HKLM, HKLS, HKPD, HKU) and print them as an .inf file in UTF-16LE encoding on standard output (which must be redirected to a file).
Note: to dump the entire Registry, specify the branches HKLM and HKU.
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, neither to a file nor to a pipe, i.e. redirection of standard error is not supported!
The MSDN article Console Handles provides background information.
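An added example of the .inf output format described above, not the author's code: it builds one AddReg line for a REG_SZ value, doubling every `"` and `%` (in .inf syntax an unescaped `%` starts a string token and an unescaped `"` ends the quoted string), then widens the line to UTF-16LE with a byte order mark. The function names, the ASCII-only input restriction and the sample key are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FLG_ADDREG_TYPE_SZ 0x00000000UL    /* AddReg flags value for REG_SZ */

/* Copy src to dst, doubling '"' and '%'.
   Returns the escaped length, or (size_t) -1 if dst is too small. */
size_t inf_escape(const char *src, char *dst, size_t cap)
{
    size_t n = 0;

    if (cap == 0)
        return (size_t) -1;
    for (; *src != '\0'; src++) {
        size_t need = (*src == '"' || *src == '%') ? 2 : 1;
        if (n + need >= cap)                /* keep room for the terminator */
            return (size_t) -1;
        dst[n++] = *src;
        if (need == 2)
            dst[n++] = *src;
    }
    dst[n] = '\0';
    return n;
}

/* Build  root,"key","name",0x00000000,"data" CRLF  in line.
   Returns the line length, or -1 if any buffer is too small. */
int inf_addreg_sz(const char *root, const char *key, const char *name,
                  const char *data, char *line, size_t cap)
{
    char k[512], v[512], d[1024];
    int n;

    if (inf_escape(key, k, sizeof k) == (size_t) -1
     || inf_escape(name, v, sizeof v) == (size_t) -1
     || inf_escape(data, d, sizeof d) == (size_t) -1)
        return -1;
    n = snprintf(line, cap, "%s,\"%s\",\"%s\",0x%08lx,\"%s\"\r\n",
                 root, k, v, FLG_ADDREG_TYPE_SZ, d);
    return (n < 0 || (size_t) n >= cap) ? -1 : n;
}

/* Widen ASCII text to UTF-16LE, optionally preceded by the byte order mark
   ff fe. Returns the number of bytes written, or -1 on non-ASCII input or
   insufficient space. */
long ascii_to_utf16le(const char *text, int bom, unsigned char *out, size_t cap)
{
    size_t n = 0;

    if (bom) {
        if (cap < 2)
            return -1;
        out[n++] = 0xff;
        out[n++] = 0xfe;
    }
    for (; *text != '\0'; text++) {
        if ((unsigned char) *text > 0x7f || n + 2 > cap)
            return -1;
        out[n++] = (unsigned char) *text;   /* low byte first */
        out[n++] = 0x00;
    }
    return (long) n;
}

int main(void)
{
    char line[256];
    unsigned char wide[600];
    long bytes;

    /* constructed sample: a value holding an environment reference and quotes */
    if (inf_addreg_sz("HKLM", "SOFTWARE\\Example", "Path",
                      "%SystemRoot%\\a \"b\"", line, sizeof line) < 0)
        return 1;
    fputs(line, stdout);
    bytes = ascii_to_utf16le(line, 1, wide, sizeof wide);
    printf("%ld bytes as UTF-16LE including the byte order mark\n", bytes);
    return bytes < 0;
}
```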
Create the text file REGISTRY.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define _CRT_SECURE_NO_WARNINGS
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <shellapi.h>
#include <sddl.h>

// map memcpy() and wmemcpy() to the compiler intrinsics __movsb() and __movsw()
#define memcpy __movsb
#define wmemcpy __movsw

// Registry element size limits; value data is read into a 1 MiB buffer
#define MAX_DEPTH 512UL
#define MAX_KEY_LENGTH 255UL
#define MAX_VALUE_NAME 16383UL
#define MAX_VALUE_DATA 1048576UL

typedef unsigned __int64 QWORD, *LPQWORD;

BYTE cbData[MAX_VALUE_DATA];
WCHAR szKey[(MAX_KEY_LENGTH + 1) * MAX_DEPTH];
WCHAR szValue[MAX_VALUE_NAME + 1];
#ifdef SECURITY
BYTE cbSD[65536];
#endif

// format a message (wvsprintf() writes at most 1024 characters)
// and write it to the console
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
    WCHAR szBuffer[1025];
    DWORD dwBuffer;
    DWORD dwConsole;

    va_list vaInserts;
    va_start(vaInserts, lpFormat);

    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);

    va_end(vaInserts);

    if (dwBuffer == 0)
        return FALSE;

    if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
        return FALSE;

    return dwConsole == dwBuffer;
}

// format a string and write it as UTF-16LE to a file or pipe,
// continuing after partial writes
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, LPCWSTR lpFormat, ...)
{
    WCHAR szBuffer[1025];
    LPBYTE lpBuffer;
    DWORD dwBuffer;
    DWORD dwFile;

    va_list vaInserts;
    va_start(vaInserts, lpFormat);

    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);

    va_end(vaInserts);

    if (dwBuffer == 0)
        return FALSE;

    // from here on dwBuffer counts bytes, not characters
    dwBuffer *= sizeof(*szBuffer);
    lpBuffer = (LPBYTE) szBuffer;

    do
    {
        if (!WriteFile(hFile, lpBuffer, dwBuffer, &dwFile, (LPOVERLAPPED) NULL))
            return FALSE;

        lpBuffer += dwFile;
        dwBuffer -= dwFile;
    } while (dwBuffer > 0);

    return TRUE;
}

// write dwString wide characters to a file or pipe,
// continuing after partial writes
__inline
BOOL WINAPI PrintString(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
    DWORD dwFile;

    // from here on dwString counts bytes, not characters
    dwString *= sizeof(*lpString);

    do
    {
        if (!WriteFile(hFile, lpString, dwString, &dwFile, (LPOVERLAPPED) NULL))
            return FALSE;

        // the cast on the left side of the assignment is a Microsoft extension
        (LPBYTE) lpString += dwFile;
        dwString -= dwFile;
    } while (dwString > 0);

    return TRUE;
}

// return a pointer to the first '"' or '%' in the string,
// or NULL if the string contains neither
__inline
LPCWSTR WINAPI InfEscape(LPCWSTR lpString)
{
    do
        if ((*lpString == L'"')
         || (*lpString == L'%'))
            return lpString;
    while (*lpString++ != L'\0');

    return NULL;
}

// lookup table: the text ",xx" for each byte value, used for hexadecimal output
const WCHAR szBytes[256][4] = {L",00", L",01", L",02", L",03", L",04", L",05", L",06", L",07", L",08", L",09", L",0a", L",0b", L",0c", L",0d", L",0e", L",0f",
L",10", L",11", L",12", L",13", L",14", L",15", L",16", L",17", L",18", L",19", L",1a", L",1b", L",1c", L",1d", L",1e", L",1f",
L",20", L",21", L",22", L",23", L",24", L",25", L",26", L",27", L",28", L",29", L",2a", L",2b", L",2c", L",2d", L",2e", L",2f",
L",30", L",31", L",32", L",33", L",34", L",35", L",36", L",37", L",38", L",39", L",3a", L",3b", L",3c", L",3d", L",3e", L",3f",
L",40", L",41", L",42", L",43", L",44", L",45", L",46", L",47", L",48", L",49", L",4a", L",4b", L",4c", L",4d", L",4e", L",4f",
L",50", L",51", L",52", L",53", L",54", L",55", L",56", L",57", L",58", L",59", L",5a", L",5b", L",5c", L",5d", L",5e", L",5f",
L",60", L",61", L",62", L",63", L",64", L",65", L",66", L",67", L",68", L",69", L",6a", L",6b", L",6c", L",6d", L",6e", L",6f",
L",70", L",71", L",72", L",73", L",74", L",75", L",76", L",77", L",78", L",79", L",7a", L",7b", L",7c", L",7d", L",7e", L",7f",
L",80", L",81", L",82", L",83", L",84", L",85", L",86", L",87", L",88", L",89", L",8a", L",8b", L",8c", L",8d", L",8e", L",8f",
L",90", L",91", L",92", L",93", L",94", L",95", L",96", L",97", L",98", L",99", L",9a", L",9b", L",9c", L",9d", L",9e", L",9f",
L",a0", L",a1", L",a2", L",a3", L",a4", L",a5", L",a6", L",a7", L",a8", L",a9", L",aa", L",ab", L",ac", L",ad", L",ae", L",af",
L",b0", L",b1", L",b2", L",b3", L",b4", L",b5", L",b6", L",b7", L",b8", L",b9", L",ba", L",bb", L",bc", L",bd", L",be", L",bf",
L",c0", L",c1", L",c2", L",c3", L",c4", L",c5", L",c6", L",c7", L",c8", L",c9", L",ca", L",cb", L",cc", L",cd", L",ce", L",cf",
L",d0", L",d1", L",d2", L",d3", L",d4", L",d5", L",d6", L",d7", L",d8", L",d9", L",da", L",db", L",dc", L",dd", L",de", L",df",
L",e0", L",e1", L",e2", L",e3", L",e4", L",e5", L",e6", L",e7", L",e8", L",e9", L",ea", L",eb", L",ec", L",ed", L",ee", L",ef",
L",f0", L",f1", L",f2", L",f3", L",f4", L",f5", L",f6", L",f7", L",f8", L",f9", L",fa", L",fb", L",fc", L",fd", L",fe", L",ff"};
const LPCWSTR szHKey[8] = {L"HKCR",
L"HKCU",
L"HKLM",
L"HKU",
L"HKPD",
L"HKCC",
L"HKDD",
L"HKLS"};
const LPCWSTR szHKEY[8] = {L"HKEY_CLASSES_ROOT",
L"HKEY_CURRENT_USER",
L"HKEY_LOCAL_MACHINE",
L"HKEY_USERS",
L"HKEY_PERFORMANCE_DATA",
L"HKEY_CURRENT_CONFIG",
L"HKEY_DYN_DATA",
L"HKEY_CURRENT_USER_LOCAL_SETTINGS"};
const DWORD dwHKEY[8] = {sizeof("HKEY_CLASSES_ROOT"), // name lengths in characters, including the terminating NUL
sizeof("HKEY_CURRENT_USER"),
sizeof("HKEY_LOCAL_MACHINE"),
sizeof("HKEY_USERS"),
sizeof("HKEY_PERFORMANCE_DATA"),
sizeof("HKEY_CURRENT_CONFIG"),
sizeof("HKEY_DYN_DATA"),
sizeof("HKEY_CURRENT_USER_LOCAL_SETTINGS")};
const LPCWSTR szType[12] = {L"NONE",
L"SZ",
L"EXPAND_SZ",
L"BINARY",
L"DWORD", // alias DWORD_LITTLE_ENDIAN
L"DWORD_BIG_ENDIAN",
L"LINK",
L"MULTI_SZ",
L"RESOURCE_LIST",
L"FULL_RESOURCE_DESCRIPTOR",
L"RESOURCE_REQUIREMENTS_LIST",
L"QWORD"}; // alias QWORD_LITTLE_ENDIAN
DWORD WINAPI Registry(HANDLE hConsole, HANDLE hOutput, HKEY hkHKEY, DWORD dwKey)
{
DWORD dwIndex = (DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT;
DWORD dwSubKeys, dwSubKey;
DWORD dwValues, dwValue, dwType, dwData, dwBytes;
#ifdef SANITY
DWORD dwCount, dwChars;
LPCWSTR lpCount;
#endif
LPCWSTR lpHKey = szHKey[dwIndex];
LPCWSTR lpKey = dwKey < dwHKEY[dwIndex] ? NULL : szKey + dwHKEY[dwIndex];
LPCWSTR lpSubKey = szKey + dwKey + 1;
LPCWSTR lpData, lpEscape, lpLast, lpMulti;
#ifdef SECURITY
LPCWSTR lpSDDL;
DWORD dwSD;
#endif
DWORD dwError;
BOOL bOutput;
HKEY hkKey;
dwError = RegOpenKeyEx(hkHKEY,
lpKey,
REG_OPTION_OPEN_LINK,
KEY_READ | KEY_WOW64_64KEY,
&hkKey);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegOpenKeyEx() returned error %lu for registry key \'%ls\'\n",
dwError, szKey);
else
{
#ifdef SECURITY
dwSD = sizeof(cbSD);
dwError = RegGetKeySecurity(hkKey, // query the key just opened, not the predefined root key
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
cbSD,
&dwSD);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegGetKeySecurity() returned error %lu for registry key \'%ls\'\n",
dwError, szKey);
else
if (!ConvertSecurityDescriptorToStringSecurityDescriptor(cbSD,
SDDL_REVISION_1,
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
&lpSDDL,
(LPDWORD) NULL))
PrintConsole(hConsole,
L"ConvertSecurityDescriptorToStringSecurityDescriptor() returned error %lu for registry key \'%ls\'\n",
dwError = GetLastError(), szKey);
else
{
if (lpKey == NULL)
bOutput = PrintFormat(hOutput,
L"%ls,,,%%REG_KEYONLY%%; %ls\n",
lpHKey, lpSDDL);
else
bOutput = PrintFormat(hOutput,
L"%ls,\"%ls\",,%%REG_KEYONLY%%; %ls\n",
lpHKey, lpKey, lpSDDL);
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu for registry key \'%ls\'\n",
dwError = GetLastError(), szKey);
if (LocalFree(lpSDDL) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
#endif
for (dwValues = 0;; dwValues++)
{
// *szValue = L'\0';
dwValue = sizeof(szValue) / sizeof(*szValue);
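dwData = sizeof(cbData) - sizeof(L'\0'); // reserve one WCHAR: the NUL appended below for REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ must stay inside cbData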
dwError = RegEnumValue(hkKey,
dwValues,
szValue,
&dwValue,
(LPDWORD) NULL,
&dwType,
cbData,
&dwData);
if (dwError != ERROR_SUCCESS)
{
if (dwError == ERROR_NO_MORE_ITEMS)
break;
PrintConsole(hConsole,
L"RegEnumValue() returned error %lu for registry key \'%ls\'\n",
dwError, szKey);
if (dwError == ERROR_ACCESS_DENIED)
break;
}
else
{
#ifdef SANITY
dwChars = wcslen(szValue);
if (dwValue < dwChars)
PrintConsole(hConsole,
L"ERROR: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)!\n",
dwValue, szValue, szKey, dwChars);
else if (dwValue > dwChars)
PrintConsole(hConsole,
L"WARNING: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
dwValue, szValue, szKey, dwChars);
if (dwData == 0)
PrintConsole(hConsole,
L"WARNING: no value data for value name \'%ls\' in registry key \'%ls\'\n",
szValue, szKey);
else
switch (dwType)
{
case REG_LINK:
if (dwData % sizeof(L'\0'))
PrintConsole(hConsole,
L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' not a multiple of WCHAR size!\n",
dwData, szValue, szKey);
break;
case REG_DWORD_BIG_ENDIAN:
case REG_DWORD_LITTLE_ENDIAN:
// case REG_DWORD:
if (dwData < sizeof(DWORD))
PrintConsole(hConsole,
L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than DWORD size!\n",
dwData, szValue, szKey);
else if (dwData > sizeof(DWORD))
PrintConsole(hConsole,
L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than DWORD size\n",
dwData, szValue, szKey);
break;
case REG_QWORD_LITTLE_ENDIAN:
// case REG_QWORD:
if (dwData < sizeof(QWORD))
PrintConsole(hConsole,
L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than QWORD size!\n",
dwData, szValue, szKey);
else if (dwData > sizeof(QWORD))
PrintConsole(hConsole,
L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than QWORD size\n",
dwData, szValue, szKey);
break;
case REG_SZ:
case REG_EXPAND_SZ:
dwChars = wcslen((LPCWSTR) cbData);
dwBytes = (dwChars + 1) * sizeof(L'\0');
if (dwData < dwBytes)
PrintConsole(hConsole,
L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu + 1 characters = %lu bytes)\n",
dwData, szValue, szKey, dwChars, dwBytes);
else if (dwData > dwBytes)
PrintConsole(hConsole,
L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu + 1 characters = %lu bytes)\n",
dwData, szValue, szKey, dwChars, dwBytes);
break;
case REG_MULTI_SZ:
dwChars = 0;
dwCount = 1;
lpCount = (LPCWSTR) cbData;
while (*lpCount != L'\0')
{
dwChars += wcslen(lpCount);
dwCount++;
lpCount += wcslen(lpCount) + 1;
}
dwBytes = (dwChars + dwCount) * sizeof(L'\0');
if (dwData < dwBytes)
PrintConsole(hConsole,
L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
dwData, szValue, szKey, dwChars, dwCount, dwBytes);
else if (dwData > dwBytes)
PrintConsole(hConsole,
L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
dwData, szValue, szKey, dwChars, dwCount, dwBytes);
break;
// case REG_NONE:
// case REG_BINARY:
// case REG_RESOURCE_LIST:
// case REG_FULL_RESOURCE_DESCRIPTOR:
// case REG_RESOURCE_REQUIREMENTS_LIST:
}
#ifdef UNKNOWN
if (dwType > REG_QWORD)
PrintConsole(hConsole,
L"WARNING: unknown data type (0x%08lx) for value name \'%ls\' in registry key \'%ls\'\n",
dwType, szValue, szKey);
#endif
#endif // SANITY
if (lpKey == NULL)
bOutput = PrintFormat(hOutput, L"%ls,,", lpHKey);
else
bOutput = PrintFormat(hOutput, L"%ls,\"%ls\",", lpHKey, lpKey);
if (dwType >= sizeof(szType) / sizeof(*szType)) // szType[] has 12 entries: types 12 and above have no name
if (dwValue == 0)
bOutput &= PrintFormat(hOutput, L",0x%08lx", dwType);
else
bOutput &= PrintFormat(hOutput, L"\"%ls\",0x%08lx", szValue, dwType);
else
if (dwValue == 0)
bOutput &= PrintFormat(hOutput, L",%%REG_%ls%%", szType[dwType]);
else
bOutput &= PrintFormat(hOutput, L"\"%ls\",%%REG_%ls%%", szValue, szType[dwType]);
if (dwData == 0)
bOutput &= PrintString(hOutput, L"\r\n", 2); // 2 characters: do not write the literal's terminating NUL
else
switch (dwType)
{
case REG_LINK:
if (dwData % sizeof(L'\0'))
goto DEFAULT;
bOutput &= PrintString(hOutput, L",\"", 2);
bOutput &= PrintString(hOutput, (LPCWSTR) cbData, dwData / sizeof(L'\0'));
bOutput &= PrintString(hOutput, L"\"\r\n", 3);
break;
case REG_SZ:
case REG_EXPAND_SZ:
if (dwData % sizeof(L'\0'))
goto DEFAULT;
if (*(LPCWSTR) cbData == L'\0')
bOutput &= PrintString(hOutput, L",\"\"\r\n", 5);
else
{
lpData = (LPCWSTR) cbData;
((LPWSTR) lpData)[dwData / sizeof(L'\0')] = L'\0';
dwData = wcslen(lpData);
bOutput &= PrintString(hOutput, L",\"", 2);
for (lpEscape = InfEscape(lpData); lpEscape != NULL; lpData = lpEscape, lpEscape = InfEscape(lpData + 1))
bOutput &= PrintString(hOutput, lpData, lpEscape + 1 - lpData);
bOutput &= PrintString(hOutput, lpData, (LPCWSTR) cbData + dwData - lpData);
bOutput &= PrintString(hOutput, L"\"\r\n", 3);
}
break;
case REG_MULTI_SZ:
if (dwData % sizeof(L'\0'))
goto DEFAULT;
if ((dwData == sizeof(L'\0'))
&& (*(LPCWSTR) cbData == L'\0'))
bOutput &= PrintString(hOutput, L";\r\n", 3);
else
{
lpData = (LPCWSTR) cbData;
dwData /= sizeof(L'\0');
lpLast = lpData + dwData;
if ((dwData > 1)
&& (lpData[dwData - 1] == L'\0')
&& (lpData[dwData - 2] == L'\0'))
lpLast--;
else
*(LPWSTR) lpLast = L'\0';
do
if (*lpData == L'\0')
bOutput &= PrintString(hOutput, L";\"\"", 3);
else
{
dwData = wcslen(lpData);
bOutput &= PrintString(hOutput, L",\"", 2);
for (lpEscape = InfEscape(lpMulti = lpData), lpData += dwData;
lpEscape != NULL; lpMulti = lpEscape,
lpEscape = InfEscape(lpEscape + 1))
bOutput &= PrintString(hOutput, lpMulti, lpEscape + 1 - lpMulti);
bOutput &= PrintString(hOutput, lpMulti, lpData - lpMulti);
bOutput &= PrintString(hOutput, L"\"", 1);
}
while (++lpData < lpLast);
bOutput &= PrintString(hOutput, L"\r\n", 2);
}
break;
case REG_DWORD_BIG_ENDIAN:
if (dwData != sizeof(DWORD))
goto DEFAULT;
#if 0
bOutput &= PrintFormat(hOutput, L",%lu\r\n", _byteswap_ulong(*(LPDWORD) cbData));
#else
bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", _byteswap_ulong(*(LPDWORD) cbData), *(LPDWORD) cbData);
#endif
break;
case REG_DWORD_LITTLE_ENDIAN:
// case REG_DWORD:
if (dwData != sizeof(DWORD))
goto DEFAULT;
#if 0
bOutput &= PrintFormat(hOutput, L",%lu\r\n", *(LPDWORD) cbData);
#else
bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", *(LPDWORD) cbData, *(LPDWORD) cbData);
#endif
break;
case REG_QWORD_LITTLE_ENDIAN:
// case REG_QWORD:
if (dwData != sizeof(QWORD))
goto DEFAULT;
#if 0
bOutput &= PrintFormat(hOutput, L",%I64u\r\n", *(LPQWORD) cbData);
#else
bOutput &= PrintFormat(hOutput, L",%I64u ; 0x%016I64x\r\n", *(LPQWORD) cbData, *(LPQWORD) cbData);
#endif
break;
// case REG_NONE:
// case REG_BINARY:
// case REG_RESOURCE_LIST:
// case REG_FULL_RESOURCE_DESCRIPTOR:
// case REG_RESOURCE_REQUIREMENTS_LIST:
default:
DEFAULT:
for (dwBytes = 0; dwBytes < dwData; dwBytes++)
#if 0
bOutput &= PrintFormat(hOutput, L",%02x", cbData[dwBytes]);
#else
bOutput &= PrintString(hOutput, szBytes[cbData[dwBytes]], 3);
#endif
bOutput &= PrintString(hOutput, L"\r\n", 2);
}
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu for value \'%ls\' of registry key \'%ls\'\n",
dwError = GetLastError(), szValue, szKey);
}
}
for (dwSubKeys = 0;; dwSubKeys++)
{
dwSubKey = sizeof(szKey) / sizeof(*szKey) - dwKey - 1;
#if 0
dwError = RegEnumKey(hkKey,
dwSubKeys,
lpSubKey,
dwSubKey);
#else
dwError = RegEnumKeyEx(hkKey,
dwSubKeys,
lpSubKey,
&dwSubKey,
(LPDWORD) NULL,
(LPWSTR) NULL,
(LPDWORD) NULL,
(LPFILETIME) NULL);
#endif
if (dwError != ERROR_SUCCESS)
{
if (dwError == ERROR_NO_MORE_ITEMS)
break;
PrintConsole(hConsole,
#if 0
L"RegEnumKey() returned error %lu for registry key \'%ls\'\n",
#else
L"RegEnumKeyEx() returned error %lu for registry key \'%ls\'\n",
#endif
dwError, szKey);
if (dwError == ERROR_ACCESS_DENIED)
break;
}
else
{
#ifdef SANITY
dwChars = wcslen(lpSubKey);
if (dwChars > dwSubKey)
PrintConsole(hConsole,
L"ERROR: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)\n",
dwSubKey, lpSubKey, szKey, dwChars);
else if (dwChars < dwSubKey)
PrintConsole(hConsole,
L"WARNING: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
dwSubKey, lpSubKey, szKey, dwChars);
#endif
szKey[dwKey] = L'\\';
dwError = Registry(hConsole, hOutput, hkHKEY, dwKey + 1 + dwSubKey);
szKey[dwKey] = L'\0';
}
}
#ifndef SECURITY
if ((dwValues == 0) && (dwSubKeys == 0))
{
if (lpKey == NULL)
bOutput = PrintFormat(hOutput,
L"%ls,,,%%REG_KEYONLY%%\r\n",
lpHKey);
else
bOutput = PrintFormat(hOutput,
L"%ls,\"%ls\",,%%REG_KEYONLY%%\r\n",
lpHKey, lpKey);
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu for empty registry key \'%ls\'\n",
dwError = GetLastError(), szKey);
}
#endif
dwValue = RegCloseKey(hkKey);
if (dwValue != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegCloseKey() returned error %lu for registry key \'%ls\'\n",
dwValue, szKey);
}
return dwError;
}
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
SYSTEMTIME st;
INT nArgument = 1;
INT nArguments;
LPWSTR *lpArguments;
WCHAR szComputer[MAX_COMPUTERNAME_LENGTH + 1] = L"<unknown>";
DWORD dwComputer = sizeof(szComputer) / sizeof(*szComputer);
DWORD dwError = ERROR_BAD_ARGUMENTS;
DWORD dwIndex;
HKEY hkHKEY;
HANDLE hOutput;
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
if (lpArguments == NULL)
PrintConsole(hConsole,
L"CommandLineToArgv() returned error %lu\n",
dwError = GetLastError());
else
{
if (nArguments < 2)
PrintConsole(hConsole,
L"No arguments: at least one predefined registry key name must be given!\n");
else
{
hOutput = GetStdHandle(STD_OUTPUT_HANDLE);
if (hOutput == INVALID_HANDLE_VALUE)
PrintConsole(hConsole,
L"GetStdHandle() returned error %lu\n",
dwError = GetLastError());
else
{
if (!FlushFileBuffers(hOutput))
PrintConsole(hConsole,
L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
dwError = GetLastError());
else
{
dwError = ERROR_SUCCESS;
if (!GetComputerName(szComputer, &dwComputer))
PrintConsole(hConsole,
L"GetComputerName() returned error %lu\n",
dwError = GetLastError());
GetSystemTime(&st);
if (!PrintFormat(hOutput,
L"\xfeff" // UTF-16LE BOM
L"; Registry of \'%ls\'\r\n"
L"\r\n"
L"[Version]\r\n"
L"DriverVer = %02hu/%02hu/%04hu,%02hu.%02hu.%02hu.%03hu ; UTC\r\n"
L"Provider = \"Stefan Kanthak\"\r\n"
L"Signature = \"$Windows NT$\"\r\n"
L"\r\n"
L"[Strings]\r\n"
L"REG_SZ = 0x00000000\r\n"
L"REG_BINARY = 0x00000001\r\n"
L"REG_KEYONLY = 0x00000010\r\n"
L"REG_MULTI_SZ = 0x00010000\r\n"
L"REG_DWORD = 0x00010001\r\n"
L"REG_EXPAND_SZ = 0x00020000\r\n"
L"REG_NONE = 0x00020001\r\n"
L"REG_COMPATIBLE = 0x00030001 ; same as REG_BINARY\r\n"
L"REG_DWORD_LITTLE_ENDIAN = 0x00040001 ; same as REG_DWORD\r\n"
L"REG_DWORD_BIG_ENDIAN = 0x00050001\r\n"
L"REG_LINK = 0x00060000\r\n"
L"REG_RESOURCE_LIST = 0x00080001\r\n"
L"REG_FULL_RESOURCE_DESCRIPTOR = 0x00090001\r\n"
L"REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001\r\n"
L"REG_QWORD = 0x000b0001\r\n"
L"REG_QWORD_LITTLE_ENDIAN = 0x000b0001 ; same as REG_QWORD\r\n"
L"\r\n"
L"[DefaultInstall.NT]\r\n"
L";AddReg = AddReg.HKU,AddReg.HKLM;AddReg.HKCU,AddReg.HKCR\r\n",
szComputer,
st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds))
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
do
{
hkHKEY = HKEY_CLASSES_ROOT;
do
{
dwIndex = (DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT;
if ((wcscmp(szHKey[dwIndex], lpArguments[nArgument]) == 0)
|| (wcscmp(szHKEY[dwIndex], lpArguments[nArgument]) == 0))
{
memcpy(szKey, szHKEY[dwIndex], dwHKEY[dwIndex] * sizeof(*szKey));
if (!PrintFormat(hOutput,
L"\r\n"
L"[AddReg.%ls]\r\n",
szHKey[dwIndex]))
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
Registry(hConsole, hOutput, hkHKEY, dwHKEY[dwIndex] - 1);
break;
}
} while (++(DWORD) hkHKEY <= (DWORD) HKEY_CURRENT_USER_LOCAL_SETTINGS);
if ((DWORD) hkHKEY > (DWORD) HKEY_CURRENT_USER_LOCAL_SETTINGS)
PrintConsole(hConsole,
L"Argument \'%ls\' is not a predefined registry key name!\n",
lpArguments[nArgument]);
} while (++nArgument < nArguments);
if (!PrintString(hOutput,
L"\r\n"
L"; EOF\r\n", 9))
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
}
if (!CloseHandle(hOutput))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
}
if (LocalFree(lpArguments) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
if (!CloseHandle(hConsole))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
ExitProcess(dwError);
}
Note: the output format makes it possible to detect registry values without data, REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ values with empty strings, REG_LINK, REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ values with (invalid) odd size, and REG_DWORD_BIG_ENDIAN, REG_DWORD_LITTLE_ENDIAN alias REG_DWORD as well as REG_QWORD_LITTLE_ENDIAN alias REG_QWORD values with sizes not matching their data type.
Note: with the preprocessor macro SANITY defined, several consistency and sanity checks regarding the size of key and value names as well as value data and value data types are performed.
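The size checks described in the two notes above, as an added example that is not part of REGISTRY.C: a portable C routine that classifies one value from its type, data and size as RegEnumValue() returns them, and never reads beyond the reported size even when the data lacks a terminating NUL. The names check_value() and F_* are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Registry value types with their numeric values from winnt.h, repeated
   here so that the example builds without the Windows SDK. */
enum { T_SZ = 1, T_EXPAND_SZ = 2, T_DWORD = 4, T_DWORD_BE = 5, T_LINK = 6,
       T_MULTI_SZ = 7, T_QWORD = 11 };

/* Finding flags; hypothetical names, not taken from REGISTRY.C. */
enum { F_NO_DATA = 1, F_ODD_SIZE = 2, F_UNTERMINATED = 4, F_TRAILING = 8,
       F_BAD_SIZE = 16, F_UNKNOWN_TYPE = 32 };

/* Constructed sample data (UTF-16LE), not taken from a real registry. */
static const uint8_t sz_ok[]       = {'a', 0, 'b', 0, 0, 0};             /* "ab\0"     */
static const uint8_t sz_open[]     = {'a', 0, 'b', 0};                   /* "ab"       */
static const uint8_t sz_trailing[] = {'a', 0, 0, 0, 'b', 0, 0, 0};       /* "a\0b\0"   */
static const uint8_t multi_ok[]    = {'a', 0, 0, 0, 'b', 0, 0, 0, 0, 0}; /* "a\0b\0\0" */

/* Read UTF-16LE code unit i bytewise: no alignment assumption, and the
   callers guarantee i < size / 2, so nothing past the data is touched. */
static uint16_t unit(const uint8_t *data, size_t i)
{
    return (uint16_t) (data[2 * i] | (data[2 * i + 1] << 8));
}

/* Index of the first NUL code unit in [from, count), or count if none. */
static size_t find_nul(const uint8_t *data, size_t from, size_t count)
{
    while (from < count && unit(data, from) != 0)
        from++;
    return from;
}

/* Return a bit mask of F_* findings for one registry value. */
unsigned check_value(uint32_t type, const uint8_t *data, size_t size)
{
    unsigned findings = type > T_QWORD ? F_UNKNOWN_TYPE : 0;
    size_t count = size / 2, pos = 0, nul;

    if (size == 0)
        return findings | F_NO_DATA;
    switch (type) {
    case T_LINK:                      /* symbolic link target: not NUL-terminated */
        if (size % 2) findings |= F_ODD_SIZE;
        break;
    case T_DWORD: case T_DWORD_BE:
        if (size != 4) findings |= F_BAD_SIZE;
        break;
    case T_QWORD:
        if (size != 8) findings |= F_BAD_SIZE;
        break;
    case T_SZ: case T_EXPAND_SZ:
        if (size % 2) return findings | F_ODD_SIZE;
        nul = find_nul(data, 0, count);
        if (nul == count) findings |= F_UNTERMINATED;
        else if (nul + 1 < count) findings |= F_TRAILING;   /* data after the NUL */
        break;
    case T_MULTI_SZ:
        if (size % 2) return findings | F_ODD_SIZE;
        for (;;) {
            nul = find_nul(data, pos, count);
            if (nul == count) { findings |= F_UNTERMINATED; break; }
            if (nul == pos) {         /* empty string marks the end of the list */
                if (pos + 1 < count) findings |= F_TRAILING;
                break;
            }
            pos = nul + 1;            /* continue with the next string */
        }
        break;
    default:                          /* binary and resource types: any size */
        break;
    }
    return findings;
}

int main(void)
{
    printf("REG_SZ \"ab\\0\":          0x%02x\n", check_value(T_SZ, sz_ok, sizeof sz_ok));
    printf("REG_SZ, 5 bytes:         0x%02x\n", check_value(T_SZ, sz_ok, 5));
    printf("REG_SZ without NUL:      0x%02x\n", check_value(T_SZ, sz_open, sizeof sz_open));
    printf("REG_SZ with tail:        0x%02x\n", check_value(T_SZ, sz_trailing, sizeof sz_trailing));
    printf("REG_MULTI_SZ complete:   0x%02x\n", check_value(T_MULTI_SZ, multi_ok, sizeof multi_ok));
    printf("REG_MULTI_SZ truncated:  0x%02x\n", check_value(T_MULTI_SZ, multi_ok, 4));
    printf("REG_DWORD, 3 bytes:      0x%02x\n", check_value(T_DWORD, multi_ok, 3));
    return 0;
}
```

A REG_MULTI_SZ value that starts with an empty string is reported as F_TRAILING when more data follows, matching the way the SANITY code stops counting at the first empty string.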
Note: with the preprocessor macro SECURITY defined, the security descriptors of enumerated keys are printed in Security Descriptor Definition Language notation.
Run the following four command lines to compile the source file REGISTRY.C created in step 1., link the compiled object file REGISTRY.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"Registry INF Dumper.com" /RELEASE /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE REGISTRY.C
ERASE REGISTRY.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
REGISTRY.C
REGISTRY.C(113) : warning C4213: nonstandard extension used : cast on l-value
REGISTRY.C(573) : warning C4090: 'function' : different 'const' qualifiers
REGISTRY.C(761) : warning C4213: nonstandard extension used : cast on l-value
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Finally execute the console application Registry INF Dumper.com built in step 2. to dump the HKCC branch to the file HKCC.inf and display it afterwards:
VER
".\Registry INF Dumper.com" HKCC 1>HKCC.inf
NET.EXE HelpMsg %ERRORLEVEL%
TYPE HKCC.inf
Microsoft Windows [Version 6.1.7601]
The operation completed successfully.
; Registry of 'AMNESIAC'

[Version]
DriverVer = 04/27/2022,08.15.00.815 ; UTC
Provider = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
REG_SZ = 0x00000000
REG_BINARY = 0x00000001
REG_KEYONLY = 0x00000010
REG_MULTI_SZ = 0x00010000
REG_DWORD = 0x00010001
REG_EXPAND_SZ = 0x00020000
REG_NONE = 0x00020001
REG_COMPATIBLE = 0x00030001 ; same as REG_BINARY
REG_DWORD_LITTLE_ENDIAN = 0x00040001 ; same as REG_DWORD
REG_DWORD_BIG_ENDIAN = 0x00050001
REG_LINK = 0x00060000
REG_RESOURCE_LIST = 0x00080001
REG_FULL_RESOURCE_DESCRIPTOR = 0x00090001
REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001
REG_QWORD = 0x000b0001
REG_QWORD_LITTLE_ENDIAN = 0x000b0001 ; same as REG_QWORD

[DefaultInstall.NT]
;AddReg = AddReg.HKU,AddReg.HKLM;AddReg.HKCU,AddReg.HKCR

[AddReg.HKCC]
HKCC,"Software\Fonts","LogPixels",%REG_DWORD%,96 ; 0x00000060
HKCC,"System\CurrentControlSet\Control\Print\Printers",,%REG_KEYONLY%;
HKCC,"System\CurrentControlSet\Control\VIDEO",,%REG_KEYONLY%;
HKCC,"System\CurrentControlSet\Enum\IDE\DISKFUJITSU_MHZ2320BJ_G2____________________0000001E\5&2223391E&0&0.0.0","CSConfigFlags",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\Enum\USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\4E0B595B&0","CSConfigFlags",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\TSDDD\DEVICE0","Attach.ToDesktop",%REG_DWORD%,1 ; 0x00000001
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.ToDesktop",%REG_DWORD%,1 ; 0x00000001
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.BitsPerPel",%REG_DWORD%,32 ; 0x00000020
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.XResolution",%REG_DWORD%,1920 ; 0x00000780
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.YResolution",%REG_DWORD%,1200 ; 0x000004b0
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.VRefresh",%REG_DWORD%,1 ; 0x00000001
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.Flags",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.XPanning",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.YPanning",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.Orientation",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.FixedOutput",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.RelativeX",%REG_DWORD%,0 ; 0x00000000
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.RelativeY",%REG_DWORD%,0 ; 0x00000000

; EOF
Create the text file REGISTRY.TXT with the following content in an arbitrary, preferably empty directory:
8d 45 ac 50 68 38 31 40 00 56 e8 9f f8 ff ff 83 .E.Ph81@.V......
c4 28 85 c0 75 18 ff 15 1c 20 40 00 50 68 f8 30 .(..u.... @.Ph.0
40 00 57 89 45 fc e8 35 f8 ff ff 83 c4 0c 8b 45 @.W.E..5.......E
e4 8b 4d f0 bf 00 00 00 80 8d 1c 88 89 7d f8 89 ..M..........}..
5d dc 8b 4d f8 8b 13 33 cf 8b 04 8d 08 2b 40 00 ]..M...3.....+@.
66 8b 30 66 3b 32 75 1e 66 85 f6 74 15 66 8b 70 f.0f;2u.f..t.f.p
02 66 3b 72 02 75 0f 83 c0 04 83 c2 04 66 85 f6 .f;r.u.......f..
75 de 33 c0 eb 05 1b c0 83 d8 ff 85 c0 74 4a 8b u.3..........tJ.
13 8b 04 8d 28 2b 40 00 66 8b 30 66 3b 32 75 1e ....(+@.f.0f;2u.
66 85 f6 74 15 66 8b 70 02 66 3b 72 02 75 0f 83 f..t.f.p.f;r.u..
c0 04 83 c2 04 66 85 f6 75 de 33 c0 eb 05 1b c0 .....f..u.3.....
83 d8 ff 85 c0 74 12 ff 45 f8 81 7d f8 07 00 00 .....t..E..}....
80 0f 86 7b ff ff ff eb 71 8b d9 ff 34 9d 08 2b ...{....q...4..+
40 00 8b 0c 9d 48 2b 40 00 8b 34 9d 28 2b 40 00 @....H+@..4.(+@.
68 d0 30 40 00 ff 75 ec 03 c9 bf 00 40 40 00 f3 h.0@..u.....@@..
a4 e8 b8 f7 ff ff 83 c4 0c 85 c0 75 1a ff 15 1c ...........u....
20 40 00 50 68 f8 30 40 00 ff 75 f4 89 45 fc e8 @.Ph.0@..u..E..
4c f7 ff ff 83 c4 0c 8b 04 9d 48 2b 40 00 48 50 L.........H+@.HP
ff 75 f8 ff 75 ec ff 75 f4 e8 25 f8 ff ff 81 7d .u..u..u..%....}
f8 07 00 00 80 76 15 8b 5d dc ff 33 68 60 30 40 .....v..]..3h`0@
00 ff 75 f4 e8 17 f7 ff ff 83 c4 0c ff 45 f0 8b ..u..........E..
45 f0 3b 45 e8 0f 8c d3 fe ff ff 6a 09 68 48 30 E.;E.......j.hH0
40 00 ff 75 ec e8 94 f7 ff ff 85 c0 75 1a ff 15 @..u........u...
1c 20 40 00 50 68 f8 30 40 00 ff 75 f4 89 45 fc . @.Ph.0@..u..E.
e8 db f6 ff ff 83 c4 0c ff 75 e4 ff 15 24 20 40 .........u...$ @
00 85 c0 74 17 ff 15 1c 20 40 00 50 68 08 30 40 ...t.... @.Ph.0@
00 ff 75 f4 e8 b7 f6 ff ff 83 c4 0c ff 75 fc ff ..u..........u..
15 20 20 40 00 cc 00 00 00 00 00 00 00 00 00 00 . @............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
46 3c 00 00 56 3c 00 00 66 3c 00 00 38 3c 00 00 F<..V<..f<..8<..
00 00 00 00 84 3c 00 00 94 3c 00 00 a0 3c 00 00 .....<...<...<..
b0 3c 00 00 be 3c 00 00 ca 3c 00 00 da 3c 00 00 .<...<...<...<..
ee 3c 00 00 02 3d 00 00 14 3d 00 00 00 00 00 00 .<...=...=......
32 3d 00 00 00 00 00 00 54 3d 00 00 00 00 00 00 2=......T=......
51 00 57 00 4f 00 52 00 44 00 00 00 52 00 45 00 Q.W.O.R.D...R.E.
53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 52 00 S.O.U.R.C.E._.R.
45 00 51 00 55 00 49 00 52 00 45 00 4d 00 45 00 E.Q.U.I.R.E.M.E.
4e 00 54 00 53 00 5f 00 4c 00 49 00 53 00 54 00 N.T.S._.L.I.S.T.
00 00 00 00 46 00 55 00 4c 00 4c 00 5f 00 52 00 ....F.U.L.L._.R.
45 00 53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 E.S.O.U.R.C.E._.
44 00 45 00 53 00 43 00 52 00 49 00 50 00 54 00 D.E.S.C.R.I.P.T.
4f 00 52 00 00 00 00 00 52 00 45 00 53 00 4f 00 O.R.....R.E.S.O.
55 00 52 00 43 00 45 00 5f 00 4c 00 49 00 53 00 U.R.C.E._.L.I.S.
54 00 00 00 4d 00 55 00 4c 00 54 00 49 00 5f 00 T...M.U.L.T.I._.
53 00 5a 00 00 00 00 00 4c 00 49 00 4e 00 4b 00 S.Z.....L.I.N.K.
00 00 00 00 44 00 57 00 4f 00 52 00 44 00 5f 00 ....D.W.O.R.D._.
42 00 49 00 47 00 5f 00 45 00 4e 00 44 00 49 00 B.I.G._.E.N.D.I.
41 00 4e 00 00 00 00 00 44 00 57 00 4f 00 52 00 A.N.....D.W.O.R.
44 00 00 00 42 00 49 00 4e 00 41 00 52 00 59 00 D...B.I.N.A.R.Y.
00 00 00 00 45 00 58 00 50 00 41 00 4e 00 44 00 ....E.X.P.A.N.D.
5f 00 53 00 5a 00 00 00 53 00 5a 00 00 00 00 00 _.S.Z...S.Z.....
4e 00 4f 00 4e 00 45 00 00 00 00 00 00 00 00 00 N.O.N.E.........
48 00 4b 00 45 00 59 00 5f 00 43 00 55 00 52 00 H.K.E.Y._.C.U.R.
52 00 45 00 4e 00 54 00 5f 00 55 00 53 00 45 00 R.E.N.T._.U.S.E.
52 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 R._.L.O.C.A.L._.
53 00 45 00 54 00 54 00 49 00 4e 00 47 00 53 00 S.E.T.T.I.N.G.S.
00 00 00 00 48 00 4b 00 45 00 59 00 5f 00 44 00 ....H.K.E.Y._.D.
59 00 4e 00 5f 00 44 00 41 00 54 00 41 00 00 00 Y.N._.D.A.T.A...
48 00 4b 00 45 00 59 00 5f 00 43 00 55 00 52 00 H.K.E.Y._.C.U.R.
52 00 45 00 4e 00 54 00 5f 00 43 00 4f 00 4e 00 R.E.N.T._.C.O.N.
46 00 49 00 47 00 00 00 48 00 4b 00 45 00 59 00 F.I.G...H.K.E.Y.
5f 00 50 00 45 00 52 00 46 00 4f 00 52 00 4d 00 _.P.E.R.F.O.R.M.
41 00 4e 00 43 00 45 00 5f 00 44 00 41 00 54 00 A.N.C.E._.D.A.T.
41 00 00 00 48 00 4b 00 45 00 59 00 5f 00 55 00 A...H.K.E.Y._.U.
53 00 45 00 52 00 53 00 00 00 00 00 48 00 4b 00 S.E.R.S.....H.K.
45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 E.Y._.L.O.C.A.L.
5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 _.M.A.C.H.I.N.E.
00 00 00 00 48 00 4b 00 45 00 59 00 5f 00 43 00 ....H.K.E.Y._.C.
55 00 52 00 52 00 45 00 4e 00 54 00 5f 00 55 00 U.R.R.E.N.T._.U.
53 00 45 00 52 00 00 00 48 00 4b 00 45 00 59 00 S.E.R...H.K.E.Y.
5f 00 43 00 4c 00 41 00 53 00 53 00 45 00 53 00 _.C.L.A.S.S.E.S.
5f 00 52 00 4f 00 4f 00 54 00 00 00 48 00 4b 00 _.R.O.O.T...H.K.
4c 00 53 00 00 00 00 00 48 00 4b 00 44 00 44 00 L.S.....H.K.D.D.
00 00 00 00 48 00 4b 00 43 00 43 00 00 00 00 00 ....H.K.C.C.....
48 00 4b 00 50 00 44 00 00 00 00 00 48 00 4b 00 H.K.P.D.....H.K.
55 00 00 00 48 00 4b 00 4c 00 4d 00 00 00 00 00 U...H.K.L.M.....
48 00 4b 00 43 00 55 00 00 00 00 00 48 00 4b 00 H.K.C.U.....H.K.
43 00 52 00 00 00 00 00 2c 00 30 00 30 00 00 00 C.R.....,.0.0...
2c 00 30 00 31 00 00 00 2c 00 30 00 32 00 00 00 ,.0.1...,.0.2...
2c 00 30 00 33 00 00 00 2c 00 30 00 34 00 00 00 ,.0.3...,.0.4...
2c 00 30 00 35 00 00 00 2c 00 30 00 36 00 00 00 ,.0.5...,.0.6...
2c 00 30 00 37 00 00 00 2c 00 30 00 38 00 00 00 ,.0.7...,.0.8...
2c 00 30 00 39 00 00 00 2c 00 30 00 61 00 00 00 ,.0.9...,.0.a...
2c 00 30 00 62 00 00 00 2c 00 30 00 63 00 00 00 ,.0.b...,.0.c...
2c 00 30 00 64 00 00 00 2c 00 30 00 65 00 00 00 ,.0.d...,.0.e...
2c 00 30 00 66 00 00 00 2c 00 31 00 30 00 00 00 ,.0.f...,.1.0...
2c 00 31 00 31 00 00 00 2c 00 31 00 32 00 00 00 ,.1.1...,.1.2...
2c 00 31 00 33 00 00 00 2c 00 31 00 34 00 00 00 ,.1.3...,.1.4...
2c 00 31 00 35 00 00 00 2c 00 31 00 36 00 00 00 ,.1.5...,.1.6...
2c 00 31 00 37 00 00 00 2c 00 31 00 38 00 00 00 ,.1.7...,.1.8...
2c 00 31 00 39 00 00 00 2c 00 31 00 61 00 00 00 ,.1.9...,.1.a...
2c 00 31 00 62 00 00 00 2c 00 31 00 63 00 00 00 ,.1.b...,.1.c...
2c 00 31 00 64 00 00 00 2c 00 31 00 65 00 00 00 ,.1.d...,.1.e...
2c 00 31 00 66 00 00 00 2c 00 32 00 30 00 00 00 ,.1.f...,.2.0...
2c 00 32 00 31 00 00 00 2c 00 32 00 32 00 00 00 ,.2.1...,.2.2...
2c 00 32 00 33 00 00 00 2c 00 32 00 34 00 00 00 ,.2.3...,.2.4...
2c 00 32 00 35 00 00 00 2c 00 32 00 36 00 00 00 ,.2.5...,.2.6...
2c 00 32 00 37 00 00 00 2c 00 32 00 38 00 00 00 ,.2.7...,.2.8...
2c 00 32 00 39 00 00 00 2c 00 32 00 61 00 00 00 ,.2.9...,.2.a...
2c 00 32 00 62 00 00 00 2c 00 32 00 63 00 00 00 ,.2.b...,.2.c...
2c 00 32 00 64 00 00 00 2c 00 32 00 65 00 00 00 ,.2.d...,.2.e...
2c 00 32 00 66 00 00 00 2c 00 33 00 30 00 00 00 ,.2.f...,.3.0...
2c 00 33 00 31 00 00 00 2c 00 33 00 32 00 00 00 ,.3.1...,.3.2...
2c 00 33 00 33 00 00 00 2c 00 33 00 34 00 00 00 ,.3.3...,.3.4...
2c 00 33 00 35 00 00 00 2c 00 33 00 36 00 00 00 ,.3.5...,.3.6...
2c 00 33 00 37 00 00 00 2c 00 33 00 38 00 00 00 ,.3.7...,.3.8...
2c 00 33 00 39 00 00 00 2c 00 33 00 61 00 00 00 ,.3.9...,.3.a...
2c 00 33 00 62 00 00 00 2c 00 33 00 63 00 00 00 ,.3.b...,.3.c...
2c 00 33 00 64 00 00 00 2c 00 33 00 65 00 00 00 ,.3.d...,.3.e...
2c 00 33 00 66 00 00 00 2c 00 34 00 30 00 00 00 ,.3.f...,.4.0...
2c 00 34 00 31 00 00 00 2c 00 34 00 32 00 00 00 ,.4.1...,.4.2...
2c 00 34 00 33 00 00 00 2c 00 34 00 34 00 00 00 ,.4.3...,.4.4...
2c 00 34 00 35 00 00 00 2c 00 34 00 36 00 00 00 ,.4.5...,.4.6...
2c 00 34 00 37 00 00 00 2c 00 34 00 38 00 00 00 ,.4.7...,.4.8...
2c 00 34 00 39 00 00 00 2c 00 34 00 61 00 00 00 ,.4.9...,.4.a...
2c 00 34 00 62 00 00 00 2c 00 34 00 63 00 00 00 ,.4.b...,.4.c...
2c 00 34 00 64 00 00 00 2c 00 34 00 65 00 00 00 ,.4.d...,.4.e...
2c 00 34 00 66 00 00 00 2c 00 35 00 30 00 00 00 ,.4.f...,.5.0...
2c 00 35 00 31 00 00 00 2c 00 35 00 32 00 00 00 ,.5.1...,.5.2...
2c 00 35 00 33 00 00 00 2c 00 35 00 34 00 00 00 ,.5.3...,.5.4...
2c 00 35 00 35 00 00 00 2c 00 35 00 36 00 00 00 ,.5.5...,.5.6...
2c 00 35 00 37 00 00 00 2c 00 35 00 38 00 00 00 ,.5.7...,.5.8...
2c 00 35 00 39 00 00 00 2c 00 35 00 61 00 00 00 ,.5.9...,.5.a...
2c 00 35 00 62 00 00 00 2c 00 35 00 63 00 00 00 ,.5.b...,.5.c...
2c 00 35 00 64 00 00 00 2c 00 35 00 65 00 00 00 ,.5.d...,.5.e...
2c 00 35 00 66 00 00 00 2c 00 36 00 30 00 00 00 ,.5.f...,.6.0...
2c 00 36 00 31 00 00 00 2c 00 36 00 32 00 00 00 ,.6.1...,.6.2...
2c 00 36 00 33 00 00 00 2c 00 36 00 34 00 00 00 ,.6.3...,.6.4...
2c 00 36 00 35 00 00 00 2c 00 36 00 36 00 00 00 ,.6.5...,.6.6...
2c 00 36 00 37 00 00 00 2c 00 36 00 38 00 00 00 ,.6.7...,.6.8...
2c 00 36 00 39 00 00 00 2c 00 36 00 61 00 00 00 ,.6.9...,.6.a...
2c 00 36 00 62 00 00 00 2c 00 36 00 63 00 00 00 ,.6.b...,.6.c...
2c 00 36 00 64 00 00 00 2c 00 36 00 65 00 00 00 ,.6.d...,.6.e...
2c 00 36 00 66 00 00 00 2c 00 37 00 30 00 00 00 ,.6.f...,.7.0...
2c 00 37 00 31 00 00 00 2c 00 37 00 32 00 00 00 ,.7.1...,.7.2...
2c 00 37 00 33 00 00 00 2c 00 37 00 34 00 00 00 ,.7.3...,.7.4...
2c 00 37 00 35 00 00 00 2c 00 37 00 36 00 00 00 ,.7.5...,.7.6...
2c 00 37 00 37 00 00 00 2c 00 37 00 38 00 00 00 ,.7.7...,.7.8...
2c 00 37 00 39 00 00 00 2c 00 37 00 61 00 00 00 ,.7.9...,.7.a...
2c 00 37 00 62 00 00 00 2c 00 37 00 63 00 00 00 ,.7.b...,.7.c...
2c 00 37 00 64 00 00 00 2c 00 37 00 65 00 00 00 ,.7.d...,.7.e...
2c 00 37 00 66 00 00 00 2c 00 38 00 30 00 00 00 ,.7.f...,.8.0...
2c 00 38 00 31 00 00 00 2c 00 38 00 32 00 00 00 ,.8.1...,.8.2...
2c 00 38 00 33 00 00 00 2c 00 38 00 34 00 00 00 ,.8.3...,.8.4...
2c 00 38 00 35 00 00 00 2c 00 38 00 36 00 00 00 ,.8.5...,.8.6...
2c 00 38 00 37 00 00 00 2c 00 38 00 38 00 00 00 ,.8.7...,.8.8...
2c 00 38 00 39 00 00 00 2c 00 38 00 61 00 00 00 ,.8.9...,.8.a...
2c 00 38 00 62 00 00 00 2c 00 38 00 63 00 00 00 ,.8.b...,.8.c...
2c 00 38 00 64 00 00 00 2c 00 38 00 65 00 00 00 ,.8.d...,.8.e...
2c 00 38 00 66 00 00 00 2c 00 39 00 30 00 00 00 ,.8.f...,.9.0...
2c 00 39 00 31 00 00 00 2c 00 39 00 32 00 00 00 ,.9.1...,.9.2...
2c 00 39 00 33 00 00 00 2c 00 39 00 34 00 00 00 ,.9.3...,.9.4...
2c 00 39 00 35 00 00 00 2c 00 39 00 36 00 00 00 ,.9.5...,.9.6...
2c 00 39 00 37 00 00 00 2c 00 39 00 38 00 00 00 ,.9.7...,.9.8...
2c 00 39 00 39 00 00 00 2c 00 39 00 61 00 00 00 ,.9.9...,.9.a...
2c 00 39 00 62 00 00 00 2c 00 39 00 63 00 00 00 ,.9.b...,.9.c...
2c 00 39 00 64 00 00 00 2c 00 39 00 65 00 00 00 ,.9.d...,.9.e...
2c 00 39 00 66 00 00 00 2c 00 61 00 30 00 00 00 ,.9.f...,.a.0...
2c 00 61 00 31 00 00 00 2c 00 61 00 32 00 00 00 ,.a.1...,.a.2...
2c 00 61 00 33 00 00 00 2c 00 61 00 34 00 00 00 ,.a.3...,.a.4...
2c 00 61 00 35 00 00 00 2c 00 61 00 36 00 00 00 ,.a.5...,.a.6...
2c 00 61 00 37 00 00 00 2c 00 61 00 38 00 00 00 ,.a.7...,.a.8...
2c 00 61 00 39 00 00 00 2c 00 61 00 61 00 00 00 ,.a.9...,.a.a...
2c 00 61 00 62 00 00 00 2c 00 61 00 63 00 00 00 ,.a.b...,.a.c...
2c 00 61 00 64 00 00 00 2c 00 61 00 65 00 00 00 ,.a.d...,.a.e...
2c 00 61 00 66 00 00 00 2c 00 62 00 30 00 00 00 ,.a.f...,.b.0...
2c 00 62 00 31 00 00 00 2c 00 62 00 32 00 00 00 ,.b.1...,.b.2...
2c 00 62 00 33 00 00 00 2c 00 62 00 34 00 00 00 ,.b.3...,.b.4...
2c 00 62 00 35 00 00 00 2c 00 62 00 36 00 00 00 ,.b.5...,.b.6...
2c 00 62 00 37 00 00 00 2c 00 62 00 38 00 00 00 ,.b.7...,.b.8...
2c 00 62 00 39 00 00 00 2c 00 62 00 61 00 00 00 ,.b.9...,.b.a...
2c 00 62 00 62 00 00 00 2c 00 62 00 63 00 00 00 ,.b.b...,.b.c...
2c 00 62 00 64 00 00 00 2c 00 62 00 65 00 00 00 ,.b.d...,.b.e...
2c 00 62 00 66 00 00 00 2c 00 63 00 30 00 00 00 ,.b.f...,.c.0...
2c 00 63 00 31 00 00 00 2c 00 63 00 32 00 00 00 ,.c.1...,.c.2...
2c 00 63 00 33 00 00 00 2c 00 63 00 34 00 00 00 ,.c.3...,.c.4...
2c 00 63 00 35 00 00 00 2c 00 63 00 36 00 00 00 ,.c.5...,.c.6...
2c 00 63 00 37 00 00 00 2c 00 63 00 38 00 00 00 ,.c.7...,.c.8...
2c 00 63 00 39 00 00 00 2c 00 63 00 61 00 00 00 ,.c.9...,.c.a...
2c 00 63 00 62 00 00 00 2c 00 63 00 63 00 00 00 ,.c.b...,.c.c...
2c 00 63 00 64 00 00 00 2c 00 63 00 65 00 00 00 ,.c.d...,.c.e...
2c 00 63 00 66 00 00 00 2c 00 64 00 30 00 00 00 ,.c.f...,.d.0...
2c 00 64 00 31 00 00 00 2c 00 64 00 32 00 00 00 ,.d.1...,.d.2...
2c 00 64 00 33 00 00 00 2c 00 64 00 34 00 00 00 ,.d.3...,.d.4...
2c 00 64 00 35 00 00 00 2c 00 64 00 36 00 00 00 ,.d.5...,.d.6...
2c 00 64 00 37 00 00 00 2c 00 64 00 38 00 00 00 ,.d.7...,.d.8...
2c 00 64 00 39 00 00 00 2c 00 64 00 61 00 00 00 ,.d.9...,.d.a...
2c 00 64 00 62 00 00 00 2c 00 64 00 63 00 00 00 ,.d.b...,.d.c...
2c 00 64 00 64 00 00 00 2c 00 64 00 65 00 00 00 ,.d.d...,.d.e...
2c 00 64 00 66 00 00 00 2c 00 65 00 30 00 00 00 ,.d.f...,.e.0...
2c 00 65 00 31 00 00 00 2c 00 65 00 32 00 00 00 ,.e.1...,.e.2...
2c 00 65 00 33 00 00 00 2c 00 65 00 34 00 00 00 ,.e.3...,.e.4...
2c 00 65 00 35 00 00 00 2c 00 65 00 36 00 00 00 ,.e.5...,.e.6...
2c 00 65 00 37 00 00 00 2c 00 65 00 38 00 00 00 ,.e.7...,.e.8...
2c 00 65 00 39 00 00 00 2c 00 65 00 61 00 00 00 ,.e.9...,.e.a...
2c 00 65 00 62 00 00 00 2c 00 65 00 63 00 00 00 ,.e.b...,.e.c...
2c 00 65 00 64 00 00 00 2c 00 65 00 65 00 00 00 ,.e.d...,.e.e...
2c 00 65 00 66 00 00 00 2c 00 66 00 30 00 00 00 ,.e.f...,.f.0...
2c 00 66 00 31 00 00 00 2c 00 66 00 32 00 00 00 ,.f.1...,.f.2...
2c 00 66 00 33 00 00 00 2c 00 66 00 34 00 00 00 ,.f.3...,.f.4...
2c 00 66 00 35 00 00 00 2c 00 66 00 36 00 00 00 ,.f.5...,.f.6...
2c 00 66 00 37 00 00 00 2c 00 66 00 38 00 00 00 ,.f.7...,.f.8...
2c 00 66 00 39 00 00 00 2c 00 66 00 61 00 00 00 ,.f.9...,.f.a...
2c 00 66 00 62 00 00 00 2c 00 66 00 63 00 00 00 ,.f.b...,.f.c...
2c 00 66 00 64 00 00 00 2c 00 66 00 65 00 00 00 ,.f.d...,.f.e...
2c 00 66 00 66 00 00 00 fc 22 40 00 f0 22 40 00 ,.f.f...."@.."@.
e4 22 40 00 dc 22 40 00 d0 22 40 00 c4 22 40 00 ."@.."@.."@.."@.
b8 22 40 00 ac 22 40 00 88 22 40 00 64 22 40 00 ."@.."@.."@.d"@.
3c 22 40 00 24 22 40 00 f8 21 40 00 d0 21 40 00 <"@.$"@..!@..!@.
b4 21 40 00 70 21 40 00 12 00 00 00 12 00 00 00 .!@.p!@.........
13 00 00 00 0b 00 00 00 16 00 00 00 14 00 00 00 ................
0e 00 00 00 21 00 00 00 60 21 40 00 58 21 40 00 ....!...`!@.X!@.
44 21 40 00 34 21 40 00 28 21 40 00 04 21 40 00 D!@.4!@.(!@..!@.
f8 20 40 00 e4 20 40 00 c8 20 40 00 94 20 40 00 . @.. @.. @.. @.
5c 20 40 00 50 20 40 00 52 00 65 00 67 00 43 00 \ @.P @.R.e.g.C.
6c 00 6f 00 73 00 65 00 4b 00 65 00 79 00 28 00 l.o.s.e.K.e.y.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 72 00 65 00 67 00 69 00 73 00 74 00 72 00 .r.e.g.i.s.t.r.
79 00 20 00 6b 00 65 00 79 00 20 00 27 00 25 00 y. .k.e.y. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
57 00 72 00 69 00 74 00 65 00 46 00 69 00 6c 00 W.r.i.t.e.F.i.l.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 65 00 6d 00 70 00 74 00 79 00 o.r. .e.m.p.t.y.
20 00 72 00 65 00 67 00 69 00 73 00 74 00 72 00 .r.e.g.i.s.t.r.
79 00 20 00 6b 00 65 00 79 00 20 00 27 00 25 00 y. .k.e.y. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 25 00 6c 00 l.s.'.......%.l.
73 00 2c 00 22 00 25 00 6c 00 73 00 22 00 2c 00 s.,.".%.l.s.".,.
2c 00 25 00 25 00 52 00 45 00 47 00 5f 00 4b 00 ,.%.%.R.E.G._.K.
45 00 59 00 4f 00 4e 00 4c 00 59 00 25 00 25 00 E.Y.O.N.L.Y.%.%.
0d 00 0a 00 00 00 00 00 57 00 72 00 69 00 74 00 ........W.r.i.t.
65 00 46 00 69 00 6c 00 65 00 28 00 29 00 20 00 e.F.i.l.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 20 00 66 00 6f 00 72 00 20 00 76 00 l.u. .f.o.r. .v.
61 00 6c 00 75 00 65 00 20 00 27 00 25 00 6c 00 a.l.u.e. .'.%.l.
73 00 27 00 20 00 6f 00 66 00 20 00 72 00 65 00 s.'. .o.f. .r.e.
67 00 69 00 73 00 74 00 72 00 79 00 20 00 6b 00 g.i.s.t.r.y. .k.
65 00 79 00 20 00 27 00 25 00 6c 00 73 00 27 00 e.y. .'.%.l.s.'.
0a 00 00 00 2c 00 22 00 22 00 0d 00 0a 00 00 00 ....,.".".......
2c 00 25 00 6c 00 75 00 20 00 3b 00 20 00 30 00 ,.%.l.u. .;. .0.
78 00 25 00 30 00 38 00 6c 00 78 00 0d 00 0a 00 x.%.0.8.l.x.....
00 00 00 00 22 00 0d 00 0a 00 00 00 22 00 00 00 ...."......."...
2c 00 22 00 00 00 00 00 3b 00 22 00 22 00 00 00 ,.".....;."."...
3b 00 0d 00 0a 00 00 00 2c 00 25 00 49 00 36 00 ;.......,.%.I.6.
34 00 75 00 20 00 3b 00 20 00 30 00 78 00 25 00 4.u. .;. .0.x.%.
30 00 31 00 36 00 49 00 36 00 34 00 78 00 0d 00 0.1.6.I.6.4.x...
0a 00 00 00 0d 00 0a 00 00 00 00 00 22 00 25 00 ............".%.
6c 00 73 00 22 00 2c 00 25 00 25 00 52 00 45 00 l.s.".,.%.%.R.E.
47 00 5f 00 25 00 6c 00 73 00 25 00 25 00 00 00 G._.%.l.s.%.%...
2c 00 25 00 25 00 52 00 45 00 47 00 5f 00 25 00 ,.%.%.R.E.G._.%.
6c 00 73 00 25 00 25 00 00 00 00 00 22 00 25 00 l.s.%.%.....".%.
6c 00 73 00 22 00 2c 00 30 00 78 00 25 00 30 00 l.s.".,.0.x.%.0.
38 00 6c 00 78 00 00 00 2c 00 30 00 78 00 25 00 8.l.x...,.0.x.%.
30 00 38 00 6c 00 78 00 00 00 00 00 25 00 6c 00 0.8.l.x.....%.l.
73 00 2c 00 22 00 25 00 6c 00 73 00 22 00 2c 00 s.,.".%.l.s.".,.
00 00 00 00 25 00 6c 00 73 00 2c 00 2c 00 00 00 ....%.l.s.,.,...
25 00 6c 00 73 00 2c 00 2c 00 2c 00 25 00 25 00 %.l.s.,.,.,.%.%.
52 00 45 00 47 00 5f 00 4b 00 45 00 59 00 4f 00 R.E.G._.K.E.Y.O.
4e 00 4c 00 59 00 25 00 25 00 0d 00 0a 00 00 00 N.L.Y.%.%.......
52 00 65 00 67 00 45 00 6e 00 75 00 6d 00 4b 00 R.e.g.E.n.u.m.K.
65 00 79 00 45 00 78 00 28 00 29 00 20 00 72 00 e.y.E.x.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 20 00 66 00 6f 00 72 00 20 00 72 00 65 00 u. .f.o.r. .r.e.
67 00 69 00 73 00 74 00 72 00 79 00 20 00 6b 00 g.i.s.t.r.y. .k.
65 00 79 00 20 00 27 00 25 00 6c 00 73 00 27 00 e.y. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 52 00 65 00 67 00 45 00 ........R.e.g.E.
6e 00 75 00 6d 00 56 00 61 00 6c 00 75 00 65 00 n.u.m.V.a.l.u.e.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 r. .%.l.u. .f.o.
72 00 20 00 72 00 65 00 67 00 69 00 73 00 74 00 r. .r.e.g.i.s.t.
72 00 79 00 20 00 6b 00 65 00 79 00 20 00 27 00 r.y. .k.e.y. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 %.l.s.'.........
52 00 65 00 67 00 4f 00 70 00 65 00 6e 00 4b 00 R.e.g.O.p.e.n.K.
65 00 79 00 45 00 78 00 28 00 29 00 20 00 72 00 e.y.E.x.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 20 00 66 00 6f 00 72 00 20 00 72 00 65 00 u. .f.o.r. .r.e.
67 00 69 00 73 00 74 00 72 00 79 00 20 00 6b 00 g.i.s.t.r.y. .k.
65 00 79 00 20 00 27 00 25 00 6c 00 73 00 27 00 e.y. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 4c 00 6f 00 63 00 61 00 ........L.o.c.a.
6c 00 46 00 72 00 65 00 65 00 28 00 29 00 20 00 l.F.r.e.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 0d 00 0a 00 3b 00 20 00 l.u.........;. .
45 00 4f 00 46 00 0d 00 0a 00 00 00 00 00 00 00 E.O.F...........
41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 A.r.g.u.m.e.n.t.
20 00 27 00 25 00 6c 00 73 00 27 00 20 00 69 00 .'.%.l.s.'. .i.
73 00 20 00 6e 00 6f 00 74 00 20 00 61 00 20 00 s. .n.o.t. .a. .
70 00 72 00 65 00 64 00 65 00 66 00 69 00 6e 00 p.r.e.d.e.f.i.n.
65 00 64 00 20 00 72 00 65 00 67 00 69 00 73 00 e.d. .r.e.g.i.s.
74 00 72 00 79 00 20 00 6b 00 65 00 79 00 20 00 t.r.y. .k.e.y. .
6e 00 61 00 6d 00 65 00 21 00 0a 00 00 00 00 00 n.a.m.e.!.......
0d 00 0a 00 5b 00 41 00 64 00 64 00 52 00 65 00 ....[.A.d.d.R.e.
67 00 2e 00 25 00 6c 00 73 00 5d 00 0d 00 0a 00 g...%.l.s.].....
00 00 00 00 00 00 00 00 57 00 72 00 69 00 74 00 ........W.r.i.t.
65 00 46 00 69 00 6c 00 65 00 28 00 29 00 20 00 e.F.i.l.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 ff fe 3b 00 20 00 52 00 l.u.......;. .R.
65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 e.g.i.s.t.r.y. .
6f 00 66 00 20 00 27 00 25 00 6c 00 73 00 27 00 o.f. .'.%.l.s.'.
0d 00 0a 00 0d 00 0a 00 5b 00 56 00 65 00 72 00 ........[.V.e.r.
73 00 69 00 6f 00 6e 00 5d 00 0d 00 0a 00 44 00 s.i.o.n.].....D.
72 00 69 00 76 00 65 00 72 00 56 00 65 00 72 00 r.i.v.e.r.V.e.r.
20 00 3d 00 20 00 25 00 30 00 32 00 68 00 75 00 .=. .%.0.2.h.u.
2f 00 25 00 30 00 32 00 68 00 75 00 2f 00 25 00 /.%.0.2.h.u./.%.
30 00 34 00 68 00 75 00 2c 00 25 00 30 00 32 00 0.4.h.u.,.%.0.2.
68 00 75 00 2e 00 25 00 30 00 32 00 68 00 75 00 h.u...%.0.2.h.u.
2e 00 25 00 30 00 32 00 68 00 75 00 2e 00 25 00 ..%.0.2.h.u...%.
30 00 33 00 68 00 75 00 20 00 3b 00 20 00 55 00 0.3.h.u. .;. .U.
54 00 43 00 0d 00 0a 00 50 00 72 00 6f 00 76 00 T.C.....P.r.o.v.
69 00 64 00 65 00 72 00 20 00 20 00 3d 00 20 00 i.d.e.r. . .=. .
22 00 53 00 74 00 65 00 66 00 61 00 6e 00 20 00 ".S.t.e.f.a.n. .
4b 00 61 00 6e 00 74 00 68 00 61 00 6b 00 22 00 K.a.n.t.h.a.k.".
0d 00 0a 00 53 00 69 00 67 00 6e 00 61 00 74 00 ....S.i.g.n.a.t.
75 00 72 00 65 00 20 00 3d 00 20 00 22 00 24 00 u.r.e. .=. .".$.
57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 W.i.n.d.o.w.s. .
4e 00 54 00 24 00 22 00 0d 00 0a 00 0d 00 0a 00 N.T.$.".........
5b 00 53 00 74 00 72 00 69 00 6e 00 67 00 73 00 [.S.t.r.i.n.g.s.
5d 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 53 00 ].....R.E.G._.S.
5a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 Z. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 3d 00 20 00 30 00 78 00 30 00 30 00 . .=. .0.x.0.0.
30 00 30 00 30 00 30 00 30 00 30 00 0d 00 0a 00 0.0.0.0.0.0.....
52 00 45 00 47 00 5f 00 42 00 49 00 4e 00 41 00 R.E.G._.B.I.N.A.
52 00 59 00 20 00 20 00 20 00 20 00 20 00 20 00 R.Y. . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 30 00 30 00 30 00 30 00 30 00 .0.x.0.0.0.0.0.
30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 47 00 0.0.1.....R.E.G.
5f 00 4b 00 45 00 59 00 4f 00 4e 00 4c 00 59 00 _.K.E.Y.O.N.L.Y.
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 3d 00 20 00 30 00 78 00 . . . .=. .0.x.
30 00 30 00 30 00 30 00 30 00 30 00 31 00 30 00 0.0.0.0.0.0.1.0.
0d 00 0a 00 52 00 45 00 47 00 5f 00 4d 00 55 00 ....R.E.G._.M.U.
4c 00 54 00 49 00 5f 00 53 00 5a 00 20 00 20 00 L.T.I._.S.Z. . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 3d 00 20 00 30 00 78 00 30 00 30 00 30 00 .=. .0.x.0.0.0.
31 00 30 00 30 00 30 00 30 00 0d 00 0a 00 52 00 1.0.0.0.0.....R.
45 00 47 00 5f 00 44 00 57 00 4f 00 52 00 44 00 E.G._.D.W.O.R.D.
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 . . . . . .=. .
30 00 78 00 30 00 30 00 30 00 31 00 30 00 30 00 0.x.0.0.0.1.0.0.
30 00 31 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 0.1.....R.E.G._.
45 00 58 00 50 00 41 00 4e 00 44 00 5f 00 53 00 E.X.P.A.N.D._.S.
5a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 Z. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 3d 00 20 00 30 00 78 00 30 00 . . .=. .0.x.0.
30 00 30 00 32 00 30 00 30 00 30 00 30 00 0d 00 0.0.2.0.0.0.0...
0a 00 52 00 45 00 47 00 5f 00 4e 00 4f 00 4e 00 ..R.E.G._.N.O.N.
45 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 E. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 32 00 =. .0.x.0.0.0.2.
30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 0.0.0.1.....R.E.
47 00 5f 00 43 00 4f 00 4d 00 50 00 41 00 54 00 G._.C.O.M.P.A.T.
49 00 42 00 4c 00 45 00 20 00 20 00 20 00 20 00 I.B.L.E. . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 3d 00 20 00 30 00 . . . . .=. .0.
78 00 30 00 30 00 30 00 33 00 30 00 30 00 30 00 x.0.0.0.3.0.0.0.
31 00 20 00 3b 00 20 00 73 00 61 00 6d 00 65 00 1. .;. .s.a.m.e.
20 00 61 00 73 00 20 00 52 00 45 00 47 00 5f 00 .a.s. .R.E.G._.
42 00 49 00 4e 00 41 00 52 00 59 00 0d 00 0a 00 B.I.N.A.R.Y.....
52 00 45 00 47 00 5f 00 44 00 57 00 4f 00 52 00 R.E.G._.D.W.O.R.
44 00 5f 00 4c 00 49 00 54 00 54 00 4c 00 45 00 D._.L.I.T.T.L.E.
5f 00 45 00 4e 00 44 00 49 00 41 00 4e 00 20 00 _.E.N.D.I.A.N. .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 30 00 30 00 30 00 34 00 30 00 .0.x.0.0.0.4.0.
30 00 30 00 31 00 20 00 3b 00 20 00 73 00 61 00 0.0.1. .;. .s.a.
6d 00 65 00 20 00 61 00 73 00 20 00 52 00 45 00 m.e. .a.s. .R.E.
47 00 5f 00 44 00 57 00 4f 00 52 00 44 00 0d 00 G._.D.W.O.R.D...
0a 00 52 00 45 00 47 00 5f 00 44 00 57 00 4f 00 ..R.E.G._.D.W.O.
52 00 44 00 5f 00 42 00 49 00 47 00 5f 00 45 00 R.D._.B.I.G._.E.
4e 00 44 00 49 00 41 00 4e 00 20 00 20 00 20 00 N.D.I.A.N. . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 35 00 =. .0.x.0.0.0.5.
30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 0.0.0.1.....R.E.
47 00 5f 00 4c 00 49 00 4e 00 4b 00 20 00 20 00 G._.L.I.N.K. . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 3d 00 20 00 30 00 . . . . .=. .0.
78 00 30 00 30 00 30 00 36 00 30 00 30 00 30 00 x.0.0.0.6.0.0.0.
30 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 52 00 0.....R.E.G._.R.
45 00 53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 E.S.O.U.R.C.E._.
4c 00 49 00 53 00 54 00 20 00 20 00 20 00 20 00 L.I.S.T. . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 3d 00 20 00 30 00 78 00 30 00 30 00 . .=. .0.x.0.0.
30 00 38 00 30 00 30 00 30 00 31 00 0d 00 0a 00 0.8.0.0.0.1.....
52 00 45 00 47 00 5f 00 46 00 55 00 4c 00 4c 00 R.E.G._.F.U.L.L.
5f 00 52 00 45 00 53 00 4f 00 55 00 52 00 43 00 _.R.E.S.O.U.R.C.
45 00 5f 00 44 00 45 00 53 00 43 00 52 00 49 00 E._.D.E.S.C.R.I.
50 00 54 00 4f 00 52 00 20 00 20 00 20 00 3d 00 P.T.O.R. . . .=.
20 00 30 00 78 00 30 00 30 00 30 00 39 00 30 00 .0.x.0.0.0.9.0.
30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 47 00 0.0.1.....R.E.G.
5f 00 52 00 45 00 53 00 4f 00 55 00 52 00 43 00 _.R.E.S.O.U.R.C.
45 00 5f 00 52 00 45 00 51 00 55 00 49 00 52 00 E._.R.E.Q.U.I.R.
45 00 4d 00 45 00 4e 00 54 00 53 00 5f 00 4c 00 E.M.E.N.T.S._.L.
49 00 53 00 54 00 20 00 3d 00 20 00 30 00 78 00 I.S.T. .=. .0.x.
30 00 30 00 30 00 61 00 30 00 30 00 30 00 31 00 0.0.0.a.0.0.0.1.
0d 00 0a 00 52 00 45 00 47 00 5f 00 51 00 57 00 ....R.E.G._.Q.W.
4f 00 52 00 44 00 20 00 20 00 20 00 20 00 20 00 O.R.D. . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 3d 00 20 00 30 00 78 00 30 00 30 00 30 00 .=. .0.x.0.0.0.
62 00 30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 b.0.0.0.1.....R.
45 00 47 00 5f 00 51 00 57 00 4f 00 52 00 44 00 E.G._.Q.W.O.R.D.
5f 00 4c 00 49 00 54 00 54 00 4c 00 45 00 5f 00 _.L.I.T.T.L.E._.
45 00 4e 00 44 00 49 00 41 00 4e 00 20 00 20 00 E.N.D.I.A.N. . .
20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 . . . . . .=. .
30 00 78 00 30 00 30 00 30 00 62 00 30 00 30 00 0.x.0.0.0.b.0.0.
30 00 31 00 20 00 3b 00 20 00 73 00 61 00 6d 00 0.1. .;. .s.a.m.
65 00 20 00 61 00 73 00 20 00 52 00 45 00 47 00 e. .a.s. .R.E.G.
5f 00 51 00 57 00 4f 00 52 00 44 00 0d 00 0a 00 _.Q.W.O.R.D.....
Decode the dump file REGISTRY.TXT created in step 3. to recreate the console application Registry INF Dumper:
CERTUTIL.EXE /DecodeHex /V REGISTRY.TXT REGISTRY.COM
Input Length = 45696
Output Length = 10752
CertUtil: -decodehex command completed successfully.
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!
The MSDN article Console Handles provides background information.
Create the text file SECURITY.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define _CRT_SECURE_NO_WARNINGS
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#include <sddl.h>
#include <lmcons.h>
#include <aclapi.h>
#ifndef LABEL_SECURITY_INFORMATION
#define LABEL_SECURITY_INFORMATION 0x00000010UL
#endif
#ifndef ATTRIBUTE_SECURITY_INFORMATION
#define ATTRIBUTE_SECURITY_INFORMATION 0x00000020UL
#endif
#ifndef SCOPE_SECURITY_INFORMATION
#define SCOPE_SECURITY_INFORMATION 0x00000040UL
#endif
#ifndef PROCESS_TRUST_LABEL_SECURITY_INFORMATION
#define PROCESS_TRUST_LABEL_SECURITY_INFORMATION 0x00000080UL
#endif
#ifndef BACKUP_SECURITY_INFORMATION
#define BACKUP_SECURITY_INFORMATION 0x00010000UL
#endif
#ifndef SYSTEM_MANDATORY_LABEL_ACE_TYPE
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11
typedef struct _SYSTEM_MANDATORY_LABEL_ACE
{
ACE_HEADER Header;
ACCESS_MASK Mask;
DWORD SidStart;
} SYSTEM_MANDATORY_LABEL_ACE;
#endif
#ifndef SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE
#define SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE 0x12
typedef struct _SYSTEM_RESOURCE_ATTRIBUTE_ACE
{
ACE_HEADER Header;
ACCESS_MASK Mask;
DWORD SidStart;
} SYSTEM_RESOURCE_ATTRIBUTE_ACE;
#endif
#ifndef SYSTEM_SCOPED_POLICY_ID_ACE_TYPE
#define SYSTEM_SCOPED_POLICY_ID_ACE_TYPE 0x13
typedef struct _SYSTEM_SCOPED_POLICY_ID_ACE
{
ACE_HEADER Header;
ACCESS_MASK Mask;
DWORD SidStart;
} SYSTEM_SCOPED_POLICY_ID_ACE;
#endif
#ifndef SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE
#define SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE 0x14
typedef struct _SYSTEM_PROCESS_TRUST_LABEL_ACE
{
ACE_HEADER Header;
ACCESS_MASK Mask;
DWORD SidStart;
} SYSTEM_PROCESS_TRUST_LABEL_ACE;
#endif
#ifndef SYSTEM_ACCESS_FILTER_ACE_TYPE
#define SYSTEM_ACCESS_FILTER_ACE_TYPE 0x15
typedef struct _SYSTEM_ACCESS_FILTER_ACE
{
ACE_HEADER Header;
ACCESS_MASK Mask;
DWORD SidStart;
} SYSTEM_ACCESS_FILTER_ACE;
#endif
#define memcpy __movsb
#define wmemcpy __movsw
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
WCHAR szBuffer[1025];
DWORD dwBuffer;
DWORD dwConsole;
va_list vaInserts;
va_start(vaInserts, lpFormat);
dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
va_end(vaInserts);
if (dwBuffer == 0)
return FALSE;
if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
return FALSE;
return dwConsole == dwBuffer;
}
__declspec(safebuffers)
SID_NAME_USE CheckSID(HANDLE hConsole, SID *sid, LPWSTR *lpStringSID)
{
    SID_NAME_USE snu = 0;
    DWORD dwError = ERROR_SUCCESS;
    WCHAR szAccount[UNLEN + 1];
    DWORD dwAccount = sizeof(szAccount) / sizeof(*szAccount);
    WCHAR szDomain[GNLEN + 1];
    DWORD dwDomain = sizeof(szDomain) / sizeof(*szDomain);
    // convert the binary SID to its string form; the caller releases it with LocalFree()
    if (!ConvertSidToStringSid(sid, lpStringSID))
    {
        PrintConsole(hConsole,
                     L"ConvertSidToStringSid() returned error %lu\n",
                     GetLastError());
        // leave a defined value behind, so that the caller's LocalFree() is a no-op
        *lpStringSID = NULL;
    }
    // resolve the SID on the local system; snu stays 0 when no account is mapped to it
    if (!LookupAccountSid((LPCWSTR) NULL,
                          sid,
                          szAccount, &dwAccount,
                          szDomain, &dwDomain,
                          &snu))
    {
        dwError = GetLastError();
        // ERROR_NONE_MAPPED is reported by the caller as unknown owner, group or trustee
        if (dwError != ERROR_NONE_MAPPED)
            PrintConsole(hConsole,
                         L"LookupAccountSid() returned error %lu for \'%ls\'\n",
                         dwError, *lpStringSID);
    }
    return snu;
}
__declspec(safebuffers)
DWORD WINAPI Security(HANDLE hConsole, WCHAR szPathName[])
{
SECURITY_DESCRIPTOR *lpSD;
SID *lpOwner, *lpGroup, *lpTrustee;
ACL *lpDACL, *lpSACL;
ACE_HEADER *lpACE;
WORD wACE;
LPWSTR lpStringSID;
DWORD dwError;
dwError = GetNamedSecurityInfo(szPathName,
SE_FILE_OBJECT,
#if 1
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
#else
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
#endif
&lpOwner,
&lpGroup,
&lpDACL,
&lpSACL,
&lpSD);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"GetNamedSecurityInfo() returned error %lu for \'%ls\'\n",
dwError, szPathName);
else
if (!IsValidSecurityDescriptor(lpSD))
PrintConsole(hConsole,
L"IsValidSecurityDescriptor() returned FALSE for security descriptor of \'%ls\'\n",
szPathName);
else
{
if (lpOwner == NULL)
PrintConsole(hConsole,
L"No owner in security descriptor of \'%ls\'\n",
szPathName);
else
if (!IsValidSid(lpOwner))
PrintConsole(hConsole,
L"IsValidSid() returned FALSE for owner of \'%ls\'\n",
szPathName);
else
{
if (!CheckSID(hConsole, lpOwner, &lpStringSID))
PrintConsole(hConsole,
L"Unknown owner \'%ls\' in security descriptor of \'%ls\'\n",
lpStringSID, szPathName);
if (LocalFree(lpStringSID) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
if (lpGroup == NULL)
PrintConsole(hConsole,
L"No group in security descriptor of \'%ls\'\n",
szPathName);
else
if (!IsValidSid(lpGroup))
PrintConsole(hConsole,
L"IsValidSid() returned FALSE for group of \'%ls\'\n",
szPathName);
else
{
if (!CheckSID(hConsole, lpGroup, &lpStringSID))
PrintConsole(hConsole,
L"Unknown group \'%ls\' in security descriptor of \'%ls\'\n",
lpStringSID, szPathName);
if (LocalFree(lpStringSID) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
if (lpDACL == NULL)
PrintConsole(hConsole,
L"No DACL in security descriptor of \'%ls\'\n",
szPathName);
else
if (!IsValidAcl(lpDACL))
PrintConsole(hConsole,
L"IsValidAcl() returned FALSE for DACL of \'%ls\'\n",
szPathName);
else
if (lpDACL->AceCount == 0)
PrintConsole(hConsole,
L"Empty DACL in security descriptor of \'%ls\'\n",
szPathName);
else
for (lpACE = (ACE_HEADER *) (lpDACL + 1),
wACE = 0; wACE < lpDACL->AceCount; wACE++,
lpACE = (ACE_HEADER *) ((BYTE *) lpACE + lpACE->AceSize))
{
switch (lpACE->AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
lpTrustee = (SID *) &(((ACCESS_ALLOWED_ACE *) lpACE)->SidStart);
break;
case ACCESS_DENIED_ACE_TYPE:
lpTrustee = (SID *) &(((ACCESS_DENIED_ACE *) lpACE)->SidStart);
break;
case ACCESS_ALLOWED_COMPOUND_ACE_TYPE:
continue;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
if (((((ACCESS_ALLOWED_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((ACCESS_ALLOWED_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((ACCESS_ALLOWED_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((ACCESS_ALLOWED_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((ACCESS_ALLOWED_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((ACCESS_ALLOWED_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
case ACCESS_DENIED_OBJECT_ACE_TYPE:
if (((((ACCESS_DENIED_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((ACCESS_DENIED_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((ACCESS_DENIED_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((ACCESS_DENIED_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((ACCESS_DENIED_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((ACCESS_DENIED_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
case ACCESS_ALLOWED_CALLBACK_ACE_TYPE:
lpTrustee = (SID *) &(((ACCESS_ALLOWED_CALLBACK_ACE *) lpACE)->SidStart);
break;
case ACCESS_DENIED_CALLBACK_ACE_TYPE:
lpTrustee = (SID *) &(((ACCESS_DENIED_CALLBACK_ACE *) lpACE)->SidStart);
break;
case ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE:
if (((((ACCESS_ALLOWED_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((ACCESS_ALLOWED_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((ACCESS_ALLOWED_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((ACCESS_ALLOWED_CALLBACK_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((ACCESS_ALLOWED_CALLBACK_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((ACCESS_ALLOWED_CALLBACK_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
case ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE:
if (((((ACCESS_DENIED_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((ACCESS_DENIED_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((ACCESS_DENIED_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((ACCESS_DENIED_CALLBACK_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((ACCESS_DENIED_CALLBACK_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((ACCESS_DENIED_CALLBACK_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
default:
PrintConsole(hConsole,
L"Unknown ACE type %u in DACL of \'%ls\'\n",
lpACE->AceType, szPathName);
continue;
}
if (!IsValidSid(lpTrustee))
PrintConsole(hConsole,
L"IsValidSid() returned FALSE for trustee in DACL of \'%ls\'\n",
szPathName);
else
{
if (!CheckSID(hConsole, lpTrustee, &lpStringSID))
PrintConsole(hConsole,
L"Unknown trustee \'%ls\' in DACL of \'%ls\'\n",
lpStringSID, szPathName);
if (LocalFree(lpStringSID) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
}
if (lpSACL == NULL)
PrintConsole(hConsole,
L"No SACL in security descriptor of \'%ls\'\n",
szPathName);
else
if (!IsValidAcl(lpSACL))
PrintConsole(hConsole,
L"IsValidAcl() returned FALSE for SACL of \'%ls\'\n",
szPathName);
else
if (lpSACL->AceCount == 0)
PrintConsole(hConsole,
L"Empty SACL in security descriptor of \'%ls\'\n",
szPathName);
else
for (lpACE = (ACE_HEADER *) (lpSACL + 1),
wACE = 0; wACE < lpSACL->AceCount; wACE++,
lpACE = (ACE_HEADER *) ((BYTE *) lpACE + lpACE->AceSize))
{
switch (lpACE->AceType)
{
case SYSTEM_AUDIT_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_AUDIT_ACE *) lpACE)->SidStart);
break;
case SYSTEM_ALARM_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_ALARM_ACE *) lpACE)->SidStart);
break;
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
if (((((SYSTEM_AUDIT_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((SYSTEM_AUDIT_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((SYSTEM_AUDIT_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((SYSTEM_AUDIT_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((SYSTEM_AUDIT_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((SYSTEM_AUDIT_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
case SYSTEM_ALARM_OBJECT_ACE_TYPE:
if (((((SYSTEM_ALARM_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((SYSTEM_ALARM_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((SYSTEM_ALARM_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((SYSTEM_ALARM_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((SYSTEM_ALARM_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((SYSTEM_ALARM_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
case SYSTEM_AUDIT_CALLBACK_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_AUDIT_CALLBACK_ACE *) lpACE)->SidStart);
break;
case SYSTEM_ALARM_CALLBACK_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_ALARM_CALLBACK_ACE *) lpACE)->SidStart);
break;
case SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE:
if (((((SYSTEM_AUDIT_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((SYSTEM_AUDIT_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((SYSTEM_AUDIT_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((SYSTEM_AUDIT_CALLBACK_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((SYSTEM_AUDIT_CALLBACK_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((SYSTEM_AUDIT_CALLBACK_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
case SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE:
if (((((SYSTEM_ALARM_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
== ((((SYSTEM_ALARM_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) == ACE_INHERITED_OBJECT_TYPE_PRESENT))
if ((((SYSTEM_ALARM_CALLBACK_OBJECT_ACE *) lpACE)->Flags & ACE_OBJECT_TYPE_PRESENT) == ACE_OBJECT_TYPE_PRESENT)
lpTrustee = (SID *) &(((SYSTEM_ALARM_CALLBACK_OBJECT_ACE *) lpACE)->SidStart);
else
lpTrustee = (SID *) &(((SYSTEM_ALARM_CALLBACK_OBJECT_ACE *) lpACE)->ObjectType);
else
lpTrustee = (SID *) &(((SYSTEM_ALARM_CALLBACK_OBJECT_ACE *) lpACE)->InheritedObjectType);
break;
case SYSTEM_MANDATORY_LABEL_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_MANDATORY_LABEL_ACE *) lpACE)->SidStart);
break;
case SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_RESOURCE_ATTRIBUTE_ACE *) lpACE)->SidStart);
break;
case SYSTEM_SCOPED_POLICY_ID_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_SCOPED_POLICY_ID_ACE *) lpACE)->SidStart);
break;
case SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_PROCESS_TRUST_LABEL_ACE *) lpACE)->SidStart);
break;
case SYSTEM_ACCESS_FILTER_ACE_TYPE:
lpTrustee = (SID *) &(((SYSTEM_ACCESS_FILTER_ACE *) lpACE)->SidStart);
break;
default:
PrintConsole(hConsole,
L"Unknown ACE type %u in SACL of \'%ls\'\n",
lpACE->AceType, szPathName);
continue;
}
if (!IsValidSid(lpTrustee))
PrintConsole(hConsole,
L"IsValidSid() returned FALSE for trustee in SACL of \'%ls\'\n",
szPathName);
else
{
if (!CheckSID(hConsole, lpTrustee, &lpStringSID))
PrintConsole(hConsole,
L"Unknown trustee \'%ls\' in SACL of \'%ls\'\n",
lpStringSID, szPathName);
if (LocalFree(lpStringSID) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
}
if (LocalFree(lpSD) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
return dwError;
}
__declspec(safebuffers)
DWORD WINAPI Traverse(HANDLE hConsole, WCHAR szPathName[32768])
{
WIN32_FIND_DATA wfd;
HANDLE hPathName;
DWORD dwPathName;
DWORD dwError = Security(hConsole, szPathName);
dwPathName = wcslen(szPathName);
#if 0
wcscat(szPathName, L"\\*");
#elif 0
wmemcpy(szPathName + dwPathName, L"\\*", sizeof("\\*"));
#elif 0
memcpy(szPathName + dwPathName, L"\\*", sizeof(L"\\*"));
#else
szPathName[dwPathName + 0] = L'\\';
szPathName[dwPathName + 1] = L'*';
szPathName[dwPathName + 2] = L'\0';
#endif
hPathName = FindFirstFile(szPathName, &wfd);
if (hPathName != INVALID_HANDLE_VALUE)
{
do
{
#if 0
if ((wcscmp(wfd.cFileName, L".") == 0)
|| (wcscmp(wfd.cFileName, L"..") == 0))
continue;
#elif 0
if ((wmemcmp(wfd.cFileName, L".", sizeof(".")) == 0)
|| (wmemcmp(wfd.cFileName, L"..", sizeof("..")) == 0))
continue;
#elif 0
if ((memcmp(wfd.cFileName, L".", sizeof(L".")) == 0)
|| (memcmp(wfd.cFileName, L"..", sizeof(L"..")) == 0))
continue;
#else
if ((wfd.cFileName[0] == L'.')
&& (wfd.cFileName[1] == L'\0'))
continue;
if ((wfd.cFileName[0] == L'.')
&& (wfd.cFileName[1] == L'.')
&& (wfd.cFileName[2] == L'\0'))
continue;
#endif
wcscpy(szPathName + dwPathName + 1, wfd.cFileName);
if ((wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == 0)
dwError = Security(hConsole, szPathName);
else if ((wfd.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == 0)
dwError = Traverse(hConsole, szPathName);
}
while (FindNextFile(hPathName, &wfd));
dwError = GetLastError();
if (dwError == ERROR_NO_MORE_FILES)
dwError = ERROR_SUCCESS;
else
PrintConsole(hConsole,
L"FindNextFile() returned error %lu for path \'%ls\'\n",
dwError, szPathName);
if (!FindClose(hPathName))
PrintConsole(hConsole,
L"FindClose() returned error %lu for path \'%ls\'\n",
GetLastError(), szPathName);
}
else
{
dwError = GetLastError();
if (dwError == ERROR_FILE_NOT_FOUND)
dwError = ERROR_SUCCESS;
else
PrintConsole(hConsole,
L"FindFirstFile() returned error %lu for path \'%ls\'\n",
dwError, szPathName);
}
// szPathName[dwPathName] = L'\0';
return dwError;
}
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
WIN32_FIND_DATA wfd;
LPWSTR *lpArguments;
INT nArguments;
INT nArgument = 1;
DWORD dwError = ERROR_BAD_ARGUMENTS;
DWORD dwArgument;
WCHAR szArgument[32768];
LPWSTR lpArgument;
HANDLE hArgument;
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
if (lpArguments == NULL)
PrintConsole(hConsole,
L"CommandLineToArgv() returned error %lu\n",
dwError = GetLastError());
else
{
if (nArguments < 2)
PrintConsole(hConsole,
L"No arguments: at least one directory or file name must be given!\n");
else
do
{
wcscpy(szArgument, lpArguments[nArgument]);
dwArgument = GetFileAttributes(szArgument);
if (dwArgument == INVALID_FILE_ATTRIBUTES)
{
hArgument = FindFirstFile(szArgument, &wfd);
if (hArgument == INVALID_HANDLE_VALUE)
PrintConsole(hConsole,
L"FindFirstFile() returned error %lu for argument \'%ls\'\n",
dwError = GetLastError(), szArgument);
else
{
dwArgument = 0;
lpArgument = NULL;
do
if (szArgument[dwArgument] == L'\\')
lpArgument = szArgument + dwArgument;
while (szArgument[dwArgument++] != L'\0');
if (dwArgument > MAX_PATH)
PrintConsole(hConsole,
L"Argument \'%ls\' exceeds MAX_PATH!\n",
szArgument);
if (lpArgument != NULL)
lpArgument++;
else
lpArgument = szArgument + 2 * (szArgument[1] == L':');
dwArgument = 0;
do
{
#if 0
if ((wcscmp(wfd.cFileName, L".") == 0)
|| (wcscmp(wfd.cFileName, L"..") == 0))
continue;
#elif 0
if ((wmemcmp(wfd.cFileName, L".", sizeof(".")) == 0)
|| (wmemcmp(wfd.cFileName, L"..", sizeof("..")) == 0))
continue;
#elif 0
if ((memcmp(wfd.cFileName, L".", sizeof(L".")) == 0)
|| (memcmp(wfd.cFileName, L"..", sizeof(L"..")) == 0))
continue;
#else
if ((wfd.cFileName[0] == L'.')
&& (wfd.cFileName[1] == L'\0'))
continue;
if ((wfd.cFileName[0] == L'.')
&& (wfd.cFileName[1] == L'.')
&& (wfd.cFileName[2] == L'\0'))
continue;
#endif
dwArgument++;
wcscpy(lpArgument, wfd.cFileName);
if ((wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == 0)
dwError = Security(hConsole, szArgument);
else
dwError = Traverse(hConsole, szArgument);
}
while (FindNextFile(hArgument, &wfd));
dwError = GetLastError();
if (dwError == ERROR_NO_MORE_FILES)
dwError = ERROR_SUCCESS;
else
PrintConsole(hConsole,
L"FindNextFile() returned error %lu for argument \'%ls\'\n",
dwError, lpArguments[nArgument]);
if (dwArgument == 0)
PrintConsole(hConsole,
L"No match for argument \'%ls\'!\n",
lpArguments[nArgument]);
if (!FindClose(hArgument))
PrintConsole(hConsole,
L"FindClose() returned error %lu for argument \'%ls\'\n",
GetLastError(), lpArguments[nArgument]);
}
}
else if ((dwArgument & FILE_ATTRIBUTE_DIRECTORY) == 0)
dwError = Security(hConsole, szArgument);
else
dwError = Traverse(hConsole, szArgument);
}
while (++nArgument < nArguments);
if (LocalFree(lpArguments) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
if (!CloseHandle(hConsole))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
ExitProcess(dwError);
}
Note: the console application Security Descriptor Inspector.com supports long pathnames with the \\?\ prefix.
Run the following four command lines to compile the source file SECURITY.C created in step 1., link the compiled object file SECURITY.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gs69632 /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"Security Descriptor Inspector.com" /RELEASE /STACK:1048576,65536 /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE SECURITY.C
ERASE SECURITY.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
SECURITY.C
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Create the text file SECURITY.XML with the following content next to the console application Security Descriptor Inspector.com built in step 2.:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
<assemblyIdentity name="eSKamation.Tidbits.Security Descriptor Inspector" processorArchitecture="*" type="win32" version="0.8.1.5" />
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application xmlns="urn:schemas-microsoft-com:asm.v3">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
<windowsSettings>
<longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
</windowsSettings>
</application>
</compatibility>
<description>Security Descriptor Inspector</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Embed the application manifest SECURITY.XML created in step 3. in the console application Security Descriptor Inspector.com built in step 2.:
MT.EXE /MANIFEST SECURITY.XML /OUTPUTRESOURCE:"Security Descriptor Inspector.com"
Note: the Manifest Tool MT.exe is shipped with the Windows Software Development Kit.
Microsoft (R) Manifest Tool version 6.1.7716.0
Copyright (c) Microsoft Corporation 2009. All rights reserved.
Note: on Windows 10 1607 alias Anniversary Update and newer versions of Windows NT, the console application Security Descriptor Inspector.com supports long pathnames when the following Registry entry is present:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"LongPathsEnabled"=dword:00000001
Note: without this Registry entry and on older versions of Windows NT, the console application Security Descriptor Inspector.com supports long pathnames with the \\?\ prefix.
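The DACL and SACL loops in SECURITY.C locate each trustee SID by ACE type; for object ACEs the SID follows zero, one or two 16-byte GUIDs, depending on the Flags field. The following portable C program is an added example, not part of the original SECURITY.C: it performs the same walk over a raw self-relative ACL with explicit bounds checks on AclSize, AceSize and the SID length. The function names and the sample ACL bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values from winnt.h; only these four DACL ACE types are handled here. */
enum { ALLOWED = 0x00, DENIED = 0x01, ALLOWED_OBJECT = 0x05, DENIED_OBJECT = 0x06 };
enum { OBJECT_TYPE_PRESENT = 0x1, INHERITED_OBJECT_TYPE_PRESENT = 0x2 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Offset of the trustee SID inside one ACE; 0 means "type not handled, skip".
   Object ACEs: header(4) + mask(4) + flags(4), then one 16-byte GUID per
   flag bit that is set, then the SID. */
static size_t sid_offset(const uint8_t *ace, size_t ace_size)
{
    switch (ace[0]) {
    case ALLOWED: case DENIED:
        return 8;
    case ALLOWED_OBJECT: case DENIED_OBJECT: {
        if (ace_size < 12) return SIZE_MAX;   /* Flags field missing: caller rejects */
        uint32_t flags = le32(ace + 8);
        return 12 + 16 * (size_t)((flags & OBJECT_TYPE_PRESENT) != 0)
                  + 16 * (size_t)((flags & INHERITED_OBJECT_TYPE_PRESENT) != 0);
    }
    default:
        return 0;
    }
}

/* Format a binary SID as S-1-<authority>-<subauthority>...; authority in decimal.
   Returns 0 on success, -1 if the SID is malformed or does not fit. */
static int sid_to_string(const uint8_t *sid, size_t avail, char *out, size_t outlen)
{
    if (avail < 8 || sid[0] != 1 || sid[1] > 15) return -1;
    if (8 + 4 * (size_t)sid[1] > avail) return -1;      /* SID runs past the ACE */
    uint64_t authority = 0;                             /* 48 bits, big-endian */
    for (int i = 2; i < 8; i++) authority = authority << 8 | sid[i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)authority);
    for (unsigned i = 0; i < (unsigned)sid[1]; i++) {
        if (n < 0 || (size_t)n >= outlen) return -1;
        n += snprintf(out + n, outlen - (size_t)n, "-%lu",
                      (unsigned long)le32(sid + 8 + 4 * i));
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Walk a self-relative ACL and store each trustee as a string SID.
   Returns the number of trustees stored, or -1 if the ACL is malformed. */
int walk_acl(const uint8_t *acl, size_t len, char out[][64], int max)
{
    if (len < 8) return -1;
    size_t acl_size = le16(acl + 2);
    unsigned count = le16(acl + 4);
    if (acl_size < 8 || acl_size > len) return -1;
    size_t pos = 8;
    int found = 0;
    for (unsigned i = 0; i < count; i++) {
        if (acl_size - pos < 8) return -1;              /* no room for header + mask */
        const uint8_t *ace = acl + pos;
        size_t ace_size = le16(ace + 2);
        if (ace_size < 8 || ace_size > acl_size - pos) return -1;
        size_t off = sid_offset(ace, ace_size);
        if (off != 0) {
            if (off >= ace_size || found >= max) return -1;
            if (sid_to_string(ace + off, ace_size - off, out[found], 64) != 0) return -1;
            found++;
        }
        pos += ace_size;                                /* same step as lpACE + AceSize */
    }
    return found;
}

/* Constructed sample ACL with two ACEs (not taken from a real object). */
static const uint8_t SAMPLE_ACL[] = {
    0x04, 0x00, 0x48, 0x00, 0x02, 0x00, 0x00, 0x00,  /* rev 4, AclSize 72, AceCount 2 */
    /* ACCESS_ALLOWED_ACE, AceSize 20, mask 0x001F01FF, trustee S-1-5-18 */
    0x00, 0x00, 0x14, 0x00, 0xFF, 0x01, 0x1F, 0x00,
    0x01, 0x01, 0, 0, 0, 0, 0, 0x05, 0x12, 0, 0, 0,
    /* ACCESS_ALLOWED_OBJECT_ACE, AceSize 44, Flags = inherited object type only */
    0x05, 0x00, 0x2C, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x33, 0x33,  /* placeholder GUID */
    0x44, 0x44, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
    /* trustee S-1-5-32-544 */
    0x01, 0x02, 0, 0, 0, 0, 0, 0x05, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0
};

int main(void)
{
    char sids[4][64];
    int n = walk_acl(SAMPLE_ACL, sizeof SAMPLE_ACL, sids, 4);
    for (int i = 0; i < n; i++) puts(sids[i]);
    return n < 0;
}
```

Adding 16 bytes per set flag bit yields the same three offsets that SECURITY.C selects through the ObjectType, InheritedObjectType and SidStart members.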
Create the text file SECURITY.TXT with the following content in an arbitrary, preferably empty directory:
02 33 d2 83 e1 01 3c 02 0f 94 c2 33 c0 83 f9 01 .3....<....3....
0f 94 c0 3b c2 75 0f 83 f9 01 75 05 8d 7e 2c eb ...;.u....u..~,.
08 8d 7e 0c eb 03 8d 7e 1c 57 ff 15 08 20 40 00 ..~....~.W... @.
85 c0 75 0a ff 75 0c 68 68 21 40 00 eb 43 8d 45 ..u..u.hh!@..C.E
fc 50 57 ff 75 08 e8 e3 fb ff ff 83 c4 0c 85 c0 .PW.u...........
75 16 ff 75 0c ff 75 fc 68 18 21 40 00 ff 75 08 u..u..u.h.!@..u.
e8 7b fb ff ff 83 c4 10 ff 75 fc ff 15 24 20 40 .{.......u...$ @
00 85 c0 74 17 ff 15 20 20 40 00 50 68 b8 27 40 ...t... @.Ph.'@
00 ff 75 08 e8 57 fb ff ff 83 c4 0c 0f b7 46 02 ..u..W........F.
03 f0 8b 45 f4 43 66 3b 58 04 0f 82 06 ff ff ff ...E.Cf;X.......
ff 75 e8 ff 15 24 20 40 00 5f 5e 5b 85 c0 74 17 .u...$ @._^[..t.
ff 15 20 20 40 00 50 68 b8 27 40 00 ff 75 08 e8 .. @.Ph.'@..u..
1c fb ff ff 83 c4 0c 8b 45 e4 c9 c2 08 00 55 8b ........E.....U.
ec 81 ec 50 02 00 00 53 8b 5d 08 56 8b 75 0c 57 ...P...S.].V.u.W
56 53 e8 d6 fb ff ff 8b c6 8d 50 02 66 8b 08 83 VS........P.f...
c0 02 66 85 c9 75 f5 6a 5c 59 2b c2 d1 f8 6a 2a ..f..u.j\Y+...j*
66 89 0c 46 59 8d 7c 46 02 66 89 0f 33 c9 66 89 f..FY.|F.f..3.f.
4c 46 04 8d 85 b0 fd ff ff 50 56 ff 15 30 20 40 LF.......PV..0 @
00 89 45 0c 83 f8 ff 0f 84 bc 00 00 00 66 83 bd ..E..........f..
dc fd ff ff 2e 75 1e 66 83 bd de fd ff ff 00 74 .....u.f.......t
54 66 83 bd de fd ff ff 2e 75 0a 66 83 bd e0 fd Tf.......u.f....
ff ff 00 74 40 8d 85 dc fd ff ff 8b d7 8b c8 2b ...t@..........+
d1 0f b7 08 66 89 0c 02 83 c0 02 66 85 c9 75 f1 ....f......f..u.
f6 85 b0 fd ff ff 10 75 09 56 53 e8 3d fb ff ff .......u.VS.=...
eb 13 f7 85 b0 fd ff ff 00 04 00 00 75 07 56 53 ............u.VS
e8 39 ff ff ff 8d 85 b0 fd ff ff 50 ff 75 0c ff .9.........P.u..
15 2c 20 40 00 85 c0 75 84 8b 1d 20 20 40 00 ff ., @...u... @..
d3 8b f8 83 ff 12 75 04 33 ff eb 12 56 57 68 d0 ......u.3...VWh.
29 40 00 ff 75 08 e8 15 fa ff ff 83 c4 10 ff 75 )@..u..........u
0c ff 15 28 20 40 00 85 c0 75 2f 56 ff d3 50 68 ...( @...u/V..Ph
70 29 40 00 ff 75 08 eb 19 ff 15 20 20 40 00 8b p)@..u..... @..
f8 83 ff 02 75 04 33 ff eb 10 56 57 68 08 29 40 ....u.3...VWh.)@
00 53 e8 d9 f9 ff ff 83 c4 10 8b c7 5f 5e 5b c9 .S.........._^[.
c2 08 00 55 8b ec 81 ec 64 02 01 00 53 56 57 6a ...U....d...SVWj
f4 c7 45 f8 01 00 00 00 be a0 00 00 00 ff 15 40 ..E............@
20 40 00 8b f8 89 7d fc 83 ff ff 75 0d ff 15 20 @....}....u...
20 40 00 8b f0 e9 34 02 00 00 8d 45 f4 50 ff 15 @....4....E.P..
3c 20 40 00 50 ff 15 48 20 40 00 89 45 f0 85 c0 < @.P..H @..E...
75 14 ff 15 20 20 40 00 8b f0 56 68 90 2c 40 00 u... @...Vh.,@.
57 e9 00 02 00 00 83 7d f4 02 7d 12 68 08 2c 40 W......}..}.h.,@
00 57 e8 59 f9 ff ff 59 59 e9 cc 01 00 00 8b 4d .W.Y...YY......M
f8 8b 45 f0 8d 3c 88 8b 0f 6a 02 8d 95 9c fd fe ..E..<...j......
ff 5b 0f b7 01 66 89 02 03 cb 03 d3 66 85 c0 75 .[...f......f..u
f1 8d 85 9c fd fe ff 50 ff 15 38 20 40 00 83 f8 .......P..8 @...
ff 0f 85 68 01 00 00 8d 85 9c fd ff ff 50 8d 85 ...h.........P..
9c fd fe ff 50 ff 15 30 20 40 00 89 45 ec 83 f8 ....P..0 @..E...
ff 75 1a ff 15 20 20 40 00 8b f0 8d 85 9c fd fe .u... @........
ff 50 56 68 98 2b 40 00 e9 25 01 00 00 33 d2 33 .PVh.+@..%...3.3
f6 8d 85 9c fd fe ff 0f b7 08 83 f9 5c 75 02 8b ............\u..
f0 42 03 c3 66 85 c9 75 ee 81 fa 04 01 00 00 76 .B..f..u.......v
17 8d 85 9c fd fe ff 50 68 50 2b 40 00 ff 75 fc .......PhP+@..u.
e8 ab f8 ff ff 83 c4 0c 85 f6 74 04 03 f3 eb 14 ..........t.....
33 c0 66 83 bd 9e fd fe ff 3a 0f 94 c0 8d b4 85 3.f......:......
9c fd fe ff 33 db 66 83 bd c8 fd ff ff 2e 75 1e ....3.f.......u.
66 83 bd ca fd ff ff 00 74 4f 66 83 bd ca fd ff f.......tOf.....
ff 2e 75 0a 66 83 bd cc fd ff ff 00 74 3b 8d 85 ..u.f.......t;..
c8 fd ff ff 8b d6 8b c8 43 2b d1 0f b7 08 66 89 ........C+....f.
0c 02 83 c0 02 66 85 c9 75 f1 f6 85 9c fd ff ff .....f..u.......
10 8d 85 9c fd fe ff 50 ff 75 fc 75 07 e8 0b f9 .......P.u.u....
ff ff eb 05 e8 15 fd ff ff 8d 85 9c fd ff ff 50 ...............P
ff 75 ec ff 15 2c 20 40 00 85 c0 75 89 ff 15 20 .u..., @...u...
20 40 00 8b f0 83 fe 12 75 04 33 f6 eb 13 ff 37 @......u.3....7
56 68 e0 2a 40 00 ff 75 fc e8 f2 f7 ff ff 83 c4 Vh.*@..u........
10 85 db 75 12 ff 37 68 a0 2a 40 00 ff 75 fc e8 ...u..7h.*@..u..
dc f7 ff ff 83 c4 0c ff 75 ec ff 15 28 20 40 00 ........u...( @.
85 c0 75 37 ff 37 ff 15 20 20 40 00 50 68 38 2a ..u7.7.. @.Ph8*
40 00 ff 75 fc e8 b6 f7 ff ff 83 c4 10 eb 1c a8 @..u............
10 8d 85 9c fd fe ff 50 ff 75 fc 75 07 e8 7b f8 .......P.u.u..{.
ff ff eb 05 e8 85 fc ff ff 8b f0 ff 45 f8 8b 45 ............E..E
f8 3b 45 f4 0f 8c 34 fe ff ff ff 75 f0 ff 15 24 .;E...4....u...$
20 40 00 85 c0 74 17 ff 15 20 20 40 00 50 68 b8 @...t... @.Ph.
27 40 00 ff 75 fc e8 65 f7 ff ff 83 c4 0c 56 ff '@..u..e......V.
15 34 20 40 00 cc ff 25 00 20 40 00 00 00 00 00 .4 @...%. @.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b0 2d 00 00 ca 2d 00 00 d8 2d 00 00 e6 2d 00 00 .-...-...-...-..
02 2e 00 00 9c 2d 00 00 00 00 00 00 28 2e 00 00 .....-......(...
38 2e 00 00 48 2e 00 00 54 2e 00 00 60 2e 00 00 8...H...T...`...
70 2e 00 00 82 2e 00 00 90 2e 00 00 a6 2e 00 00 p...............
b8 2e 00 00 00 00 00 00 d6 2e 00 00 00 00 00 00 ................
f8 2e 00 00 00 00 00 00 4c 00 6f 00 6f 00 6b 00 ........L.o.o.k.
75 00 70 00 41 00 63 00 63 00 6f 00 75 00 6e 00 u.p.A.c.c.o.u.n.
74 00 53 00 69 00 64 00 28 00 29 00 20 00 72 00 t.S.i.d.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 20 00 66 00 6f 00 72 00 20 00 27 00 25 00 u. .f.o.r. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 53 00 C.o.n.v.e.r.t.S.
69 00 64 00 54 00 6f 00 53 00 74 00 72 00 69 00 i.d.T.o.S.t.r.i.
6e 00 67 00 53 00 69 00 64 00 28 00 29 00 20 00 n.g.S.i.d.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 55 00 6e 00 6b 00 6e 00 l.u.....U.n.k.n.
6f 00 77 00 6e 00 20 00 74 00 72 00 75 00 73 00 o.w.n. .t.r.u.s.
74 00 65 00 65 00 20 00 27 00 25 00 6c 00 73 00 t.e.e. .'.%.l.s.
27 00 20 00 69 00 6e 00 20 00 53 00 41 00 43 00 '. .i.n. .S.A.C.
4c 00 20 00 6f 00 66 00 20 00 27 00 25 00 6c 00 L. .o.f. .'.%.l.
73 00 27 00 0a 00 00 00 49 00 73 00 56 00 61 00 s.'.....I.s.V.a.
6c 00 69 00 64 00 53 00 69 00 64 00 28 00 29 00 l.i.d.S.i.d.(.).
20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 .r.e.t.u.r.n.e.
64 00 20 00 46 00 41 00 4c 00 53 00 45 00 20 00 d. .F.A.L.S.E. .
66 00 6f 00 72 00 20 00 74 00 72 00 75 00 73 00 f.o.r. .t.r.u.s.
74 00 65 00 65 00 20 00 69 00 6e 00 20 00 53 00 t.e.e. .i.n. .S.
41 00 43 00 4c 00 20 00 6f 00 66 00 20 00 27 00 A.C.L. .o.f. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 %.l.s.'.........
55 00 6e 00 6b 00 6e 00 6f 00 77 00 6e 00 20 00 U.n.k.n.o.w.n. .
41 00 43 00 45 00 20 00 74 00 79 00 70 00 65 00 A.C.E. .t.y.p.e.
20 00 25 00 75 00 20 00 69 00 6e 00 20 00 53 00 .%.u. .i.n. .S.
41 00 43 00 4c 00 20 00 6f 00 66 00 20 00 27 00 A.C.L. .o.f. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 %.l.s.'.........
45 00 6d 00 70 00 74 00 79 00 20 00 53 00 41 00 E.m.p.t.y. .S.A.
43 00 4c 00 20 00 69 00 6e 00 20 00 73 00 65 00 C.L. .i.n. .s.e.
63 00 75 00 72 00 69 00 74 00 79 00 20 00 64 00 c.u.r.i.t.y. .d.
65 00 73 00 63 00 72 00 69 00 70 00 74 00 6f 00 e.s.c.r.i.p.t.o.
72 00 20 00 6f 00 66 00 20 00 27 00 25 00 6c 00 r. .o.f. .'.%.l.
73 00 27 00 0a 00 00 00 49 00 73 00 56 00 61 00 s.'.....I.s.V.a.
6c 00 69 00 64 00 41 00 63 00 6c 00 28 00 29 00 l.i.d.A.c.l.(.).
20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 .r.e.t.u.r.n.e.
64 00 20 00 46 00 41 00 4c 00 53 00 45 00 20 00 d. .F.A.L.S.E. .
66 00 6f 00 72 00 20 00 53 00 41 00 43 00 4c 00 f.o.r. .S.A.C.L.
20 00 6f 00 66 00 20 00 27 00 25 00 6c 00 73 00 .o.f. .'.%.l.s.
27 00 0a 00 00 00 00 00 4e 00 6f 00 20 00 53 00 '.......N.o. .S.
41 00 43 00 4c 00 20 00 69 00 6e 00 20 00 73 00 A.C.L. .i.n. .s.
65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 e.c.u.r.i.t.y. .
64 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 d.e.s.c.r.i.p.t.
6f 00 72 00 20 00 6f 00 66 00 20 00 27 00 25 00 o.r. .o.f. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
55 00 6e 00 6b 00 6e 00 6f 00 77 00 6e 00 20 00 U.n.k.n.o.w.n. .
74 00 72 00 75 00 73 00 74 00 65 00 65 00 20 00 t.r.u.s.t.e.e. .
27 00 25 00 6c 00 73 00 27 00 20 00 69 00 6e 00 '.%.l.s.'. .i.n.
20 00 44 00 41 00 43 00 4c 00 20 00 6f 00 66 00 .D.A.C.L. .o.f.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
49 00 73 00 56 00 61 00 6c 00 69 00 64 00 53 00 I.s.V.a.l.i.d.S.
69 00 64 00 28 00 29 00 20 00 72 00 65 00 74 00 i.d.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 46 00 41 00 u.r.n.e.d. .F.A.
4c 00 53 00 45 00 20 00 66 00 6f 00 72 00 20 00 L.S.E. .f.o.r. .
74 00 72 00 75 00 73 00 74 00 65 00 65 00 20 00 t.r.u.s.t.e.e. .
69 00 6e 00 20 00 44 00 41 00 43 00 4c 00 20 00 i.n. .D.A.C.L. .
6f 00 66 00 20 00 27 00 25 00 6c 00 73 00 27 00 o.f. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 55 00 6e 00 6b 00 6e 00 ........U.n.k.n.
6f 00 77 00 6e 00 20 00 41 00 43 00 45 00 20 00 o.w.n. .A.C.E. .
74 00 79 00 70 00 65 00 20 00 25 00 75 00 20 00 t.y.p.e. .%.u. .
69 00 6e 00 20 00 44 00 41 00 43 00 4c 00 20 00 i.n. .D.A.C.L. .
6f 00 66 00 20 00 27 00 25 00 6c 00 73 00 27 00 o.f. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 45 00 6d 00 70 00 74 00 ........E.m.p.t.
79 00 20 00 44 00 41 00 43 00 4c 00 20 00 69 00 y. .D.A.C.L. .i.
6e 00 20 00 73 00 65 00 63 00 75 00 72 00 69 00 n. .s.e.c.u.r.i.
74 00 79 00 20 00 64 00 65 00 73 00 63 00 72 00 t.y. .d.e.s.c.r.
69 00 70 00 74 00 6f 00 72 00 20 00 6f 00 66 00 i.p.t.o.r. .o.f.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
49 00 73 00 56 00 61 00 6c 00 69 00 64 00 41 00 I.s.V.a.l.i.d.A.
63 00 6c 00 28 00 29 00 20 00 72 00 65 00 74 00 c.l.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 46 00 41 00 u.r.n.e.d. .F.A.
4c 00 53 00 45 00 20 00 66 00 6f 00 72 00 20 00 L.S.E. .f.o.r. .
44 00 41 00 43 00 4c 00 20 00 6f 00 66 00 20 00 D.A.C.L. .o.f. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
4e 00 6f 00 20 00 44 00 41 00 43 00 4c 00 20 00 N.o. .D.A.C.L. .
69 00 6e 00 20 00 73 00 65 00 63 00 75 00 72 00 i.n. .s.e.c.u.r.
69 00 74 00 79 00 20 00 64 00 65 00 73 00 63 00 i.t.y. .d.e.s.c.
72 00 69 00 70 00 74 00 6f 00 72 00 20 00 6f 00 r.i.p.t.o.r. .o.
66 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 f. .'.%.l.s.'...
00 00 00 00 00 00 00 00 55 00 6e 00 6b 00 6e 00 ........U.n.k.n.
6f 00 77 00 6e 00 20 00 67 00 72 00 6f 00 75 00 o.w.n. .g.r.o.u.
70 00 20 00 27 00 25 00 6c 00 73 00 27 00 20 00 p. .'.%.l.s.'. .
69 00 6e 00 20 00 73 00 65 00 63 00 75 00 72 00 i.n. .s.e.c.u.r.
69 00 74 00 79 00 20 00 64 00 65 00 73 00 63 00 i.t.y. .d.e.s.c.
72 00 69 00 70 00 74 00 6f 00 72 00 20 00 6f 00 r.i.p.t.o.r. .o.
66 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 f. .'.%.l.s.'...
00 00 00 00 00 00 00 00 49 00 73 00 56 00 61 00 ........I.s.V.a.
6c 00 69 00 64 00 53 00 69 00 64 00 28 00 29 00 l.i.d.S.i.d.(.).
20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 .r.e.t.u.r.n.e.
64 00 20 00 46 00 41 00 4c 00 53 00 45 00 20 00 d. .F.A.L.S.E. .
66 00 6f 00 72 00 20 00 67 00 72 00 6f 00 75 00 f.o.r. .g.r.o.u.
70 00 20 00 6f 00 66 00 20 00 27 00 25 00 6c 00 p. .o.f. .'.%.l.
73 00 27 00 0a 00 00 00 4e 00 6f 00 20 00 67 00 s.'.....N.o. .g.
72 00 6f 00 75 00 70 00 20 00 69 00 6e 00 20 00 r.o.u.p. .i.n. .
73 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 s.e.c.u.r.i.t.y.
20 00 64 00 65 00 73 00 63 00 72 00 69 00 70 00 .d.e.s.c.r.i.p.
74 00 6f 00 72 00 20 00 6f 00 66 00 20 00 27 00 t.o.r. .o.f. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 %.l.s.'.........
55 00 6e 00 6b 00 6e 00 6f 00 77 00 6e 00 20 00 U.n.k.n.o.w.n. .
6f 00 77 00 6e 00 65 00 72 00 20 00 27 00 25 00 o.w.n.e.r. .'.%.
6c 00 73 00 27 00 20 00 69 00 6e 00 20 00 73 00 l.s.'. .i.n. .s.
65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 e.c.u.r.i.t.y. .
64 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 d.e.s.c.r.i.p.t.
6f 00 72 00 20 00 6f 00 66 00 20 00 27 00 25 00 o.r. .o.f. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
49 00 73 00 56 00 61 00 6c 00 69 00 64 00 53 00 I.s.V.a.l.i.d.S.
69 00 64 00 28 00 29 00 20 00 72 00 65 00 74 00 i.d.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 46 00 41 00 u.r.n.e.d. .F.A.
4c 00 53 00 45 00 20 00 66 00 6f 00 72 00 20 00 L.S.E. .f.o.r. .
6f 00 77 00 6e 00 65 00 72 00 20 00 6f 00 66 00 o.w.n.e.r. .o.f.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
4e 00 6f 00 20 00 6f 00 77 00 6e 00 65 00 72 00 N.o. .o.w.n.e.r.
20 00 69 00 6e 00 20 00 73 00 65 00 63 00 75 00 .i.n. .s.e.c.u.
72 00 69 00 74 00 79 00 20 00 64 00 65 00 73 00 r.i.t.y. .d.e.s.
63 00 72 00 69 00 70 00 74 00 6f 00 72 00 20 00 c.r.i.p.t.o.r. .
6f 00 66 00 20 00 27 00 25 00 6c 00 73 00 27 00 o.f. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 4c 00 6f 00 63 00 61 00 ........L.o.c.a.
6c 00 46 00 72 00 65 00 65 00 28 00 29 00 20 00 l.F.r.e.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 49 00 73 00 56 00 61 00 l.u.....I.s.V.a.
6c 00 69 00 64 00 53 00 65 00 63 00 75 00 72 00 l.i.d.S.e.c.u.r.
69 00 74 00 79 00 44 00 65 00 73 00 63 00 72 00 i.t.y.D.e.s.c.r.
69 00 70 00 74 00 6f 00 72 00 28 00 29 00 20 00 i.p.t.o.r.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 46 00 41 00 4c 00 53 00 45 00 20 00 66 00 .F.A.L.S.E. .f.
6f 00 72 00 20 00 73 00 65 00 63 00 75 00 72 00 o.r. .s.e.c.u.r.
69 00 74 00 79 00 20 00 64 00 65 00 73 00 63 00 i.t.y. .d.e.s.c.
72 00 69 00 70 00 74 00 6f 00 72 00 20 00 6f 00 r.i.p.t.o.r. .o.
66 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 f. .'.%.l.s.'...
00 00 00 00 00 00 00 00 47 00 65 00 74 00 4e 00 ........G.e.t.N.
61 00 6d 00 65 00 64 00 53 00 65 00 63 00 75 00 a.m.e.d.S.e.c.u.
72 00 69 00 74 00 79 00 49 00 6e 00 66 00 6f 00 r.i.t.y.I.n.f.o.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 r. .%.l.u. .f.o.
72 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 r. .'.%.l.s.'...
00 00 00 00 00 00 00 00 46 00 69 00 6e 00 64 00 ........F.i.n.d.
46 00 69 00 72 00 73 00 74 00 46 00 69 00 6c 00 F.i.r.s.t.F.i.l.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 70 00 61 00 74 00 68 00 20 00 o.r. .p.a.t.h. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
46 00 69 00 6e 00 64 00 43 00 6c 00 6f 00 73 00 F.i.n.d.C.l.o.s.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 70 00 61 00 74 00 68 00 20 00 o.r. .p.a.t.h. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
46 00 69 00 6e 00 64 00 4e 00 65 00 78 00 74 00 F.i.n.d.N.e.x.t.
46 00 69 00 6c 00 65 00 28 00 29 00 20 00 72 00 F.i.l.e.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 20 00 66 00 6f 00 72 00 20 00 70 00 61 00 u. .f.o.r. .p.a.
74 00 68 00 20 00 27 00 25 00 6c 00 73 00 27 00 t.h. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 46 00 69 00 6e 00 64 00 ........F.i.n.d.
43 00 6c 00 6f 00 73 00 65 00 28 00 29 00 20 00 C.l.o.s.e.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 20 00 66 00 6f 00 72 00 20 00 61 00 l.u. .f.o.r. .a.
72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 20 00 r.g.u.m.e.n.t. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
4e 00 6f 00 20 00 6d 00 61 00 74 00 63 00 68 00 N.o. .m.a.t.c.h.
20 00 66 00 6f 00 72 00 20 00 61 00 72 00 67 00 .f.o.r. .a.r.g.
75 00 6d 00 65 00 6e 00 74 00 20 00 27 00 25 00 u.m.e.n.t. .'.%.
6c 00 73 00 27 00 21 00 0a 00 00 00 00 00 00 00 l.s.'.!.........
46 00 69 00 6e 00 64 00 4e 00 65 00 78 00 74 00 F.i.n.d.N.e.x.t.
46 00 69 00 6c 00 65 00 28 00 29 00 20 00 72 00 F.i.l.e.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 20 00 66 00 6f 00 72 00 20 00 61 00 72 00 u. .f.o.r. .a.r.
67 00 75 00 6d 00 65 00 6e 00 74 00 20 00 27 00 g.u.m.e.n.t. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 %.l.s.'.........
41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 A.r.g.u.m.e.n.t.
20 00 27 00 25 00 6c 00 73 00 27 00 20 00 65 00 .'.%.l.s.'. .e.
78 00 63 00 65 00 65 00 64 00 73 00 20 00 4d 00 x.c.e.e.d.s. .M.
41 00 58 00 5f 00 50 00 41 00 54 00 48 00 21 00 A.X._.P.A.T.H.!.
0a 00 00 00 00 00 00 00 46 00 69 00 6e 00 64 00 ........F.i.n.d.
46 00 69 00 72 00 73 00 74 00 46 00 69 00 6c 00 F.i.r.s.t.F.i.l.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 61 00 72 00 67 00 75 00 6d 00 o.r. .a.r.g.u.m.
65 00 6e 00 74 00 20 00 27 00 25 00 6c 00 73 00 e.n.t. .'.%.l.s.
27 00 0a 00 00 00 00 00 4e 00 6f 00 20 00 61 00 '.......N.o. .a.
72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 73 00 r.g.u.m.e.n.t.s.
3a 00 20 00 61 00 74 00 20 00 6c 00 65 00 61 00 :. .a.t. .l.e.a.
73 00 74 00 20 00 6f 00 6e 00 65 00 20 00 64 00 s.t. .o.n.e. .d.
69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 i.r.e.c.t.o.r.y.
20 00 6f 00 72 00 20 00 66 00 69 00 6c 00 65 00 .o.r. .f.i.l.e.
20 00 6e 00 61 00 6d 00 65 00 20 00 6d 00 75 00 .n.a.m.e. .m.u.
73 00 74 00 20 00 62 00 65 00 20 00 67 00 69 00 s.t. .b.e. .g.i.
76 00 65 00 6e 00 21 00 0a 00 00 00 00 00 00 00 v.e.n.!.........
43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 4c 00 C.o.m.m.a.n.d.L.
69 00 6e 00 65 00 54 00 6f 00 41 00 72 00 67 00 i.n.e.T.o.A.r.g.
76 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 v.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
44 2d 00 00 00 00 00 00 00 00 00 00 1a 2e 00 00 D-..............
00 20 00 00 60 2d 00 00 00 00 00 00 00 00 00 00 . ..`-..........
c8 2e 00 00 1c 20 00 00 8c 2d 00 00 00 00 00 00 ..... ...-......
00 00 00 00 ec 2e 00 00 48 20 00 00 94 2d 00 00 ........H ...-..
00 00 00 00 00 00 00 00 06 2f 00 00 50 20 00 00 ........./..P ..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 b0 2d 00 00 ca 2d 00 00 d8 2d 00 00 .....-...-...-..
e6 2d 00 00 02 2e 00 00 9c 2d 00 00 00 00 00 00 .-.......-......
28 2e 00 00 38 2e 00 00 48 2e 00 00 54 2e 00 00 (...8...H...T...
60 2e 00 00 70 2e 00 00 82 2e 00 00 90 2e 00 00 `...p...........
a6 2e 00 00 b8 2e 00 00 00 00 00 00 d6 2e 00 00 ................
00 00 00 00 f8 2e 00 00 00 00 00 00 91 01 4c 6f ..............Lo
6f 6b 75 70 41 63 63 6f 75 6e 74 53 69 64 57 00 okupAccountSidW.
6c 00 43 6f 6e 76 65 72 74 53 69 64 54 6f 53 74 l.ConvertSidToSt
72 69 6e 67 53 69 64 57 00 00 83 01 49 73 56 61 ringSidW....IsVa
6c 69 64 41 63 6c 00 00 86 01 49 73 56 61 6c 69 lidAcl....IsVali
64 53 69 64 00 00 85 01 49 73 56 61 6c 69 64 53 dSid....IsValidS
65 63 75 72 69 74 79 44 65 73 63 72 69 70 74 6f ecurityDescripto
72 00 42 01 47 65 74 4e 61 6d 65 64 53 65 63 75 r.B.GetNamedSecu
72 69 74 79 49 6e 66 6f 57 00 41 44 56 41 50 49 rityInfoW.ADVAPI
33 32 2e 64 6c 6c 00 00 24 05 57 72 69 74 65 43 32.dll..$.WriteC
6f 6e 73 6f 6c 65 57 00 02 02 47 65 74 4c 61 73 onsoleW...GetLas
74 45 72 72 6f 72 00 00 48 03 4c 6f 63 61 6c 46 tError..H.LocalF
72 65 65 00 2e 01 46 69 6e 64 43 6c 6f 73 65 00 ree...FindClose.
45 01 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 00 E.FindNextFileW.
39 01 46 69 6e 64 46 69 72 73 74 46 69 6c 65 57 9.FindFirstFileW
00 00 19 01 45 78 69 74 50 72 6f 63 65 73 73 00 ....ExitProcess.
ea 01 47 65 74 46 69 6c 65 41 74 74 72 69 62 75 ..GetFileAttribu
74 65 73 57 00 00 87 01 47 65 74 43 6f 6d 6d 61 tesW....GetComma
6e 64 4c 69 6e 65 57 00 64 02 47 65 74 53 74 64 ndLineW.d.GetStd
48 61 6e 64 6c 65 00 00 4b 45 52 4e 45 4c 33 32 Handle..KERNEL32
2e 64 6c 6c 00 00 06 00 43 6f 6d 6d 61 6e 64 4c .dll....CommandL
69 6e 65 54 6f 41 72 67 76 57 00 00 53 48 45 4c ineToArgvW..SHEL
4c 33 32 2e 64 6c 6c 00 35 03 77 76 73 70 72 69 L32.dll.5.wvspri
6e 74 66 57 00 00 55 53 45 52 33 32 2e 64 6c 6c ntfW..USER32.dll
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 ................
18 00 00 00 18 00 00 80 00 00 00 00 00 00 00 00 ................
04 00 00 00 00 00 01 00 01 00 00 00 30 00 00 80 ............0...
00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 ................
09 04 00 00 48 00 00 00 58 30 00 00 8e 05 00 00 ....H...X0......
e4 04 00 00 00 00 00 00 3c 61 73 73 65 6d 62 6c ........<assembl
79 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f y manifestVersio
6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3d 22 75 n="1.0" xmlns="u
72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f rn:schemas-micro
73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 soft-com:asm.v1"
3e 0d 0a 20 20 20 20 3c 61 73 73 65 6d 62 6c 79 >.. <assembly
49 64 65 6e 74 69 74 79 20 6e 61 6d 65 3d 22 65 Identity name="e
53 4b 61 6d 61 74 69 6f 6e 2e 54 69 64 62 69 74 SKamation.Tidbit
73 2e 53 65 63 75 72 69 74 79 20 44 65 73 63 72 s.Security Descr
69 70 74 6f 72 20 49 6e 73 70 65 63 74 6f 72 22 iptor Inspector"
20 70 72 6f 63 65 73 73 6f 72 41 72 63 68 69 74 processorArchit
65 63 74 75 72 65 3d 22 2a 22 20 74 79 70 65 3d ecture="*" type=
22 77 69 6e 33 32 22 20 76 65 72 73 69 6f 6e 3d "win32" version=
22 30 2e 38 2e 31 2e 35 22 3e 3c 2f 61 73 73 65 "0.8.1.5"></asse
6d 62 6c 79 49 64 65 6e 74 69 74 79 3e 0d 0a 20 mblyIdentity>..
20 20 20 3c 63 6f 6d 70 61 74 69 62 69 6c 69 74 <compatibilit
79 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 y xmlns="urn:sch
65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 emas-microsoft-c
6f 6d 3a 63 6f 6d 70 61 74 69 62 69 6c 69 74 79 om:compatibility
2e 76 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c .v1">.. <
61 70 70 6c 69 63 61 74 69 6f 6e 20 78 6d 6c 6e application xmln
73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d s="urn:schemas-m
69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d icrosoft-com:asm
2e 76 33 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 .v3">..
20 20 20 3c 73 75 70 70 6f 72 74 65 64 4f 53 20 <supportedOS
49 64 3d 22 7b 65 32 30 31 31 34 35 37 2d 31 35 Id="{e2011457-15
34 36 2d 34 33 63 35 2d 61 35 66 65 2d 30 30 38 46-43c5-a5fe-008
64 65 65 65 33 64 33 66 30 7d 22 3e 3c 2f 73 75 deee3d3f0}"></su
70 70 6f 72 74 65 64 4f 53 3e 0d 0a 20 20 20 20 pportedOS>..
20 20 20 20 20 20 20 20 3c 73 75 70 70 6f 72 74 <support
65 64 4f 53 20 49 64 3d 22 7b 33 35 31 33 38 62 edOS Id="{35138b
39 61 2d 35 64 39 36 2d 34 66 62 64 2d 38 65 32 9a-5d96-4fbd-8e2
64 2d 61 32 34 34 30 32 32 35 66 39 33 61 7d 22 d-a2440225f93a}"
3e 3c 2f 73 75 70 70 6f 72 74 65 64 4f 53 3e 0d ></supportedOS>.
0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 75 . <su
70 70 6f 72 74 65 64 4f 53 20 49 64 3d 22 7b 34 pportedOS Id="{4
61 32 66 32 38 65 33 2d 35 33 62 39 2d 34 34 34 a2f28e3-53b9-444
31 2d 62 61 39 63 2d 64 36 39 64 34 61 34 61 36 1-ba9c-d69d4a4a6
65 33 38 7d 22 3e 3c 2f 73 75 70 70 6f 72 74 65 e38}"></supporte
64 4f 53 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 dOS>..
20 20 3c 73 75 70 70 6f 72 74 65 64 4f 53 20 49 <supportedOS I
64 3d 22 7b 31 66 36 37 36 63 37 36 2d 38 30 65 d="{1f676c76-80e
31 2d 34 32 33 39 2d 39 35 62 62 2d 38 33 64 30 1-4239-95bb-83d0
66 36 64 30 64 61 37 38 7d 22 3e 3c 2f 73 75 70 f6d0da78}"></sup
70 6f 72 74 65 64 4f 53 3e 0d 0a 20 20 20 20 20 portedOS>..
20 20 20 20 20 20 20 3c 73 75 70 70 6f 72 74 65 <supporte
64 4f 53 20 49 64 3d 22 7b 38 65 30 66 37 61 31 dOS Id="{8e0f7a1
32 2d 62 66 62 33 2d 34 66 65 38 2d 62 39 61 35 2-bfb3-4fe8-b9a5
2d 34 38 66 64 35 30 61 31 35 61 39 61 7d 22 3e -48fd50a15a9a}">
3c 2f 73 75 70 70 6f 72 74 65 64 4f 53 3e 0d 0a </supportedOS>..
20 20 20 20 20 20 20 20 20 20 20 20 3c 77 69 6e <win
64 6f 77 73 53 65 74 74 69 6e 67 73 3e 0d 0a 20 dowsSettings>..
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c <
6c 6f 6e 67 50 61 74 68 41 77 61 72 65 20 78 6d longPathAware xm
6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 lns="http://sche
6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f mas.microsoft.co
6d 2f 53 4d 49 2f 32 30 31 36 2f 57 69 6e 64 6f m/SMI/2016/Windo
77 73 53 65 74 74 69 6e 67 73 22 3e 74 72 75 65 wsSettings">true
3c 2f 6c 6f 6e 67 50 61 74 68 41 77 61 72 65 3e </longPathAware>
0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f .. </
77 69 6e 64 6f 77 73 53 65 74 74 69 6e 67 73 3e windowsSettings>
0d 0a 20 20 20 20 20 20 20 20 3c 2f 61 70 70 6c .. </appl
69 63 61 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c 2f ication>.. </
63 6f 6d 70 61 74 69 62 69 6c 69 74 79 3e 0d 0a compatibility>..
20 20 20 20 3c 64 65 73 63 72 69 70 74 69 6f 6e <description
3e 53 65 63 75 72 69 74 79 20 44 65 73 63 72 69 >Security Descri
70 74 6f 72 20 49 6e 73 70 65 63 74 6f 72 3c 2f ptor Inspector</
64 65 73 63 72 69 70 74 69 6f 6e 3e 0d 0a 20 20 description>..
20 20 3c 74 72 75 73 74 49 6e 66 6f 20 78 6d 6c <trustInfo xml
6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d ns="urn:schemas-
6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 microsoft-com:as
6d 2e 76 32 22 3e 0d 0a 20 20 20 20 20 20 20 20 m.v2">..
3c 73 65 63 75 72 69 74 79 3e 0d 0a 20 20 20 20 <security>..
20 20 20 20 20 20 20 20 3c 72 65 71 75 65 73 74 <request
65 64 50 72 69 76 69 6c 65 67 65 73 20 78 6d 6c edPrivileges xml
6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d ns="urn:schemas-
6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 microsoft-com:as
6d 2e 76 33 22 3e 0d 0a 20 20 20 20 20 20 20 20 m.v3">..
20 20 20 20 20 20 20 20 3c 72 65 71 75 65 73 74 <request
65 64 45 78 65 63 75 74 69 6f 6e 4c 65 76 65 6c edExecutionLevel
20 6c 65 76 65 6c 3d 22 61 73 49 6e 76 6f 6b 65 level="asInvoke
72 22 20 75 69 41 63 63 65 73 73 3d 22 66 61 6c r" uiAccess="fal
73 65 22 3e 3c 2f 72 65 71 75 65 73 74 65 64 45 se"></requestedE
78 65 63 75 74 69 6f 6e 4c 65 76 65 6c 3e 0d 0a xecutionLevel>..
20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 72 65 </re
71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 questedPrivilege
73 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 65 s>.. </se
63 75 72 69 74 79 3e 0d 0a 20 20 20 20 3c 2f 74 curity>.. </t
72 75 73 74 49 6e 66 6f 3e 0d 0a 3c 2f 61 73 73 rustInfo>..</ass
65 6d 62 6c 79 3e 00 00 00 00 00 00 00 00 00 00 embly>..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file SECURITY.TXT created in step 5. to recreate the console application Security Descriptor Inspector:
CERTUTIL.EXE /DecodeHex /V SECURITY.TXT SECURITY.COM
Input Length = 36992
Output Length = 8704
CertUtil: -decodehex command completed successfully.
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!
The MSDN article Console Handles provides background information.
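The dump decoded in the step above is plain text in which each line carries up to 16 hex byte values followed by an ASCII rendering of the same bytes. The following portable C decoder is an added example (not part of the original page, not the author's code and not a description of how CertUtil works internally); it cross-checks every byte against the ASCII column, so a line damaged by copy and paste is reported instead of silently yielding a different executable. It assumes that non-printable bytes are rendered as '.' and that at least one space separates the two columns; the function names and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_LINE 16

/* Two hex digits at s -> byte value, or -1 if they are not hex digits. */
static int hex_byte(const char *s)
{
    int v = 0;
    for (int i = 0; i < 2; i++) {
        int c = (unsigned char)s[i];
        if (!isxdigit(c)) return -1;
        v = v * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    return v;
}

/* Decode one dump line of length len (line terminator already removed).
 * Returns the number of bytes stored in out, or -1 if the line is malformed
 * or its hex values disagree with its ASCII column. */
static int decode_line(const char *line, size_t len, unsigned char *out)
{
    unsigned char b[BYTES_PER_LINE];
    size_t end[BYTES_PER_LINE];      /* offset just past each hex token */
    size_t pos = 0;
    int k = 0;

    /* Greedily collect "xx" tokens separated by single spaces. */
    while (k < BYTES_PER_LINE && pos + 2 <= len) {
        int v = hex_byte(line + pos);
        if (v < 0 || (pos + 2 < len && line[pos + 2] != ' ')) break;
        b[k] = (unsigned char)v;
        end[k++] = pos + 2;
        pos += 3;
    }
    /* On a short last line the ASCII column itself can look like hex
     * ("61 62 ab"), so try the longest byte count first and accept the
     * first one whose trailing n characters render exactly those bytes. */
    for (int n = k; n > 0; n--) {
        size_t start = len - (size_t)n, i = end[n - 1];
        if (start <= i) continue;                     /* no gap left */
        while (i < start && line[i] == ' ') i++;
        if (i != start) continue;                     /* junk in the gap */
        for (i = 0; i < (size_t)n; i++) {
            char want = (b[i] >= 0x20 && b[i] <= 0x7e) ? (char)b[i] : '.';
            if (line[start + i] != want) break;
        }
        if (i == (size_t)n) { memcpy(out, b, (size_t)n); return n; }
    }
    return -1;
}

/* Decode a whole dump (LF or CRLF line ends, blank lines ignored).
 * Returns the number of bytes written to out, or -(line number) of the
 * first line that is damaged or would overflow the cap-byte buffer. */
long decode_dump(const char *text, unsigned char *out, size_t cap)
{
    size_t total = 0;
    long lineno = 0;

    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        const char *next = eol ? eol + 1 : text + len;

        lineno++;
        if (len && text[len - 1] == '\r') len--;      /* CRLF line end */
        if (len) {
            unsigned char b[BYTES_PER_LINE];
            int n = decode_line(text, len, b);
            if (n < 0 || total + (size_t)n > cap) return -lineno;
            memcpy(out + total, b, (size_t)n);
            total += (size_t)n;
        }
        text = next;
    }
    return (long)total;
}

/* Constructed sample in the dump's layout (not copied from SECURITY.TXT). */
static const char SAMPLE[] =
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............\r\n"
    "53 69 64 20 6f 66 20 27 25 6c 73 27 0a 00 61 62   Sid of '%ls'..ab\r\n"
    "61 62   ab\r\n";

int main(void)
{
    unsigned char out[64];
    long n = decode_dump(SAMPLE, out, sizeof out);

    if (n < 0) { printf("line %ld is damaged\n", -n); return 1; }
    printf("decoded %ld bytes, first two: %c%c\n", n, out[0], out[1]);
    return 0;
}
```

Run over a complete SECURITY.TXT that follows this layout, the returned byte count should equal the Output Length that CertUtil reports above (8704).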
Create the text file SIDEREAL.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <sddl.h>
#include <lmcons.h>
#ifndef SECURITY_LOCAL_LOGON_RID
#define SECURITY_LOCAL_LOGON_RID 1UL
#endif
#ifndef SECURITY_CREATOR_OWNER_RIGHTS_RID
#define SECURITY_CREATOR_OWNER_RIGHTS_RID 4UL
#endif
#ifndef DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS
#define DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS 498UL
#endif
#ifndef DOMAIN_GROUP_RID_READONLY_CONTROLLERS
#define DOMAIN_GROUP_RID_READONLY_CONTROLLERS 521UL
#endif
#ifndef DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS
#define DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS 522UL
#endif
#ifndef DOMAIN_GROUP_RID_PROTECTED_USERS
#define DOMAIN_GROUP_RID_PROTECTED_USERS 525UL
#endif
#ifndef DOMAIN_GROUP_RID_KEY_ADMINS
#define DOMAIN_GROUP_RID_KEY_ADMINS 526UL
#endif
#ifndef DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS
#define DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS 527UL
#endif
#ifndef DOMAIN_ALIAS_RID_IUSERS
#define DOMAIN_ALIAS_RID_IUSERS 568UL
#endif
#ifndef DOMAIN_ALIAS_RID_CRYPTO_OPERATORS
#define DOMAIN_ALIAS_RID_CRYPTO_OPERATORS 569UL
#endif
#ifndef DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP
#define DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP 571UL
#endif
#ifndef DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP
#define DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP 572UL
#endif
#ifndef DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP
#define DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP 573UL
#endif
#ifndef DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP
#define DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP 574UL
#endif
#ifndef DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS
#define DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS 575UL
#endif
#ifndef DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS
#define DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS 576UL
#endif
#ifndef DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS
#define DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS 577UL
#endif
#ifndef DOMAIN_ALIAS_RID_HYPER_V_ADMINS
#define DOMAIN_ALIAS_RID_HYPER_V_ADMINS 578UL
#endif
#ifndef DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS
#define DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS 579UL
#endif
#ifndef DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS
#define DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS 580UL
#endif
#ifndef DOMAIN_ALIAS_RID_DEFAULT_ACCOUNT
#define DOMAIN_ALIAS_RID_DEFAULT_ACCOUNT 581UL
#endif
#ifndef DOMAIN_ALIAS_RID_STORAGE_REPLICA_ADMINS
#define DOMAIN_ALIAS_RID_STORAGE_REPLICA_ADMINS 582UL
#endif
#ifndef DOMAIN_ALIAS_RID_DEVICE_OWNERS
#define DOMAIN_ALIAS_RID_DEVICE_OWNERS 583UL
#endif
#ifndef SECURITY_IUSER_RID
#define SECURITY_IUSER_RID 17UL
#endif
#ifndef SECURITY_ENTERPRISE_READONLY_CONTROLLERS_RID
#define SECURITY_ENTERPRISE_READONLY_CONTROLLERS_RID 22UL
#endif
#ifndef SECURITY_WRITE_RESTRICTED_CODE_RID
#define SECURITY_WRITE_RESTRICTED_CODE_RID 33UL
#endif
#ifndef SECURITY_CRED_TYPE_BASE_RID
#define SECURITY_CRED_TYPE_BASE_RID 65UL
#endif
#ifndef SECURITY_CRED_TYPE_THIS_ORG_CERT_RID
#define SECURITY_CRED_TYPE_THIS_ORG_CERT_RID 1UL
#endif
#ifndef SECURITY_SERVICE_ID_BASE_RID
#define SECURITY_SERVICE_ID_BASE_RID 80UL
#endif
#ifndef SECURITY_TRUSTED_INSTALLER_RID1
#define SECURITY_TRUSTED_INSTALLER_RID1 956008885UL
#define SECURITY_TRUSTED_INSTALLER_RID2 3418522649UL
#define SECURITY_TRUSTED_INSTALLER_RID3 1831038044UL
#define SECURITY_TRUSTED_INSTALLER_RID4 1853292631UL
#define SECURITY_TRUSTED_INSTALLER_RID5 2271478464UL
#endif
#ifndef SECURITY_RESERVED_ID_BASE_RID
#define SECURITY_RESERVED_ID_BASE_RID 81UL
#endif
#ifndef SECURITY_APPPOOL_ID_BASE_RID
#define SECURITY_APPPOOL_ID_BASE_RID 82UL
#endif
#ifndef SECURITY_VIRTUALSERVER_ID_BASE_RID
#define SECURITY_VIRTUALSERVER_ID_BASE_RID 83UL
#endif
#ifndef SECURITY_USERMODEDRIVERHOST_ID_BASE_RID
#define SECURITY_USERMODEDRIVERHOST_ID_BASE_RID 84UL
#endif
#ifndef SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_BASE_RID
#define SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_BASE_RID 85UL
#endif
#ifndef SECURITY_WMIHOST_ID_BASE_RID
#define SECURITY_WMIHOST_ID_BASE_RID 86UL
#endif
#ifndef SECURITY_TASK_ID_BASE_RID
#define SECURITY_TASK_ID_BASE_RID 87UL
#endif
#ifndef SECURITY_NFS_ID_BASE_RID
#define SECURITY_NFS_ID_BASE_RID 88UL
#endif
#ifndef SECURITY_COM_ID_BASE_RID
#define SECURITY_COM_ID_BASE_RID 89UL
#endif
#ifndef SECURITY_WINDOW_MANAGER_BASE_RID
#define SECURITY_WINDOW_MANAGER_BASE_RID 90UL
#endif
#ifndef SECURITY_RDV_GFX_BASE_RID
#define SECURITY_RDV_GFX_BASE_RID 91UL
#endif
#ifndef SECURITY_DASHOST_ID_BASE_RID
#define SECURITY_DASHOST_ID_BASE_RID 92UL
#endif
#ifndef SECURITY_USERMANAGER_ID_BASE_RID
#define SECURITY_USERMANAGER_ID_BASE_RID 93UL
#endif
#ifndef SECURITY_WINRM_ID_BASE_RID
#define SECURITY_WINRM_ID_BASE_RID 94UL
#endif
#ifndef SECURITY_WINDOWSMOBILE_ID_BASE_RID
#define SECURITY_WINDOWSMOBILE_ID_BASE_RID 112UL
#endif
#ifndef SECURITY_LOCAL_ACCOUNT_RID
#define SECURITY_LOCAL_ACCOUNT_RID 113UL
#endif
#ifndef SECURITY_LOCAL_ACCOUNT_AND_ADMIN_RID
#define SECURITY_LOCAL_ACCOUNT_AND_ADMIN_RID 114UL
#endif
#ifndef SECURITY_SITESERVER_AUTHORITY
#define SECURITY_SITESERVER_AUTHORITY {0, 0, 0, 0, 0, 6}
#endif
#ifndef SECURITY_INTERNETSITE_AUTHORITY
#define SECURITY_INTERNETSITE_AUTHORITY {0, 0, 0, 0, 0, 7}
#endif
#ifndef SECURITY_EXCHANGE_AUTHORITY
#define SECURITY_EXCHANGE_AUTHORITY {0, 0, 0, 0, 0, 8}
#endif
#ifndef SECURITY_PASSPORT_AUTHORITY
#define SECURITY_PASSPORT_AUTHORITY {0, 0, 0, 0, 0, 10}
#endif
#ifndef SECURITY_APP_PACKAGE_AUTHORITY
#define SECURITY_APP_PACKAGE_AUTHORITY {0, 0, 0, 0, 0, 15}
#define SECURITY_APP_PACKAGE_BASE_RID 2UL
#define SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE 1UL
#define SECURITY_CAPABILITY_BASE_RID 3UL
#define SECURITY_CAPABILITY_INTERNET_CLIENT 1UL
#define SECURITY_CAPABILITY_INTERNET_CLIENT_SERVER 2UL
#define SECURITY_CAPABILITY_PRIVATE_NETWORK_CLIENT_SERVER 3UL
#define SECURITY_CAPABILITY_PICTURES_LIBRARY 4UL
#define SECURITY_CAPABILITY_VIDEOS_LIBRARY 5UL
#define SECURITY_CAPABILITY_MUSIC_LIBRARY 6UL
#define SECURITY_CAPABILITY_DOCUMENTS_LIBRARY 7UL
#define SECURITY_CAPABILITY_ENTERPRISE_AUTHENTICATION 8UL
#define SECURITY_CAPABILITY_SHARED_USER_CERTIFICATES 9UL
#define SECURITY_CAPABILITY_REMOVABLE_STORAGE 10UL
#define SECURITY_CAPABILITY_APPOINTMENTS 11UL
#define SECURITY_CAPABILITY_CONTACTS 12UL
#define SECURITY_CAPABILITY_APP_RID 1024UL
#define SECURITY_CAPABILITY_INTERNET_EXPLORER 4096UL
#endif
#ifndef SECURITY_MANDATORY_LABEL_AUTHORITY
#define SECURITY_MANDATORY_LABEL_AUTHORITY {0, 0, 0, 0, 0, 16}
#define SECURITY_MANDATORY_UNTRUSTED_RID 0UL
#define SECURITY_MANDATORY_LOW_RID 4096UL
#define SECURITY_MANDATORY_MEDIUM_RID 8192UL
#define SECURITY_MANDATORY_MEDIUM_PLUS_RID (SECURITY_MANDATORY_MEDIUM_RID + 256UL)
#define SECURITY_MANDATORY_HIGH_RID 12288UL
#define SECURITY_MANDATORY_SYSTEM_RID 16384UL
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID 20480UL
#endif
#ifndef SECURITY_MANDATORY_SECURE_PROCESS_RID
#define SECURITY_MANDATORY_SECURE_PROCESS_RID 28672UL
#endif
#ifndef SECURITY_SCOPED_POLICY_ID_AUTHORITY
#define SECURITY_SCOPED_POLICY_ID_AUTHORITY {0, 0, 0, 0, 0, 17}
#endif
#ifndef SECURITY_AUTHENTICATION_AUTHORITY
#define SECURITY_AUTHENTICATION_AUTHORITY {0, 0, 0, 0, 0, 18}
#define SECURITY_AUTHENTICATION_AUTHORITY_ASSERTED_RID 1UL
#define SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID 2UL
#define SECURITY_AUTHENTICATION_FRESH_KEY_AUTH_RID 3UL
#define SECURITY_AUTHENTICATION_KEY_TRUST_RID 4UL
#define SECURITY_AUTHENTICATION_KEY_PROPERTY_MFA_RID 5UL
#define SECURITY_AUTHENTICATION_KEY_PROPERTY_ATTESTATION_RID 6UL
#endif
#ifndef SECURITY_PROCESS_TRUST_AUTHORITY
#define SECURITY_PROCESS_TRUST_AUTHORITY {0, 0, 0, 0, 0, 19}
#define SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID 0UL
#define SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID 512UL
#define SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID 1024UL
#define SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID 0UL
#define SECURITY_PROCESS_PROTECTION_LEVEL_AUTHENTICODE_RID 1024UL
#define SECURITY_PROCESS_PROTECTION_LEVEL_APP_RID 2048UL
#define SECURITY_PROCESS_PROTECTION_LEVEL_WINDOWS_RID 4096UL
#define SECURITY_PROCESS_PROTECTION_LEVEL_WINTCB_RID 8192UL
#endif
struct _SID2
{
BYTE Revision;
BYTE SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
DWORD SubAuthority[2];
}
const sid2[] =
{
// S-1-0 =
{SID_REVISION, 0, SECURITY_NULL_SID_AUTHORITY, {0, 0}},
// S-1-0-0 = 'NULL SID'
{SID_REVISION, 1, SECURITY_NULL_SID_AUTHORITY, {SECURITY_NULL_RID, 0}},
// S-1-1 =
{SID_REVISION, 0, SECURITY_WORLD_SID_AUTHORITY, {0, 0}},
// S-1-1-0 = 'Everyone'
{SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, {SECURITY_WORLD_RID, 0}},
// S-1-2 =
{SID_REVISION, 0, SECURITY_LOCAL_SID_AUTHORITY, {0, 0}},
// S-1-2-0 = 'LOCAL'
{SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHORITY, {SECURITY_LOCAL_RID, 0}},
// S-1-2-1 = 'CONSOLE LOGON'
{SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHORITY, {SECURITY_LOCAL_LOGON_RID, 0}},
// S-1-3 =
{SID_REVISION, 0, SECURITY_CREATOR_SID_AUTHORITY, {0, 0}},
// S-1-3-0 = 'CREATOR OWNER'
{SID_REVISION, 1, SECURITY_CREATOR_SID_AUTHORITY, {SECURITY_CREATOR_OWNER_RID, 0}},
// S-1-3-1 = 'CREATOR GROUP'
{SID_REVISION, 1, SECURITY_CREATOR_SID_AUTHORITY, {SECURITY_CREATOR_GROUP_RID, 0}},
// S-1-3-2 = 'CREATOR OWNER SERVER'
{SID_REVISION, 1, SECURITY_CREATOR_SID_AUTHORITY, {SECURITY_CREATOR_OWNER_SERVER_RID, 0}},
// S-1-3-3 = 'CREATOR GROUP SERVER'
{SID_REVISION, 1, SECURITY_CREATOR_SID_AUTHORITY, {SECURITY_CREATOR_GROUP_SERVER_RID, 0}},
// S-1-3-4 = 'OWNER RIGHTS'
{SID_REVISION, 1, SECURITY_CREATOR_SID_AUTHORITY, {SECURITY_CREATOR_OWNER_RIGHTS_RID, 0}},
// S-1-4 =
{SID_REVISION, 0, SECURITY_NON_UNIQUE_AUTHORITY, {0, 0}},
// S-1-4-0 =
{SID_REVISION, 1, SECURITY_NON_UNIQUE_AUTHORITY, {0, 0}},
// S-1-5 = 'NT Pseudo Domain\NT Pseudo Domain'
{SID_REVISION, 0, SECURITY_NT_AUTHORITY, {0, 0}},
// S-1-5-1 = 'NT AUTHORITY\DIALUP'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_DIALUP_RID, 0}},
// S-1-5-2 = 'NT AUTHORITY\NETWORK'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_NETWORK_RID, 0}},
// S-1-5-3 = 'NT AUTHORITY\BATCH'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_BATCH_RID, 0}},
// S-1-5-4 = 'NT AUTHORITY\INTERACTIVE'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_INTERACTIVE_RID, 0}},
// S-1-5-5 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_LOGON_IDS_RID, 0}},
// S-1-5-5-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_LOGON_IDS_RID, 0}},
// S-1-5-6 = 'NT AUTHORITY\SERVICE'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_SERVICE_RID, 0}},
// S-1-5-7 = 'NT AUTHORITY\ANONYMOUS LOGON'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_ANONYMOUS_LOGON_RID, 0}},
// S-1-5-8 = 'NT AUTHORITY\PROXY'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_PROXY_RID, 0}},
// S-1-5-9 = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_ENTERPRISE_CONTROLLERS_RID, 0}},
// S-1-5-10 = 'NT AUTHORITY\SELF'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_PRINCIPAL_SELF_RID, 0}},
// S-1-5-11 = 'NT AUTHORITY\Authenticated Users'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_AUTHENTICATED_USER_RID, 0}},
// S-1-5-12 = 'NT AUTHORITY\RESTRICTED'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_RESTRICTED_CODE_RID, 0}},
// S-1-5-13 = 'NT AUTHORITY\TERMINAL SERVER USER'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_TERMINAL_SERVER_RID, 0}},
// S-1-5-14 = 'NT AUTHORITY\REMOTE INTERACTIVE LOGON'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_REMOTE_LOGON_RID, 0}},
// S-1-5-15 = 'NT AUTHORITY\This Organization'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_THIS_ORGANIZATION_RID, 0}},
// S-1-5-16 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {16, 0}},
// S-1-5-17 = 'NT AUTHORITY\IUSR'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_IUSER_RID, 0}},
// S-1-5-18 = 'NT AUTHORITY\SYSTEM'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_LOCAL_SYSTEM_RID, 0}},
// S-1-5-19 = 'NT AUTHORITY\LOCAL SERVICE'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_LOCAL_SERVICE_RID, 0}},
// S-1-5-20 = 'NT AUTHORITY\NETWORK SERVICE'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_NETWORK_SERVICE_RID, 0}},
// S-1-5-21 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_NT_NON_UNIQUE, 0}},
// S-1-5-21-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_NT_NON_UNIQUE, 0}},
// S-1-5-21-1 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_NT_NON_UNIQUE, 1}},
// S-1-5-22 = 'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS BETA'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_ENTERPRISE_READONLY_CONTROLLERS_RID, 0}},
// S-1-5-32 = 'BUILTIN\BUILTIN'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, 0}},
// S-1-5-32-498 = 'BUILTIN\Enterprise Read-Only Domain Controllers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS}},
// S-1-5-32-500 = 'BUILTIN\Administrator'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_USER_RID_ADMIN}},
// S-1-5-32-501 = 'BUILTIN\User'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_USER_RID_GUEST}},
// S-1-5-32-502 = 'BUILTIN\Kerberos Ticket Granting Ticket'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_USER_RID_KRBTGT}},
// S-1-5-32-512 = 'BUILTIN\Domain Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_ADMINS}},
// S-1-5-32-513 = 'BUILTIN\Domain Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_USERS}},
// S-1-5-32-514 = 'BUILTIN\Domain Guests'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_GUESTS}},
// S-1-5-32-515 = 'BUILTIN\Domain Computers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_COMPUTERS}},
// S-1-5-32-516 = 'BUILTIN\Domain Controllers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_CONTROLLERS}},
// S-1-5-32-517 = 'BUILTIN\Certificate Server Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_CERT_ADMINS}},
// S-1-5-32-518 = 'BUILTIN\Schema Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_SCHEMA_ADMINS}},
// S-1-5-32-519 = 'BUILTIN\Enterprise Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_ENTERPRISE_ADMINS}},
// S-1-5-32-520 = 'BUILTIN\Group Policy Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_POLICY_ADMINS}},
// S-1-5-32-521 = 'BUILTIN\Read-Only Domain Controllers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_READONLY_CONTROLLERS}},
// S-1-5-32-522 = 'BUILTIN\Cloneable Controllers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS}},
// S-1-5-32-525 = 'BUILTIN\Protected Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_PROTECTED_USERS}},
// S-1-5-32-526 = 'BUILTIN\Key Admins'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_KEY_ADMINS}},
// S-1-5-32-527 = 'BUILTIN\Enterprise Key Admins'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS}},
// S-1-5-32-544 = 'BUILTIN\Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS}},
// S-1-5-32-545 = 'BUILTIN\Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS}},
// S-1-5-32-546 = 'BUILTIN\Guests'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_GUESTS}},
// S-1-5-32-547 = 'BUILTIN\Power Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS}},
// S-1-5-32-548 = 'BUILTIN\Account Operators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ACCOUNT_OPS}},
// S-1-5-32-549 = 'BUILTIN\System Operators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_SYSTEM_OPS}},
// S-1-5-32-550 = 'BUILTIN\Print Operators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_PRINT_OPS}},
// S-1-5-32-551 = 'BUILTIN\Backup Operators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_BACKUP_OPS}},
// S-1-5-32-552 = 'BUILTIN\Replicator'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_REPLICATOR}},
// S-1-5-32-553 = 'BUILTIN\RAS Servers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_RAS_SERVERS}},
// S-1-5-32-554 = 'BUILTIN\Pre-Windows 2000 Compatible Access'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_PREW2KCOMPACCESS}},
// S-1-5-32-555 = 'BUILTIN\Remote Desktop Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS}},
// S-1-5-32-556 = 'BUILTIN\Network Configuration Operators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS}},
// S-1-5-32-557 = 'BUILTIN\Incoming Forest Trust Builders'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS}},
// S-1-5-32-558 = 'BUILTIN\Performance Monitor Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_MONITORING_USERS}},
// S-1-5-32-559 = 'BUILTIN\Performance Log Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_LOGGING_USERS}},
// S-1-5-32-560 = 'BUILTIN\Windows Authorization Access Group'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS}},
// S-1-5-32-561 = 'BUILTIN\Terminal Server License Servers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS}},
// S-1-5-32-562 = 'BUILTIN\Distributed COM Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_DCOM_USERS}},
// S-1-5-32-568 = 'BUILTIN\IIS IUSRS'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_IUSERS}},
// S-1-5-32-569 = 'BUILTIN\Cryptographic Operators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_CRYPTO_OPERATORS}},
// S-1-5-32-571 = 'BUILTIN\Allowed RODC Password Replication Group'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP}},
// S-1-5-32-572 = 'BUILTIN\Denied RODC Password Replication Group'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP}},
// S-1-5-32-573 = 'BUILTIN\Event Log Readers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP}},
// S-1-5-32-574 = 'BUILTIN\Certificate Service DCOM Access'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP}},
// S-1-5-32-575 = 'BUILTIN\RDS Remote Access Servers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS}},
// S-1-5-32-576 = 'BUILTIN\RDS Endpoint Servers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS}},
// S-1-5-32-577 = 'BUILTIN\RDS Management Servers'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS}},
// S-1-5-32-578 = 'BUILTIN\Hyper-V Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_HYPER_V_ADMINS}},
// S-1-5-32-579 = 'BUILTIN\Access Control Assistance Operators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS}},
// S-1-5-32-580 = 'BUILTIN\Remote Management Users'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS}},
// S-1-5-32-581 = 'BUILTIN\System Managed Accounts Group'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_DEFAULT_ACCOUNT}},
// S-1-5-32-582 = 'BUILTIN\Storage Replica Administrators'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_STORAGE_REPLICA_ADMINS}},
// S-1-5-32-583 = 'BUILTIN\Device Owners'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_DEVICE_OWNERS}},
// S-1-5-33 = 'NT AUTHORITY\WRITE RESTRICTED'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_WRITE_RESTRICTED_CODE_RID, 0}},
// S-1-5-64 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_PACKAGE_BASE_RID, 0}},
// S-1-5-64-10 = 'NT AUTHORITY\NTLM Authentication'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_PACKAGE_BASE_RID, SECURITY_PACKAGE_NTLM_RID}},
// S-1-5-64-14 = 'NT AUTHORITY\SChannel Authentication'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_PACKAGE_BASE_RID, SECURITY_PACKAGE_SCHANNEL_RID}},
// S-1-5-64-21 = 'NT AUTHORITY\Digest Authentication'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_PACKAGE_BASE_RID, SECURITY_PACKAGE_DIGEST_RID}},
// S-1-5-65 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_CRED_TYPE_BASE_RID, 0}},
// S-1-5-65-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_CRED_TYPE_BASE_RID, 0}},
// S-1-5-65-1 = 'NT AUTHORITY\This Organization Certificate'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_CRED_TYPE_BASE_RID, SECURITY_CRED_TYPE_THIS_ORG_CERT_RID}},
// S-1-5-80 = 'NT SERVICE\NT SERVICE'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_SERVICE_ID_BASE_RID, 0}},
// S-1-5-80-0 = 'NT SERVICE\ALL SERVICES'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_SERVICE_ID_BASE_RID, 0}},
// S-1-5-80-1 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_SERVICE_ID_BASE_RID, 1}},
// S-1-5-81 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_RESERVED_ID_BASE_RID, 0}},
// S-1-5-81-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_RESERVED_ID_BASE_RID, 0}},
// S-1-5-82 = 'IIS APPPOOL\IIS APPPOOL'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_APPPOOL_ID_BASE_RID, 0}},
// S-1-5-82-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_APPPOOL_ID_BASE_RID, 0}},
// S-1-5-83 = 'NT VIRTUAL MACHINE\NT VIRTUAL MACHINE'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_VIRTUALSERVER_ID_BASE_RID, 0}},
// S-1-5-83-0 = 'NT VIRTUAL MACHINE\Virtual Machines'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_VIRTUALSERVER_ID_BASE_RID, 0}},
// S-1-5-84 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_USERMODEDRIVERHOST_ID_BASE_RID, 0}},
// S-1-5-84-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_USERMODEDRIVERHOST_ID_BASE_RID, 0}},
// S-1-5-85 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_BASE_RID, 0}},
// S-1-5-85-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_BASE_RID, 0}},
// S-1-5-86 = 'WMI\WMI'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_WMIHOST_ID_BASE_RID, 0}},
// S-1-5-86-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_WMIHOST_ID_BASE_RID, 0}},
// S-1-5-87 = 'NT TASK\NT TASK'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_TASK_ID_BASE_RID, 0}},
// S-1-5-87-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_TASK_ID_BASE_RID, 0}},
// S-1-5-88 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_NFS_ID_BASE_RID, 0}},
// S-1-5-88-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_NFS_ID_BASE_RID, 0}},
// S-1-5-89 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_COM_ID_BASE_RID, 0}},
// S-1-5-89-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_COM_ID_BASE_RID, 0}},
// S-1-5-90 = 'Window Manager\Window Manager'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_WINDOW_MANAGER_BASE_RID, 0}},
// S-1-5-90-0 = 'Window Manager\Window Manager Group'
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_WINDOW_MANAGER_BASE_RID, 0}},
// S-1-5-91 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_RDV_GFX_BASE_RID, 0}},
// S-1-5-91-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_RDV_GFX_BASE_RID, 0}},
// S-1-5-92 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_DASHOST_ID_BASE_RID, 0}},
// S-1-5-92-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_DASHOST_ID_BASE_RID, 0}},
// S-1-5-93 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_USERMANAGER_ID_BASE_RID, 0}},
// S-1-5-93-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_USERMANAGER_ID_BASE_RID, 0}},
// S-1-5-94 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_WINRM_ID_BASE_RID, 0}},
// S-1-5-94-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_WINRM_ID_BASE_RID, 0}},
// S-1-5-95 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {95, 0}},
// S-1-5-95-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {95, 0}},
// S-1-5-96 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {96, 0}},
// S-1-5-96-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {96, 0}},
// S-1-5-112 =
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_WINDOWSMOBILE_ID_BASE_RID, 0}},
// S-1-5-112-0 =
{SID_REVISION, 2, SECURITY_NT_AUTHORITY, {SECURITY_WINDOWSMOBILE_ID_BASE_RID, 0}},
// S-1-5-113 = 'NT AUTHORITY\Local Account'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_LOCAL_ACCOUNT_RID, 0}},
// S-1-5-114 = 'NT AUTHORITY\Local Account and Member of Administrators Group'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_LOCAL_ACCOUNT_AND_ADMIN_RID, 0}},
// S-1-5-1000 = 'NT AUTHORITY\Other Organization'
{SID_REVISION, 1, SECURITY_NT_AUTHORITY, {SECURITY_OTHER_ORGANIZATION_RID, 0}},
// S-1-6 =
{SID_REVISION, 0, SECURITY_SITESERVER_AUTHORITY, {0, 0}},
// S-1-6-0 =
{SID_REVISION, 1, SECURITY_SITESERVER_AUTHORITY, {0, 0}},
// S-1-6-0-0 =
{SID_REVISION, 2, SECURITY_SITESERVER_AUTHORITY, {0, 0}},
// S-1-6-0-1 =
{SID_REVISION, 2, SECURITY_SITESERVER_AUTHORITY, {0, 1}},
// S-1-7 = 'Internet$\Internet$'
{SID_REVISION, 0, SECURITY_INTERNETSITE_AUTHORITY, {0, 0}},
// S-1-7-0 =
{SID_REVISION, 1, SECURITY_INTERNETSITE_AUTHORITY, {0, 0}},
// S-1-7-0-0 =
{SID_REVISION, 2, SECURITY_INTERNETSITE_AUTHORITY, {0, 0}},
// S-1-7-0-1 =
{SID_REVISION, 2, SECURITY_INTERNETSITE_AUTHORITY, {0, 1}},
// S-1-8 =
{SID_REVISION, 0, SECURITY_EXCHANGE_AUTHORITY, {0, 0}},
// S-1-8-0 =
{SID_REVISION, 1, SECURITY_EXCHANGE_AUTHORITY, {0, 0}},
// S-1-8-0-0 =
{SID_REVISION, 2, SECURITY_EXCHANGE_AUTHORITY, {0, 0}},
// S-1-8-0-1 =
{SID_REVISION, 2, SECURITY_EXCHANGE_AUTHORITY, {0, 1}},
// S-1-9 =
{SID_REVISION, 0, SECURITY_RESOURCE_MANAGER_AUTHORITY, {0, 0}},
// S-1-9-0 =
{SID_REVISION, 1, SECURITY_RESOURCE_MANAGER_AUTHORITY, {0, 0}},
// S-1-9-0-0 =
{SID_REVISION, 2, SECURITY_RESOURCE_MANAGER_AUTHORITY, {0, 0}},
// S-1-9-0-1 =
{SID_REVISION, 2, SECURITY_RESOURCE_MANAGER_AUTHORITY, {0, 1}},
// S-1-10 =
{SID_REVISION, 0, SECURITY_PASSPORT_AUTHORITY, {0, 0}},
// S-1-10-0 =
{SID_REVISION, 1, SECURITY_PASSPORT_AUTHORITY, {0, 0}},
// S-1-10-0-0 =
{SID_REVISION, 2, SECURITY_PASSPORT_AUTHORITY, {0, 0}},
// S-1-10-0-1 =
{SID_REVISION, 2, SECURITY_PASSPORT_AUTHORITY, {0, 1}},
// S-1-15 =
{SID_REVISION, 0, SECURITY_APP_PACKAGE_AUTHORITY, {0, 0}},
// S-1-15-0 =
{SID_REVISION, 1, SECURITY_APP_PACKAGE_AUTHORITY, {0, 0}},
// S-1-15-1 = 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
{SID_REVISION, 1, SECURITY_APP_PACKAGE_AUTHORITY, {1, 0}},
// S-1-15-2 =
{SID_REVISION, 1, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_APP_PACKAGE_BASE_RID, 0}},
// S-1-15-2-0 =
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_APP_PACKAGE_BASE_RID, 0}},
// S-1-15-2-1 =
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_APP_PACKAGE_BASE_RID, SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE}},
// S-1-15-3 =
{SID_REVISION, 1, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, 0}},
// S-1-15-3-0 =
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, 0}},
// S-1-15-3-1 = 'APPLICATION PACKAGE AUTHORITY\Your Internet connection'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_INTERNET_CLIENT}},
// S-1-15-3-2 = 'APPLICATION PACKAGE AUTHORITY\Your Internet connection, including incoming connections from the Internet'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_INTERNET_CLIENT_SERVER}},
// S-1-15-3-3 = 'APPLICATION PACKAGE AUTHORITY\Your home or work networks'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_PRIVATE_NETWORK_CLIENT_SERVER}},
// S-1-15-3-4 = 'APPLICATION PACKAGE AUTHORITY\Your pictures library'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_PICTURES_LIBRARY}},
// S-1-15-3-5 = 'APPLICATION PACKAGE AUTHORITY\Your videos library'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_VIDEOS_LIBRARY}},
// S-1-15-3-6 = 'APPLICATION PACKAGE AUTHORITY\Your music library'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_MUSIC_LIBRARY}},
// S-1-15-3-7 = 'APPLICATION PACKAGE AUTHORITY\Your documents library'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_DOCUMENTS_LIBRARY}},
// S-1-15-3-8 = 'APPLICATION PACKAGE AUTHORITY\Your Windows credentials'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_ENTERPRISE_AUTHENTICATION}},
// S-1-15-3-9 = 'APPLICATION PACKAGE AUTHORITY\Software and hardware certificates or a smart card'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_SHARED_USER_CERTIFICATES}},
// S-1-15-3-10 = 'APPLICATION PACKAGE AUTHORITY\Removable storage'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_REMOVABLE_STORAGE}},
// S-1-15-3-11 = 'APPLICATION PACKAGE AUTHORITY\Your Appointments'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_APPOINTMENTS}},
// S-1-15-3-12 = 'APPLICATION PACKAGE AUTHORITY\Your Contacts'
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_CONTACTS}},
// S-1-15-3-1024 =
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_APP_RID}},
// S-1-15-3-4096 =
{SID_REVISION, 2, SECURITY_APP_PACKAGE_AUTHORITY, {SECURITY_CAPABILITY_BASE_RID, SECURITY_CAPABILITY_INTERNET_EXPLORER}},
// S-1-16 = 'Mandatory Label\Mandatory Label'
{SID_REVISION, 0, SECURITY_MANDATORY_LABEL_AUTHORITY, {0, 0}},
// S-1-16-0 = 'Mandatory Label\Untrusted Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_UNTRUSTED_RID, 0}},
// S-1-16-4096 = 'Mandatory Label\Low Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_LOW_RID, 0}},
// S-1-16-8192 = 'Mandatory Label\Medium Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_MEDIUM_RID, 0}},
// S-1-16-8448 = 'Mandatory Label\Medium Plus Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_MEDIUM_PLUS_RID, 0}},
// S-1-16-12288 = 'Mandatory Label\High Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_HIGH_RID, 0}},
// S-1-16-16384 = 'Mandatory Label\System Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_SYSTEM_RID, 0}},
// S-1-16-20480 = 'Mandatory Label\Protected Process Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_PROTECTED_PROCESS_RID, 0}},
// S-1-16-24576 =
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {24576, 0}},
// S-1-16-28672 = 'Mandatory Label\Secure Process Mandatory Level'
{SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, {SECURITY_MANDATORY_SECURE_PROCESS_RID, 0}},
// S-1-17 =
{SID_REVISION, 0, SECURITY_SCOPED_POLICY_ID_AUTHORITY, {0, 0}},
// S-1-17-0 =
{SID_REVISION, 1, SECURITY_SCOPED_POLICY_ID_AUTHORITY, {0, 0}},
// S-1-18 =
{SID_REVISION, 0, SECURITY_AUTHENTICATION_AUTHORITY, {0, 0}},
// S-1-18-0 =
{SID_REVISION, 1, SECURITY_AUTHENTICATION_AUTHORITY, {0, 0}},
// S-1-18-1 = 'Authentication Authority Asserted Identity'
{SID_REVISION, 1, SECURITY_AUTHENTICATION_AUTHORITY, {SECURITY_AUTHENTICATION_AUTHORITY_ASSERTED_RID, 0}},
// S-1-18-2 = 'Service Asserted Identity'
{SID_REVISION, 1, SECURITY_AUTHENTICATION_AUTHORITY, {SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID, 0}},
// S-1-18-3 = 'Fresh Public Key Identity'
{SID_REVISION, 1, SECURITY_AUTHENTICATION_AUTHORITY, {SECURITY_AUTHENTICATION_FRESH_KEY_AUTH_RID, 0}},
// S-1-18-4 = 'Key Trust Identity'
{SID_REVISION, 1, SECURITY_AUTHENTICATION_AUTHORITY, {SECURITY_AUTHENTICATION_KEY_TRUST_RID, 0}},
// S-1-18-5 = 'Key Property Multi-factor Authentication'
{SID_REVISION, 1, SECURITY_AUTHENTICATION_AUTHORITY, {SECURITY_AUTHENTICATION_KEY_PROPERTY_MFA_RID, 0}},
// S-1-18-6 = 'Key Property Attestation'
{SID_REVISION, 1, SECURITY_AUTHENTICATION_AUTHORITY, {SECURITY_AUTHENTICATION_KEY_PROPERTY_ATTESTATION_RID, 0}},
// S-1-19 =
{SID_REVISION, 0, SECURITY_PROCESS_TRUST_AUTHORITY, {0, 0}},
// S-1-19-0 =
{SID_REVISION, 1, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID, 0}},
// S-1-19-0-0 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID, SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID}},
// S-1-19-512 =
{SID_REVISION, 1, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID, 0}},
// S-1-19-512-0 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID, SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID}},
// S-1-19-512-1024 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID, SECURITY_PROCESS_PROTECTION_LEVEL_AUTHENTICODE_RID}},
// S-1-19-512-2048 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID, SECURITY_PROCESS_PROTECTION_LEVEL_APP_RID}},
// S-1-19-512-4096 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID, SECURITY_PROCESS_PROTECTION_LEVEL_WINDOWS_RID}},
// S-1-19-512-8192 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID, SECURITY_PROCESS_PROTECTION_LEVEL_WINTCB_RID}},
// S-1-19-1024 =
{SID_REVISION, 1, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID, 0}},
// S-1-19-1024-0 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID, SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID}},
// S-1-19-1024-1024 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID, SECURITY_PROCESS_PROTECTION_LEVEL_AUTHENTICODE_RID}},
// S-1-19-1024-2048 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID, SECURITY_PROCESS_PROTECTION_LEVEL_APP_RID}},
// S-1-19-1024-4096 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID, SECURITY_PROCESS_PROTECTION_LEVEL_WINDOWS_RID}},
// S-1-19-1024-8192 =
{SID_REVISION, 2, SECURITY_PROCESS_TRUST_AUTHORITY, {SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID, SECURITY_PROCESS_PROTECTION_LEVEL_WINTCB_RID}}
};
struct _SID6
{
BYTE Revision;
BYTE SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
DWORD SubAuthority[6];
}
const sid6[] =
{
// S-1-5-21-0-0-0-496 =
{SID_REVISION, 5, SECURITY_NT_AUTHORITY, {SECURITY_NT_NON_UNIQUE, 0, 0, 0, 496, 0}},
// S-1-5-21-0-0-0-497 =
{SID_REVISION, 5, SECURITY_NT_AUTHORITY, {SECURITY_NT_NON_UNIQUE, 0, 0, 0, 497, 0}},
// S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 = 'NT SERVICE\TrustedInstaller'
{SID_REVISION, 6, SECURITY_NT_AUTHORITY, {SECURITY_SERVICE_ID_BASE_RID, SECURITY_TRUSTED_INSTALLER_RID1, SECURITY_TRUSTED_INSTALLER_RID2, SECURITY_TRUSTED_INSTALLER_RID3, SECURITY_TRUSTED_INSTALLER_RID4, SECURITY_TRUSTED_INSTALLER_RID5}},
// S-1-5-84-0-0-0-0-0 = 'NT AUTHORITY\USER MODE DRIVERS'
{SID_REVISION, 6, SECURITY_NT_AUTHORITY, {SECURITY_USERMODEDRIVERHOST_ID_BASE_RID, 0, 0, 0, 0, 0}},
// S-1-5-86-615999462-62705297-2911207457-59056572-3668589837 = 'WMI\Network Service'
{SID_REVISION, 6, SECURITY_NT_AUTHORITY, {SECURITY_WMIHOST_ID_BASE_RID, 615999462, 62705297, 2911207457, 59056572, 3668589837}},
// S-1-5-86-1544737700-199408000-2549878335-3519669259-381336952 = 'WMI\Local Service'
{SID_REVISION, 6, SECURITY_NT_AUTHORITY, {SECURITY_WMIHOST_ID_BASE_RID, 1544737700, 199408000, 2549878335, 3519669259, 381336952}}
};
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
    WCHAR szBuffer[1025]; // wvsprintf() output is limited to 1024 characters
    DWORD dwBuffer;
    DWORD dwConsole;
    va_list vaInserts;
    va_start(vaInserts, lpFormat);
    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
    va_end(vaInserts);
    if (dwBuffer == 0)
        return FALSE;
    if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
        return FALSE;
    return dwConsole == dwBuffer;
}
const LPCWSTR szSNU[] = {NULL, // indexed by SID_NAME_USE, which starts at SidTypeUser = 1
                         L"user",
                         L"group",
                         L"domain",
                         L"alias",
                         L"well-known group",
                         L"deleted account",
                         L"invalid",
                         L"unknown",
                         L"computer",
                         L"label",
                         L"logon session"};
__declspec(safebuffers)
SID_NAME_USE WINAPI CheckSID(HANDLE hConsole, SID *sid)
{
    LPWSTR lpStringSID;
    DWORD dwError = ERROR_SUCCESS;
    WCHAR szAccount[UNLEN + 1];
    DWORD dwAccount = sizeof(szAccount) / sizeof(*szAccount);
    WCHAR szDomain[GNLEN + 1];
    DWORD dwDomain = sizeof(szDomain) / sizeof(*szDomain);
    SID_NAME_USE snu = 0;
    if (!ConvertSidToStringSid(sid, &lpStringSID))
        PrintConsole(hConsole,
                     L"ConvertSidToStringSid() returned error %lu\n",
                     dwError = GetLastError());
    else
    {
        if (!LookupAccountSid((LPCWSTR) NULL,
                              sid,
                              szAccount, &dwAccount,
                              szDomain, &dwDomain,
                              &snu))
        {
            dwError = GetLastError();
            if (dwError != ERROR_NONE_MAPPED) // SIDs without a name are skipped silently
                PrintConsole(hConsole,
                             L"LookupAccountSid() returned error %lu for security identifier \'%ls\'\n",
                             dwError, lpStringSID);
        }
        else
            if (*szDomain == L'\0')
                PrintConsole(hConsole,
                             L"%ls: %ls \'%ls\'\n",
                             lpStringSID, szSNU[snu], szAccount);
            else if (*szAccount == L'\0')
                PrintConsole(hConsole,
                             L"%ls: %ls \'%ls\'\n",
                             lpStringSID, szSNU[snu], szDomain);
            else
                PrintConsole(hConsole,
                             L"%ls: %ls \'%ls\\%ls\'\n",
                             lpStringSID, szSNU[snu], szDomain, szAccount);
        if (LocalFree(lpStringSID) != NULL)
            PrintConsole(hConsole,
                         L"LocalFree() returned error %lu\n",
                         GetLastError());
    }
    // SetLastError(dwError);
    return snu;
}
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    SID_NAME_USE snu;
    WCHAR szAccount[UNLEN + 1];
    DWORD dwAccount = sizeof(szAccount) / sizeof(*szAccount);
    WCHAR szDomain[GNLEN + 1];
    DWORD dwDomain = sizeof(szDomain) / sizeof(*szDomain);
    BYTE sid[SECURITY_MAX_SID_SIZE];
    BOOL bSid;
    DWORD dwSid;
    DWORD dw;
    DWORD *lpRid;
    DWORD dwError = ERROR_SUCCESS;
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        for (dw = 0; dw < sizeof(sid2) / sizeof(*sid2); dw++)
            CheckSID(hConsole, (SID *) &sid2[dw]);
        for (dw = 0; dw < sizeof(sid6) / sizeof(*sid6); dw++)
            CheckSID(hConsole, (SID *) &sid6[dw]);
        for (dw = 0; dw < 128; dw++) // probe every WELL_KNOWN_SID_TYPE value
        {
            dwSid = sizeof(sid);
            if (!CreateWellKnownSid((WELL_KNOWN_SID_TYPE) dw,
                                    (SID *) NULL,
                                    (SID *) sid,
                                    &dwSid))
            {
                dwError = GetLastError();
                if (dwError != ERROR_INVALID_PARAMETER) // rejected types are skipped silently
                    PrintConsole(hConsole,
                                 L"CreateWellKnownSid() returned error %lu\n",
                                 dwError);
            }
            else
            {
                bSid = FALSE;
                if (dwSid <= sizeof(*sid2))
                {
                    for (dwSid = 0; dwSid < sizeof(sid2) / sizeof(*sid2); dwSid++)
                        if (bSid = EqualSid((SID *) sid, (SID *) &sid2[dwSid]))
                            break;
                }
                else if (dwSid == sizeof(*sid6))
                {
                    for (dwSid = 0; dwSid < sizeof(sid6) / sizeof(*sid6); dwSid++)
                        if (bSid = EqualSid((SID *) sid, (SID *) &sid6[dwSid]))
                            break;
                }
                else
                    continue;
                if (!bSid) // print only SIDs not already listed in the tables
                    CheckSID(hConsole, (SID *) sid);
            }
        }
        if (!GetComputerName(szAccount, &dwAccount))
            PrintConsole(hConsole,
                         L"GetComputerName() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
            dwSid = sizeof(sid);
            if (!LookupAccountName((LPCWSTR) NULL,
                                   szAccount,
                                   (SID *) sid, &dwSid,
                                   szDomain, &dwDomain,
                                   &snu))
                PrintConsole(hConsole,
                             L"LookupAccountName() returned error %lu for \'%ls\'\n",
                             dwError = GetLastError(), szAccount);
            else
            {
                CheckSID(hConsole, (SID *) sid);
                // append one sub-authority to the computer's SID and probe a range of RIDs
                lpRid = GetSidSubAuthority((SID *) sid, GetSidSubAuthorityCount((SID *) sid)[0]++);
                for (lpRid[0] = FOREST_USER_RID_MAX - 1; lpRid[0] <= DOMAIN_USER_RID_MAX + 1; lpRid[0]++)
                    CheckSID(hConsole, (SID *) sid);
            }
        }
        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }
    ExitProcess(dwError);
}
Run the following four command lines to compile the source file SIDEREAL.C created in step 1., link the compiled object file SIDEREAL.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.1 /OUT:"Really Known SIDs Enumerator.com" /RELEASE /SUBSYSTEM:CONSOLE,5.1 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE SIDEREAL.C
ERASE SIDEREAL.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
SIDEREAL.C
SIDEREAL.C(957) : warning C4706: assignment within conditional expression
SIDEREAL.C(963) : warning C4706: assignment within conditional expression
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Finally execute the console application SIDEREAL.COM built in step 2.:
VER
.\SIDEREAL.COM
Microsoft Windows [Version 10.0.19044]
S-1-0-0: well-known group 'NULL SID'
S-1-1-0: well-known group 'Everyone'
S-1-2-0: well-known group 'LOCAL'
S-1-2-1: well-known group 'CONSOLE LOGON'
S-1-3-0: well-known group 'CREATOR OWNER'
S-1-3-1: well-known group 'CREATOR GROUP'
S-1-3-2: well-known group 'CREATOR OWNER SERVER'
S-1-3-3: well-known group 'CREATOR GROUP SERVER'
S-1-3-4: well-known group 'OWNER RIGHTS'
S-1-5: domain 'NT Pseudo Domain\NT Pseudo Domain'
S-1-5-1: well-known group 'NT AUTHORITY\DIALUP'
S-1-5-2: well-known group 'NT AUTHORITY\NETWORK'
S-1-5-3: well-known group 'NT AUTHORITY\BATCH'
S-1-5-4: well-known group 'NT AUTHORITY\INTERACTIVE'
S-1-5-6: well-known group 'NT AUTHORITY\SERVICE'
S-1-5-7: well-known group 'NT AUTHORITY\ANONYMOUS LOGON'
S-1-5-8: well-known group 'NT AUTHORITY\PROXY'
S-1-5-9: well-known group 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
S-1-5-10: well-known group 'NT AUTHORITY\SELF'
S-1-5-11: well-known group 'NT AUTHORITY\Authenticated Users'
S-1-5-12: well-known group 'NT AUTHORITY\RESTRICTED'
S-1-5-13: well-known group 'NT AUTHORITY\TERMINAL SERVER USER'
S-1-5-14: well-known group 'NT AUTHORITY\REMOTE INTERACTIVE LOGON'
S-1-5-15: well-known group 'NT AUTHORITY\This Organization'
S-1-5-17: well-known group 'NT AUTHORITY\IUSR'
S-1-5-18: well-known group 'NT AUTHORITY\SYSTEM'
S-1-5-19: well-known group 'NT AUTHORITY\LOCAL SERVICE'
S-1-5-20: well-known group 'NT AUTHORITY\NETWORK SERVICE'
S-1-5-22: well-known group 'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS BETA'
S-1-5-32: domain 'BUILTIN\BUILTIN'
S-1-5-32-544: alias 'BUILTIN\Administrators'
S-1-5-32-545: alias 'BUILTIN\Users'
S-1-5-32-546: alias 'BUILTIN\Guests'
S-1-5-32-547: alias 'BUILTIN\Power Users'
S-1-5-32-551: alias 'BUILTIN\Backup Operators'
S-1-5-32-552: alias 'BUILTIN\Replicator'
S-1-5-32-555: alias 'BUILTIN\Remote Desktop Users'
S-1-5-32-556: alias 'BUILTIN\Network Configuration Operators'
S-1-5-32-558: alias 'BUILTIN\Performance Monitor Users'
S-1-5-32-559: alias 'BUILTIN\Performance Log Users'
S-1-5-32-562: alias 'BUILTIN\Distributed COM Users'
S-1-5-32-568: alias 'BUILTIN\IIS_IUSRS'
S-1-5-32-569: alias 'BUILTIN\Cryptographic Operators'
S-1-5-32-573: alias 'BUILTIN\Event Log Readers'
S-1-5-32-578: alias 'BUILTIN\Hyper-V Administrators'
S-1-5-32-579: alias 'BUILTIN\Access Control Assistance Operators'
S-1-5-32-580: alias 'BUILTIN\Remote Management Users'
S-1-5-32-581: alias 'BUILTIN\System Managed Accounts Group'
S-1-5-32-583: alias 'BUILTIN\Device Owners'
S-1-5-33: well-known group 'NT AUTHORITY\WRITE RESTRICTED'
S-1-5-64-10: well-known group 'NT AUTHORITY\NTLM Authentication'
S-1-5-64-14: well-known group 'NT AUTHORITY\SChannel Authentication'
S-1-5-64-21: well-known group 'NT AUTHORITY\Digest Authentication'
S-1-5-65-1: well-known group 'NT AUTHORITY\This Organization Certificate'
S-1-5-80: domain 'NT SERVICE\NT SERVICE'
S-1-5-80-0: well-known group 'NT SERVICE\ALL SERVICES'
S-1-5-87: domain 'NT TASK\NT TASK'
S-1-5-90: domain 'Window Manager\Window Manager'
S-1-5-90-0: well-known group 'Window Manager\Window Manager Group'
S-1-5-96: domain 'Font Driver Host\Font Driver Host'
S-1-5-113: well-known group 'NT AUTHORITY\Local account'
S-1-5-114: well-known group 'NT AUTHORITY\Local account and member of Administrators group'
S-1-5-1000: well-known group 'NT AUTHORITY\Other Organization'
S-1-7: domain 'Internet$\Internet$'
S-1-15-2-1: well-known group 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
S-1-15-3-1: well-known group 'APPLICATION PACKAGE AUTHORITY\Your Internet connection'
S-1-15-3-2: well-known group 'APPLICATION PACKAGE AUTHORITY\Your Internet connection, including incoming connections from the Internet'
S-1-15-3-3: well-known group 'APPLICATION PACKAGE AUTHORITY\Your home or work networks'
S-1-15-3-4: well-known group 'APPLICATION PACKAGE AUTHORITY\Your pictures library'
S-1-15-3-5: well-known group 'APPLICATION PACKAGE AUTHORITY\Your videos library'
S-1-15-3-6: well-known group 'APPLICATION PACKAGE AUTHORITY\Your music library'
S-1-15-3-7: well-known group 'APPLICATION PACKAGE AUTHORITY\Your documents library'
S-1-15-3-8: well-known group 'APPLICATION PACKAGE AUTHORITY\Your Windows credentials'
S-1-15-3-9: well-known group 'APPLICATION PACKAGE AUTHORITY\Software and hardware certificates or a smart card'
S-1-15-3-10: well-known group 'APPLICATION PACKAGE AUTHORITY\Removable storage'
S-1-15-3-11: well-known group 'APPLICATION PACKAGE AUTHORITY\Your Appointments'
S-1-15-3-12: well-known group 'APPLICATION PACKAGE AUTHORITY\Your Contacts'
S-1-16: domain 'Mandatory Label\Mandatory Label'
S-1-16-0: label 'Mandatory Label\Untrusted Mandatory Level'
S-1-16-4096: label 'Mandatory Label\Low Mandatory Level'
S-1-16-8192: label 'Mandatory Label\Medium Mandatory Level'
S-1-16-8448: label 'Mandatory Label\Medium Plus Mandatory Level'
S-1-16-12288: label 'Mandatory Label\High Mandatory Level'
S-1-16-16384: label 'Mandatory Label\System Mandatory Level'
S-1-16-20480: label 'Mandatory Label\Protected Process Mandatory Level'
S-1-18-1: well-known group 'Authentication authority asserted identity'
S-1-18-2: well-known group 'Service asserted identity'
S-1-18-3: well-known group 'Fresh public key identity'
S-1-18-4: well-known group 'Key trust identity'
S-1-18-5: well-known group 'Key property multi-factor authentication'
S-1-18-6: well-known group 'Key property attestation'
S-1-5-21-0-0-0-496: well-known group 'NT AUTHORITY\Compound Identity Present'
S-1-5-21-0-0-0-497: well-known group 'NT AUTHORITY\Claims Valid'
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464: well-known group 'NT SERVICE\TrustedInstaller'
S-1-5-84-0-0-0-0-0: well-known group 'NT AUTHORITY\USER MODE DRIVERS'
S-1-5-21-820728443-44925810-1835867902: domain 'AMNESIAC'
S-1-5-21-820728443-44925810-1835867902-500: user 'AMNESIAC\Administrator'
S-1-5-21-820728443-44925810-1835867902-501: user 'AMNESIAC\Guest'
S-1-5-21-820728443-44925810-1835867902-503: user 'AMNESIAC\DefaultAccount'
S-1-5-21-820728443-44925810-1835867902-504: user 'AMNESIAC\WDAGUtilityAccount'
S-1-5-21-820728443-44925810-1835867902-513: group 'AMNESIAC\None'
S-1-5-21-820728443-44925810-1835867902-1000: user 'AMNESIAC\Stefan'
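The tables in the source and the output above pair each binary SID structure with its string form. As an added example (not part of the original page or the author's program), the following portable C decodes that binary layout without the Windows API and bounds every read by the SubAuthorityCount field rather than by the size of the storage; the function names and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_HEADER_SIZE          8  /* Revision, SubAuthorityCount, 6-byte authority */
#define SID_MAX_SUB_AUTHORITIES 15  /* upper bound for a revision 1 SID */

/* Constructed sample inputs: byte forms of SIDs that appear in the listing. */
static const uint8_t SAMPLE_ADMINS[16] = {      /* S-1-5-32-544 */
    1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0};
static const uint8_t SAMPLE_HIGH_LABEL[16] = {  /* S-1-16-12288 stored in a two-slot struct */
    1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x30, 0, 0, 0, 0, 0, 0};
static const uint8_t SAMPLE_TRUSTED_INSTALLER[32] = {
    1, 6, 0, 0, 0, 0, 0, 5, 0x50, 0, 0, 0,
    0xB5, 0x89, 0xFB, 0x38, 0x19, 0x84, 0xC2, 0xCB, 0x5C, 0x6C, 0x23, 0x6D,
    0x57, 0x00, 0x77, 0x6E, 0xC0, 0x02, 0x64, 0x87};

/* Number of bytes a well-formed SID occupies at buf, or 0 if the header is
   invalid or the buffer is too short. Only the count field decides the
   length; unused trailing SubAuthority[] slots are not part of the SID. */
size_t sid_length(const uint8_t *buf, size_t len)
{
    size_t need;
    if (buf == NULL || len < SID_HEADER_SIZE)
        return 0;
    if (buf[0] != 1 || buf[1] > SID_MAX_SUB_AUTHORITIES)
        return 0;
    need = SID_HEADER_SIZE + 4u * (size_t) buf[1];
    return need <= len ? need : 0;
}

/* 48-bit identifier authority, stored big-endian in bytes 2..7. */
uint64_t sid_authority(const uint8_t *buf)
{
    uint64_t value = 0;
    int i;
    for (i = 2; i < 8; i++)
        value = (value << 8) | buf[i];
    return value;
}

/* n-th sub-authority, stored little-endian after the header. */
uint32_t sid_sub_authority(const uint8_t *buf, unsigned n)
{
    const uint8_t *p = buf + SID_HEADER_SIZE + 4u * n;
    return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* Write the "S-1-..." form to out. Returns the number of bytes consumed
   from buf, or 0 (and an empty string) on malformed input or a short out. */
size_t sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    size_t used = sid_length(buf, len);
    size_t pos;
    uint64_t authority;
    unsigned n;
    int w;
    if (out == NULL || outlen == 0)
        return 0;
    out[0] = '\0';
    if (used == 0)
        return 0;
    authority = sid_authority(buf);
    if (authority < 0x100000000ULL)  /* decimal below 2^32, hexadecimal above */
        w = snprintf(out, outlen, "S-%u-%llu", (unsigned) buf[0], (unsigned long long) authority);
    else
        w = snprintf(out, outlen, "S-%u-0x%012llX", (unsigned) buf[0], (unsigned long long) authority);
    if (w < 0 || (size_t) w >= outlen) { out[0] = '\0'; return 0; }
    pos = (size_t) w;
    for (n = 0; n < buf[1]; n++)
    {
        w = snprintf(out + pos, outlen - pos, "-%lu", (unsigned long) sid_sub_authority(buf, n));
        if (w < 0 || (size_t) w >= outlen - pos) { out[0] = '\0'; return 0; }
        pos += (size_t) w;
    }
    return used;
}

/* RID of a mandatory label SID (S-1-16-x), or -1 if buf is not one. */
int64_t sid_integrity_level(const uint8_t *buf, size_t len)
{
    if (sid_length(buf, len) == 0 || sid_authority(buf) != 16 || buf[1] != 1)
        return -1;
    return (int64_t) sid_sub_authority(buf, 0);
}

int main(void)
{
    char text[192];
    if (sid_to_string(SAMPLE_ADMINS, sizeof SAMPLE_ADMINS, text, sizeof text))
        puts(text);
    if (sid_to_string(SAMPLE_HIGH_LABEL, sizeof SAMPLE_HIGH_LABEL, text, sizeof text))
        printf("%s (integrity RID %lld)\n", text,
               (long long) sid_integrity_level(SAMPLE_HIGH_LABEL, sizeof SAMPLE_HIGH_LABEL));
    if (sid_to_string(SAMPLE_TRUSTED_INSTALLER, sizeof SAMPLE_TRUSTED_INSTALLER, text, sizeof text))
        puts(text);
    /* A SID cut off one byte early must be rejected, not read past its end. */
    if (!sid_to_string(SAMPLE_TRUSTED_INSTALLER, 31, text, sizeof text))
        puts("truncated SID rejected");
    return 0;
}
```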
Create the text file SIDEREAL.TXT with the following content in an arbitrary, preferably empty directory:
01 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 08 00 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 08 00 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 08 00 00 00 00 01 00 00 00 ................
01 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 09 00 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 09 00 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 09 00 00 00 00 01 00 00 00 ................
01 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 0a 00 00 00 00 01 00 00 00 ................
01 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 0f 01 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 0f 02 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 0f 02 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 0f 02 00 00 00 01 00 00 00 ................
01 01 00 00 00 00 00 0f 03 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 01 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 02 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 03 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 04 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 05 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 06 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 07 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 08 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 09 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 0a 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 0b 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 0c 00 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 00 04 00 00 ................
01 02 00 00 00 00 00 0f 03 00 00 00 00 10 00 00 ................
01 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 10 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 10 00 10 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 10 00 20 00 00 00 00 00 00 ......... ......
01 01 00 00 00 00 00 10 00 21 00 00 00 00 00 00 .........!......
01 01 00 00 00 00 00 10 00 30 00 00 00 00 00 00 .........0......
01 01 00 00 00 00 00 10 00 40 00 00 00 00 00 00 .........@......
01 01 00 00 00 00 00 10 00 50 00 00 00 00 00 00 .........P......
01 01 00 00 00 00 00 10 00 60 00 00 00 00 00 00 .........`......
01 01 00 00 00 00 00 10 00 70 00 00 00 00 00 00 .........p......
01 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 11 00 00 00 00 00 00 00 00 ................
01 00 00 00 00 00 00 12 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 12 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 12 01 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 12 02 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 12 03 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 12 04 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 12 05 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 12 06 00 00 00 00 00 00 00 ................
01 00 00 00 00 00 00 13 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 13 00 00 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 13 00 00 00 00 00 00 00 00 ................
01 01 00 00 00 00 00 13 00 02 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 13 00 02 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 13 00 02 00 00 00 04 00 00 ................
01 02 00 00 00 00 00 13 00 02 00 00 00 08 00 00 ................
01 02 00 00 00 00 00 13 00 02 00 00 00 10 00 00 ................
01 02 00 00 00 00 00 13 00 02 00 00 00 20 00 00 ............. ..
01 01 00 00 00 00 00 13 00 04 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 13 00 04 00 00 00 00 00 00 ................
01 02 00 00 00 00 00 13 00 04 00 00 00 04 00 00 ................
01 02 00 00 00 00 00 13 00 04 00 00 00 08 00 00 ................
01 02 00 00 00 00 00 13 00 04 00 00 00 10 00 00 ................
01 02 00 00 00 00 00 13 00 04 00 00 00 20 00 00 ............. ..
01 05 00 00 00 00 00 05 15 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................
01 05 00 00 00 00 00 05 15 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 f1 01 00 00 00 00 00 00 ................
01 06 00 00 00 00 00 05 50 00 00 00 b5 89 fb 38 ........P......8
19 84 c2 cb 5c 6c 23 6d 57 00 77 6e c0 02 64 87 ....\l#mW.wn..d.
01 06 00 00 00 00 00 05 54 00 00 00 00 00 00 00 ........T.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01 06 00 00 00 00 00 05 56 00 00 00 e6 67 b7 24 ........V....g.$
91 ce bc 03 21 80 85 ad bc 21 85 03 0d 3d aa da ....!....!...=..
01 06 00 00 00 00 00 05 56 00 00 00 a4 d3 12 5c ........V......\
80 b9 e2 0b 3f 0e fc 97 0b e4 c9 d1 78 bd ba 16 ....?.......x...
00 00 00 00 10 21 40 00 04 21 40 00 f4 20 40 00 .....!@..!@.. @.
e8 20 40 00 c4 20 40 00 a4 20 40 00 94 20 40 00 . @.. @.. @.. @.
84 20 40 00 70 20 40 00 64 20 40 00 48 20 40 00 . @.p @.d @.H @.
4c 00 6f 00 63 00 61 00 6c 00 46 00 72 00 65 00 L.o.c.a.l.F.r.e.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
25 00 6c 00 73 00 3a 00 20 00 25 00 6c 00 73 00 %.l.s.:. .%.l.s.
20 00 27 00 25 00 6c 00 73 00 5c 00 25 00 6c 00 .'.%.l.s.\.%.l.
73 00 27 00 0a 00 00 00 25 00 6c 00 73 00 3a 00 s.'.....%.l.s.:.
20 00 25 00 6c 00 73 00 20 00 27 00 25 00 6c 00 .%.l.s. .'.%.l.
73 00 27 00 0a 00 00 00 4c 00 6f 00 6f 00 6b 00 s.'.....L.o.o.k.
75 00 70 00 41 00 63 00 63 00 6f 00 75 00 6e 00 u.p.A.c.c.o.u.n.
74 00 53 00 69 00 64 00 28 00 29 00 20 00 72 00 t.S.i.d.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 20 00 66 00 6f 00 72 00 20 00 73 00 65 00 u. .f.o.r. .s.e.
63 00 75 00 72 00 69 00 74 00 79 00 20 00 69 00 c.u.r.i.t.y. .i.
64 00 65 00 6e 00 74 00 69 00 66 00 69 00 65 00 d.e.n.t.i.f.i.e.
72 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 r. .'.%.l.s.'...
00 00 00 00 00 00 00 00 43 00 6f 00 6e 00 76 00 ........C.o.n.v.
65 00 72 00 74 00 53 00 69 00 64 00 54 00 6f 00 e.r.t.S.i.d.T.o.
53 00 74 00 72 00 69 00 6e 00 67 00 53 00 69 00 S.t.r.i.n.g.S.i.
64 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 d.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
4c 00 6f 00 6f 00 6b 00 75 00 70 00 41 00 63 00 L.o.o.k.u.p.A.c.
63 00 6f 00 75 00 6e 00 74 00 4e 00 61 00 6d 00 c.o.u.n.t.N.a.m.
65 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 e.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 20 00 66 00 o.r. .%.l.u. .f.
6f 00 72 00 20 00 27 00 25 00 6c 00 73 00 27 00 o.r. .'.%.l.s.'.
0a 00 00 00 00 00 00 00 47 00 65 00 74 00 43 00 ........G.e.t.C.
6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 4e 00 o.m.p.u.t.e.r.N.
61 00 6d 00 65 00 28 00 29 00 20 00 72 00 65 00 a.m.e.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
0a 00 00 00 00 00 00 00 43 00 72 00 65 00 61 00 ........C.r.e.a.
74 00 65 00 57 00 65 00 6c 00 6c 00 4b 00 6e 00 t.e.W.e.l.l.K.n.
6f 00 77 00 6e 00 53 00 69 00 64 00 28 00 29 00 o.w.n.S.i.d.(.).
20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 .r.e.t.u.r.n.e.
64 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 d. .e.r.r.o.r. .
25 00 6c 00 75 00 0a 00 00 00 00 00 8c 32 00 00 %.l.u........2..
00 00 00 00 00 00 00 00 66 33 00 00 00 20 00 00 ........f3... ..
ac 32 00 00 00 00 00 00 00 00 00 00 d2 33 00 00 .2...........3..
20 20 00 00 c8 32 00 00 00 00 00 00 00 00 00 00 ...2..........
ee 33 00 00 3c 20 00 00 00 00 00 00 00 00 00 00 .3..< ..........
00 00 00 00 00 00 00 00 00 00 00 00 e4 32 00 00 .............2..
fe 32 00 00 14 33 00 00 2e 33 00 00 44 33 00 00 .2...3...3..D3..
5a 33 00 00 d0 32 00 00 00 00 00 00 74 33 00 00 Z3...2......t3..
84 33 00 00 90 33 00 00 a0 33 00 00 ae 33 00 00 .3...3...3...3..
c2 33 00 00 00 00 00 00 e0 33 00 00 00 00 00 00 .3.......3......
91 01 4c 6f 6f 6b 75 70 41 63 63 6f 75 6e 74 53 ..LookupAccountS
69 64 57 00 6c 00 43 6f 6e 76 65 72 74 53 69 64 idW.l.ConvertSid
54 6f 53 74 72 69 6e 67 53 69 64 57 00 00 57 01 ToStringSidW..W.
47 65 74 53 69 64 53 75 62 41 75 74 68 6f 72 69 GetSidSubAuthori
74 79 00 00 58 01 47 65 74 53 69 64 53 75 62 41 ty..X.GetSidSubA
75 74 68 6f 72 69 74 79 43 6f 75 6e 74 00 8f 01 uthorityCount...
4c 6f 6f 6b 75 70 41 63 63 6f 75 6e 74 4e 61 6d LookupAccountNam
65 57 00 00 83 00 43 72 65 61 74 65 57 65 6c 6c eW....CreateWell
4b 6e 6f 77 6e 53 69 64 00 00 07 01 45 71 75 61 KnownSid....Equa
6c 53 69 64 00 00 41 44 56 41 50 49 33 32 2e 64 lSid..ADVAPI32.d
6c 6c 00 00 24 05 57 72 69 74 65 43 6f 6e 73 6f ll..$.WriteConso
6c 65 57 00 48 03 4c 6f 63 61 6c 46 72 65 65 00 leW.H.LocalFree.
02 02 47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 ..GetLastError..
19 01 45 78 69 74 50 72 6f 63 65 73 73 00 8f 01 ..ExitProcess...
47 65 74 43 6f 6d 70 75 74 65 72 4e 61 6d 65 57 GetComputerNameW
00 00 64 02 47 65 74 53 74 64 48 61 6e 64 6c 65 ..d.GetStdHandle
00 00 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 ..KERNEL32.dll..
35 03 77 76 73 70 72 69 6e 74 66 57 00 00 55 53 5.wvsprintfW..US
45 52 33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 ER32.dll........
Decode the dump file SIDEREAL.TXT created in step 3. to recreate the console application Really Known SIDs Enumerator:
CERTUTIL.EXE /DecodeHex /V SIDEREAL.TXT SIDEREAL.COM
Input Length = 28288
Output Length = 6656
CertUtil: -decodehex command completed successfully.
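What the decode step does to a dump of this shape, with a check of the result before the recreated file is run, as an added example that is not the page's own code: it decodes rows of 16 hex bytes, ignores the ASCII column, compares the size with the "Output Length" CertUtil reports, and confirms the MZ and PE signatures. The function names and the sample dump are constructed for illustration, and the decoder assumes full 16-byte rows, which holds for the dump above since 6656 = 416 × 16.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROW_BYTES  16               /* bytes per dump row */
#define DUMP_ERROR ((size_t)-1)

/* Constructed sample: a 96-byte stub with valid MZ and PE signatures. */
static const char SAMPLE_DUMP[] =
    "4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n"
    "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 ............@...\r\n"
    "50 45 00 00 4c 01 02 00 00 00 00 00 00 00 00 00 PE..L...........\r\n"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n";

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static int is_sep(char c) { return c == ' ' || c == '\t'; }
static int is_eol(char c) { return c == '\r' || c == '\n' || c == '\0'; }

/* Decode the dump into out[]; returns the byte count, or DUMP_ERROR for a
   malformed row or when out[] is too small. */
size_t decode_hexdump(const char *text, unsigned char *out, size_t cap)
{
    size_t len = 0;
    const char *p = text;

    while (*p != '\0') {
        int n = 0;
        while (n < ROW_BYTES) {
            while (is_sep(*p)) p++;
            int hi = hexval((unsigned char)p[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);
            /* a byte is exactly two hex digits followed by blank or EOL */
            if (lo < 0 || !(is_sep(p[2]) || is_eol(p[2])))
                break;
            if (len == cap) return DUMP_ERROR;
            out[len++] = (unsigned char)(hi << 4 | lo);
            p += 2;
            n++;
        }
        if (n == 0) {
            if (!is_eol(*p)) return DUMP_ERROR;   /* text without hex bytes */
        } else if (n != ROW_BYTES)
            return DUMP_ERROR;                    /* short row: refuse */
        while (*p != '\0' && *p != '\n') p++;     /* skip the ASCII column */
        if (*p == '\n') p++;
    }
    return len;
}

static unsigned rd16(const unsigned char *p) { return p[0] | p[1] << 8; }

/* Returns the COFF machine type (0x014c for i386), or -1 if the image does
   not carry MZ and PE signatures at consistent offsets. */
int pe_machine(const unsigned char *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    unsigned long off = rd16(img + 0x3c) | (unsigned long)rd16(img + 0x3e) << 16;
    if (off > len || len - off < 24) return -1;   /* signature + COFF header */
    if (memcmp(img + off, "PE\0\0", 4) != 0) return -1;
    return (int)rd16(img + off + 4);
}

/* Decode, then accept the image only if its size matches the expected
   output length and it looks like a PE file. */
int verify_dump(const char *text, size_t expected_len)
{
    static unsigned char image[1 << 16];
    size_t len = decode_hexdump(text, image, sizeof image);
    if (len == DUMP_ERROR || len != expected_len) return -1;
    return pe_machine(image, len);
}

int main(void)
{
    printf("sample: machine 0x%04x\n", (unsigned)verify_dump(SAMPLE_DUMP, 96));
    return 0;
}
```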
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file nor a pipe, i.e. redirection of standard error or standard output is not supported!
The MSDN article Console Handles provides background information.
Create the text file TWIDDLER.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <tlhelp32.h>
#include <shellapi.h>
#define SE_PRIVILEGE_DISABLED 0UL
#define SE_MIN_WELL_KNOWN_PRIVILEGE 2UL
#define SE_CREATE_TOKEN_PRIVILEGE 2UL // "SeCreateTokenPrivilege"
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3UL // "SeAssignPrimaryTokenPrivilege"
#define SE_LOCK_MEMORY_PRIVILEGE 4UL // "SeLockMemoryPrivilege"
#define SE_INCREASE_QUOTA_PRIVILEGE 5UL // "SeIncreaseQuotaPrivilege"
// SE_UNSOLICITED_INPUT_PRIVILEGE 6UL // "SeUnsolicitedInputPrivilege"
#define SE_MACHINE_ACCOUNT_PRIVILEGE 6UL // "SeMachineAccountPrivilege"
#define SE_TCB_PRIVILEGE 7UL // "SeTcbPrivilege"
#define SE_SECURITY_PRIVILEGE 8UL // "SeSecurityPrivilege"
#define SE_TAKE_OWNERSHIP_PRIVILEGE 9UL // "SeTakeOwnershipPrivilege"
#define SE_LOAD_DRIVER_PRIVILEGE 10UL // "SeLoadDriverPrivilege"
#define SE_SYSTEM_PROFILE_PRIVILEGE 11UL // "SeSystemProfilePrivilege"
#define SE_SYSTEMTIME_PRIVILEGE 12UL // "SeSystemtimePrivilege"
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13UL // "SeProfileSingleProcessPrivilege"
#define SE_INC_BASE_PRIORITY_PRIVILEGE 14UL // "SeIncreaseBasePriorityPrivilege"
#define SE_CREATE_PAGEFILE_PRIVILEGE 15UL // "SeCreatePagefilePrivilege"
#define SE_CREATE_PERMANENT_PRIVILEGE 16UL // "SeCreatePermanentPrivilege"
#define SE_BACKUP_PRIVILEGE 17UL // "SeBackupPrivilege"
#define SE_RESTORE_PRIVILEGE 18UL // "SeRestorePrivilege"
#define SE_SHUTDOWN_PRIVILEGE 19UL // "SeShutdownPrivilege"
#define SE_DEBUG_PRIVILEGE 20UL // "SeDebugPrivilege"
#define SE_AUDIT_PRIVILEGE 21UL // "SeAuditPrivilege"
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22UL // "SeSystemEnvironmentPrivilege"
#define SE_CHANGE_NOTIFY_PRIVILEGE 23UL // "SeChangeNotifyPrivilege"
#define SE_REMOTE_SHUTDOWN_PRIVILEGE 24UL // "SeRemoteShutdownPrivilege"
#define SE_UNDOCK_PRIVILEGE 25UL // "SeUndockPrivilege"
#define SE_SYNC_AGENT_PRIVILEGE 26UL // "SeSyncAgentPrivilege"
#define SE_ENABLE_DELEGATION_PRIVILEGE 27UL // "SeEnableDelegationPrivilege"
#define SE_MANAGE_VOLUME_PRIVILEGE 28UL // "SeManageVolumePrivilege"
#define SE_IMPERSONATE_PRIVILEGE 29UL // "SeImpersonatePrivilege"
#define SE_CREATE_GLOBAL_PRIVILEGE 30UL // "SeCreateGlobalPrivilege"
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE 31UL // "SeTrustedCredManAccessPrivilege"
#define SE_RELABEL_PRIVILEGE 32UL // "SeRelabelPrivilege"
#define SE_INCREASE_WORKING_SET_PRIVILEGE 33UL // "SeIncreaseWorkingSetPrivilege"
#define SE_TIME_ZONE_PRIVILEGE 34UL // "SeTimeZonePrivilege"
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE 35UL // "SeCreateSymbolicLinkPrivilege"
#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE 36UL // "SeDelegateSessionUserImpersonatePrivilege"
#define SE_MAX_WELL_KNOWN_PRIVILEGE 36UL
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, LPCWSTR lpFormat, ...)
{
    WCHAR szBuffer[1025];
    DWORD dwBuffer;
    DWORD dwConsole;
    va_list vaInserts;

    va_start(vaInserts, lpFormat);
    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
    va_end(vaInserts);

    if (dwBuffer == 0)
        return FALSE;

    if (!WriteConsole(hConsole, szBuffer, dwBuffer, &dwConsole, NULL))
        return FALSE;

    return dwConsole == dwBuffer;
}
// Enable, disable or remove the privileges named on the command line
// in the access token of the parent process.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    INT nArgument = 1;
    INT nArguments;
    LPWSTR *lpArguments;
    LPCWSTR lpPrivilege;
    WCHAR szPrivilege[sizeof("SeDelegateSessionUserImpersonatePrivilege")];
    DWORD dwPrivilege;
    DWORD dwCurrentProcessId = GetCurrentProcessId();
    DWORD dwParentProcessId = 0;
    DWORD dwError = ERROR_BAD_ARGUMENTS;
    DWORD dwTP;
    TOKEN_PRIVILEGES *lpTP;
    PROCESSENTRY32 pe /* = {sizeof(pe)} */;
    HANDLE hSnapshot;
    HANDLE hParent;
    HANDLE hToken;
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
        if (lpArguments == NULL)
            PrintConsole(hConsole,
                L"CommandLineToArgv() returned error %lu\n",
                dwError = GetLastError());
        else
        {
            if (nArguments < 2)
                PrintConsole(hConsole,
                    L"At least one privilege to enable, disable or remove must be given by its name!\n");
            else
            {
                // TOKEN_PRIVILEGES already contains ANYSIZE_ARRAY entries
                dwTP = sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES) * (nArguments - 1 - ANYSIZE_ARRAY);
                lpTP = (TOKEN_PRIVILEGES *) LocalAlloc(LPTR, dwTP);
                if (lpTP == NULL)
                    PrintConsole(hConsole,
                        L"LocalAlloc() returned error %lu\n",
                        dwError = GetLastError());
                else
                {
                    lpTP->PrivilegeCount = nArguments - 1;
                    do
                    {
                        lpPrivilege = NULL;
                        // the shortest valid arguments, "/ENABLE:SeTcbPrivilege" and
                        // "/REMOVE:SeTcbPrivilege", have 22 characters
                        if (wcslen(lpArguments[nArgument]) >= sizeof("/DISABLE:Se*Privilege"))
                            if (memcmp(lpArguments[nArgument], L"/DISABLE:", sizeof(L"/DISABLE:") - sizeof(L"")) == 0)
                            {
                                lpPrivilege = lpArguments[nArgument] + sizeof("/DISABLE");
                                // lpTP->Privileges[nArgument - 1].Attributes = SE_PRIVILEGE_DISABLED;
                            }
                            else if (memcmp(lpArguments[nArgument], L"/ENABLE:", sizeof(L"/ENABLE:") - sizeof(L"")) == 0)
                            {
                                lpPrivilege = lpArguments[nArgument] + sizeof("/ENABLE");
                                lpTP->Privileges[nArgument - 1].Attributes = SE_PRIVILEGE_ENABLED;
                            }
                            else if (memcmp(lpArguments[nArgument], L"/REMOVE:", sizeof(L"/REMOVE:") - sizeof(L"")) == 0)
                            {
                                lpPrivilege = lpArguments[nArgument] + sizeof("/REMOVE");
                                lpTP->Privileges[nArgument - 1].Attributes = SE_PRIVILEGE_REMOVED;
                            }
                        if (lpPrivilege == NULL)
                        {
                            PrintConsole(hConsole,
                                L"Invalid argument \'%ls\'!\n",
                                lpArguments[nArgument]);
                            lpTP->PrivilegeCount = 0;
                        }
                        else
                            if (!LookupPrivilegeValue((LPCWSTR) NULL,
                                                      lpPrivilege,
                                                      &lpTP->Privileges[nArgument - 1].Luid))
                            {
                                PrintConsole(hConsole,
                                    L"LookupPrivilegeValue() returned error %lu for \'%ls\'\n",
                                    dwError = GetLastError(), lpPrivilege);
                                lpTP->PrivilegeCount = 0;
                            }
                    } while (++nArgument < nArguments);
                    if (lpTP->PrivilegeCount != 0)
                    {
                        // find the parent process in a snapshot of all processes
                        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
                        if (hSnapshot == INVALID_HANDLE_VALUE)
                            PrintConsole(hConsole,
                                L"CreateToolhelp32Snapshot() returned error %lu\n",
                                dwError = GetLastError());
                        else
                        {
                            pe.dwSize = sizeof(pe);
                            if (!Process32First(hSnapshot, &pe))
                                PrintConsole(hConsole,
                                    L"Process32First() returned error %lu\n",
                                    dwError = GetLastError());
                            else
                            {
                                do
                                    if (pe.th32ProcessID == dwCurrentProcessId)
                                        dwParentProcessId = pe.th32ParentProcessID;
                                while (Process32Next(hSnapshot, &pe));
                                dwError = GetLastError();
                                if (dwError == ERROR_NO_MORE_FILES)
                                    dwError = ERROR_SUCCESS;
                                else
                                    PrintConsole(hConsole,
                                        L"Process32Next() returned error %lu\n",
                                        dwError);
                            }
                            if (!CloseHandle(hSnapshot))
                                PrintConsole(hConsole,
                                    L"CloseHandle() returned error %lu\n",
                                    GetLastError());
                            if (dwParentProcessId == 0)
                            {
                                PrintConsole(hConsole,
                                    L"Parent process of process %lu not found!\n",
                                    dwCurrentProcessId);
                                dwError = ERROR_PROCESS_ABORTED;
                            }
                            else
                            {
                                hParent = OpenProcess(PROCESS_QUERY_INFORMATION,
                                                      FALSE,
                                                      dwParentProcessId);
                                if (hParent == NULL)
                                    PrintConsole(hConsole,
                                        L"OpenProcess() returned error %lu\n",
                                        dwError = GetLastError());
                                else
                                {
                                    if (!OpenProcessToken(hParent,
                                                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                                          &hToken))
                                        PrintConsole(hConsole,
                                            L"OpenProcessToken() returned error %lu\n",
                                            dwError = GetLastError());
                                    else
                                    {
                                        // lpTP serves as new state and receives the previous state
                                        if (!AdjustTokenPrivileges(hToken,
                                                                   FALSE,
                                                                   lpTP,
                                                                   dwTP,
                                                                   lpTP,
                                                                   &dwTP))
                                            PrintConsole(hConsole,
                                                L"AdjustTokenPrivileges() returned error %lu\n",
                                                dwError = GetLastError());
                                        else
                                        {
                                            dwError = GetLastError();
                                            if (lpTP->PrivilegeCount == 0)
                                                if (dwError == ERROR_NOT_ALL_ASSIGNED)
                                                    PrintConsole(hConsole,
                                                        L"Not all privileges assigned, no privilege toggled in parent process %lu\n",
                                                        dwParentProcessId);
                                                else
                                                    PrintConsole(hConsole,
                                                        L"No privilege toggled in parent process %lu\n",
                                                        dwParentProcessId);
                                            else
                                            {
                                                if (dwError == ERROR_NOT_ALL_ASSIGNED)
                                                    PrintConsole(hConsole,
                                                        L"Not all privileges assigned, %lu privilege(s) toggled in parent process %lu:\n",
                                                        lpTP->PrivilegeCount, dwParentProcessId);
                                                else
                                                    PrintConsole(hConsole,
                                                        L"%lu privilege(s) toggled in parent process %lu:\n",
                                                        lpTP->PrivilegeCount, dwParentProcessId);
                                                for (dwTP = 0; dwTP < lpTP->PrivilegeCount; dwTP++)
                                                {
                                                    dwPrivilege = sizeof(szPrivilege) / sizeof(*szPrivilege);
                                                    if (!LookupPrivilegeName((LPCWSTR) NULL,
                                                                             &lpTP->Privileges[dwTP].Luid,
                                                                             szPrivilege,
                                                                             &dwPrivilege))
                                                        PrintConsole(hConsole,
                                                            L"LookupPrivilegeName() returned error %lu\n",
                                                            dwError = GetLastError());
                                                    else
                                                        // blank between names, newline after the last one
                                                        PrintConsole(hConsole,
                                                            L"\'%ls\'%lc",
                                                            szPrivilege, dwTP + 1 != lpTP->PrivilegeCount ? L' ' : L'\n');
                                                }
                                            }
                                        }
                                        if (!CloseHandle(hToken))
                                            PrintConsole(hConsole,
                                                L"CloseHandle() returned error %lu\n",
                                                GetLastError());
                                    }
                                    if (!CloseHandle(hParent))
                                        PrintConsole(hConsole,
                                            L"CloseHandle() returned error %lu\n",
                                            GetLastError());
                                }
                            }
                        }
                    }
                    if (LocalFree(lpTP) != NULL)
                        PrintConsole(hConsole,
                            L"LocalFree() returned error %lu\n",
                            GetLastError());
                }
            }
            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                    L"LocalFree() returned error %lu\n",
                    GetLastError());
        }
        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                L"CloseHandle() returned error %lu\n",
                GetLastError());
    }
    ExitProcess(dwError);
}
Run the following four command lines to compile the source file TWIDDLER.C created in step 1., link the compiled object file TWIDDLER.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"Privilege Twiddler.com" /RELEASE /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE TWIDDLER.C
ERASE TWIDDLER.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

TWIDDLER.C
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Create the text file TWIDDLER.TXT with the following content in an arbitrary, preferably empty directory:
20 00 74 00 6f 00 67 00 67 00 6c 00 65 00 64 00 .t.o.g.g.l.e.d.
20 00 69 00 6e 00 20 00 70 00 61 00 72 00 65 00 .i.n. .p.a.r.e.
6e 00 74 00 20 00 70 00 72 00 6f 00 63 00 65 00 n.t. .p.r.o.c.e.
73 00 73 00 20 00 25 00 6c 00 75 00 0a 00 00 00 s.s. .%.l.u.....
4e 00 6f 00 74 00 20 00 61 00 6c 00 6c 00 20 00 N.o.t. .a.l.l. .
70 00 72 00 69 00 76 00 69 00 6c 00 65 00 67 00 p.r.i.v.i.l.e.g.
65 00 73 00 20 00 61 00 73 00 73 00 69 00 67 00 e.s. .a.s.s.i.g.
6e 00 65 00 64 00 2c 00 20 00 6e 00 6f 00 20 00 n.e.d.,. .n.o. .
70 00 72 00 69 00 76 00 69 00 6c 00 65 00 67 00 p.r.i.v.i.l.e.g.
65 00 20 00 74 00 6f 00 67 00 67 00 6c 00 65 00 e. .t.o.g.g.l.e.
64 00 20 00 69 00 6e 00 20 00 70 00 61 00 72 00 d. .i.n. .p.a.r.
65 00 6e 00 74 00 20 00 70 00 72 00 6f 00 63 00 e.n.t. .p.r.o.c.
65 00 73 00 73 00 20 00 25 00 6c 00 75 00 0a 00 e.s.s. .%.l.u...
00 00 00 00 00 00 00 00 41 00 64 00 6a 00 75 00 ........A.d.j.u.
73 00 74 00 54 00 6f 00 6b 00 65 00 6e 00 50 00 s.t.T.o.k.e.n.P.
72 00 69 00 76 00 69 00 6c 00 65 00 67 00 65 00 r.i.v.i.l.e.g.e.
73 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 s.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
4f 00 70 00 65 00 6e 00 50 00 72 00 6f 00 63 00 O.p.e.n.P.r.o.c.
65 00 73 00 73 00 54 00 6f 00 6b 00 65 00 6e 00 e.s.s.T.o.k.e.n.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 00 00 r. .%.l.u.......
4f 00 70 00 65 00 6e 00 50 00 72 00 6f 00 63 00 O.p.e.n.P.r.o.c.
65 00 73 00 73 00 28 00 29 00 20 00 72 00 65 00 e.s.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
0a 00 00 00 00 00 00 00 50 00 61 00 72 00 65 00 ........P.a.r.e.
6e 00 74 00 20 00 70 00 72 00 6f 00 63 00 65 00 n.t. .p.r.o.c.e.
73 00 73 00 20 00 6f 00 66 00 20 00 70 00 72 00 s.s. .o.f. .p.r.
6f 00 63 00 65 00 73 00 73 00 20 00 25 00 6c 00 o.c.e.s.s. .%.l.
75 00 20 00 6e 00 6f 00 74 00 20 00 66 00 6f 00 u. .n.o.t. .f.o.
75 00 6e 00 64 00 21 00 0a 00 00 00 00 00 00 00 u.n.d.!.........
43 00 6c 00 6f 00 73 00 65 00 48 00 61 00 6e 00 C.l.o.s.e.H.a.n.
64 00 6c 00 65 00 28 00 29 00 20 00 72 00 65 00 d.l.e.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
0a 00 00 00 00 00 00 00 50 00 72 00 6f 00 63 00 ........P.r.o.c.
65 00 73 00 73 00 33 00 32 00 4e 00 65 00 78 00 e.s.s.3.2.N.e.x.
74 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 t.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
50 00 72 00 6f 00 63 00 65 00 73 00 73 00 33 00 P.r.o.c.e.s.s.3.
32 00 46 00 69 00 72 00 73 00 74 00 28 00 29 00 2.F.i.r.s.t.(.).
20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 .r.e.t.u.r.n.e.
64 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 d. .e.r.r.o.r. .
25 00 6c 00 75 00 0a 00 00 00 00 00 00 00 00 00 %.l.u...........
43 00 72 00 65 00 61 00 74 00 65 00 54 00 6f 00 C.r.e.a.t.e.T.o.
6f 00 6c 00 68 00 65 00 6c 00 70 00 33 00 32 00 o.l.h.e.l.p.3.2.
53 00 6e 00 61 00 70 00 73 00 68 00 6f 00 74 00 S.n.a.p.s.h.o.t.
28 00 29 00 20 00 72 00 65 00 74 00 75 00 72 00 (.). .r.e.t.u.r.
6e 00 65 00 64 00 20 00 65 00 72 00 72 00 6f 00 n.e.d. .e.r.r.o.
72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 00 00 r. .%.l.u.......
4c 00 6f 00 6f 00 6b 00 75 00 70 00 50 00 72 00 L.o.o.k.u.p.P.r.
69 00 76 00 69 00 6c 00 65 00 67 00 65 00 56 00 i.v.i.l.e.g.e.V.
61 00 6c 00 75 00 65 00 28 00 29 00 20 00 72 00 a.l.u.e.(.). .r.
65 00 74 00 75 00 72 00 6e 00 65 00 64 00 20 00 e.t.u.r.n.e.d. .
65 00 72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 e.r.r.o.r. .%.l.
75 00 20 00 66 00 6f 00 72 00 20 00 27 00 25 00 u. .f.o.r. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 49 00 6e 00 l.s.'.......I.n.
76 00 61 00 6c 00 69 00 64 00 20 00 61 00 72 00 v.a.l.i.d. .a.r.
67 00 75 00 6d 00 65 00 6e 00 74 00 20 00 27 00 g.u.m.e.n.t. .'.
25 00 6c 00 73 00 27 00 21 00 0a 00 00 00 00 00 %.l.s.'.!.......
2f 00 52 00 45 00 4d 00 4f 00 56 00 45 00 3a 00 /.R.E.M.O.V.E.:.
00 00 00 00 2f 00 45 00 4e 00 41 00 42 00 4c 00 ..../.E.N.A.B.L.
45 00 3a 00 00 00 00 00 2f 00 44 00 49 00 53 00 E.:...../.D.I.S.
41 00 42 00 4c 00 45 00 3a 00 00 00 00 00 00 00 A.B.L.E.:.......
4c 00 6f 00 63 00 61 00 6c 00 41 00 6c 00 6c 00 L.o.c.a.l.A.l.l.
6f 00 63 00 28 00 29 00 20 00 72 00 65 00 74 00 o.c.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 65 00 72 00 u.r.n.e.d. .e.r.
72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 r.o.r. .%.l.u...
00 00 00 00 00 00 00 00 41 00 74 00 20 00 6c 00 ........A.t. .l.
65 00 61 00 73 00 74 00 20 00 6f 00 6e 00 65 00 e.a.s.t. .o.n.e.
20 00 70 00 72 00 69 00 76 00 69 00 6c 00 65 00 .p.r.i.v.i.l.e.
67 00 65 00 20 00 74 00 6f 00 20 00 65 00 6e 00 g.e. .t.o. .e.n.
61 00 62 00 6c 00 65 00 2c 00 20 00 64 00 69 00 a.b.l.e.,. .d.i.
73 00 61 00 62 00 6c 00 65 00 20 00 6f 00 72 00 s.a.b.l.e. .o.r.
20 00 72 00 65 00 6d 00 6f 00 76 00 65 00 20 00 .r.e.m.o.v.e. .
6d 00 75 00 73 00 74 00 20 00 62 00 65 00 20 00 m.u.s.t. .b.e. .
67 00 69 00 76 00 65 00 6e 00 20 00 62 00 79 00 g.i.v.e.n. .b.y.
20 00 69 00 74 00 73 00 20 00 6e 00 61 00 6d 00 .i.t.s. .n.a.m.
65 00 21 00 0a 00 00 00 43 00 6f 00 6d 00 6d 00 e.!.....C.o.m.m.
61 00 6e 00 64 00 4c 00 69 00 6e 00 65 00 54 00 a.n.d.L.i.n.e.T.
6f 00 41 00 72 00 67 00 76 00 28 00 29 00 20 00 o.A.r.g.v.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 0c 28 00 00 00 00 00 00 l.u......(......
00 00 00 00 c4 28 00 00 00 20 00 00 20 28 00 00 .....(... .. (..
00 00 00 00 00 00 00 00 ae 29 00 00 14 20 00 00 .........)... ..
58 28 00 00 00 00 00 00 00 00 00 00 d2 29 00 00 X(...........)..
4c 20 00 00 60 28 00 00 00 00 00 00 00 00 00 00 L ..`(..........
ec 29 00 00 54 20 00 00 00 00 00 00 00 00 00 00 .)..T ..........
00 00 00 00 00 00 00 00 00 00 00 00 80 28 00 00 .............(..
98 28 00 00 ac 28 00 00 68 28 00 00 00 00 00 00 .(...(..h(......
d2 28 00 00 e2 28 00 00 f0 28 00 00 fc 28 00 00 .(...(...(...(..
0a 29 00 00 18 29 00 00 2a 29 00 00 3c 29 00 00 .)...)..*)..<)..
58 29 00 00 66 29 00 00 78 29 00 00 88 29 00 00 X)..f)..x)...)..
98 29 00 00 00 00 00 00 bc 29 00 00 00 00 00 00 .).......)......
de 29 00 00 00 00 00 00 95 01 4c 6f 6f 6b 75 70 .)........Lookup
50 72 69 76 69 6c 65 67 65 4e 61 6d 65 57 00 00 PrivilegeNameW..
1f 00 41 64 6a 75 73 74 54 6f 6b 65 6e 50 72 69 ..AdjustTokenPri
76 69 6c 65 67 65 73 00 f7 01 4f 70 65 6e 50 72 vileges...OpenPr
6f 63 65 73 73 54 6f 6b 65 6e 00 00 97 01 4c 6f ocessToken....Lo
6f 6b 75 70 50 72 69 76 69 6c 65 67 65 56 61 6c okupPrivilegeVal
75 65 57 00 41 44 56 41 50 49 33 32 2e 64 6c 6c ueW.ADVAPI32.dll
00 00 24 05 57 72 69 74 65 43 6f 6e 73 6f 6c 65 ..$.WriteConsole
57 00 19 01 45 78 69 74 50 72 6f 63 65 73 73 00 W...ExitProcess.
48 03 4c 6f 63 61 6c 46 72 65 65 00 80 03 4f 70 H.LocalFree...Op
65 6e 50 72 6f 63 65 73 73 00 52 00 43 6c 6f 73 enProcess.R.Clos
65 48 61 6e 64 6c 65 00 98 03 50 72 6f 63 65 73 eHandle...Proces
73 33 32 4e 65 78 74 57 00 00 96 03 50 72 6f 63 s32NextW....Proc
65 73 73 33 32 46 69 72 73 74 57 00 be 00 43 72 ess32FirstW...Cr
65 61 74 65 54 6f 6f 6c 68 65 6c 70 33 32 53 6e eateToolhelp32Sn
61 70 73 68 6f 74 00 00 44 03 4c 6f 63 61 6c 41 apshot..D.LocalA
6c 6c 6f 63 00 00 87 01 47 65 74 43 6f 6d 6d 61 lloc....GetComma
6e 64 4c 69 6e 65 57 00 02 02 47 65 74 4c 61 73 ndLineW...GetLas
74 45 72 72 6f 72 00 00 64 02 47 65 74 53 74 64 tError..d.GetStd
48 61 6e 64 6c 65 00 00 c1 01 47 65 74 43 75 72 Handle....GetCur
72 65 6e 74 50 72 6f 63 65 73 73 49 64 00 4b 45 rentProcessId.KE
52 4e 45 4c 33 32 2e 64 6c 6c 00 00 06 00 43 6f RNEL32.dll....Co
6d 6d 61 6e 64 4c 69 6e 65 54 6f 41 72 67 76 57 mmandLineToArgvW
00 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00 35 03 ..SHELL32.dll.5.
77 76 73 70 72 69 6e 74 66 57 00 00 55 53 45 52 wvsprintfW..USER
33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
Decode the dump file TWIDDLER.TXT created in step 3. to recreate the console application Privilege Twiddler:
CERTUTIL.EXE /DecodeHex /V TWIDDLER.TXT TWIDDLER.COM
Input Length = 19584
Output Length = 4608
CertUtil: -decodehex command completed successfully.
Note: UU Encoder is a so-called filter: it reads from standard input, writes to standard output and prints error messages on standard error.
Create the text file UUENCODE.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

#define memcpy __movsb

// Format a message with wvsprintf() and write it to hFile;
// wvsprintf() stores at most 1024 characters plus the terminating NUL.
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, LPCSTR lpFormat, ...)
{
    CHAR szBuffer[1025];
    DWORD dwBuffer;
    DWORD dwFile;
    va_list vaInserts;

    va_start(vaInserts, lpFormat);
    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
    va_end(vaInserts);
    if (dwBuffer == 0)
        return FALSE;
    dwBuffer *= sizeof(*szBuffer);
    if (!WriteFile(hFile, szBuffer, dwBuffer, &dwFile, (LPOVERLAPPED) NULL))
        return FALSE;
    return dwFile == dwBuffer;
}

// uuencode alphabet: the values 0 to 63 map to '`' and '!' to '_'
const CHAR szU2U[64] = "`!\"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_";

__declspec(noreturn)
VOID WINAPI mainCRTStartup(VOID)
{
    DWORD dwError = ERROR_SUCCESS;
    DWORD dwCount;
    DWORD dwInOut;
    DWORD dwInput;
    BYTE cbInput[45];
    BYTE cbOutput[sizeof(cbInput) / 3 * 4 + sizeof("\r\n")];
    DWORD dwOutput;
    HANDLE hOutput;
    HANDLE hInput;
    HANDLE hError = GetStdHandle(STD_ERROR_HANDLE);

    if (hError == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        hOutput = GetStdHandle(STD_OUTPUT_HANDLE);
        if (hOutput == INVALID_HANDLE_VALUE)
            PrintFormat(hError,
                        "GetStdHandle(%ld) returned error %lu\r\n",
                        STD_OUTPUT_HANDLE, dwError = GetLastError());
        else
        {
            hInput = GetStdHandle(STD_INPUT_HANDLE);
            if (hInput == INVALID_HANDLE_VALUE)
                PrintFormat(hError,
                            "GetStdHandle(%ld) returned error %lu\r\n",
                            STD_INPUT_HANDLE, dwError = GetLastError());
            else
            {
                // the header line is written by the first pass of the loop
                memcpy(cbOutput, "\r\nbegin 644 -\r\n", dwOutput = sizeof("\r\nbegin 644 -\r\n") - 1);
                for (;;)
                {
                    if (!WriteFile(hOutput, cbOutput, dwOutput, &dwCount, (LPOVERLAPPED) NULL))
                        PrintFormat(hError,
                                    "WriteFile() returned error %lu\r\n",
                                    dwError = GetLastError());
                    else if (dwCount != dwOutput)
                        PrintFormat(hError,
                                    "WriteFile() failed, %lu of %lu characters written\r\n",
                                    dwCount, dwOutput, dwError = ERROR_WRITE_FAULT);
                    else
                        if (!ReadFile(hInput, cbInput, sizeof(cbInput), &dwInput, (LPOVERLAPPED) NULL)
                         && (GetLastError() != ERROR_BROKEN_PIPE))
                            PrintFormat(hError,
                                        "ReadFile() returned error %lu\r\n",
                                        dwError = GetLastError());
                        else if (dwInput == 0)
                        {
                            // end of input: write the empty line and the trailer
                            memcpy(cbOutput, "`\r\nend\r\n", dwOutput = sizeof("`\r\nend\r\n") - 1);
                            if (!WriteFile(hOutput, cbOutput, dwOutput, &dwCount, (LPOVERLAPPED) NULL))
                                PrintFormat(hError,
                                            "WriteFile() returned error %lu\r\n",
                                            dwError = GetLastError());
                            else if (dwCount != dwOutput)
                                PrintFormat(hError,
                                            "WriteFile() failed, %lu of %lu characters written\r\n",
                                            dwCount, dwOutput, dwError = ERROR_WRITE_FAULT);
                        //  else
                        //      dwError = ERROR_SUCCESS;
                        }
                        else
                        {
                            dwOutput = 0;
                            // length character: number of input bytes on this line
#if 0
                            cbOutput[dwOutput++] = szU2U[dwInput];
#else
                            cbOutput[dwOutput++] = (BYTE) (' ' + dwInput);
#endif
                            // pad the input with zero bytes to a multiple of 3
#if 0
                            while (dwInput % 3 != 0)
                                cbInput[dwInput++] = '\0';
#else
                            switch (dwInput % 3)
                            {
                            case 1:
                                cbInput[dwInput++] = '\0';
                                // fall through
                            case 2:
                                cbInput[dwInput++] = '\0';
                            }
#endif
                            dwCount = dwInput;
                            dwInput = 0;
                            do
                            {
#if 0
                                dwInOut = cbInput[dwInput++];
                                dwInOut <<= 8;
                                dwInOut |= cbInput[dwInput++];
                                dwInOut <<= 8;
                                dwInOut |= cbInput[dwInput++];
                                cbOutput[dwOutput++] = szU2U[(dwInOut >> 18) & 63];
                                cbOutput[dwOutput++] = szU2U[(dwInOut >> 12) & 63];
                                cbOutput[dwOutput++] = szU2U[(dwInOut >> 6) & 63];
                                cbOutput[dwOutput++] = szU2U[dwInOut & 63];
#else
                                // 4 bytes are loaded, but only the upper 24 bits (3 input
                                // bytes) are used; for the last group of a full buffer the
                                // load includes the byte following cbInput, which is not used
                                dwInOut = _byteswap_ulong(*(DWORD *) (cbInput + dwInput));
                                dwInput += 3;
                                *(DWORD *) (cbOutput + dwOutput) = szU2U[dwInOut >> 26]
                                                                 | szU2U[(dwInOut >> 20) & 63] * 256
                                                                 | szU2U[(dwInOut >> 14) & 63] * 65536
                                                                 | szU2U[(dwInOut >> 8) & 63] * 16777216;
                                dwOutput += 4;
#endif
                            }
                            while (dwInput < dwCount);
                            cbOutput[dwOutput++] = '\r';
                            cbOutput[dwOutput++] = '\n';
                            continue;
                        }
                    break;
                }
                if (!CloseHandle(hInput))
                    PrintFormat(hError,
                                "CloseHandle() returned error %lu\r\n",
                                GetLastError());
            }
            if (!CloseHandle(hOutput))
                PrintFormat(hError,
                            "CloseHandle() returned error %lu\r\n",
                            GetLastError());
        }
        if (!CloseHandle(hError))
            PrintFormat(hError,
                        "CloseHandle() returned error %lu\r\n",
                        GetLastError());
    }
    ExitProcess(dwError);
}
Run the following four command lines to compile the source file UUENCODE.C created in step 1., link the compiled object file UUENCODE.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:mainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"UU Encoder.com" /RELEASE /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE UUENCODE.C
ERASE UUENCODE.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
UUENCODE.C
UUENCODE.C(51) : warning C4295: 'szU2U' : array is too small to include a terminating null character
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
Create the text file UUENCODE.TXT with the following content in an arbitrary, preferably empty directory:
Decode the dump file UUENCODE.TXT created in step 3. to recreate the console application UU Encoder:
CERTUTIL.EXE /DecodeHex /V UUENCODE.TXT UUENCODE.COM
Input Length = 8704
Output Length = 2048
CertUtil: -decodehex command completed successfully.
The Base16, Base32, and Base64 Data Encodings.
MIME is specified in RFC 1341, RFCs 1521 and 1522, 2045, 2046, 2047, 2048 and 2049, all titled Multipurpose Internet Mail Extensions (MIME).
The MSDN articles RFC 822 Message Format and MIME Message Format document the message format.
Note: Base64 Encoder is a so-called filter: it reads from standard input, writes to standard output and prints error messages on standard error.
Create the text file 64ENCODE.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2022, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

// Format a message with wvsprintf() and write it to hFile;
// wvsprintf() stores at most 1024 characters plus the terminating NUL.
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, LPCSTR lpFormat, ...)
{
    CHAR szBuffer[1025];
    DWORD dwBuffer;
    DWORD dwFile;
    va_list vaInserts;

    va_start(vaInserts, lpFormat);
    dwBuffer = wvsprintf(szBuffer, lpFormat, vaInserts);
    va_end(vaInserts);
    if (dwBuffer == 0)
        return FALSE;
    dwBuffer *= sizeof(*szBuffer);
    if (!WriteFile(hFile, szBuffer, dwBuffer, &dwFile, (LPOVERLAPPED) NULL))
        return FALSE;
    return dwFile == dwBuffer;
}

// Base64 alphabet: the values 0 to 63 map to 'A'-'Z', 'a'-'z', '0'-'9', '+' and '/'
const CHAR szBase64[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                          "abcdefghijklmnopqrstuvwxyz"
                          "0123456789+/";

__declspec(noreturn)
VOID WINAPI mainCRTStartup(VOID)
{
    DWORD dwError = ERROR_SUCCESS;
    DWORD dwCount;
    DWORD dwInOut;
    DWORD dwInput;
    BYTE cbInput[57];
    BYTE cbOutput[sizeof(cbInput) / 3 * 4 + sizeof("\r\n") - 1];
    DWORD dwOutput;
    HANDLE hOutput;
    HANDLE hInput;
    HANDLE hError = GetStdHandle(STD_ERROR_HANDLE);

    if (hError == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        hOutput = GetStdHandle(STD_OUTPUT_HANDLE);
        if (hOutput == INVALID_HANDLE_VALUE)
            PrintFormat(hError,
                        "GetStdHandle(%s) returned error %lu\r\n",
                        "STD_OUTPUT_HANDLE", dwError = GetLastError());
        else
        {
            hInput = GetStdHandle(STD_INPUT_HANDLE);
            if (hInput == INVALID_HANDLE_VALUE)
                PrintFormat(hError,
                            "GetStdHandle(%s) returned error %lu\r\n",
                            "STD_INPUT_HANDLE", dwError = GetLastError());
            else
            {
                for (;;)
                {
                    if (!ReadFile(hInput, cbInput, sizeof(cbInput), &dwInput, (LPOVERLAPPED) NULL)
                     && (GetLastError() != ERROR_BROKEN_PIPE))
                        PrintFormat(hError,
                                    "ReadFile() returned error %lu\r\n",
                                    dwError = GetLastError());
                    else if (dwInput != 0)
                    {
                        // one zero byte after a short read supplies the low bits of the
                        // last character kept; the rest of the group becomes '=' below
                        if (dwInput < sizeof(cbInput))
                            cbInput[dwInput] = '\0';
                        dwCount = dwInput;
                        dwInput = 0;
                        dwOutput = 0;
                        do
                        {
                            // 4 bytes are loaded, but only the upper 24 bits (3 input
                            // bytes) are used; for the last group of a full buffer the
                            // load includes the byte following cbInput, which is not used
                            dwInOut = _byteswap_ulong(*(DWORD *) (cbInput + dwInput));
                            dwInput += 3;
                            cbOutput[dwOutput++] = szBase64[dwInOut >> 26];
                            cbOutput[dwOutput++] = szBase64[(dwInOut >> 20) & 63];
                            cbOutput[dwOutput++] = szBase64[(dwInOut >> 14) & 63];
                            cbOutput[dwOutput++] = szBase64[(dwInOut >> 8) & 63];
                        }
                        while (dwInput < dwCount);
                        // overwrite one character with '=' per missing input byte
                        for (dwInOut = dwOutput; dwInput > dwCount; dwCount++)
                            cbOutput[--dwInOut] = '=';
                        cbOutput[dwOutput++] = '\r';
                        cbOutput[dwOutput++] = '\n';
                        if (!WriteFile(hOutput, cbOutput, dwOutput, &dwCount, (LPOVERLAPPED) NULL))
                            PrintFormat(hError,
                                        "WriteFile() returned error %lu\r\n",
                                        dwError = GetLastError());
                        else if (dwCount != dwOutput)
                            PrintFormat(hError,
                                        "WriteFile() failed, %lu of %lu characters written\r\n",
                                        dwCount, dwOutput, dwError = ERROR_WRITE_FAULT);
                        else
                            continue;
                    }
                //  else
                //      dwError = ERROR_SUCCESS;
                    break;
                }
                if (!CloseHandle(hInput))
                    PrintFormat(hError,
                                "CloseHandle() returned error %lu\r\n",
                                GetLastError());
            }
            if (!CloseHandle(hOutput))
                PrintFormat(hError,
                            "CloseHandle() returned error %lu\r\n",
                            GetLastError());
        }
        if (!CloseHandle(hError))
            PrintFormat(hError,
                        "CloseHandle() returned error %lu\r\n",
                        GetLastError());
    }
    ExitProcess(dwError);
}
Run the following four command lines to compile the source file 64ENCODE.C created in step 1., link the compiled object file 64ENCODE.OBJ and clean up afterwards:
SET CL=/GA /GF /GS /Gy /O1 /Oi /Os /Oy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /DYNAMICBASE /ENTRY:mainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NXCOMPAT /OSVERSION:5.0 /OUT:"Base64 Encoder.com" /RELEASE /SUBSYSTEM:CONSOLE,5.0 /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE 64ENCODE.C
ERASE 64ENCODE.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
64ENCODE.C
64ENCODE.C(51) : warning C4295: 'szBase64' : array is too small to include a terminating null character
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
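A portable cross-check for the output of the two filters built from UUENCODE.C and 64ENCODE.C, added here as an example (it is not part of the original page or of the author's software): it applies the same 3-byte to 4-character grouping with the two alphabets from the sources, reading only bytes that exist. Going beyond the page, it adds a uuencode line decoder that treats the length character as untrusted input; all function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Alphabets as in UUENCODE.C (szU2U) and 64ENCODE.C (szBase64). */
static const char UU_TABLE[] =
    "`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_";
static const char B64_TABLE[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Shared core: each 1..3 input bytes become four table characters; absent
   bytes count as zero, and only bytes that exist are read. */
static size_t encode_groups(const char *table, const unsigned char *in,
                            size_t n, char *out)
{
    size_t i, k, o = 0;
    for (i = 0; i < n; i += 3) {
        unsigned long v = 0;
        for (k = 0; k < 3; k++)
            v = (v << 8) | (i + k < n ? in[i + k] : 0u);
        out[o++] = table[(v >> 18) & 63];
        out[o++] = table[(v >> 12) & 63];
        out[o++] = table[(v >> 6) & 63];
        out[o++] = table[v & 63];
    }
    out[o] = '\0';
    return o;
}

/* uuencode 1..45 bytes (length character, zero-padded groups); 0 on bad arguments. */
size_t uu_encode_line(const unsigned char *in, size_t n, char *out, size_t cap)
{
    if (n == 0 || n > 45 || cap < 1 + (n + 2) / 3 * 4 + 1)
        return 0;
    out[0] = (char)(' ' + n);
    return 1 + encode_groups(UU_TABLE, in, n, out + 1);
}

/* Base64-encode 1..57 bytes, '=' padding an incomplete final group. */
size_t b64_encode_line(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t o;
    if (n == 0 || n > 57 || cap < (n + 2) / 3 * 4 + 1)
        return 0;
    o = encode_groups(B64_TABLE, in, n, out);
    if (n % 3 == 1) out[o - 2] = '=';
    if (n % 3 != 0) out[o - 1] = '=';
    return o;
}

/* Value of one uuencoded character; '`' and ' ' both mean zero, -1 if invalid. */
static int uu_value(char c)
{
    return c == '`' ? 0 : (c >= ' ' && c <= '_') ? c - ' ' : -1;
}

/* Decode one uuencoded line. The length character is checked against the
   characters present and the output capacity first. Returns bytes or -1. */
long uu_decode_line(const char *line, unsigned char *out, size_t cap)
{
    size_t len = strlen(line), i, o = 0, n;
    int a, b, c, d;
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;
    if (len == 0 || uu_value(line[0]) < 0)
        return -1;
    n = (size_t)uu_value(line[0]);
    if (n > 45 || n > cap || len - 1 < (n + 2) / 3 * 4)
        return -1;
    for (i = 1; o < n; i += 4) {
        a = uu_value(line[i]);     b = uu_value(line[i + 1]);
        c = uu_value(line[i + 2]); d = uu_value(line[i + 3]);
        if ((a | b | c | d) < 0)
            return -1;
        out[o++] = (unsigned char)((a << 2) | (b >> 4));
        if (o < n) out[o++] = (unsigned char)(((b << 4) | (c >> 2)) & 0xff);
        if (o < n) out[o++] = (unsigned char)(((c << 6) | d) & 0xff);
    }
    return (long)o;
}

/* Demo helpers: encode a C string into a static buffer ("" on error). */
const char *uu_line(const char *s)
{
    static char buf[64];
    return uu_encode_line((const unsigned char *)s, strlen(s), buf, sizeof buf) ? buf : "";
}
const char *b64_line(const char *s)
{
    static char buf[80];
    return b64_encode_line((const unsigned char *)s, strlen(s), buf, sizeof buf) ? buf : "";
}

int main(void)
{
    unsigned char raw[45];
    printf("%s %s %ld\n", uu_line("Cat"), b64_line("Ma"), uu_decode_line("M0V%T", raw, sizeof raw));
    return 0;
}
```

Piping the same input through the built filters and comparing line by line with these functions checks the binaries recreated from the dumps against the published sources.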
Create the text file 64ENCODE.TXT with the following content in an arbitrary, preferably empty directory:
Decode the dump file 64ENCODE.TXT created in step 3. to recreate the console application Base64 Encoder:
CERTUTIL.EXE /DecodeHex /V 64ENCODE.TXT 64ENCODE.COM
Input Length = 6528
Output Length = 1536
CertUtil: -decodehex command completed successfully.
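A check one might run on a file recreated from a hex dump before executing it, as an added example that is not part of the original page: it re-decodes a dump, rejects lines whose ASCII column disagrees with the hex bytes (copy or extraction damage), and reports the PE header fields and the SHA-256 of the result for comparison with a value obtained over a trusted channel. The column layout (48-column hex field, two spaces, ASCII column), the helper names and the sample image are assumptions constructed for the example.

```python
import hashlib
import struct

def _ascii(chunk: bytes) -> str:
    # Printable ASCII is shown as is, every other byte as '.'
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)

def to_dump(data: bytes) -> str:
    """Render bytes in the assumed layout, 16 bytes per CRLF-terminated line."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hex_field = " ".join(f"{b:02x}" for b in chunk)
        lines.append(f"{hex_field:<48}  {_ascii(chunk)}")
    return "\r\n".join(lines) + "\r\n"

def parse_dump(text: str) -> bytes:
    """Decode the hex field; fail if the ASCII column tells a different story."""
    out = bytearray()
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        chunk = bytes.fromhex(line[:48])          # fixed-width hex field
        shown = line[50:50 + len(chunk)]          # ASCII column of the same line
        if shown != _ascii(chunk):
            raise ValueError(f"line {number}: ASCII column does not match hex bytes")
        out += chunk
    return bytes(out)

def pe_summary(image: bytes) -> dict:
    """Verify the MZ and PE signatures and return fields worth comparing."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, sections = struct.unpack_from("<HH", image, e_lfanew + 4)
    return {"size": len(image), "machine": machine, "sections": sections,
            "sha256": hashlib.sha256(image).hexdigest()}

# Constructed sample: a 96-byte stub with only the header fields checked above
# (not a loadable program and not the binary from this page).
SAMPLE_IMAGE = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
                + b"PE\0\0" + struct.pack("<HH", 0x014C, 2) + bytes(24))
SAMPLE_DUMP = to_dump(SAMPLE_IMAGE)

if __name__ == "__main__":
    print(pe_summary(parse_dump(SAMPLE_DUMP)))
```

The column comparison only catches accidental damage; anyone who can alter the dump can alter both columns, so the SHA-256 comparison against an independently obtained value is the check that matters.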
Use the X.509 certificate to send S/MIME encrypted mail.
Note: email in weird format and without a proper sender name is likely to be discarded!
I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.
as is without any warranty, neither express nor implied.
cookies in the web browser.
The web service is operated and provided by Telekom Deutschland GmbH.
The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):