
Beyond good ol’ Run key

July 23, 2012 in Anti-Forensics, Autostart (Persistence), Forensic Analysis, Malware Analysis

I have recently been posting quite a lot of random stats from the 300k/1M samples. Today something different for a change: non-obvious or less-known autorun entries.

The ‘obvious’ introduction

As we know, malware needs to work. To do so, it needs to ensure it runs when the system starts. Well, not really. In fact, it just needs to ensure it runs at all, and it can start at any time as long as that is the right moment to activate its payload (e.g. a keylogger doesn’t need to autostart with the system; it can activate when the user opens a browser or mail client).

Malware authors are really lucky. There are so many autorun possibilities in Windows that it is really hard to count them. Two of the best-known tools that try to enumerate most of these entries are Start Runners and Sysinternals’ Autoruns. They both do a great job of highlighting many of the suspicious files, but… deep inside the registry and file system there exists a HUGE number of completely new, unexplored (or possibly less or under-explored) paths that can be (and maybe already are) misused.

Obviously, run-at-system-start and run-at-logon are commonly used out of convenience, yet all file/registry locations supporting this persistence mechanism are already very well known, and pretty much every single AV always scans these locations first (not to mention forensic investigators poking around on the analyzed system :)). There are of course many examples of other autostart locations that are not system/logon related, and these include Browser Helper Objects, Layered Service Provider DLLs, codecs, protocol handlers, shell extensions, toolbars, deskbars, etc. etc. These are not all of them though, and there are a lot of possibilities out there. In this post I provide a quick brain dump of various ideas related to this subject. Some may be considered silly, or not worth attention, but… oh well, it’s just a post about possibilities :) Better the evil known than unknown.

The autoruns hidden inside other applications

One of the non-standard autorun entries that is probably the best known and documented is the ICQ entry stored under:

  • HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps

Old versions of ICQ allowed the user to add a list of applications that it would launch when it connected to the network. The following screenshots are taken from old versions of this great software (imho it used to be a real killer app!).

Adding calculator to be run by ICQ was relatively easy:

And it would then appear on the list:

Looking at the registry under

  • HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps

would show us the actual entry:

I have a vague memory of successfully testing it ages ago, but since the old version no longer works and I was unable to confirm it for this blog post, let’s just trust the evidence that can be found online: Googling for this key brings up quite a few hits that show it being actively used by malware.

As far as I know new versions of ICQ do not support it anymore.

This, obviously, is not the only app ever developed that ‘by design’ helps launch an application when some task/event is completed.

For example, similar functionality can be found in many torrent applications e.g. utorrent:

Adding the entry as shown on the screenshot would make utorrent launch calculator every time it finishes downloading a torrent (the actual data for the utorrent autorun is stored inside its configuration file, settings.dat).

The same goes for the bittorrent client (not a surprise, since the two clients share code).

Again, the settings.dat holds the ‘autorun’ data:

There may be other applications like this.

The even more hidden autoruns hidden inside applications

Pretty much every single downloader, torrent client, media grabber, etc. contains an option to preview files, i.e. a configurable media player.

This is certainly a possible malware autorun, as the configured player is executed any time someone tries to preview/prelisten to video/music downloaded with a P2P client or grabbed by a media grabber; again, in the case of e.g. utorrent:

and emule:

There are certainly lots of applications like this.
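As an added example (not code from the original post, nor from uTorrent or BitTorrent), here is a small Python triage helper for the settings.dat cases above: it decodes the bencoded file and lists every string value that looks like a command line or executable path, so both the ‘run this program when a torrent finishes’ entry and a configured preview player can be reviewed offline from a copied file. The key names finish_cmd and gui.last_preview_player and the file contents are constructed for this demo and are not verified uTorrent key names.

```python
"""Decode a bencoded settings.dat and list values that look like commands.
Added example, not code from the original post or from uTorrent/BitTorrent.
Key names finish_cmd and gui.last_preview_player are assumed, not verified."""
import re
from typing import Any, List, Tuple


# ---- minimal bencode codec (settings.dat is a bencoded dictionary) ----
def bencode(obj: Any) -> bytes:
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # dictionary keys are byte strings and must be emitted in sorted order
        body = b"".join(bencode(k) + bencode(obj[k]) for k in sorted(obj))
        return b"d" + body + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                       # dict: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            v, i = _decode(data, i)
            d[k.decode("utf-8", "replace")] = v
        return d, i + 1
    if c.isdigit():                     # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError(f"malformed bencode at offset {i}")


def bdecode(data: bytes) -> Any:
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


# ---- triage: which values would launch something? ----
EXEC_RE = re.compile(r"\.(exe|bat|cmd|com|scr|vbs|js|ps1)(?![A-Za-z0-9])", re.I)
# heuristic: paths under user-writable locations deserve a closer look
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\")


def find_run_commands(node: Any, path: str = "") -> List[Tuple[str, str, bool]]:
    """Walk the decoded settings; return (key path, value, user_writable)."""
    hits: List[Tuple[str, str, bool]] = []
    if isinstance(node, dict):
        for k, v in node.items():
            hits += find_run_commands(v, f"{path}/{k}" if path else k)
    elif isinstance(node, list):
        for idx, v in enumerate(node):
            hits += find_run_commands(v, f"{path}[{idx}]")
    elif isinstance(node, bytes):
        text = node.decode("utf-8", "replace")
        if EXEC_RE.search(text):
            hits.append((path, text, any(m in text.lower() for m in USER_WRITABLE)))
    return hits


def triage_settings_dat(data: bytes) -> List[Tuple[str, str, bool]]:
    return find_run_commands(bdecode(data))


# Constructed sample (key names assumed, values made up for the demo).
SAMPLE_SETTINGS = {
    "bind_port": 6881,
    "dir_completed_download": b"C:\\Users\\bob\\Downloads",
    "finish_cmd": b"C:\\Users\\bob\\AppData\\Roaming\\updater.exe \"%F\"",
    "gui.last_preview_player": b"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
    "rss": {"update_interval": 15},
}

if __name__ == "__main__":
    for key, value, writable in triage_settings_dat(bencode(SAMPLE_SETTINGS)):
        print(f"{'!' if writable else ' '} {key}: {value}")
```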

‘Scanning’ files with AV when downloaded

Another option for placing a malicious file resides in many applications, e.g. browsers and mail clients. They allow every single file that has been downloaded from the internet, attached to an email or received via Instant Messenger to be scanned with an external application.

Such a feature is available e.g. in Firefox with the Download Status Bar extension installed.

The about:config page shows the following options (false assigned to the ‘downbar.function.virusScan’ property indicates the scan is disabled):

The default application selected is ‘C:/Program Files/myAnti-VirusProgram.exe’, but of course malware could easily replace it:

and modify the ‘downbar.function.virusScan’ property to true.

Notably, placing malware as ‘c:\Program Files\myAnti-VirusProgram.exe’ doesn’t seem to work due to the slash/backslash mismatch (this could be a neat trick if it worked).

Windows Shell alternatives

Windows Explorer is not the only Windows shell available. In fact there are lots of alternatives, and each of them brings lots of new options to the table. Looking at programs used by hundreds of thousands (if not millions) of users, including Total Commander, FAR and many others, can cause a real headache. From an offensive perspective there are really a lot of opportunities: from plugins and extensions to completely new (lame, but certainly workable) ‘rootkitish’ methods for hiding under (sic!) the shell (e.g. custom views, or even simple GUI attacks).

The less obvious places for malware autorun

Most producers of scanners/printers/combos offer ‘associated software’ that takes control of many aspects of the dialog between the user, the device and the computer.

One of the tasks handled by the software is the ‘Start this program’ function: an application that runs when certain events happen, e.g. when you press a specific button on the scanner/printer. The following screenshot is taken on a system with a CanoScan 4400F scanner attached to it, but with no software installed. The ‘Start this program’ option is grayed out.

Installing the Canon Toolbox assigns this program to events associated with various user activities, e.g. pressing the COPY button on the scanner.

Clicking the combo box reveals more events, all of them associated with the specific application:

You are probably wondering now where the information about this is stored in the registry/on the file system.

The program responding to device events is itself an example of a Push-Model Aware Application, added to the system via the Windows Image Acquisition (WIA) / Still Image (STI) interface.

The registry location where the Push-Model Aware Applications installed on the system are listed is described in the article I just linked to:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications

The programs registered this way can respond to STI events. Of course, malware could overwrite/manipulate the entry and act as a man in the middle between the device and the actual software configured to respond to the event. It could also be added to respond to certain events; the actual registry entries that need to be added are described here (I have not tested it though) and include:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\Handlers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StillImage\Events\STIProxyEvent

Autostart by re-using existing entries

Instead of adding new entries to the Run keys, Startup folder, etc., malware can leverage existing registry entries. In many cases, swapping VERY common entries, e.g. for jusched.exe from the Java updater, or ctfmon.exe, could do the trick. Another option is companion infection of processes active on the system, which is especially interesting for applications in Portable format, as they are used more and more often and not many people actually inspect their contents. They can also easily be hidden on an inspected system and escape routine analysis of the Program Files directory.

Plugins, Plugins, Plugins

I mentioned plugins in the context of Windows Explorer alternatives; the same goes for various office suites, drawing/design applications, graphics viewers (note e.g. IrfanView has a subfolder storing all its plugins as DLL files) and so on and so forth. This is the tip of an iceberg.

File System infection

One of the most interesting pieces of malware from the DOS era was DIR-II. It had a unique way of infecting executable files by modifying their cluster map in the FAT itself. Each .exe would point to a cluster containing the malicious code (always the same cluster), so with the malware NOT active in memory the file system would appear to be corrupted (because of multiple entries pointing to the same cluster, a problem known as cross-linking). With the malware active in memory it would ‘fix’ the cross-linking on the fly and execute files properly.

The very same technique could potentially be implemented for NTFS: this would require placing a small .exe on the system and then changing the cluster sequence within each FILE record to always point to the cluster occupied by the .exe. Another alternative (especially for volumes formatted with a FILE record larger than 1024 bytes) would require a tiny .exe that could be stored within the $MFT file record itself (replacing the non-resident attribute with a resident one), while the actual clusters used by the host file could be stored either in a different part of the file record or within the malicious code itself. In both cases the small .exe would read the original clusters and transfer control to the host. A very, very non-trivial task. Luckily.


Random Stats from 1M samples – RegKeys

July 20, 2012 in Batch Analysis, Malware Analysis

Update

Harlan proposed searching for ‘system\’. I did, and added the stats below.

Old post

Corey asked on Twitter about stats for registry keys, so I grepped the strings extracted from the samples for traces of related artifacts. Since it’s a non-trivial task (at least dynamic analysis is needed to confirm which registry keys are really used at run-time, and even more work is needed to confirm which keys are actually malware-related), I only searched for the ‘Software\’ string, assuming it is a decent keyword to start with. If you have better ideas, please let me know.
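An added example, not the author’s own script: a Python version of the ‘grep the extracted strings for Software\ and count’ approach. It also pulls UTF-16LE strings (common in Windows binaries and missed by a plain ASCII grep) and can optionally fold case, so that variants such as Software\MediaGet and SOFTWARE\MediaGet are counted together instead of as separate entries. The three sample blobs are constructed stand-ins, not real samples.

```python
"""Rank registry-key-looking strings across a set of sample binaries.
Added example, not the post's own script; SAMPLES below are constructed blobs."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Registry path fragment starting at one of the roots the post grepped for.
# Spaces are allowed because real keys contain them ("Windows NT", "Shell Folders").
REGKEY_RE = re.compile(r"(?:SOFTWARE|SYSTEM)\\[\x21-\x7e ]*", re.I)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Like the `strings` tool: printable ASCII runs, plus UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(blob)]
    return found


def registry_keys(strings: Iterable[str]) -> List[str]:
    """Pull every SOFTWARE\\... / SYSTEM\\... fragment out of the strings."""
    return [m.group().rstrip() for s in strings for m in REGKEY_RE.finditer(s)]


def rank_keys(samples: Dict[str, bytes], fold_case: bool = False) -> List[Tuple[str, int]]:
    """Count in how many samples each key appears. Each sample contributes at
    most one count per key, so a binary that embeds the same key many times
    does not skew the ranking. fold_case merges Software\\X with SOFTWARE\\X."""
    counts: Counter = Counter()
    for blob in samples.values():
        keys = set(registry_keys(extract_strings(blob)))
        if fold_case:
            keys = {k.lower() for k in keys}
        counts.update(sorted(keys))  # sorted: deterministic order among ties
    return counts.most_common()


# Constructed stand-ins for extracted samples (not real malware).
SAMPLES: Dict[str, bytes] = {
    "sample_a.bin": (
        b"MZ\x90\x00" + b"\x00" * 8
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"  # repeated in-sample
        + b"SOFTWARE\\Borland\\Delphi\\RTL\x00"
    ),
    "sample_b.bin": (
        b"MZ"
        + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
        + b"\x00\x00"
        + b"SYSTEM\\CurrentControlSet\\Services\\\x00"
    ),
    "sample_c.bin": b"\xff\xfe\x00\x01junk\x00SOFTWARE\\Borland\\Delphi\\RTL\x00",
}

if __name__ == "__main__":
    for key, n in rank_keys(SAMPLES):
        print(f"{n:7d} {key}")
    print("--- case-folded ---")
    for key, n in rank_keys(SAMPLES, fold_case=True):
        print(f"{n:7d} {key}")
```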

These are the entries with more than 1000 occurrences for ‘SOFTWARE\’:

 112294 SOFTWARE\Borland\Delphi\RTL
  89263 Software\Microsoft\Windows\CurrentVersion\Run
  81916 Software\Borland\Delphi\Locales
  80672 Software\Borland\Locales
  53495 Software\Microsoft\Windows\CurrentVersion
  48312 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  45933 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  31554 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  21968 Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  21788 Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  21420 Software\Microsoft\Internet Explorer\Main
  20350 SOFTWARE\
  18188 Software\Microsoft\Windows\CurrentVersion\Policies\System
  17461 Software\
  16913 SOFTWARE\Microsoft\Windows\CurrentVersion
  16271 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  11711 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  10785 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  10471 SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
  10305 Software\Microsoft\Windows\CurrentVersion\Internet Settings
   9981 Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
   9894 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
   9443 SOFTWARE\Microsoft\Windows NT\CurrentVersion
   9285 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
   8805 Software\%s
   8371 Software\Microsoft\Windows\CurrentVersion\RunServices
   8215 SOFTWARE\Microsoft\Internet Explorer\Main
   8206 Software\Microsoft\Windows\CurrentVersion\Policies\Network
   7826 Software\Microsoft\Windows\CurrentVersion\RunOnce
   7614 Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
   7465 Software\Microsoft\Internet Explorer
   7252 SoftWare\Microsoft\Windows\CurrentVersion\Run
   7183 SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
   6988 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
   6918 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
   6187 Software\WinLicense
   5573 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
   5510 Software\Microsoft\Active Setup\Installed Components\
   5209 HKLM\Software\Microsoft\Windows\CurrentVersion
   5184 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
   4925 Software\Microsoft\Internet Explorer\PageSetup
   4886 Software\Microsoft\Windows NT\CurrentVersion\Winlogon
   4739 Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
   4625 Software\Microsoft\OLE
   4568 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   4396 SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
   4348 Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
   4182 SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
   3994 Software\Classes\
   3933 SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   3739 Software\Microsoft\Windows\CurrentVersion\run
   3704 Software\Fenomen Games\Game Downloader\1.1\List
   3533 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
   3532 SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
   3506 Software\WinRAR SFX
   3498 SOFTWARE\SweetIM\Messenger
   3492 SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322
   3420 Software\MediaGet
   3420 SOFTWARE\MediaGet
   3408 Software\Mediaget
   3408 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{70B96CD0-FDF2-489E-8FA0-0F92ED599368}
   3407 Software\Microsoft\Windows\CurrentVersion\Uninstall\MediaGet
   3316 SOFTWARE\BabylonToolbar\BabylonToolbar\Instl
   3302 Software\BioWare\NWN\Neverwinter
   3291 SOFTWARE\Microsoft\Security Center
   3281 SOFTWARE\Microsoft\NET Framework Setup\NDP
   3268 Software\Policies\Microsoft\Internet Explorer\Control Panel
   3238 Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
   3207 Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
   3149 Software\Microsoft\Windows NT\CurrentVersion\Windows
   2978 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
   2899 SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
   2764 Software\Microsoft\Windows NT\CurrentVersion
   2763 Software\Microsoft\Internet Account Manager\Accounts
   2749 Software\Microsoft\Internet Explorer\TypedURLs
   2746 SOFTWARE\Microsoft\Internet Explorer
   2686 Software\Microsoft\Windows\CurrentVersion\Uninstall
   2643 Software\Microsoft\Windows\CurrentVersion\policies\explorer\run
   2619 Software\Microsoft\Windows\CurrentVersion\App Paths
   2527 Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0
   2513 Software\Microsoft\Windows\ShellNoRoam\MUICache
   2478 Software\Wine
   2402 Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
   2400 Software\Microsoft\Windows\CurrentVersion\Uninstall\
   2339 Software\Valve\Half-Life\Settings
   2308 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
   2299 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   2249 SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   2244 SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   2234 Software\Ask.com.tmp
   2133 Software\Valve\CounterStrike\Settings
   2107 SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
   2099 SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
   2098 Software\Activision\Soldier of Fortune II - Double Helix
   2033 SOFTWARE\Microsoft\Windows\CurrentVersion\
   1941 Software\Eugen Systems\The Gladiators
   1931 Software\AppDataLow
   1866 SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
   1851 SOFTWARE\WinRAR
   1842 Software\Microsoft\Windows\CurrentVersion\Explorer
   1841 Software\ASProtect\Key
   1833 Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s
   1829 Software\Unreal Technology\Installed Apps\UT2003
   1822 SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
   1813 Software\Valve\Gunman\Settings
   1811 Software\JoWooD\InstalledGames\IG2
   1807 Software\Electronic Arts\EA GAMES\Generals\ergc
   1802 Software\Microsoft\Protected Storage System Provider
   1798 Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings
   1791 Software\Electronic Arts\EA Sports\FIFA 2003\ergc
   1761 Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
   1687 Software\Microsoft\Internet Explorer\New Windows\Allow
   1686 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
   1665 Software\Microsoft\Internet Explorer\SearchScopes
   1646 SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
   1617 Software\Westwood\Tiberian Sun
   1606 Software\Westwood\Red Alert 2
   1576 Software\3d0\Status
   1571 Software\Electronic Arts\EA Sports\NHL 2003\ergc
   1571 Software\Electronic Arts\EA Sports\NHL 2002\ergc
   1570 Software\Techland\Chrome
   1570 Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
   1570 Software\Microsoft\Windows
   1565 Software\Electronic Arts\EA Sports\FIFA 2002\ergc
   1563 Software\Electronic Arts\EA GAMES\Battlefield 1942\ergc
   1560 Software\Microsoft\Internet Explorer\IntelliForms\Storage2
   1560 Software\Microsoft\%s %s Manager\%ss
   1560 Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII\ergc
   1559 Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome\ergc
   1555 Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
   1553 Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
   1545 Software\Westwood\Red Alert
   1541 Software\Fenomen Games\Game Downloader\1.1\Completed
   1534 Software\Illusion Softworks\Hidden & Dangerous 2
   1528 Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
   1515 Software\Unreal Technology\Installed Apps\UT2004
   1502 Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
   1490 Software\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc
   1483 SOFTWARE\Mozilla\Mozilla Firefox
   1481 Software\Red Storm Entertainment\RAVENSHIELD
   1478 Software\Westwood\NOX
   1478 Software\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour\ergc
   1475 Software\IGI 2 Retail
   1474 Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2
   1472 Software\Electronic Arts\EA GAMES\Need For Speed Underground\ergc
   1461 Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead\ergc
   1461 Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough\ergc
   1460 Software\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc
   1460 Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc
   1459 Software\Electronic Arts\EA GAMES\Black and White\ergc
   1458 Software\Policies\Microsoft\Internet Explorer\Restrictions
   1458 Software\Electronic Arts\EA GAMES\Global Operations\ergc
   1458 Software\Electronic Arts\EA Distribution\Freedom Force\ergc
   1457 Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc
   1456 Software\Yahoo\Pager\View\YMSGR_Launchcast
   1433 SOFTWARE\Classes\http\shell\open\commandV
   1405 Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
   1373 SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
   1373 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
   1351 SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
   1342 SOFTWARE\Vitalwerks\DUC
   1337 SOFTWARE\Policies\Microsoft\Windows\Installer
   1300 Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\
   1296 SOFTWARE\CnNuo20\socket
   1287 Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
   1246 SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
   1246 SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
   1224 SOFTWARE\Microsoft\Active Setup\Installed Components
   1214 Software\Yahoo\Pager\View\YMSGR_buzz
   1195 Software\Microsoft\Internet Explorer\TypedAddress
   1190 SOFTWARE\Microsoft\IDSCNP
   1177 Software\Microsoft\Windows\CurrentVersion\Run\
   1170 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
   1165 SOFTWARE\Microsoft\Active Setup\Installed Components\
   1165 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   1150 Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
   1136 Software\Microsoft\Internet Explorer\Desktop\General
   1129 Software\EGDHTML
   1125 Software\Microsoft
   1121 SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
   1111 Software\Microsoft\Internet Explorer\Toolbar
   1102 Software\Microsoft\Windows\CurrentVersion\Network\LanMan
   1075 Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   1059 Software\Zylom\MyZylom\Credentials
   1058 Software\Microsoft\Windows\CurrentVersion\
   1054 SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
   1049 SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
   1040 Software\microsoft\windows\currentversion\Explorer\shellexecutehooks
   1039 Software\Borland\Database Engine
   1034 Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
   1034 SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
   1023 SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
   1023 SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
   1016 Software\Yahoo\Pager\View\YMSGR_Calendar
   1016 Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
   1013 Software\AppDataLow\RivalGamingData
   1009 Software\Classes\CLSID\%s\InprocServer32
   1002 Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu

And the stats for ‘SYSTEM\’:
  52751 System\CurrentControlSet\Control\Keyboard Layouts\%.8x
  14516 SYSTEM\CurrentControlSet\Services\
   6913 SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
   5894 SYSTEM\CurrentControlSet\Services\%s
   4994 SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
   4170 SYSTEM\CurrentControlSet\Control\Lsa
   3361 SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
   3081 SYSTEM\CurrentControlSet\Control\ProductOptions
   3022 System\CurrentControlSet\Control\Session Manager
   2722 SYSTEM\CurrentControlSet\Control\Terminal Server
   2575 SYSTEM\CurrentControlSet\Services
   2547 SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
   2486 System\CurrentControlSet\Services\
   2388 System\CurrentControlSet\Control\Session Manager\FileRenameOperations
   1468 SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
   1416 SYSTEM\
   1397 system\sservice.exe
   1341 SYSTEM\CurrentControlSet\Services\TermService
   1316 SYSTEM\CurrentControlSet\Services\TermDD
   1303 SYSTEM\CurrentControlSet\Control\Session Manager
   1215 SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
   1213 SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
   1203 SYSTEM\ControlSet001\Services\
   1171 SYSTEM\CurrentControlSet\Services\SharedAccess
   1135 system\
   1086 SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
    964 SYSTEM\ControlSet001\Services\%s
    929 SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    928 SYSTEM\CurrentControlSet\Services\%s\Performance
    920 SYSTEM\CurrentControlSet\Services\wscsvc
    914 SYSTEM\ControlSet001\Control\SafeBoot
    882 System\CurrentControlSet\Control\Windows
    828 SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    822 SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
    757 SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    702 SYSTEM\CurrentControlSet\Services\EventLog\Application\
    695 SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    691 System\CurrentControlSet\Services\VxD\VNETSUP
    691 SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
    687 System\
    683 SYSTEM\CurrentControlSet\Services\WinDHCPsvc
    656 SYSTEM\CurrentControlSet\Control
    618 System\CurrentControlSet\Control
    608 SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
    606 SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
    558 SYSTEM\CurrentControlSet
    556 SYSTEM\CurrentControlSet\Control\SafeBoot
    542 SYSTEM\CurrentControlSet\Services\srservice
    539 SYSTEM\CurrentControlSet\Services\Messenger
    517 SYSTEM\CurrentControlSet\Services\%s\Parameters
    496 System\CurrentControlSet\Control\ProductOptions
    481 SYSTEM\CurrentControlSet\Services\RemoteRegistry
    465 SYSTEM\CurrentControlSet\Services\WinSock2\speednet_sph
    462 SYSTEM\CurrentControlSet\Services\TlntSvr
    455 SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip
    452 SYSTEM\ControlSet001\Control\StorageDevicePolicies\WriteProtect
    437 System\CurrentControlSet\Services\RemoteAccess
    433 system\CurrentControlSet\Services\VxD\VNETSUP
    413 System\CurrentControlSet\Services\SharedAccess
    407 SYSTEM\CurrentControlSet\Services\CelInDrv
    404 System\CurrentControlSet\Control\ComputerName\ComputerName
    395 SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    393 SYSTEM\CurrentControlSet\Control\SafeBoot\Network
    382 SYSTEM\MountedDevices
    374 SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
    372 SYSTEM\CurrentControlSet\Control\Nls\Language
    369 System\CurrentControlSet\Services\10DD75E0
    367 SYSTEM\CurrentControlSet\Control\Terminal Server\
    364 SYSTEM\CurrentControlSet\Services\wuauserv
    359 SYSTEM\ControlSet001\Services\srservice
    355 SYSTEM\CurrentControlSet\Services\navapsvc
    353 system\wininv.dll
    352 system\winkey.dll
    351 SYSTEM\ControlSet001\Services\navapsvc
    338 SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    337 SYSTEM\ControlSet002\Control\Terminal Server\
    318 SYSTEM\CurrentControlSet\Services\BITS\Parameters
    314 SYSTEM\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\
    313 SYSTEM\CurrentControlSet\Services\10DD75E0
    312 SYSTEM\CurrentControlSet\Services\Winsock\Parameters
    310 SYSTEM\CurrentControlSet\Services\Winsock2\Parameters
    295 SYSTEM\CurrentControlSet\Control\SafeBoot\
    294 System\CurrentControlSet\Services\AE2CA9B0
    290 SYSTEM\InfoTime
    288 system\CurrentControlSet\Services
    284 SYSTEM\CurrentControlSet\Control\nls\codepage
    280 SYSTEM\ControlSet001\Services\kspooldaemon
    279 system\cURRENTcONTROLsET\sERVICES\%s
    278 System\CurrentControlSet\Services\VxD\MSTCP
    273 System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    272 SYSTEM\CurrentControlSet\Services\ERSvc
    271 System\CurrentControlSet\Control\MPRServices\TestService
    270 SYSTEM\ControlSet001\Enum\Root\LEGACY_KSPOOLDAEMON\0000
    266 SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    262 SYSTEM\CurrentControlSet\Control\Windows
    261 System\CurrentControlSet\Control\Lsa
    254 System\CurrentControlSet\Services\KAVsys
    254 SYSTEM\ControlSet003\Services\BITS\Parameters
    252 SYSTEM\ControlSet001\Services\KSD2Service
    239 SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
    238 SYSTEM\ControlSet001\Services\wscsvc
    232 SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
    230 SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    225 System\CurrentControlSet\Services\Tcpip\Parameters
    223 SYSTEM\CurrentControlSet\Services\AeLookupSvcs
    214 system\cURRENTcONTROLsET\sERVICES\
    214 SYSTEM\CurrentControlSet\Services\Schedule
    210 SYSTEM\CurrentControlSet\Control\Class
    209 System\CurrentControlSet\Services
    207 SYSTEM\CurrentControlSet\Services\kkdc
    205 System\CurrentControlSet\Services\%s
    202 SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    198 SYSTEM\ControlSet001\Services\wuauserv
    194 SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    192 SYSTEM\CurrentControlSet\Services\CSNetManagerXp
    189 SYSTEM\ControlSet001\Services\SharedAccess
    188 System\CurrentControlSet\Services\Class\
    185 SYSTEM\CurrentControlSet\Services\Class
    182 SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    180 System\CurrentControlSet\Services\WinSock2\Parameters\
    180 System\CurrentControlSet\Services\E2C9CC2C
    176 SYSTEM\CurrentControlSet\Services\SSHNAS
    175 System\CurrentControlSet\Control\Class\
    175 SYSTEM\Setup
    175 SYSTEM\CurrentControlSet\Services\BITS
    174 SYSTEM\CurrentControlSet\Services\DomainService
    174 SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
    173 SYSTEM\CurrentControlSet\Services\ManagereUpdate
    172 SYSTEM\CurrentControlSet\Services\WinSock2\ESPI11
    169 SYSTEM\CurrentControlSet\Services\acpidisk
    168 SYSTEM\CurrentControlSet\Services\Ball\
    167 SYSTEM\CurrentControlSet\Services\Medie Sariel Number Services
    166 SYSTEM\CurrentControlSet\Services\Kingsoft Antivirus WebShield Service
    164 System\WPA\ApplianceServer
    164 SYSTEM\CurrentControlSet\Services\Ball
    163 SYSTEM\CurrentControlSet\Control\TimeZoneInformation