WScript and ASP question

  • jonpfl
    New Member
    • Feb 2007
    • 31

    #16
    I took some of my code out and now I am getting the following error:

    Microsoft VBScript runtime error '800a0046'

    Permission denied

    /credit_reporting/maintenance/business_subjects/jon.asp, line 11


    Code:
    <%@ Language=VBScript %>
    <% Option Explicit %> 
    
    <%
    Dim WSHShell, sTemp
    Set WSHShell = CreateObject("WScript.Shell")
    
    sTemp = "cscript " & Server.MapPath("\credit_reporting\maintenance\business_subjects\jon_email.vbs")
    'WSHShell.Run server.MapPath("\credit_reporting\maintenance\business_subjects\jon_test.vbs"), 1, true
    'WSHShell.Run "cscript cmd /c echo hi > c:\temp\test.txt" , 0, TRUE
    WSHShell.Run sTemp, 2, True ' window style and wait flag are arguments to Run, not part of the command string
    %> 
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    
    	<head>
    		<title>jon</title>
    	</head>
    
    <body onload="">
    <table width="100%">
        <tr><td>test</td></tr>
    </table>
    
    </body>
    </html>
    Here is jon_email.vbs

    Code:
    dim Mail
    set Mail = CreateObject("CDO.Message")
    
    'fill email fields
    Mail.From= "jonp@tampabay.rr.com"
    Mail.To= "jpessano@nacmtampa.com"
    Mail.Subject="test"
    Mail.TextBody="test"
    
    Mail.Send  'email this message
    
    set Mail = Nothing
    This is getting really frustrating. I have gone on the server and given Read/Execute permission for IUSR_.... for wscript.exe, cscript.exe, jon.asp, jon_email.vbs and cdosys.dll. What else could it be???

    Thx
    jonpfl

    Comment

    • jonpfl
      New Member
      • Feb 2007
      • 31

      #17
      Ok, I am really confused now.

      I have the following code (notice I am only calling "cscript" with no parameters). I would assume it would at least run, right?

      When I log onto my server and go to /windows/system32, I find the cscript.exe file and I verify the settings are there for IUSR_.... and set to Read and Read & Execute.

      What else could be missing?

      This is what I see when I run the code now.

      Code:
      Starts here
      
       
      7/10/2008 8:45:27 AM 
      
      
      Passed through
      Error detected: 70: Permission denied
      Code:
      <%@ Language=VBScript %>
      <% Option Explicit %> 
      
      <%
      Dim WSHShell, WshEnv, sTemp
      Set WSHShell = CreateObject("WScript.Shell")
      'Set WSHEnv = WSHShell.Environment("Process")
      'WSHEnv("SEE_MASK_NOZONECHECKS") = 1
      Response.Write("Starts here<br/>") 
      
      on error resume next 
      
      %> 
      <pre> 
      <%=now()%> 
      
      </pre> 
      <% 
      
      'sTemp = "cscript " & server.MapPath("\credit_reporting\maintenance\business_subjects\jon_email.vbs") & ", 0, true"
      'sTemp = "cscript " & ("c:\jon_temp\jon_email.vbs") & ", 0, true"
      sTemp = "cscript"
      'WSHShell.Run server.MapPath("\credit_reporting\maintenance\business_subjects\jon_test.vbs"), 1, true
      'WSHShell.Run "cscript cmd /c echo hi > c:\temp\test.txt" , 0, TRUE
      WSHShell.Run sTemp
      'WSHEnv.Remove("SEE_MASK_NOZONECHECKS")
      Response.write "Passed through<br/>" 
      
      if err.number <> 0 then 
         response.write "Error detected: " & err.number & ": " & err.Description & "<br/>" 
         on error goto 0 
         response.end 
      end if 
      on error goto 0 
      Response.write "Run successfully<br/>" 
      %> 
      
      <pre> 
      <%=now()%> 
      
      </pre> 
      
      <html xmlns="http://www.w3.org/1999/xhtml">
      
      	<head>
      		<title>jon</title>
      	</head>
      
      <body onload="">
      <table width="100%">
          <tr><td>test</td></tr>
      </table>
      
      </body>
      </html>

      Comment

      • danp129
        Recognized Expert Contributor
        • Jul 2006
        • 323

        #18
        Download filemon or process monitor to see what is being denied access...
        http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx It's still probably cscript.exe.

        You could probably have a trigger or something in your database run a job or make a small service that monitors a job table and create pdf's when a new job is found. Change the e-mail to say "Your PDF is being created it will be available at this URL when it is completed. If you cannot access this file within 10 minutes please run the report again..."

        If it were me, I'd create a new site in IIS and use IPsec to only allow the server's IP to have access to the site. Configure the new site to run as a user that has access to run cscript. Create a page on the new site that will create the PDF files or call scripts. Have the main asp page on the original site do a server side ajax query to the page on the new site which will create the pdf and respond back with whatever information you need.

        Comment
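
An added example, not part of danp129's post or of the thread: one way to triage a Process Monitor CSV export of the kind suggested above, keeping only the web worker's ACCESS DENIED events and, where the Detail column records it, the account being impersonated. The sample rows, host name, account and file paths are constructed, and the script assumes the export carries the Sequence, Process Name, Operation, Path, Result and Detail columns.

```python
import csv
import io
import re
from collections import Counter

# Only results where the access check itself failed. NAME NOT FOUND and
# BUFFER OVERFLOW are routine lookup misses and size probes, not denials.
DENIED_RESULTS = frozenset({"ACCESS DENIED"})

# Procmon writes the impersonated account into the free-text Detail column.
IMPERSONATING = re.compile(r"Impersonating: ([^,]+)")

# Constructed sample rows in Procmon's CSV export layout (not real capture data).
SAMPLE_CSV = r'''
"Sequence","Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1","10:00:00.0000001 AM","lsass.exe","500","RegOpenKey","HKLM\SECURITY\Policy","SUCCESS",""
"2","10:00:01.0000001 AM","w3wp.exe","4000","CreateFile","C:\Inetpub\site\page.asp","SUCCESS","Desired Access: Generic Read, Impersonating: WEB01\IUSR_WEB01, OpenResult: Opened"
"3","10:00:01.0000002 AM","w3wp.exe","4000","RegQueryValue","HKCR\Example\(Default)","BUFFER OVERFLOW","Length: 12"
"4","10:00:01.0000003 AM","w3wp.exe","4000","RegOpenKey","HKU\S-1-5-20_CLASSES","ACCESS DENIED",""
"5","10:00:01.0000004 AM","w3wp.exe","4000","RegOpenKey","HKCR\Example\TreatAs","NAME NOT FOUND",""
"6","10:00:01.0000005 AM","w3wp.exe","4000","CreateFile","C:\Apps\report\render.exe","ACCESS DENIED","Desired Access: Execute/Traverse, Impersonating: WEB01\IUSR_WEB01"
"7","10:00:01.0000006 AM","w3wp.exe","4000","RegOpenKey","HKU\S-1-5-20_CLASSES","ACCESS DENIED",""
"8","10:00:01.0000007 AM","explorer.exe","1100","CreateFile","C:\Temp\x.txt","ACCESS DENIED",""
'''.strip()


def denied_events(csv_text, process="w3wp.exe", results=DENIED_RESULTS):
    """Return the denied operations of one process from a Procmon CSV export."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue  # noise from lsass.exe, services.exe, explorer.exe, ...
        if row["Result"] not in results:
            continue
        match = IMPERSONATING.search(row["Detail"])
        hits.append({
            "sequence": row["Sequence"],
            "operation": row["Operation"],
            "path": row["Path"],
            # None when the Detail column does not record an identity.
            "identity": match.group(1).strip() if match else None,
        })
    return hits


def summarize(hits):
    """Count denials per (operation, path, identity), most frequent first."""
    counts = Counter((h["operation"], h["path"], h["identity"]) for h in hits)
    return counts.most_common()


if __name__ == "__main__":
    for (operation, path, identity), count in summarize(denied_events(SAMPLE_CSV)):
        who = identity or "(identity not recorded)"
        print(f"{count}x {operation} {path} as {who}")
```

The paths it reports are the objects whose ACLs need checking for the listed account, which is a narrower starting point than granting Read/Execute on every file the page touches.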

        • jonpfl
          New Member
          • Feb 2007
          • 31

          #19
          Originally posted by danp129
          Download filemon or process monitor to see what is being denied access...
          http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx It's still probably cscript.exe.

          You could probably have a trigger or something in your database run a job or make a small service that monitors a job table and create pdf's when a new job is found. Change the e-mail to say "Your PDF is being created it will be available at this URL when it is completed. If you cannot access this file within 10 minutes please run the report again..."

          If it were me, I'd create a new site in IIS and use IPsec to only allow the server's IP to have access to the site. Configure the new site to run as a user that has access to run cscript. Create a page on the new site that will create the PDF files or call scripts. Have the main asp page on the original site do a server side ajax query to the page on the new site which will create the pdf and respond back with whatever information you need.
          Ok, here is my code (very simple)

          Code:
          <%@ Language=VBScript %>
          <% Option Explicit %> 
          
          <%
          Dim WSHShell, WshEnv, sTemp
          Set WSHShell = CreateObject("WScript.Shell")
          Response.Write("Starts here<br/>") 
          
          on error resume next 
          
          %> 
          <pre> 
          <%=now()%> 
          
          </pre> 
          <% 
          
          sTemp = "cscript"
          WSHShell.Run sTemp
          Response.write "Passed through<br/>" 
          
          if err.number <> 0 then 
             response.write "Error detected: " & err.number & ": " & err.Description & "<br/>" 
             on error goto 0 
             response.end 
          end if 
          on error goto 0 
          Response.write "Run successfully<br/>" 
          %> 
          
          <pre> 
          <%=now()%> 
          
          </pre> 
          
          <html xmlns="http://www.w3.org/1999/xhtml">
          
          	<head>
          		<title>jon</title>
          	</head>
          
          <body onload="">
          <table width="100%">
              <tr><td>test</td></tr>
          </table>
          
          </body>
          </html>
          Here is the response from Process Monitor
          Code:
          "Sequence","Time of Day","Process Name","PID","Operation","Path","Result","Detail"
          "31","10:50:42.4903682 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy","SUCCESS",""
          "32","10:50:42.4904307 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "33","10:50:42.4904795 AM","lsass.exe","472","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","BUFFER OVERFLOW","Length: 12"
          "34","10:50:42.4905103 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "35","10:50:42.4905385 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "36","10:50:42.4905757 AM","lsass.exe","472","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","SUCCESS","Type: REG_NONE, Length: 180, Data: 01 00 04 80 98 00 00 00 A8 00 00 00 00 00 00 00"
          "37","10:50:42.4906050 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "38","10:50:42.4910430 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy","SUCCESS",""
          "39","10:50:42.4917147 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,305,552, Length: 304"
          "40","10:50:42.4917769 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,305,856, Length: 40"
          "41","10:50:42.4925684 AM","snmp.exe","1412","RegOpenKey","HKLM\SOFTWARE\Microsoft\SNMP_EVENTS\EventLog\Sources\Security\578","NAME NOT FOUND",""
          "42","10:50:42.4949583 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy","SUCCESS",""
          "43","10:50:42.4950211 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "44","10:50:42.4950664 AM","lsass.exe","472","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","BUFFER OVERFLOW","Length: 12"
          "45","10:50:42.4950971 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "46","10:50:42.4951228 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "47","10:50:42.4951600 AM","lsass.exe","472","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","SUCCESS","Type: REG_NONE, Length: 180, Data: 01 00 04 80 98 00 00 00 A8 00 00 00 00 00 00 00"
          "48","10:50:42.4951892 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "49","10:50:42.4956395 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy","SUCCESS",""
          "50","10:50:42.4962530 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,305,856, Length: 304"
          "51","10:50:42.4962875 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,306,160, Length: 40"
          "65","10:50:42.5029244 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy","SUCCESS",""
          "66","10:50:42.5029885 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "67","10:50:42.5030337 AM","lsass.exe","472","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","BUFFER OVERFLOW","Length: 12"
          "68","10:50:42.5030653 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "69","10:50:42.5030909 AM","lsass.exe","472","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "70","10:50:42.5031285 AM","lsass.exe","472","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","SUCCESS","Type: REG_NONE, Length: 180, Data: 01 00 04 80 98 00 00 00 A8 00 00 00 00 00 00 00"
          "71","10:50:42.5031581 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS",""
          "72","10:50:42.5035849 AM","lsass.exe","472","RegCloseKey","HKLM\SECURITY\Policy","SUCCESS",""
          "73","10:50:42.5042146 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,306,160, Length: 304"
          "74","10:50:42.5042499 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,306,464, Length: 40"
          "837","10:50:42.6051412 AM","Explorer.EXE","1144","QueryOpen","C:\Documents and Settings\jpessano\Local Settings\Temp\1\Temporary Directory 2 for ProcessMonitor.zip\Procmon.exe","SUCCESS","CreationTime: 6/25/2008 8:07:14 AM, LastAccessTime: 7/10/2008 10:49:00 AM, LastWriteTime: 6/25/2008 8:07:14 AM, ChangeTime: 7/10/2008 10:48:19 AM, AllocationSize: 2,608,640, EndOfFile: 2,608,168, FileAttributes: RA"
          "838","10:50:42.6058585 AM","Explorer.EXE","1144","CreateFile","C:\Documents and Settings\jpessano\Local Settings\Temp\1\Temporary Directory 2 for ProcessMonitor.zip\Procmon.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
          "840","10:50:42.6059779 AM","Explorer.EXE","1144","QueryStandardInformationFile","C:\Documents and Settings\jpessano\Local Settings\Temp\1\Temporary Directory 2 for ProcessMonitor.zip\Procmon.exe","SUCCESS","AllocationSize: 2,608,640, EndOfFile: 2,608,168, NumberOfLinks: 1, DeletePending: False, Directory: False"
          "844","10:50:42.6061897 AM","Explorer.EXE","1144","CloseFile","C:\Documents and Settings\jpessano\Local Settings\Temp\1\Temporary Directory 2 for ProcessMonitor.zip\Procmon.exe","SUCCESS",""
          "7602","10:50:43.9218542 AM","w3wp.exe","4004","CreateFile","C:\Inetpub\test-vss-webdev\credit_reporting\maintenance\business_subjects\jon.asp","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: , Attributes: RE, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: CICSRV01\IUSR_CICSRV01, OpenResult: Opened"
          "7603","10:50:43.9219567 AM","w3wp.exe","4004","QueryInformationVolume","C:\Inetpub\test-vss-webdev\credit_reporting\maintenance\business_subjects\jon.asp","BUFFER OVERFLOW","VolumeCreationTime: 9/21/2007 9:21:45 AM, VolumeSerialNumber: 485C-3961, SupportsObjects: True, VolumeLabel: WinΏ"
          "7604","10:50:43.9219936 AM","w3wp.exe","4004","QueryAllInformationFile","C:\Inetpub\test-vss-webdev\credit_reporting\maintenance\business_subjects\jon.asp","BUFFER OVERFLOW","CreationTime: 7/9/2008 1:13:09 PM, LastAccessTime: 7/10/2008 10:46:06 AM, LastWriteTime: 7/10/2008 10:46:05 AM, ChangeTime: 7/10/2008 10:46:05 AM, FileAttributes: A, AllocationSize: 1,536, EndOfFile: 1,247, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xc000000004507, EaSize: 0, Access: Generic Read, Position: 0, Mode: , AlignmentRequirement: Byte"
          "7605","10:50:43.9220430 AM","w3wp.exe","4004","CloseFile","C:\Inetpub\test-vss-webdev\credit_reporting\maintenance\business_subjects\jon.asp","SUCCESS",""
          "7607","10:50:43.9225201 AM","w3wp.exe","4004","Thread Create","","SUCCESS","Thread ID: 3024"
          "7608","10:50:43.9243193 AM","w3wp.exe","4004","RegCloseKey","HKCR","SUCCESS",""
          "7609","10:50:43.9243575 AM","w3wp.exe","4004","RegCloseKey","HKCR","SUCCESS",""
          "7610","10:50:43.9244220 AM","w3wp.exe","4004","RegOpenKey","HKLM\Software\Microsoft\COM3","SUCCESS",""
          "7611","10:50:43.9244891 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\COM3\REGDBVersion","SUCCESS","Type: REG_BINARY, Length: 8, Data: 15 00 00 00 00 00 00 00"
          "7612","10:50:43.9245262 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\COM3","SUCCESS",""
          "7613","10:50:43.9246431 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_Classes","SUCCESS",""
          "7614","10:50:43.9247035 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7615","10:50:43.9247359 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES\WScript.Shell","NAME NOT FOUND",""
          "7616","10:50:43.9247667 AM","w3wp.exe","4004","RegOpenKey","HKCR\WScript.Shell","SUCCESS",""
          "7617","10:50:43.9248140 AM","w3wp.exe","4004","RegCloseKey","HKU\S-1-5-20_CLASSES","SUCCESS",""
          "7618","10:50:43.9248785 AM","w3wp.exe","4004","RegQueryKey","HKCR\WScript.Shell","SUCCESS","Query: Name"
          "7619","10:50:43.9249333 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\WScript.Shell\CLSID","NAME NOT FOUND",""
          "7620","10:50:43.9249703 AM","w3wp.exe","4004","RegOpenKey","HKCR\WScript.Shell\CLSID","SUCCESS",""
          "7621","10:50:43.9250165 AM","w3wp.exe","4004","RegQueryKey","HKCR\WScript.Shell\CLSID","SUCCESS","Query: Name"
          "7622","10:50:43.9250636 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\WScript.Shell\CLSID","NAME NOT FOUND",""
          "7623","10:50:43.9250990 AM","w3wp.exe","4004","RegQueryValue","HKCR\WScript.Shell\CLSID\(Default)","SUCCESS","Type: REG_SZ, Length: 78, Data: {72C24DD5-D70A-438B-8A42-98424B88AFB8}"
          "7624","10:50:43.9251298 AM","w3wp.exe","4004","RegCloseKey","HKCR\WScript.Shell\CLSID","SUCCESS",""
          "7625","10:50:43.9251571 AM","w3wp.exe","4004","RegCloseKey","HKCR\WScript.Shell","SUCCESS",""
          "7626","10:50:43.9251921 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7627","10:50:43.9252211 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","NAME NOT FOUND",""
          "7628","10:50:43.9252531 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7629","10:50:43.9253038 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7630","10:50:43.9253551 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs","NAME NOT FOUND",""
          "7631","10:50:43.9253934 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs","NAME NOT FOUND",""
          "7632","10:50:43.9254247 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7633","10:50:43.9254678 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES","ACCESS DENIED",""
          "7635","10:50:43.9255501 AM","w3wp.exe","4004","RegOpenKey","HKCR","SUCCESS",""
          "7636","10:50:43.9255967 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7637","10:50:43.9256655 AM","w3wp.exe","4004","RegOpenKey","HKLM\Software\Microsoft\COM3","SUCCESS",""
          "7638","10:50:43.9257123 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\COM3\REGDBVersion","SUCCESS","Type: REG_BINARY, Length: 8, Data: 15 00 00 00 00 00 00 00"
          "7639","10:50:43.9257427 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\COM3","SUCCESS",""
          "7640","10:50:43.9258145 AM","w3wp.exe","4004","RegOpenKey","HKLM\Software\Microsoft\COM3","SUCCESS",""
          "7641","10:50:43.9258568 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\COM3\REGDBVersion","SUCCESS","Type: REG_BINARY, Length: 8, Data: 15 00 00 00 00 00 00 00"
          "7642","10:50:43.9258853 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\COM3","SUCCESS",""
          "7643","10:50:43.9259324 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7644","10:50:43.9259626 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","NAME NOT FOUND",""
          "7645","10:50:43.9259934 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7646","10:50:43.9260408 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7647","10:50:43.9260926 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs","NAME NOT FOUND",""
          "7648","10:50:43.9261477 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs","NAME NOT FOUND",""
          "7649","10:50:43.9261787 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7650","10:50:43.9262055 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES","ACCESS DENIED",""
          "7652","10:50:43.9262772 AM","w3wp.exe","4004","RegOpenKey","HKCR","SUCCESS",""
          "7653","10:50:43.9263234 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7654","10:50:43.9263499 AM","w3wp.exe","4004","RegQueryKey","HKCR","SUCCESS","Query: Name"
          "7655","10:50:43.9263993 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","NAME NOT FOUND",""
          "7656","10:50:43.9264336 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7657","10:50:43.9264762 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7658","10:50:43.9265284 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32","NAME NOT FOUND",""
          "7659","10:50:43.9265668 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32","SUCCESS",""
          "7660","10:50:43.9266183 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32","SUCCESS","Query: Name"
          "7661","10:50:43.9266691 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32","NAME NOT FOUND",""
          "7662","10:50:43.9267078 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\InprocServer32","NAME NOT FOUND","Length: 144"
          "7663","10:50:43.9267391 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32","SUCCESS",""
          "7664","10:50:43.9267830 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7665","10:50:43.9268497 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32","NAME NOT FOUND",""
          "7666","10:50:43.9268878 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32","NAME NOT FOUND",""
          "7667","10:50:43.9269201 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7668","10:50:43.9269694 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32","NAME NOT FOUND",""
          "7669","10:50:43.9270061 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32","SUCCESS",""
          "7670","10:50:43.9270498 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32","SUCCESS","Query: Name"
          "7671","10:50:43.9270998 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32","NAME NOT FOUND",""
          "7672","10:50:43.9271382 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\WINDOWS\system32\wshom.ocx"
          "7673","10:50:43.9271709 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32","SUCCESS",""
          "7674","10:50:43.9272036 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7675","10:50:43.9272533 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandler32","NAME NOT FOUND",""
          "7676","10:50:43.9272916 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandler32","NAME NOT FOUND",""
          "7677","10:50:43.9273230 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7678","10:50:43.9273860 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32","NAME NOT FOUND",""
          "7679","10:50:43.9274237 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32","NAME NOT FOUND",""
          "7680","10:50:43.9274541 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7681","10:50:43.9275029 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer","NAME NOT FOUND",""
          "7682","10:50:43.9275397 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer","NAME NOT FOUND",""
          "7683","10:50:43.9275698 AM","w3wp.exe","4004","RegQueryKey","HKCR","SUCCESS","Query: Name"
          "7684","10:50:43.9276161 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","NAME NOT FOUND",""
          "7685","10:50:43.9276499 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7686","10:50:43.9276936 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS","Query: Name"
          "7687","10:50:43.9277416 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","NAME NOT FOUND",""
          "7688","10:50:43.9277775 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\AppID","NAME NOT FOUND","Length: 144"
          "7689","10:50:43.9278071 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7690","10:50:43.9278344 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}","SUCCESS",""
          "7691","10:50:43.9280690 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "7692","10:50:43.9281066 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "7693","10:50:43.9281851 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\International","SUCCESS",""
          "7694","10:50:43.9282324 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "7695","10:50:43.9282625 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\International\Locale","SUCCESS","Type: REG_SZ, Length: 18, Data: 00000409"
          "7696","10:50:43.9282969 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\International","SUCCESS",""
          "7697","10:50:43.9283616 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer","ACCESS DENIED",""
          "7699","10:50:43.9290689 AM","w3wp.exe","4004","QueryOpen","C:\WINDOWS\system32\inetsrv","SUCCESS","CreationTime: 9/21/2007 9:17:53 AM, LastAccessTime: 7/10/2008 10:50:43 AM, LastWriteTime: 7/10/2008 9:56:37 AM, ChangeTime: 7/10/2008 9:56:37 AM, AllocationSize: 0, EndOfFile: 0, FileAttributes: D"
          "7700","10:50:43.9295412 AM","w3wp.exe","4004","CreateFile","C:\WINDOWS\system32\inetsrv","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: CICSRV01\IUSR_CICSRV01, OpenResult: Opened"
          "7701","10:50:43.9296207 AM","w3wp.exe","4004","QueryDirectory","C:\WINDOWS\system32\inetsrv\cscript.*","NO SUCH FILE","Filter: cscript.*"
          "7702","10:50:43.9296780 AM","w3wp.exe","4004","CloseFile","C:\WINDOWS\system32\inetsrv","SUCCESS",""
          "7704","10:50:43.9297961 AM","w3wp.exe","4004","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","SUCCESS",""
          "7705","10:50:43.9298835 AM","w3wp.exe","4004","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","SUCCESS","Index: 0, Name: {1f4de370-d627-11d1-ba4f-00a0c91eedba}"
          "7706","10:50:43.9299241 AM","w3wp.exe","4004","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}","SUCCESS",""
          "7707","10:50:43.9299865 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\SuppressionPolicy","NAME NOT FOUND","Length: 144"
          "7708","10:50:43.9339976 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}","SUCCESS",""
          "7709","10:50:43.9340446 AM","w3wp.exe","4004","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","SUCCESS","Index: 1, Name: {450D8FBA-AD25-11D0-98A8-0800361B1103}"
          "7710","10:50:43.9341049 AM","w3wp.exe","4004","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}","SUCCESS",""
          "7711","10:50:43.9342405 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}\SuppressionPolicy","NAME NOT FOUND","Length: 144"
          "7712","10:50:43.9342949 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}","SUCCESS",""
          "7713","10:50:43.9343253 AM","w3wp.exe","4004","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","SUCCESS","Index: 2, Name: {645FF040-5081-101B-9F08-00AA002F954E}"
          "7714","10:50:43.9343636 AM","w3wp.exe","4004","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}","SUCCESS",""
          "7715","10:50:43.9344194 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}\SuppressionPolicy","NAME NOT FOUND","Length: 144"
          "7716","10:50:43.9344601 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}","SUCCESS",""
          "7717","10:50:43.9344887 AM","w3wp.exe","4004","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","SUCCESS","Index: 3, Name: {B73A057F-DC1B-4067-9D8E-B69A07A7C368}"
          "7718","10:50:43.9345245 AM","w3wp.exe","4004","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{B73A057F-DC1B-4067-9D8E-B69A07A7C368}","SUCCESS",""
          "7719","10:50:43.9345770 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{B73A057F-DC1B-4067-9D8E-B69A07A7C368}\SuppressionPolicy","NAME NOT FOUND","Length: 144"
          "7720","10:50:43.9346165 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{B73A057F-DC1B-4067-9D8E-B69A07A7C368}","SUCCESS",""
          "7721","10:50:43.9346456 AM","w3wp.exe","4004","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","SUCCESS","Index: 4, Name: {e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
          "7722","10:50:43.9346805 AM","w3wp.exe","4004","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}","SUCCESS",""
          "7723","10:50:43.9347336 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\SuppressionPolicy","NAME NOT FOUND","Length: 144"
          "7724","10:50:43.9347917 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}","SUCCESS",""
          "7725","10:50:43.9348211 AM","w3wp.exe","4004","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","NO MORE ENTRIES","Index: 5, Length: 288"
          "7726","10:50:43.9348511 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","SUCCESS",""
          "7727","10:50:43.9348856 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace","NAME NOT FOUND",""
          "7728","10:50:43.9349961 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "7729","10:50:43.9350331 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "7730","10:50:43.9350955 AM","w3wp.exe","4004","RegCreateKey","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS",""
          "7731","10:50:43.9351550 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS",""
          "7732","10:50:43.9351986 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS",""
          "7733","10:50:43.9352220 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "7734","10:50:43.9352530 AM","w3wp.exe","4004","RegCreateKey","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\.Default","NAME NOT FOUND",""
          "7735","10:50:43.9352894 AM","w3wp.exe","4004","RegCreateKey","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo","ACCESS DENIED",""
          "7736","10:50:43.9353329 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS",""
          "7737","10:50:43.9353858 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7738","10:50:43.9354422 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder","NAME NOT FOUND",""
          "7739","10:50:43.9354784 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder","SUCCESS",""
          "7740","10:50:43.9355672 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder","SUCCESS","Query: Name"
          "7741","10:50:43.9356248 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder","NAME NOT FOUND",""
          "7742","10:50:43.9356656 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName","NAME NOT FOUND","Length: 144"
          "7743","10:50:43.9356985 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder","SUCCESS",""
          "7744","10:50:43.9357334 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7745","10:50:43.9357625 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder","NAME NOT FOUND",""
          "7746","10:50:43.9357939 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder","SUCCESS",""
          "7747","10:50:43.9358504 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder","SUCCESS","Query: Name"
          "7748","10:50:43.9359024 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder","NAME NOT FOUND",""
          "7749","10:50:43.9359562 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\WantsParseDisplayName","NAME NOT FOUND","Length: 144"
          "7750","10:50:43.9359861 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder","SUCCESS",""
          "7751","10:50:43.9360204 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7752","10:50:43.9360648 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder","NAME NOT FOUND",""
          "7753","10:50:43.9360969 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder","SUCCESS",""
          "7754","10:50:43.9361519 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder","SUCCESS","Query: Name"
          "7755","10:50:43.9362016 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder","NAME NOT FOUND",""
          "7756","10:50:43.9362404 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsParseDisplayName","SUCCESS","Type: REG_SZ, Length: 2, Data: "
          "7757","10:50:43.9362759 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder","SUCCESS",""
          "7758","10:50:43.9363272 AM","w3wp.exe","4004","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}","NAME NOT FOUND",""
          "7759","10:50:43.9363937 AM","w3wp.exe","4004","RegQueryKey","HKU\S-1-5-20_CLASSES","SUCCESS","Query: Name"
          "7760","10:50:43.9364240 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-20_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32","NAME NOT FOUND",""
          "7761","10:50:43.9364563 AM","w3wp.exe","4004","RegOpenKey","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32","SUCCESS",""
          "7762","10:50:43.9365100 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32","SUCCESS","Query: Name"
          "7763","10:50:43.9365663 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32","NAME NOT FOUND",""
          "7764","10:50:43.9366062 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32\(Default)","SUCCESS","Type: REG_SZ, Length: 64, Data: C:\WINDOWS\system32\ieframe.dll"
          "7765","10:50:43.9366391 AM","w3wp.exe","4004","RegQueryKey","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32","SUCCESS","Query: Name"
          "7766","10:50:43.9366901 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32","NAME NOT FOUND",""
          "7767","10:50:43.9367476 AM","w3wp.exe","4004","RegQueryValue","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32\LoadWithoutCOM","NAME NOT FOUND","Length: 144"
          "7768","10:50:43.9367783 AM","w3wp.exe","4004","RegCloseKey","HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32","SUCCESS",""
          "7769","10:50:43.9368226 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked\{871C5380-42A0-1069-A2EA-08002B30309D}","NAME NOT FOUND","Length: 144"
          "7770","10:50:43.9368808 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401","NAME NOT FOUND","Length: 144"
          "7771","10:50:43.9375527 AM","w3wp.exe","4004","CreateFile","C:\WINDOWS\system32\verclsid.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: CICSRV01\IUSR_CICSRV01, OpenResult: Opened"
          "7778","10:50:43.9378384 AM","w3wp.exe","4004","QuerySecurityFile","C:\WINDOWS\system32\verclsid.exe","SUCCESS","Information: Owner, Group, DACL, SACL"
          "7779","10:50:43.9378914 AM","w3wp.exe","4004","QueryBasicInformationFile","C:\WINDOWS\system32\verclsid.exe","SUCCESS","CreationTime: 9/21/2007 8:15:22 AM, LastAccessTime: 7/10/2008 10:48:56 AM, LastWriteTime: 2/18/2007 4:00:00 AM, ChangeTime: 7/10/2008 10:12:10 AM, FileAttributes: A"
          "7780","10:50:43.9379110 AM","w3wp.exe","4004","QueryStandardInformationFile","C:\WINDOWS\system32\verclsid.exe","SUCCESS","AllocationSize: 29,184, EndOfFile: 29,184, NumberOfLinks: 1, DeletePending: False, Directory: False"
          "7781","10:50:43.9379853 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND",""
          "7782","10:50:43.9380441 AM","w3wp.exe","4004","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\verclsid.exe","NAME NOT FOUND",""
          "7783","10:50:43.9381400 AM","w3wp.exe","4004","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\verclsid.exe","NAME NOT FOUND",""
          "7784","10:50:43.9382899 AM","w3wp.exe","4004","QueryNameInformationFile","C:\WINDOWS\system32\verclsid.exe","BUFFER OVERFLOW","Name: \W"
          "7785","10:50:43.9383291 AM","w3wp.exe","4004","QueryNameInformationFile","C:\WINDOWS\system32\verclsid.exe","SUCCESS","Name: \WINDOWS\system32\verclsid.exe"
          "7786","10:50:43.9388655 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,306,464, Length: 280"
          "7787","10:50:43.9389083 AM","services.exe","460","WriteFile","C:\WINDOWS\system32\config\SecEvent.Evt","SUCCESS","Offset: 31,306,744, Length: 40"
          "7788","10:50:43.9391235 AM","w3wp.exe","4004","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide","SUCCESS",""
          "7789","10:50:43.9392141 AM","w3wp.exe","4004","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest","NAME NOT FOUND","Length: 20"
          "7790","10:50:43.9392462 AM","w3wp.exe","4004","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide","SUCCESS",""
          "7791","10:50:43.9397836 AM","w3wp.exe","4004","CreateFile","C:\WINDOWS\system32\verclsid.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, Impersonating: CICSRV01\IUSR_CICSRV01"
          "7792","10:50:43.9401406 AM","w3wp.exe","4004","Process Create","C:\WINDOWS\system32\verclsid.exe","SUCCESS","PID: 4032, Command line: /S /C {871C5380-42A0-1069-A2EA-08002B30309D} /I {000214E6-0000-0000-C000-000000000046} /X 0x401"
          "7793","10:50:43.9401476 AM","verclsid.exe","4032","Process Start","","SUCCESS","Parent PID: 4004"
          "7794","10:50:43.9401522 AM","verclsid.exe","4032","Thread Create","","SUCCESS","Thread ID: 2960"
          "7795","10:50:43.9403344 AM","w3wp.exe","4004","CloseFile","C:\WINDOWS\system32\verclsid.exe","SUCCESS",""
          "7797","10:50:43.9404622 AM","verclsid.exe","4032","QueryNameInformationFile","C:\WINDOWS\system32\verclsid.exe","SUCCESS","Name: \WINDOWS\system32\verclsid.exe"
          "7799","10:50:43.9410680 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\verclsid.exe","SUCCESS","Image Base: 0x1000000, Image Size: 0xc000"
          "7801","10:50:43.9417081 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\ntdll.dll","SUCCESS","Image Base: 0x7c800000, Image Size: 0xc0000"
          "7802","10:50:43.9427081 AM","verclsid.exe","4032","CreateFile","C:\WINDOWS\system32\inetsrv","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
          "7803","10:50:43.9428198 AM","verclsid.exe","4032","FileSystemControl","C:\WINDOWS\system32\inetsrv","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
          "7804","10:50:43.9431443 AM","verclsid.exe","4032","QueryOpen","C:\WINDOWS\system32\verclsid.exe.Local","NAME NOT FOUND",""
          "7806","10:50:43.9439244 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Image Base: 0x77e40000, Image Size: 0x102000"
          "7808","10:50:43.9457355 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\ole32.dll","SUCCESS","Image Base: 0x77670000, Image Size: 0x139000"
          "7810","10:50:43.9471506 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\msvcrt.dll","SUCCESS","Image Base: 0x77ba0000, Image Size: 0x5a000"
          "7812","10:50:43.9481306 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\gdi32.dll","SUCCESS","Image Base: 0x77c00000, Image Size: 0x48000"
          "7814","10:50:43.9490753 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\user32.dll","SUCCESS","Image Base: 0x77380000, Image Size: 0x91000"
          "7816","10:50:43.9501760 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\advapi32.dll","SUCCESS","Image Base: 0x77f50000, Image Size: 0x9b000"
          "7818","10:50:43.9511684 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS","Image Base: 0x77c50000, Image Size: 0x9f000"
          "7820","10:50:43.9522383 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\secur32.dll","SUCCESS","Image Base: 0x76f50000, Image Size: 0x13000"
          "7821","10:50:43.9531756 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","SUCCESS",""
          "7822","10:50:43.9532885 AM","verclsid.exe","4032","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions","SUCCESS",""
          "7823","10:50:43.9533415 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\msvcrt.dll","NAME NOT FOUND","Length: 1,024"
          "7870","10:50:43.9683529 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\USER32.dll","NAME NOT FOUND","Length: 1,024"
          "7871","10:50:43.9685816 AM","verclsid.exe","4032","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","REPARSE",""
          "7872","10:50:43.9686459 AM","verclsid.exe","4032","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
          "7873","10:50:43.9687199 AM","verclsid.exe","4032","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode","NAME NOT FOUND","Length: 16"
          "7874","10:50:43.9687545 AM","verclsid.exe","4032","RegCloseKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
          "7875","10:50:43.9694220 AM","verclsid.exe","4032","QueryOpen","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 9/21/2007 8:07:16 AM, LastAccessTime: 7/10/2008 10:48:56 AM, LastWriteTime: 2/18/2007 4:00:00 AM, ChangeTime: 9/21/2007 9:24:30 AM, AllocationSize: 110,592, EndOfFile: 110,592, FileAttributes: A"
          "7876","10:50:43.9698438 AM","verclsid.exe","4032","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
          "7878","10:50:43.9699446 AM","verclsid.exe","4032","QueryStandardInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","AllocationSize: 110,592, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
          "7882","10:50:43.9700904 AM","verclsid.exe","4032","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
          "7884","10:50:43.9705984 AM","verclsid.exe","4032","QueryOpen","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 9/21/2007 8:07:16 AM, LastAccessTime: 7/10/2008 10:50:43 AM, LastWriteTime: 2/18/2007 4:00:00 AM, ChangeTime: 9/21/2007 9:24:30 AM, AllocationSize: 110,592, EndOfFile: 110,592, FileAttributes: A"
          "7885","10:50:43.9709757 AM","verclsid.exe","4032","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
          "7887","10:50:43.9710571 AM","verclsid.exe","4032","QueryStandardInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","AllocationSize: 110,592, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
          "7891","10:50:43.9711726 AM","verclsid.exe","4032","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
          "7893","10:50:43.9716000 AM","verclsid.exe","4032","QueryOpen","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 9/21/2007 8:07:16 AM, LastAccessTime: 7/10/2008 10:50:43 AM, LastWriteTime: 2/18/2007 4:00:00 AM, ChangeTime: 9/21/2007 9:24:30 AM, AllocationSize: 110,592, EndOfFile: 110,592, FileAttributes: A"
          "7894","10:50:43.9719746 AM","verclsid.exe","4032","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
          "7901","10:50:43.9721748 AM","verclsid.exe","4032","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
          "7904","10:50:43.9728405 AM","verclsid.exe","4032","Load Image","C:\WINDOWS\system32\imm32.dll","SUCCESS","Image Base: 0x76290000, Image Size: 0x1d000"
          "7905","10:50:43.9733029 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\IMM32.DLL","NAME NOT FOUND","Length: 1,024"
          "7906","10:50:43.9740005 AM","verclsid.exe","4032","QueryOpen","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 9/21/2007 8:07:16 AM, LastAccessTime: 7/10/2008 10:50:43 AM, LastWriteTime: 2/18/2007 4:00:00 AM, ChangeTime: 9/21/2007 9:24:30 AM, AllocationSize: 110,592, EndOfFile: 110,592, FileAttributes: A"
          "7951","10:50:43.9809255 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll","NAME NOT FOUND","Length: 1,024"
          "7952","10:50:43.9809894 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll","NAME NOT FOUND","Length: 1,024"
          "7953","10:50:43.9810227 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Secur32.dll","NAME NOT FOUND","Length: 1,024"
          "7954","10:50:43.9810558 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\RPCRT4.dll","NAME NOT FOUND","Length: 1,024"
          "7955","10:50:43.9810889 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ADVAPI32.dll","NAME NOT FOUND","Length: 1,024"
          "7956","10:50:43.9811217 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\GDI32.dll","NAME NOT FOUND","Length: 1,024"
          "7957","10:50:43.9811614 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ole32.dll","NAME NOT FOUND","Length: 1,024"
          "7958","10:50:43.9817666 AM","verclsid.exe","4032","QueryOpen","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 9/21/2007 8:07:16 AM, LastAccessTime: 7/10/2008 10:50:43 AM, LastWriteTime: 2/18/2007 4:00:00 AM, ChangeTime: 9/21/2007 9:24:30 AM, AllocationSize: 110,592, EndOfFile: 110,592, FileAttributes: A"
          "7959","10:50:43.9818594 AM","verclsid.exe","4032","RegOpenKey","HKLM\System\CurrentControlSet\Control\Error Message Instrument","REPARSE",""
          "7960","10:50:43.9819167 AM","verclsid.exe","4032","RegOpenKey","HKLM\System\CurrentControlSet\Control\Error Message Instrument","NAME NOT FOUND",""
          "7961","10:50:43.9819641 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
          "7962","10:50:43.9820349 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles","NAME NOT FOUND","Length: 20"
          "7963","10:50:43.9820654 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
          "7964","10:50:43.9824251 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32","SUCCESS",""
          "7965","10:50:43.9825165 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\verclsid","NAME NOT FOUND","Length: 172"
          "7966","10:50:43.9825530 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32","SUCCESS",""
          "7967","10:50:43.9825812 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility","SUCCESS",""
          "7968","10:50:43.9826288 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility\verclsid","NAME NOT FOUND","Length: 172"
          "7969","10:50:43.9826639 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility","SUCCESS",""
          "7970","10:50:43.9828576 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows","SUCCESS",""
          "7971","10:50:43.9829162 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs","SUCCESS","Type: REG_SZ, Length: 2, Data: "
          "7972","10:50:43.9829479 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","SUCCESS",""
          "7973","10:50:43.9830949 AM","winlogon.exe","412","RegOpenKey","HKU\S-1-5-18","SUCCESS",""
          "7974","10:50:43.9831488 AM","winlogon.exe","412","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "7975","10:50:43.9832439 AM","winlogon.exe","412","RegOpenKey","HKU\S-1-5-18","SUCCESS",""
          "7976","10:50:43.9832844 AM","winlogon.exe","412","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "7977","10:50:43.9834576 AM","verclsid.exe","4032","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS",""
          "7978","10:50:43.9835132 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack","NAME NOT FOUND","Length: 144"
          "7979","10:50:43.9835514 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS",""
          "7980","10:50:43.9835820 AM","verclsid.exe","4032","RegOpenKey","HKLM","SUCCESS",""
          "7981","10:50:43.9836271 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics","NAME NOT FOUND",""
          "7982","10:50:43.9837649 AM","verclsid.exe","4032","RegOpenKey","HKLM\SOFTWARE\Microsoft\OLE","SUCCESS",""
          "7992","10:50:43.9880493 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap","NAME NOT FOUND","Length: 144"
          "7993","10:50:43.9881031 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS",""
          "7994","10:50:43.9881501 AM","verclsid.exe","4032","RegOpenKey","HKLM\SOFTWARE\Microsoft\OLE","SUCCESS",""
          "7995","10:50:43.9882220 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate","NAME NOT FOUND","Length: 144"
          "7996","10:50:43.9882482 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS",""
          "7997","10:50:43.9883189 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\OLE\Tracing","NAME NOT FOUND",""
          "7998","10:50:43.9886099 AM","verclsid.exe","4032","RegOpenKey","HKLM\System\CurrentControlSet\Control\WMI\Security","REPARSE",""
          "7999","10:50:43.9886609 AM","verclsid.exe","4032","RegOpenKey","HKLM\System\CurrentControlSet\Control\WMI\Security","SUCCESS",""
          "8000","10:50:43.9887229 AM","verclsid.exe","4032","RegQueryValue","HKLM\System\CurrentControlSet\Control\WMI\Security\DF8480A1-7492-4F45-AB78-1084642581FB","NAME NOT FOUND","Length: 130"
          "8001","10:50:43.9888052 AM","verclsid.exe","4032","RegQueryValue","HKLM\System\CurrentControlSet\Control\WMI\Security\00000000-0000-0000-0000-000000000000","NAME NOT FOUND","Length: 130"
          "8002","10:50:43.9888484 AM","verclsid.exe","4032","RegCloseKey","HKLM\System\CurrentControlSet\Control\WMI\Security","SUCCESS",""
          "8003","10:50:43.9891705 AM","verclsid.exe","4032","Thread Create","","SUCCESS","Thread ID: 2688"
          "8004","10:50:43.9896117 AM","verclsid.exe","4032","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 79 9A 27 7D EB 00 5C 59 80 5E 03 D2 06 7D CE D8"
          "8005","10:50:43.9896980 AM","verclsid.exe","4032","SetEndOfFileInformationFile","C:\WINDOWS\system32\config\software.LOG","SUCCESS","EndOfFile: 28,672"
          "8006","10:50:43.9900784 AM","verclsid.exe","4032","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Control\Session Manager","REPARSE",""
          "8007","10:50:43.9901352 AM","verclsid.exe","4032","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
          "8008","10:50:43.9902084 AM","verclsid.exe","4032","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2592000"
          "8009","10:50:43.9902463 AM","verclsid.exe","4032","RegCloseKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
          "8010","10:50:43.9902730 AM","verclsid.exe","4032","RegOpenKey","HKLM\Software\Microsoft\Ole","SUCCESS",""
          "8011","10:50:43.9903209 AM","verclsid.exe","4032","RegQueryValue","HKLM\SOFTWARE\Microsoft\Ole\RWLockResourceTimeOut","NAME NOT FOUND","Length: 144"
          "8012","10:50:43.9903484 AM","verclsid.exe","4032","RegCloseKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS",""
          "8013","10:50:43.9904067 AM","verclsid.exe","4032","RegOpenKey","HKCR\Interface","SUCCESS",""
          "8014","10:50:43.9904521 AM","verclsid.exe","4032","RegQueryValue","HKCR\Interface\InterfaceHelperDisableAll","NAME NOT FOUND","Length: 0"
          "8015","10:50:43.9904765 AM","verclsid.exe","4032","RegQueryValue","HKCR\Interface\InterfaceHelperDisableAllForOle32","NAME NOT FOUND","Length: 0"
          "8016","10:50:43.9905648 AM","verclsid.exe","4032","RegQueryValue","HKCR\Interface\InterfaceHelperDisableTypeLib","NAME NOT FOUND","Length: 0"
          "8017","10:50:43.9905894 AM","verclsid.exe","4032","RegCloseKey","HKCR\Interface","SUCCESS",""
          "8018","10:50:43.9906145 AM","verclsid.exe","4032","RegOpenKey","HKCR\Interface\{00020400-0000-0000-C000-000000000046}","SUCCESS",""
          "8019","10:50:43.9906624 AM","verclsid.exe","4032","RegQueryValue","HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAll","NAME NOT FOUND","Length: 0"
          "8020","10:50:43.9906892 AM","verclsid.exe","4032","RegQueryValue","HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAllForOle32","NAME NOT FOUND","Length: 0"
          "8021","10:50:43.9907151 AM","verclsid.exe","4032","RegCloseKey","HKCR\Interface\{00020400-0000-0000-C000-000000000046}","SUCCESS",""
          "8022","10:50:43.9915553 AM","verclsid.exe","4032","QueryOpen","C:\WINDOWS\system32\rpcss.dll","SUCCESS","CreationTime: 9/21/2007 8:11:38 AM, LastAccessTime: 7/10/2008 10:48:56 AM, LastWriteTime: 2/18/2007 4:00:00 AM, ChangeTime: 9/21/2007 9:24:31 AM, AllocationSize: 481,792, EndOfFile: 481,792, FileAttributes: A"
          "8023","10:50:43.9919601 AM","verclsid.exe","4032","CreateFile","C:\WINDOWS\system32\rpcss.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
          "8025","10:50:43.9920551 AM","verclsid.exe","4032","QueryStandardInformationFile","C:\WINDOWS\system32\rpcss.dll","SUCCESS","AllocationSize: 481,792, EndOfFile: 481,792, NumberOfLinks: 1, DeletePending: False, Directory: False"
          "8939","10:50:44.2384254 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "8940","10:50:44.2384531 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8941","10:50:44.2384755 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "8942","10:50:44.2386425 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "8943","10:50:44.2386744 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "8944","10:50:44.2387179 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "8945","10:50:44.2387483 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8946","10:50:44.2387900 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "8947","10:50:44.2388375 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8948","10:50:44.2388601 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "8949","10:50:44.2389003 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "8950","10:50:44.2389290 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "8951","10:50:44.2389684 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "8952","10:50:44.2389984 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8953","10:50:44.2390376 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "8954","10:50:44.2390661 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8955","10:50:44.2390885 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "8956","10:50:44.2391347 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "8957","10:50:44.2391637 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "8958","10:50:44.2392027 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "8959","10:50:44.2392325 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8960","10:50:44.2392714 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "8961","10:50:44.2392992 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8962","10:50:44.2393336 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "8963","10:50:44.2393735 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "8964","10:50:44.2394024 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "8965","10:50:44.2394453 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "8966","10:50:44.2394754 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8967","10:50:44.2395140 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "8968","10:50:44.2395416 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8969","10:50:44.2395640 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "8970","10:50:44.2396116 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "8971","10:50:44.2396403 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "8972","10:50:44.2396787 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "8973","10:50:44.2397083 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "8974","10:50:44.2397473 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "8975","10:50:44.2397752 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "9020","10:50:44.2929427 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "9021","10:50:44.2930682 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "9022","10:50:44.2931109 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "9023","10:50:44.2931741 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "9024","10:50:44.2932091 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "9025","10:50:44.2932634 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "9026","10:50:44.2933047 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "9027","10:50:44.2933335 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "9028","10:50:44.2934070 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "9029","10:50:44.2934364 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "9030","10:50:44.2934764 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "9031","10:50:44.2935069 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "9032","10:50:44.2935472 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "9033","10:50:44.2935760 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "9034","10:50:44.2935982 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
          "9035","10:50:44.2936713 AM","w3wp.exe","4004","RegOpenKey","HKU\S-1-5-21-149941166-331462245-346970542-1004","NAME NOT FOUND",""
          "9036","10:50:44.2937006 AM","w3wp.exe","4004","RegOpenKey","HKU\.Default","SUCCESS",""
          "9037","10:50:44.2937400 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
          "9038","10:50:44.2937697 AM","w3wp.exe","4004","RegOpenKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "9039","10:50:44.2938082 AM","w3wp.exe","4004","RegQueryValue","HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
          "9040","10:50:44.2938359 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT\Control Panel\Desktop","SUCCESS",""
          "9041","10:50:44.2938583 AM","w3wp.exe","4004","RegCloseKey","HKU\.DEFAULT","SUCCESS",""
