Reverse Engineering a Purported Microsoft Security Patch

 

By Charles Hornat

May 19, 2003

 

Overview

In this paper we will examine and dissect a malicious package sent to us as an attachment to an email that appeared to be sent from Microsoft that would fix all known vulnerabilities on our system.  In addition, we will review the delivery method, analyze the executable and study the impact it had on a system once it was installed.

 

Table of Contents

Reverse Engineering a Purported Microsoft Security Patch. 1

Overview.. 1

Table of Contents. 1

The Tools. 2

Tripwire. 2

Ethereal 2

Windows XP.. 2

GNU Strings. 2

The Delivery. 2

Notes on Delivery. 4

The Analysis. 5

Post Installation/Pre-Boot 5

Post Installation/Post-Boot 7

Final Analysis. 10

Additional Resources. 11

Appendix A.. 12

Strings of Malware. 12

Appendix B.. 52

Tripwire Report After Malware Installation. 52

Appendix C.. 119

Tripwire Report After Malware Install and Reboot 119

 

The Tools

Tripwire

Tripwire is a tool written by a personal friend of mine, Gene Kim, and Eugene Spafford.  Tripwire can be found at www.tripwire.com.  This tool was developed to take a snapshot of specific files and directories and monitor them for changes, whether authorized or not.  The snapshot is a gathering of hashes (e.g. MD5, SHA, and etc.) on the files and directories you chose.  It then stores that information in a secure database.  Tripwire scans files and/or directories you define on a manual or automated schedule and will alert you to whether a file has been added, changed or deleted.  In addition to monitoring files and directories, it can also monitor Windows Registries, File Access Times, File Flags and etc.

 

Ethereal

A network sniffing application that monitored all traffic coming from the test system during and after the installation of the malicious application.

 

Windows XP

The test systems Operating System.  This analysis was performed on a default Windows XP install, networked with no service packs or hotfixes applied.  The goal was to learn from it and its effect to the system, not to protect from it.

 

GNU Strings

GNU Strings is an application that comes with most UNIX like (LINUX) operating systems.  It prints, to screen or other location of your choice, the printable character sequences that are at least 4 characters long, or meet other requirements, and are followed by an unprintable character.  This is especially helpful in non-text files like Microsoft executables.

 

The Delivery

On May 11, 2003, we received the email as displayed in Figure 1.  The email is polite and colorful, adding to its believability.  Additionally, in the footer of the email is the copyright information that many people believe adds authenticity to the email.  This can be seen in Figure 2.  And finally, the header also adds some more credibility to those less technical and can be seen in Figure 3.  Note the email address that appears in the short header, advisor.microsoft.com. 

 

 

 

Figure 1:Delivery Method

 

Figure 2:Footer

 

Figure 3: Header

 

 

Notes on Delivery

When you first read the message of the email, certain key points should set off alarms in your mind.  The first is that this patch “eliminates all known security vulnerabilities”.  This would be great if true, but unfortunately, it is not.  There are service packs that attempt to include as many security hotfixes as possible, but they never eliminate all known security vulnerabilities.  Even if you look at the size of the attachment, this should tip you off as service packs are much larger in nature.

 

Figure 4:The attachment

 

Additionally, if we expand the header as seen in Figure 5, we will get more clues as to the real source of this email.

 

Figure 5:Header

 

The return path is ftballguy66@cox.net, which is obviously not a Microsoft address.  We can also see the From line states that iamlzytaw_903216@support.msdn.com is the spoofed email address that a return message, should we choose to send one, would be sent to.

 

Finally, one last point to be made is that Microsoft, and this can be said for most vendors, will NEVER email you the patch directly.  They will alert you to the vulnerability or purpose of the email and provide some high level information.  They will then give you a link for additional information and direct you to their site to download the patch.

 

The Analysis

The first part of reverse engineering performed was running the executable through strings.  The results can be seen in Appendix A.  Examining this information will alert you to the fact that there is text to simulate it as a legitimate Microsoft developed patch.  In particular are two sections that go into such detail about licensing and rights.  More than likely this was just copied to add realism to the installation that users will encounter.  The key here is to look for common terms or locate specific keywords and do a search in your favorite search engine. 

 

For example, a quick search in Google.com for “KaZaA uploDropper” brought up several pages talking about known worms and viri that contain this phrase.  Thus tipping one off to proceed with caution or perform further research.

 

Post Installation/Pre-Boot

For this project, we used Tripwire 4.0.  The report after the Malware was executed and prior to any reboot can be found in Appendix B.  All changes you see were directly related to the running of the Malware.  The Windows registry was most heavily impacted.  A quick overview of the results nets the following: 59 Registry Class Keys were added, 1 System startup Key was added, 5 OS Support files were added, and 1 file in the System32 folder was added.  There were no deletions or changes, only additions.

 

Added:
"C:\WINDOWS\WMSysDx.bin"
"C:\WINDOWS\DX3DRndr.exe"
"C:\WINDOWS\gibe.dll"
"C:\WINDOWS\MSBugAdv.exe"
"C:\WINDOWS\patch952.exe"
Added:
"C:\WINDOWS\System32\MSWinsck.ocx"
Modified:
"C:\WINDOWS\System32\services.msc"
Added:
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+ThreadingModel"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"
Added:
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"
Added:
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\+"
Added:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad"

 

Post Installation/Post-Boot

The next step was to reboot the Windows XP system to allow the malware to execute if needed in the ‘runas’ keys or startup folder.  Once the reboot is completed, a rescan was performed to identify additional changes that occurred.  In order to get an accurate understanding of what the Malware changed versus normal system file changes during a reboot, we identified all the common reboot file changes. 

 

Modified:
"C:\WINDOWS\0.log"
"C:\WINDOWS\bootstat.dat"
Modified:
"C:\WINDOWS\System32\config\systemprofile\Cookies\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\+LsaPid"

 

If we remove those entries from the results after the reboot, we are left with following (The complete report can be found in Appendix C):

Modified:
"C:\WINDOWS\System32\wpa.dbl"
Removed:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+0"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmboot\+Start"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+Count"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+NextInstance"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\+SpecialPollTimeRemaining"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SspiCache\+Time"
Added:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Translated"
Removed:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Translated"
Added:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+OptimizedLogonStatus"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+NextLogonCacheable"

Given the information above, it appears to impact the PnP Manager.  A quick search in Google.com turns up no results on OptomizedLogonStatus either.  The +OptomizedLogonStatus was set to a RED_DORD of 0x0000000b(11) and the NextLogonCacheable was set to RED_DWORD 0x00000001 (1).

 

The entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad" was supposed to launch the executable "C:\WINDOWS\DX3DRndr.exe".  This executable was indeed launched, but for some reason did not run as designed, or did it?  Since we did not write the program, we are not sure what the end result should have been.  An NMAP scan of the system that was infected produced no new TCP ports other than those already open by default.  Additionally, using Ethereal, there was no unusual traffic generated when rebooting or leaving the system idle for hours.  Researching some of the key parts of this package on the Internet does bring additional research, but the analysis we found was did not accurately represent our findings.

 

Finally, there wasn’t any new traffic generated by the infected system.  Sometimes Malware attempts to phone home to get further instructions, which may include connecting to an IRC server or downloading additional information.  In this particular case, no traffic was generated and no logs are included in this analysis.  The infected system was monitored from start to finish, including reboots.

 

Final Analysis

The final analysis we could determine is that this threat had minimal impact.  Yes, it did install and alter critical system files, but the impact to the user was non-existent.  When we downloaded it and installed it, we did not get any interaction with the malware.  It did not prompt us for any impute nor show any signs of success or failure.  When we reference back to the Strings portion of the evidence, we see a great amount of text that was probably meant to be displayed to the user, however was not.

 

It is important to note that both Mcafee and Norton identify and respond according to your settings when they encounter this file.  We conclude that this is an altered existing Malware.

Additional Resources

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.B

http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html

 

 

 

 

 

 

Appendix A

Strings of Malware

 

   AutMSUpdate

    = 

VB5!

p214537

MSUpdate

MSUpdate

KaZaA uploDropper

MainForm

LicenseForm

MSUpdate

advapi32.dll

RegCreateKeyExA

hp&@

RegOpenKeyExA

RegSetValueExA

RegQueryValueExA

hL'@

RegEnumKeyExA

RegCloseKey

kernel32

GetWindowsDirectoryA

h8(@

GetSystemDirectoryA

GetTempPathA

shell32.dll

ShellExecuteA

h$)@

SHGetSpecialFolderLocation

hx)@

SHGetPathFromIDListA

Frame1

RegisterServiceProcess

h4*@

Sleep

ht*@

GetShortPathNameA

lz32.dll

LZOpenFileA

LZCopy

hT+@

LZClose

Command1

C:\Program Files\VB6\VB6.OLB

Label1

Label2

Command2

Text1

Form

Picture1

ProgressPic

VBA6.DLL

MainForm

 Installing Microsoft Update

vfff`

vfff

ffff

wwwwwp

vfffffff`

ff`wwp

vfffffff

ffffffff

xwwwwwwwwwwxp

wwwwwwwwwwwwp

Form1

Frame1

Picture1

Command1

&Cancel

ProgressPic

Label1

Extracting files ...

LicenseForm

 License

Form1

Command2

Text1

This product is protected by copyright laws and international

copyright treaties, as well as other intellectual property laws and

treaties.

ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE

PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND!

Microsoft and/or its respective suppliers hereby disclaim all warranties

and conditions with regard to this information, including all warranties

and conditions of merchantability, whether express, implied or

statutory, fitness for a particular purpose, title and non-infringement.

Microsoft does not warrant that the functions for the software or code

will meet your requirements, or that the operation of the software or

code will be uninterrupted or error-free, or that defects in the software

or code can be corrected.  Furthermore, Microsoft does not warrant

or make any representations regarding the use or the results of the

use of the software, code or related documentation in terms of their

correctness, accuracy, reliability, or otherwise. No oral or written

information or advice given by Microsoft or its authorized

representatives shall create a warranty or in any way increase the

scope of this warranty.  Should the software or code prove defective

after Microsoft has delivered the same, you, and you alone,

shall assume the entire cost associated with all necessary servicing,

repair or correction. In no event shall Microsoft and/or its respective

suppliers be liable for any special, indirect or consequential damages

or any damages whatsoever resulting from loss of use, data or profits,

whether in an action of contract, negligence or other tortious action,

arising out of or in connection with the use or performance of

software, documents, provision of or failure to provide services, or

information available from the services.

COPYRIGHT NOTICE.

Copyright

 2003 Microsoft Corporation, One Microsoft Way,

Redmond, Washington U.S.A. All rights reserved.

Command1

&Yes

Label2

Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement.

Label1

Please read the following license agreement. Press the Page Down key to see the rest of the agreement.

MSVBVM60.DLL

MethCallEngine

EVENT_SINK_AddRef

DllFunctionCall

EVENT_SINK_Release

EVENT_SINK_QueryInterface

__vbaExceptHandler

ProcCallEngine

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

1u 

vfffffff`

ff`wwp

vfffffff

ffffffff

xwwwwwwwwwwxp

wwwwwwwwwwwwp

vfff`

vfff

ffff

wwwwwp

SZDD

0.abnorm

al.com:[

wait]

2-254-10

7-9.clie

nt.attbi^

41.40

2.155.12

94.1

33.[

08.36.

.230

8.26

21.E

4.8u

acs2.byu

.edu

ldrick.b

lic.net

racka.rz

.uni-aug

sburg.de

lob.lin

uxfr.org

olo.nai

zen.l

ogivisio

ossix.winf

tik=

kielJ

head.cyb

ertrailw

concern.

wolters-

kluwer.n

rreo.u

vigo.es

ypress.a

onews.mi

ndspring

man.

torun.p

'wftph mic9

.rip

gluq

.affrc.

graf.

magdeF

ieg.uo

wdu112.

hermes1

hs-brem<

 9tsrv

)humo

chivat

i da

ta.sL

ate.{ ac.yse

.rgv&

inx3

 miK.u

;ug'

ees.ho

kudai

sD$crosof

,Knarziss

e.h;

tfh-

wildauJ

0sha.nca

neptl b

IF aQb

vcinc

].ca

iwirel( 2

]+Qribsur<

 ;]cofc

Set*M

Siys

].dma

\sup

$cxal

.gam

(Rcc3ip

mU`db

D"htwm

d.mh

d+@g

fvar>

Qinwar

"o(~

ctcanad

eycap

eqms.konk

lkrs

@M}e-

yth.

@ves?tav.mx

=D"phoOenixeA

ypam[

zill.}

ohgD@b

LE!>

enhei

g|01=

1.sin

cach?e0.fre

trl-

pxwell.s

yrj]ssvr2

0-ex

digyiKser}v

enc-1

i|@ufl

@lope-

gw.oswe

xy.d

)pd0

a) u

tcM05

00tcex

outlC

(spa7rkyH dw

unu789:

r/uhr-

targe

easy,aT

~ ca

aI s

o.hpcH

 eh-b

sc5?

ikn@@

8v*p

ti>@

peuv-f

kfurt-o

xer05

www.foocal&

SZDD

!Thi

s progra

m cannot

 be run

in DOS m

ode.

.t7ext

datam

-'-7-G-W-g-w-

='=7=G=W=g=w=

M"M2MBMRMbMrM

]"]2]B]R]b]r]

y`(y`>y`Vy`

by`t

}`l}`

}`T}`

p>9pUR9p^9pr9p

9p29p

p*up<upUJupVupfupvup

upUt

Q e(*

X_^[

"NMN

otifyWin

dowClasL`

ock Gene

ral Prop

erty Pag

MSWINS

CKWnd>

SK98.chm

icrosof

trol, ve

rsion 6.

"}Q)

FL^]

ND}X

Vg#h

GDt   WV0

5(|

D| t1

T%V'

$| xP

DdJ8

Pmp7

Q d|

F8`A#

Nx<P

C9!@;(8

~ D"

t'h]AbC

F_4t:

!#T"t

!'T"L

dqYR

bI$

L$50i

%$pt}

B@t"

er(kr

,A9AE

ODeW@n

Y_^k3

jXV\

AXVS

l)oa

9mIm

!7n`3

f`_2

}<Tj

;< %

F8pH

Pmpd

R+`j

6a[S

3`&pf

!B0m

H&pu

Notifi

cation W_indow

ETT^

V#`-

qd-h-

=T$=05Q

D-T%

m m0m@mPm`m

m0}$}P}`}p}

T]dQ|0

%L}DyC

{~'>0

p,t"

Su 

v0{M

SP;h

p(~Z

SV V

Pu0q

~Ht&

9F0u

rLAQ0

Q0x!

q(%QQ

PS=0M

}7HQ;

gnPg

YN1T

0a3g

|     ?9]

trl.ocx

CLSID\{A

DB880A6-

D8FF-11C

F-9377-0

0AA003B7

A11}\Inp

rocServe

A40~

w$Hqu

hZ0Y

X^{P

:V1p

<-L-

b7`v-b

H7`q

+PL0

U"~3z

W@}T[AU

`Ssw

e5 ;

nB)Y5

*BPYq

!BPp

Hu1Vd

L0ES

$t{,r@

K$t>,rD

0}@q

:zPl

[B\n

F4Wsh

DAb6

(     9

tP~2

ItV3

t     9x

%V5

RH5

5 o0

MSWIN

SCK.OCX

DLLGetDo

cumentat

DllC

anUnload

ssObject

Registe

rServer

"255.

"6.00.88

socP`-

FrameWor?k_Refl

"T9 a9 -

i,Rj

 =sR

 >;)>

4N0pR3

QQVW{j?

!Qcn

FL!V

=PHt

oX_^

vR{a

KHtL

u     yqsb

hGbq

=3~P

kP[_D

4QNL+}

/at~

E gQ

p0`l

E 9n

oF$;

_^]=[e

C0;C4

K$)C(

K3`mPmp

C$Wj

F0;F4u}     u

~$)~(

u     !F kp

Cr'NSP

@@FF

H-X-

B0kP

v4Vz~1P

0FF@@

`$HtaHt

|}rt

DLMHt!HtG

Ht7H

31qA

Gl@C

m"QS

@tRf

@u:z

`~B=e

a;;`

tq!a

btH=

8Mr@

3QFqj

s+?E

`OaU

0!`uW

1Fm4

SShGj

F4Ph

|Q-`

~0W.

^4S.

F8PQ

7hNp

3`7`V

/Xp;

~ wZ`

CqWkj

kh6bA<

RPs#

9puCW

?Pu1{

#*QAD

AI#NM^H

$S/+R

1mAmQkP`m

!7}k

!&Gq

D}Ts

q^t}

I0dKp#

IQPS

!{~Z

@@FF

#PPw

AWS3

u     >0

P|J@

j@YY

@YY^

fJ@%

J@Bf

N9?}

!$?f9u

Pd0-

t Hu

*|($

t7Hu

f nT

@DE2

Yu)\"@

(DcY@t3BBAj

`u#f Wj?j?

v@f P

~83f

~WHt

9~?8u

r_a?

<#H-

%fr"

uhVS

6WtE

r;uFq

j?P[

u0K9

5}Eu

Z`+A

"B]n

bA.0B

tBJEL;

;,ziR

}19I

t?9E

|Q48

CQ4<

(@IA

0{F)FD

fAMxD

fAI&xD

;ALWuP

p|vQ|

re``

a!hlz-lhH

JtPJtB

JJt3

{P3m

HpYE

p{Hr

_][}

yPPp

;E[a

Pp9V

~\Ppc

I= '

NTx

{u,b

~0_t

Y_^3

SVW3

`p_(

}     U!43

tjcr

NAZ`i

p=D2

k!> _

UQ5g!

;u(-

$?6J

`90D

+BW5

$a9LM

QpMc

MR>7e

]Q:9R

"X5iH

"`5ktIb

zD|&

" ZpI`

pp\$

|$9]8t6

SVShT

Sh|5b$>4

9R,+

k9Yh

Y7A@R

0A2u

WShh

j [9]W

Yt_V

/q* V

[hX

R0    ;%<

=|)=90

=:z1

z1i==8

|0D@

S}V3

|9G`

wPN`.

/P$j

dY{j

0`ya,

0eC;

[03`

WPQRMj-

d:qY

7gbh

KSu,

7AAQ

"*`{t

~d]X

WgbT

gb\0

@PtD@

!F j

`PsP

G;~,r

7_^Y

Rq,L

bhPT

QM\2

%]5\

gJf;

d9XHu+

V]Vn

!U39

GPaS

RX_Pla

eTSK

RZCq

r}4|

/vq=

[Q#4

Z@D0K:

/4\K0

1t9@C

xbX3

p>Ptb

-t/v 

t HHuE

npSP

uQ7]

1ou@

@7Y0~9

-@R`

rTNqUpYp

Yt1h

~/!%

{[PY1

;{P}

Ktu>

9Kht0

sPgQQQ

@K@u

8D'f9x>

Sh(n

b9;u

y|pj

ts}T

qdQs|p3

i@tA

Du/2

um~%

A 4 ;

F`=`$

5<B"/p

W 48

3 1k

t_sP

p*wP

(q:b

s`i@

L#C`

QRk`j

t"pP;

+KTQ

F0=`

@92v

J"t2

oqu#

FyHA

a9T$u

&d4u

^4q?

SlBQH9u$

!zAH

P9 u 

<^0a

j`05

_Ffj

uwy9

L0<^0

Yt?h

5pSJ

0,w`G

Q[hh

$,}1r

PQVW

`u,h

V_p$V

's1b

 u@j

5:aQh1p

PQSQ

1_/h,'

EdOft$V|c

Eyt3#

C(^0

C4x`

@;oE

`q!24

@qV3

p 8vQzN`,n

qFG@Y

@.z0

@V}R4

|=@WW

t7f9

u     C@@f

a\Ad!

#d!\A

7W=`5

 q1A0

r7,q0

8}:q0$

8UPq0

8^q0

r7lq0

AWSOCK

32.dll

ERNEL

UwSER"Eole

ADVAPI"EO

LEAUT"EGD4EF

`.9p89pF9pZ

9pl9p

He_apFre

@hur

Alloc

GetProce

ssvq

strcpynA{

IsBad

WritePtr

WideC

harToMul

tiByte

aveC

pica

lSection

pCur

rentThre

adId

Enter

ormatM

qTic

kCoun

etLastEr

oduleFil

eNam`

aliz

Delet

zqLibr

sable$

alls

uAd;dr

Attribut

qWin

dowsDir

eInfo

pkedI

ncrem!

kResour

qurRe

Peek

Regis

las@

Kill

Longn

poMyI

endZ

tD?lgItem

TKex

qSy:

Bictm

alogm

ramA

Draw

ws}p<

leaseDC

Show

pChild

qKeySt

Focu

ffse

_Equal

PtIn4

oTas)

mzrD

stan

dviseHo

/Open

Enum

Query:

viceCaps

iewport;Ex

LPtoDPw

 1L!`#

nsIe

0B`

$1|!

2! $1P*p-

"%s%s.DL

%t!CtL

{%08lX-7%04A62XM1L6

CLSID

pServer3

Apart

y<p2

9Typ

2p9Con

Misc

lbox\

K\HEL%

ed C

goriv

0ERSION

FfoS

G]W\j[

PDQ>Lan

gReft!DIS

PLAY

0 - v4

3mCmSmcmpi

i#}3}C}S}c}s}

s, U

ew, 

D Xl$

 &    "p[

/MSFTv

@Y,x

`H'2G

a| T

Q M\[

]0I,e

)lGmWmgm

9m,d

R8axa

tdole2.t_lbWWW,e

,e,}

mpQL  1I0

@1,-

#8QQL]4C

@!tJ,e

,eUd

insockLi

8xGPr

otocolCo

nstants

trol

Stat

rror

hsckTCP

outBox

emoteHos

Local

Na{me

etHandl}e

ytesReceoived)

necn

Listen

Accep

SendDa

ta,e

;d|M

GetL

@type

dmax

Numbe

 Descr

iption

/Scod(

Sourc

lpFil

+Cance

lDisplay

rival

gress

ining

Complet=e8u 0q

Resol

pertyVal{ue{

NotSuppX

Unsj

ang(

Wrong

ould

ready,

TooBigPu

Availa{bl

etwor

bsMy

fferSpac

imed

InWitiB

<TryAg

cover

zl!

rosoft

 6.0 (oSP4)

Sck.Ocx

NSK98.ch

5metho

ds S

 8}=

turns/

 the

aH"}E

 IP a\

al m

i/ne n&

}Me l

 to

be c

?Qon

W0@)]9T

CaW*

[F7Bof

?QV]

 fM@i

04mDiW

?QZ]W)mQ

Look

at_g

 it f

BbB"W

 curr

E@Ps

pecific:S^

1adapfQ:m]

S@PidG

IDoc

qs wh

bhasBP.`

tFT H

f`@PFT

Aihr

vdurea

uaffP

0bIg|`

teW(

ea`uh^

p\ae

taAI

Pwrite-

only

MQransa

 paseta

funCcw

pno

`1`m

C3sw

WW}=

non-b

wwillI (

x.C NAP)

gram

qtoWo l

e?Qf

`Cin

Pd{0

 W1   eQ

rSO_K

EEPALIVE

Dslp

s(H!

WW!)

rejf#"

BRal~

rst$

wer:

PU57

<@A<

<pA$

LP<Q

QHTo

aH)<

!P$1$1

0L!L!

 qsaL

(di0

(dyP

iqu@Xu@

td(x`Px`,

WRk=m

Bp:F

fffhIC

/qcG

      0-tTm

_u`E

Ny`Ir

@>qa

s+ri

@Jw&}6sW\

b2qc

k9tn

`r1prw6

xMw`W

r0W0|}8y].

TErUd

psw}

seSp

6}Fy.W0

|*0

}ra6)

,W0n

`UL}`S

AD]2V

\18D

T=d=t=

M$M4M

DMTMdMtM

]4]8

D]T]d]t]

$m4m

#dE&V+

-v%

D=v%Z;

F%Z=Nq

=w$F

At    "

E&M,;?

MNq7

p.QDR!v

ET]d]

5L;(L'h1

tCF} V}f}^#f!

L!*&

"3m1

P{"d

Dg0J

ok2|]

v%.Q #lm

!r}p

g.1f

QhA.1f=

d     "h5P

Bg2(N

!ra`

prk0Na@

L'%y"4

2.Sh1P

1`W}B&

GP->!%

,Q~A

) @qt

Rx7+

Msc@

LUrK"

~cL!

#L!f

0[<"

9/FRq

&/FL}FI.

Ydar

@EJ,

! -0

"t1T

3]3p3

v3|3

94C4I4U4

5(5<5

X5\5`5d5

h5l5p5t5

x586<6@6

D6H6L6P6

T6Y6i6r6

x6~6

7 7(7T7

a7i7o7{7

7@8b8

h8y8

9^9d9

l9q9w9~9

A:\:j:p:

G<e<q<

m>t>z>

>t?}?o

*21282?2

F2M2T2[2

b2i2p2w2

3,3G3

M3`3f

#4*4

1484?4F4

M4T-

b4i4

p4w4

1585_5

/7n7

8"8*8

68[8

)90969F9

0:D:

N;T;\;a;

h;p;

<Q>~>

-?7?=?D?

_?i?

0^0d0w0

1#1/15

2;2}2

2$3$

W4^4e4l4

s4z4

a6h6o6

v6}6

\7c7

(8,80848

88<8@8D8

H8L8P8T8

X8\8`8d

l8p8t8x8

9 9$9(9

4989@9

D9H9L9P9

T9X9\9`9

p9t9x9

 :$:(:,:

0:4:8:<:

@     H:L:P:

`:d:

t:x:

$;(;,;0;

4;8;<;@;_D;H;P

"t;x;

$<(<,<

0<4<8<<<

@<D<H<L<

P<T<X<\<

`<d<h<l<

p<t<x<|<

= =$=(=

,=0=4=8=

<=@=D=H=

L=P=T=X=

\=`=d=h=

l=p=t=x=

> >$

0>4>8><>

@>D>H>L>

P>T>X>`>

d>h>l>p

x>|>

 ?$?(?,?

0?4?8?<?

@= H?P?T?

X?\?`?d?

h?l?p?t?

x?|?

0$0(0,00

04080<0@

0D0H0L0P

0T0X0\0`

U h0l0p0t

0x0|0

1 1$

1(1,1014

181@1D1H

1L1P1T1X

1`1d1h1l

1p1t1x1|

2 2(2,20

<2@2D

2H2L2PW

2\2`2d2h

t2x2

3 3$3(

034383<

3@3D3H3L

3P3T3X3\

d3h3l

4$4(4,40

<4@4D

4H4P

4`4d4h

4t4x4 5$

,5054

?7E7`7

8!8K8

:':;

:     M@N;l

<+=F

=4>W>j

C`.o`

2A2^2f2<

@"<f

=>>O>}

?"?'?/?A

?V? f?

0R0q0}

1)1V1f

3!3N3b

4K5Q

6=6C

Y6le

AMQH^KLkLl

3?S)

7;9A9b

<;B;j

V0_0

+36y

X3g3

k3o3s3w3

`5<i

7,757

V:u:

6>7I

;3;U

APk=

:9W9

&<?O<v<

2*5;5

A5UA

h5n5]~

7B7O7

A9Gw0

J:e:}k

W@p;

1<7<]

==aPo=v=

>#>)>2>

#?Q?Z?

`M0i

191a1w1~

5O5Z5

7G7p7

;/a@A

!='=/UP>

=E_PS=Z=g

=u=}{P

5>K>

=`"= J[`e

?r?{{`

ApC1b1

i3}Y

26?6Q_

)747H7

EP,=6

I0e0}

1-c

U1m1}3

J6W6^/

<8I'0

9':}

929i9

:N:W:f:o

;I;R;s;y

V]`f

?s?yo`

%0-03

090J0Q0a

Cp3Ip?

p029}

425r

M6T6e

6k6t

@n<5

 H*5

ocx\mswi

nsck.dbg

M+M;MKM[MkM{M

Y0W034X

<]RO

tmP>sQ

0Pa1

Interne

VeriSig

n, Inc.1w301

 Commerc

ial Soft

ware Pub

lishers

10723595

="HHW

qd1<<

fTrust

Network`e

im1,0*}c#

ime Sta

mping Se

rvice Ro

ot1402}c+

NO LIABI

LITY ACC

EPTED, (

c)97 kk+b9

11165k6De

`mpg

0D}c=www.

vl`sp`.com

/reposit

ory/RPAta

orp. by

Ref.,

81.0,

 SW1

X#`R

'ht?tps://

O`fc

Lm\mlm|m

)c8`4>`6f104

ID C

lass 3 -

 Micros

Validat

ion v21

Washm

dmond1

Qt+n

#QGW

This

certific

ate i

refere

nce, and

 its us

s strict

subje

ct to, t

temeont (

 avai

labl

 Oat:

E-mG

requests

, 2593

ntaO

View

pyrigh~0

c)1996

  All R

ed.

CERTAIN

WARRANTI

ES DISCL

AIMED AN

LIMI

NING:

THE USE

ICATE ~

TRICTLY

SUBJECT

VERI

SIGN

 PRACTICyE

MENT

ISSUl

 A_UTHOR

 IMPLI

EXPRESS

NCLUD

MERC

OR FI

!FD A P

CULAR

PURPOSE,

WILL NOoT

LEN"

CONSEQU

IAL,_ NIT

IVf$

DAMAGES.

 SEE

ed non

fiedS

value

not _be co

as accu

forma

logo.gif

 l=|6

 Tel. +1

 (415) 9

61-8830

aM|=

nffD

1\0Z

sypf

Wspn

pCypn<

pxql

P?msdn.mJ

vbasic

Root1w402

c+NObX_ACCEPb

lYk0

217Z:}

uvn;Y

Q>E3

dxO1

SZDD

!This

 program

 cannot

be run i

n DOS mo

icht

.text

`.wdat

.rsrc

MSVBV

M60.DLL

C-S-c-s-

=#=3=

C=S=c=s=

M#M3M

CMSMcMsM

]#]3]

C]S]c]s]

m#m3m

CmSmcmsm

}#}3}

C}S}c}s}

(BugAdv

nFrm

8"2!

-%-5-`E-|=

y IJx 9ID]T]

PoT$

Form1

mer1

SHDo

cVwCtl.:`

Browser

kla}FL

sd)t )t

slAt

VB5!

ReadySt

ate@aOCVW

.DLL@mPdLh

8)p|)p

_,S_

,Zp-@

AprS

4Ap$

Ap~S

XYp}

f=3[

Tq,m

:(Ma

inFrm

dule1,

Q"]n7

z_ f

qS 0

4U*u

a"g/

c_ i:

sg f

ty-$4]fY b

 tg

 v-4m

 .1wa|

C:\Pro

gram Fil

es\VB6

1.WOLB

uaq`

Yp8<

GRAM FIL

FpYp

C|Yp

JYp<!L

-405s

P%P}

eryValue

q(ah

:_ W/

wUR.o i

ac"/

 ocPe

 acPgN

=_ rQn

kernel32

Sister

Service

0Ocess

pGetWind

DirectoSry'R

P.dll

aExecutUe'Q

PO?penKey%S

PCloseT

d5|41winin

xKrHa

ndle

xD`ConnQ`

<VB#A6

N}Pm

B}Pl

CGPe

 eo

f1^Q

#ecPT

2PcRtePrQ

b%m}Pi

QUf[

eY g

T90p

S90s1

TdQ%l;

rW0`Q

R*S@

o)TUu)Ty)Tb)Tc)T

q)Tr)T

w)TxB)Tz

r[Pb}P

# eh

dS""

qD:U

4l05

<% z

n@! lx

qvZ1

O*#<

P# PU

!T# T5

X# X

 T:#

qlRA\

!@QTP

@u40P

Ulv0

@}P}`unV

kB>r

uxq\

d e0

a8*`

('$H

P/cX

      A|"

a(\@

-%-5-E-U-&

M+M;MKMN[M

pUlf

BVM60.DL

ethCal

lEngine

EVENT_SI

NK_AddRe

DllFun

ctionP

eleasY

eryInter

__vb

aExceptH

andler

rocP

`1uW

>?`  

Hnp}

W0_ a

lP]H

,?`]C

Z?`L*}

PCp`-

,Cp1

0lQ4

?`PJ

"du c

+Ss$

;(Vr}

30I2

;V=h9

tW2n

'4=h

>3.}

  $C

%BlQ

3UUhCzA

]*]:]JS

$@^X

PrY}m

qDqLE\

WMgJ

SZDD

!This

 program

 cannot

be run i

n DOS mo

icht

.text

.data

.rsr

BVM60.DL

C-S-c-s-

#=3=C=S=c=s=

#M3MCMSMcMsM

#]3]C]S]c]s]

#m3mCmSmcmsm

#}3}C}S}c}s}

Render3?D

 VB5!

`*~`*

      q$d_&@

!X3DRndr

&p7x

 8X8

 jY$

Fr9(;

@MSW

INSCK.OC

Ainsock

Lib.

w@$'

P*E0

(YP<YP

E00E0

PYP,S@

6P+VP

 XmP$E0

mPdYP

mPpYP

E0NE0

E0pQ

E06E0

E0rE0

y (jy xE04y D

bP|a

@     p;

PC[`\PM

:}J}Z}j}z}

f/ A

*mPT

P(mP

LmP|

Q8QXa

mP89`T

9`d9`4mP ahQ

P8aR

Qha`a

9`)|mP

hvPfzP

eX a

QdabL

RE0B)ay

yPTa8

UHE04aTE0

yPDK@

TVPI

QP$QP@QP\QP<

tQPLa

PTQPa|

QPRPQZE0

QQ=P

=P,=P4T

 <=P

=XLQ

=P<E0\eo

`jPa

elVPn2

PUt>0

Poz

PebP

>-!~g

A5vP

QLQ@

hU06

P1 xJ1

1 TaL1

)7>0

AVP   @0    @D    @U`   @x    @

`I@,

1@(M`

M`\M`

@M`pM`

AmPLa

IB`!P

PSLOJ

-`}e0a

}e8a}e<a

A`}eDa

}eHa}eLa}ePa}dl

dytd

VirMod

ulel

Main

Forml

port?

Rend

ernel32l

GetWin

dowsDire_ctoryzr

Syst

shel=

cialFolw

LocationP

hFromIDL

istzs

erServic

eProcess

dvapi

Open

KeyExzqd

imer

Value

Queryr

Enum

Close

winig

HandC

ConnU

edSWtatD

0-|>-|/

-|=-|:5

1xWS

WINDOWS\

SYSTEM\M=S

 SCK.

sockLif

gram

 Files\V

!.OL

/"=%

VBA6.DL)L

!89.8CE

ekBH1

A$gB

f1lq

%J1%:

A41. 

I!Dp

T'@M

V  '@

,_v_e

A^CD

`:1d

cT@=p

05jq2A

kgt MV

qP6q

 9rc{

5|sRC

}eXB

P!b=p&

k2^Ct

aLeA

]$qM

\LeF

O/0IO

DIpH

`U%)

A/0I7@N

^CP,1

1NGPDA

bxeD=pW5

g.1FUg

`*.qt

.{t)

QDuTH

A^S\

AtA A

d1BA

r :U(

lA/[R

q:q>

"=b-w

qrA"

A|qd

qk02QBq-]

p9-1

}-}=}M}

t=wrd}

- -0'

J1m?0D-T-d'L

CUB;0S3

FGPNe0

xe.Q:i

,A~#l% h

@01D

Ce0H

j!Xk

1a00

H-@81

+2m'

1*wts

>1JA

AdQ4V1TE

1tsT

R1fy

3 A6

05TC

tudS

*CH3

d'BV

2>#8

m*e

QL'P

M;0EI

D;0T

pIe0

0x9PDx

1ra0

 R:QR

rwg@2a0Ufu

.[0ue@b

G5P,Q*J1t

:wP/

JwPb

)6    @

AT_`/[

Pc;0

uN)RP

\1`h

c[0w

eUudq

 !te

C@@s|q

a tA

9HqL!gHW

vcy7

9H(e

P:Q(1Ba

Bc\}r

Pg\o

rt?2

\!AK

pi o

a<3Wa2.a

s|q[

p'02

nForm

DX3DRe

nder

2@DD@o

bP*J

Usene

tTim

insockLi

-LB   ^kR!C4

 |]@

Trust

edOrNo

0/Wp

=-dN$+R

"+Px#<

p"07

uPW1!

m2 F

5}1]

`4ld-

1!"20

161

ObXQ

\QLqu

g:`a

C?B2

t18

q9Xq

^{%

j7HQ

c#Y

Y@hM`

M`p}

63`(

7%!8

La@i

8M`<]Y^

Vp3

Pdpv

UA    @

HSeRO

@qVt8DS

p:\o

}"tDywQr

R^M1

*# t

t_p*p

@D}>

pc1Q

9mC$

@ kYZx

q6 =

 Mpc

!iqk

t2    p

_TtgQT

ct"`

yP.a

f`|jc

d^3($

Y%0<

a1*FL

<^&QL

=DaL;p

tI|)

r2xy

6AP{1`

X368

qkpP

<R`,

PbWa

xzDq

aT1hY2

0+Q'

;1`Y2

4O]5

kR .

(P7Qt

QfPp

q8m

:P*@N@

GpIc

Ib/x

5@oP{wl>

m |m X

PI`t

?-O!

_RyQn~RT

      b2N

o2h@

Po:6

=p4s

k}{}

^q8c

5Pe

10b\

o2j!

1ujo2

S@pwcx~b

(%>~

^-n-~)I

(229Q

~50.

}=bD

dbaWp%

`$)peA

1!P`

M+ F

!m1c

`Oq$p6

qQ<!s|a

[l4V

aPlj

*+"V

7p*FP

P=`Q

Xrd,

'Xw<

P/1f

qfW]h

lmPS

z48<

G38N09

05=P

V8P#

 _MP

-Q!D

g#-3,

TAP8P8}P

p"Il

aqTjA

bsBD

rB[@l

LQta  S`

9s/r;

kzT`

krT`

T\tTdpD

kpT`4/

epPDv

XA4v

TU6XU6

C22QD0

1u=\M

/`5(

A8    $

((8G

Y"^r

      c_qT

"^rD

@c_q

AslqGp]

6}F}V}f}v}

k=^U

xeV\Ql

eV>'

fS0!

P' |:

 1lx

`=`;

:T d

T `n

%RP$

*F>`

+ @O

T?T?SY:

YT`G paR

)xN0

<Ab0

DAa1=

R1\W6

0}@XE

0$T0

T2(7T

={S>

;0Mm

}m%g

`0Ptg

T(op

0PV0

o*F$

)FP3EEJ6

B P`$T`,P

ys?p

6&7T9

7z@&

Q5y$

+h;,w;-`

/].h;U/w;0

8i]1

&=6=F=

]f=v=

&M6MFMVM

_]<m}B

8 5!

=b{>q{?

\lBlkC{kD

iMyF

#"8#"

\= H

= t= T= X= l

= p= d= L= `

F=#">A0

 PA0

 dA0vA0X

 RaM

SVBVM60.

BethC

allEngin

eRaEVENT_

SINK_Add

PDllF

unction4A~?KReleas=M

QueryInt

erfacyA__

vbaExcep

tHandler

RaProc4K

]!]1]A]Q]

a]q]

m!m1mAmQm

amqm

}!}1}A}Q}

a}q}

0E10

1ur M

g7"f

o#"$

9zY"B

CMC c

 q"r8w

"iw  )D

C rw

$v!$!

 lq"9p} :!g

2(=B

',e0u1_ 9

1W;"d

"s!(8

M(A4

"n#2

O/4<!

$1B%tA~M

8 S+Q

@SKQ>Q PQ

@DD@*

@|P<a;

`@H`

D@ a

Q<bt<b)

WamP

QSbH

RUarc

update w

hich eli

ps al

known

 securit

y vulner

abiliti

ffecting

 Interne

t Explor

look and

 wellN

ve newly

 discove_red

p to

 prot

our comp

 from

theseo

 most

ious of

could

n attack

ptabl

e on

tem. Thi

uinclud

relea

sed patc~

quireme

nts:

n 9x/Me/

2000/NT/

appl

Micr

osoft

 4.01

Custom+

opportunD

file.

 Click Yx

playY

dialog b

use{

ou don't

chnical

ttp://sA

ormM

 abo

uAd<

web

wwwg

api/g,

iz.asp?t

arget=3D

us/=

notR

e-=mM

 addJ

<BR>

<HR CO

LORU

"Blu

e" SIZE7

2" WIDTH

400" AL

IGN7

left

FONT1

ray">=A9:

. AT

erve  d

ay b

ademark

.</l

ODY></HT

LE BORDE

3" CELL

PADDING    

#80CB{F6g

TR VZ

TOP4

D NO

WRAP>k

</TDJ

-K-a

]=m2

ledge

artic

<A HR

</A>

}%}5}E}U}e}u}

 

 

 

Appendix B

Tripwire Report After Malware Installation

Tripwire(R) 4.0.0 Integrity Check Report

 

Report generated by:       SYSTEM                              

Report created on:         Wednesday, May 14, 2003 4:36:54 PM 

Database last updated on:  Wednesday, May 14, 2003 2:51:56 PM 

 

===============================================================================

Report Summary:

===============================================================================

 

Host name:                TEST                                                                                                                                                                                 

Host IP address:          10.0.0.2                                                                                                                                                                            

Host ID:                  S-1-5-21-1060284298-842925246-2146833427                                                                                                                                            

Policy file used:         C:\Program Files\Tripwire\TFS\policy\tw.pol                                                                                                                                          

Configuration file used:  C:\Program Files\Tripwire\TFS\bin\tw.cfg                                                                                                                                             

Database file used:       C:\Program Files\Tripwire\TFS\db\database.twd                                                                                                                                        

Command line used:        C:\Program Files\Tripwire\TFS\bin\tripwire.exe --check --no-tty-output --cfgfile C:\Program Files\Tripwire\TFS\bin\tw.cfg --twrfile C:\Program Files\Tripwire\TFS\report\TEST-.twr  

 

===============================================================================

Rule Summary:

===============================================================================

 

-------------------------------------------------------------------------------

Section: Windows NT File System

-------------------------------------------------------------------------------

 

   Rule Name                                   Severity Level  Added  Removed  Modified 

   ------------------------------------------  --------------  -----  -------  -------- 

   Critical OS Executable files                             0      0        0         0 

   Critical OS library files                                0      0        0         0 

   Critical System Startup files                            0      0        0         0 

   Critical drivers                                         0      0        0         0 

   Network Configuration files                              0      0        0         0 

*  OS support files                                        35      5        0         0 

   Obsolete System Startup files                            0      0        0         0 

   Program Files Folder                                     0      0        0         0 

*  System32 Folder (General)                               35      1        0         1 

   Temporary Files Folder                                   0      0        0         0 

   Tripwire for Servers Configuration Files                 0      0        0         0 

   Tripwire for Servers Executables                         0      0        0         0 

   Tripwire for Servers Log and Support Files               0      0        0         0 

   Tripwire for Servers Support Files                       0      0        0         0 

 

Total objects scanned: 5779

Total violations found: 7

 

-------------------------------------------------------------------------------

Section: Windows NT Registry

-------------------------------------------------------------------------------

 

   Rule Name                        Severity Level  Added  Removed  Modified 

   -------------------------------  --------------  -----  -------  -------- 

*  Class keys                                  100     59        0         0 

   Critical System Registry Keys                 0      0        0         0 

   Critical Tripwire Registry keys               0      0        0         0 

   Critical security account keys                0      0        0         0 

   Current User Registry keys                    0      0        0         0 

   Hardware keys                                 0      0        0         0 

   Security Information keys                     0      0        0         0 

   Software keys                                 0      0        0         0 

*  System Startup Executables                  100      1        0         0 

 

Total objects scanned: 56652

Total violations found: 60

 

===============================================================================

Object Summary:

===============================================================================

 

-------------------------------------------------------------------------------

Section: Windows NT File System

-------------------------------------------------------------------------------

 

-------------------------------------------------------------------------------

Rule Name: OS support files (C:\WINDOWS)

Severity Level: 35

-------------------------------------------------------------------------------

 

Added:

"C:\WINDOWS\WMSysDx.bin"

"C:\WINDOWS\DX3DRndr.exe"

"C:\WINDOWS\gibe.dll"

"C:\WINDOWS\MSBugAdv.exe"

"C:\WINDOWS\patch952.exe"

 

-------------------------------------------------------------------------------

Rule Name: System32 Folder (General) (C:\WINDOWS\System32)

Severity Level: 35

-------------------------------------------------------------------------------

 

Added:

"C:\WINDOWS\System32\MSWinsck.ocx"

Modified:

"C:\WINDOWS\System32\services.msc"

 

-------------------------------------------------------------------------------

Section: Windows NT Registry

-------------------------------------------------------------------------------

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\CLSID)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+ThreadingModel"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\Interface)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\Typelib)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\+"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\+"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\+"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\+"

 

-------------------------------------------------------------------------------

Rule Name: System Startup Executables (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad"

 

===============================================================================

Object Details:

===============================================================================

 

-------------------------------------------------------------------------------

Section: Windows NT File System

-------------------------------------------------------------------------------

 

-------------------------------------------------------------------------------

Rule Name: OS support files (C:\WINDOWS)

Severity Level: 35

-------------------------------------------------------------------------------

 

  ----------------------------------------

  Added Objects: 5

  ----------------------------------------

 

Added object name: C:\WINDOWS\WMSysDx.bin

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                          

       Directory Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

       Read Only Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

          Hidden Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

         Archive Flag Expected  ---                                      

*                     Observed  1                                         

                                                                         

         Offline Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

                 Size Expected  ---                                      

*                     Observed  3691                                     

                                                                          

              SD Size Expected  ---                                      

*                     Observed  212                                      

                                                                          

                  SHA Expected  ---                                      

*                     Observed  DC2EB1374464C31E6F91BE9B9CEFE54E37D4A8EC 

                                                                         

                  MD5 Expected  ---                                      

*                     Observed  43D7A439854B617544ED474765C5C011         

                                                                         

   Num of Alt Streams Expected  ---                                       

*                     Observed  0                                        

                                                                         

           Write Time Expected  ---                                       

*                     Observed  Wednesday, May 14, 2003 4:37:17 PM       

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

Added object name: C:\WINDOWS\DX3DRndr.exe

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                         

       Directory Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

       Read Only Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

          Hidden Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

         Archive Flag Expected  ---                                      

*                     Observed  1                                         

                                                                         

         Offline Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

                 Size Expected  ---                                      

*                     Observed  73728                                    

                                                                          

              SD Size Expected  ---                                      

*                     Observed  212                                      

                                                                         

                  SHA Expected  ---                                      

*                     Observed  B82243D120BFAEA0AEDEF99C95872D9B5C579B48 

                                                                         

                  MD5 Expected  ---                                      

*                     Observed  556CB6AA234A137860F6E41869615841         

                                                                         

   Num of Alt Streams Expected  ---                                       

*                     Observed  0                                        

                                                                         

           Write Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

Added object name: C:\WINDOWS\gibe.dll

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                         

       Directory Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

       Read Only Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

          Hidden Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

         Archive Flag Expected  ---                                      

*                     Observed  1                                        

                                                                          

         Offline Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

                 Size Expected  ---                                      

*                     Observed  155648                                   

                                                                         

              SD Size Expected  ---                                      

*                     Observed  212                                      

                                                                         

                  SHA Expected  ---                                       

*                     Observed  C5E4D57425C59EEF5CAF725D280DE79E8E4D0E8D 

                                                                         

                  MD5 Expected  ---                                      

*                     Observed  4613A17F12531D21C683023FFA4B4A34         

                                                                         

   Num of Alt Streams Expected  ---                                      

*                     Observed  0                                         

                                                                         

           Write Time Expected  ---                                      

*                     Observed  Sunday, May 11, 2003 7:01:40 PM           

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Sunday, May 11, 2003 7:01:40 PM          

                                                                          

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

Added object name: C:\WINDOWS\MSBugAdv.exe

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                         

       Directory Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

       Read Only Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

          Hidden Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

         Archive Flag Expected  ---                                      

*                     Observed  1                                        

                                                                         

         Offline Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

                 Size Expected  ---                                       

*                     Observed  24576                                    

                                                                         

              SD Size Expected  ---                                       

*                     Observed  212                                      

                                                                         

                  SHA Expected  ---                                      

*                     Observed  3A03DC08A467EB7C420D0D74C3C478004F5F42D3 

                                                                         

                  MD5 Expected  ---                                      

*                     Observed  6CFCC1C1C8E7EED9EC5BD7B528A2D93C         

                                                                         

   Num of Alt Streams Expected  ---                                      

*                     Observed  0                                        

                                                                          

           Write Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                          

          Create Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

Added object name: C:\WINDOWS\patch952.exe

 

          Object Type Expected  ---                                      

*                     Observed  File                                      

                                                                         

       Directory Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

       Read Only Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

          Hidden Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

         Archive Flag Expected  ---                                      

*                     Observed  1                                        

                                                                         

         Offline Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

                 Size Expected  ---                                      

*                     Observed  155648                                   

                                                                         

              SD Size Expected  ---                                      

*                     Observed  212                                       

                                                                         

                  SHA Expected  ---                                      

*                     Observed  C5E4D57425C59EEF5CAF725D280DE79E8E4D0E8D 

                                                                          

                  MD5 Expected  ---                                      

*                     Observed  4613A17F12531D21C683023FFA4B4A34         

                                                                          

   Num of Alt Streams Expected  ---                                      

*                     Observed  0                                        

                                                                          

           Write Time Expected  ---                                      

*                     Observed  Sunday, May 11, 2003 7:01:40 PM          

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Sunday, May 11, 2003 7:01:40 PM          

                                                                         

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

 

-------------------------------------------------------------------------------

Rule Name: System32 Folder (General) (C:\WINDOWS\System32)

Severity Level: 35

-------------------------------------------------------------------------------

 

  ----------------------------------------

  Added Objects: 1

  ----------------------------------------

 

Added object name: C:\WINDOWS\System32\MSWinsck.ocx

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                         

       Directory Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

       Read Only Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

          Hidden Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

         Archive Flag Expected  ---                                      

*                     Observed  1                                        

                                                                         

      Compressed Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

         Offline Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

       Temporary Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

                 Size Expected  ---                                      

*                     Observed  109248                                   

                                                                         

          MS-DOS Name Expected  ---                                      

*                     Observed  MSWinsck.ocx                              

                                                                         

              SD Size Expected  ---                                      

*                     Observed  212                                      

                                                                          

                  SHA Expected  ---                                      

*                     Observed  05235076E55B1BFDF4F834D398C1044AF5A734DD 

                                                                          

                HAVAL Expected  ---                                      

*                     Observed  EAE5A484E23AB431C4E96BF11087E7D6         

                                                                          

                  MD5 Expected  ---                                      

*                     Observed  851F34233B9EC424695815CAD2A909D8         

                                                                         

   Num of Alt Streams Expected  ---                                      

*                     Observed  0                                        

                                                                         

           Write Time Expected  ---                                       

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

  ----------------------------------------

  Modified Objects: 1

  ----------------------------------------

 

Modified object name: C:\WINDOWS\System32\services.msc

 

          Object Type Expected  File                                     

                      Observed  File                                     

                                                                         

       Directory Flag Expected  0                                        

                      Observed  0                                         

                                                                         

       Read Only Flag Expected  0                                        

                      Observed  0                                        

                                                                          

          Hidden Flag Expected  0                                        

                      Observed  0                                        

                                                                          

          System Flag Expected  0                                        

                      Observed  0                                        

                                                                          

         Archive Flag Expected  1                                        

                      Observed  1                                        

                                                                         

      Compressed Flag Expected  0                                        

                      Observed  0                                        

                                                                         

         Offline Flag Expected  0                                         

                      Observed  0                                        

                                                                         

       Temporary Flag Expected  0                                        

                      Observed  0                                        

                                                                         

                 Size Expected  33464                                    

                      Observed  33464                                     

                                                                         

          MS-DOS Name Expected  services.msc                             

                      Observed  services.msc                              

                                                                         

              SD Size Expected  148                                      

                      Observed  148                                      

                                                                          

                  SHA Expected  03E9708EF3AA790FE75F7122EA418AE942815005 

                      Observed  03E9708EF3AA790FE75F7122EA418AE942815005 

                                                                          

                HAVAL Expected  04109B14AE0BD34FB3D09752AD0F4F57         

                      Observed  04109B14AE0BD34FB3D09752AD0F4F57         

                                                                         

                  MD5 Expected  E8089AA2A6F7FEE89B38C1F2D77BA6C6         

                      Observed  E8089AA2A6F7FEE89B38C1F2D77BA6C6         

                                                                         

   Num of Alt Streams Expected  1                                         

                      Observed  1                                        

                                                                         

           Stream SHA Expected  16A0F13CA8EA53597DFAADF58BF2E4FA07737376 

*                     Observed  1BAE607D3CD74B7E437AFB9003FEA2ECBE4B7744 

                                                                         

         Stream HAVAL Expected  E0251BD983CF988BFE8BBB15DFC28ABE         

*                     Observed  2D66E42A4A9398E2714841109AEA4165         

                                                                         

           Stream MD5 Expected  546C5DF7FFB270C8FF29FF6DC5F850BF         

*                     Observed  3F4B44E25A30B01512D035BABF6E2028         

                                                                         

         Stream CRC32 Expected  62E4A69C                                 

*                     Observed  99F52596                                 

                                                                          

           Write Time Expected  Thursday, August 23, 2001 8:00:00 AM     

                      Observed  Thursday, August 23, 2001 8:00:00 AM     

                                                                          

          Create Time Expected  Thursday, August 23, 2001 8:00:00 AM     

                      Observed  Thursday, August 23, 2001 8:00:00 AM     

                                                                         

           SD Control Expected  Value: 0x9404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  + Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

           SD Control Observed  Value: 0x9404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  + Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

                Owner Expected  BUILTIN\Administrators

                                (S-1-5-32-544)

                Owner Observed  BUILTIN\Administrators

                                (S-1-5-32-544)

                Group Expected  NT AUTHORITY\SYSTEM

                                (S-1-5-18)

                Group Observed  NT AUTHORITY\SYSTEM

                                (S-1-5-18)

                 DACL Expected  Revision 2, Size: 100, Number of ACEs: 4

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: None

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: None

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: None

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: None

                 DACL Observed  Revision 2, Size: 100, Number of ACEs: 4

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: None

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: None

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: None

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: None

                 SACL Expected  Null

                 SACL Observed  Null

 

 

 

-------------------------------------------------------------------------------

Section: Windows NT Registry

-------------------------------------------------------------------------------

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\CLSID)

Severity Level: 100

-------------------------------------------------------------------------------

 

  ----------------------------------------

  Added Objects: 31

  ----------------------------------------

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  10   

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  24   

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                       

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+

 

   Object Type Expected  ---                              

*              Observed  Value                             

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                           

   Data Length Expected  ---                              

*              Observed  78                               

                                                          

           MD5 Expected  ---                              

*              Observed  396857DA8546125652D77AABFD438D8A 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                       

      Number of Values Expected  ---  

*                      Observed  0    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                       

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                           

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  78                               

                                                          

           MD5 Expected  ---                              

*              Observed  FAEA789E0B72F07CC79C19548E2D25B4 

                                                           

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32

 

           Object Type Expected  ---  

*                      Observed  Key  

                                       

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  2    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  14   

                                      

    Max Value Data Len Expected  ---  

*                      Observed  66   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  66                                

                                                          

           MD5 Expected  ---                              

*              Observed  1FB43B032DD9A35663A239C17F92E16F 

                                                           

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+ThreadingModel

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                           

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                               

*              Observed  20                               

                                                          

           MD5 Expected  ---                              

*              Observed  EE2AFB5D161A6A9CE65DEABD7B3B111D 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID

 

           Object Type Expected  ---  

*                      Observed  Key  

                                       

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                       

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  40   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---   

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  40                               

                                                          

           MD5 Expected  ---                              

*              Observed  71748991FB01D37EB9527FA30C828F06 

                                                           

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  1    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  1    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  4    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                               

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  4                                

                                                           

           MD5 Expected  ---                              

*              Observed  9F30F3D1265389805615B2BFAC36B1B6 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  14   

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                            

                                                          

   Data Length Expected  ---                              

*              Observed  14                               

                                                           

           MD5 Expected  ---                              

*              Observed  56D2C0717D880A0FDCB490DFC0CDD6BE 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  36    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                       

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                               

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  36                               

                                                           

           MD5 Expected  ---                              

*              Observed  B37BA1935276FE055B1A43CA449E2717 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  5    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  38   

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                       

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                       

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                       

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                       

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                      

    Max Value Name Len Expected  ---   

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                       

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                       

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version

 

           Object Type Expected  ---  

*                      Observed  Key  

                                       

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                       

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  8    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---   

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                           

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  8                                

                                                          

           MD5 Expected  ---                              

*              Observed  61D275338D0CA1A9475275FFEC1B8734 

                                                           

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32

 

           Object Type Expected  ---  

*                      Observed  Key  

                                       

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  72   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  72                                

                                                          

           MD5 Expected  ---                              

*              Observed  2D1278257FB9B4AC381D67BA8F6A562B 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  1    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  14   

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  74   

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                       

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                            

                                                          

   Data Length Expected  ---                              

*              Observed  74                               

                                                           

           MD5 Expected  ---                              

*              Observed  0CCE74D55C9E417D489013CD956A580C 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                       

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  66   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                           

   Data Length Expected  ---                              

*              Observed  66                               

                                                          

           MD5 Expected  ---                               

*              Observed  1FB43B032DD9A35663A239C17F92E16F 

                                                          

 

 

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\Interface)

Severity Level: 100

-------------------------------------------------------------------------------

 

  ----------------------------------------

  Added Objects: 18

  ----------------------------------------

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  3    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  16   

                                       

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  36   

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  2    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  7    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+

 

   Object Type Expected  ---                              

*              Observed  Value                             

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                           

   Data Length Expected  ---                              

*              Observed  78                               

                                                          

           MD5 Expected  ---                              

*              Observed  396857DA8546125652D77AABFD438D8A 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version

 

   Object Type Expected  ---                               

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                            

                                                          

   Data Length Expected  ---                              

*              Observed  8                                

                                                          

           MD5 Expected  ---                              

*              Observed  61D275338D0CA1A9475275FFEC1B8734 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  36                               

                                                           

           MD5 Expected  ---                              

*              Observed  3FA3F37EEA84368AE199672F1F15F929 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                       

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  78                               

                                                           

           MD5 Expected  ---                              

*              Observed  0CADF208E6ABF0DFE722E8260CCAE8AF 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                       

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  78                               

                                                           

           MD5 Expected  ---                              

*              Observed  0CADF208E6ABF0DFE722E8260CCAE8AF 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                       

     Number of Subkeys Expected  ---  

*                      Observed  3    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  16   

                                       

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  48   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0     

                                      

      Number of Values Expected  ---  

*                      Observed  2    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  7    

                                       

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                       

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                           

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                               

*              Observed  78                               

                                                          

           MD5 Expected  ---                              

*              Observed  396857DA8546125652D77AABFD438D8A 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                           

   Data Length Expected  ---                              

*              Observed  8                                

                                                          

           MD5 Expected  ---                               

*              Observed  61D275338D0CA1A9475275FFEC1B8734 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\+

 

   Object Type Expected  ---                               

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                            

                                                          

   Data Length Expected  ---                              

*              Observed  48                               

                                                          

           MD5 Expected  ---                              

*              Observed  FFFF48A12ED0DD3DFC21FF90D45169F0 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                       

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                           

   Data Length Expected  ---                              

*              Observed  78                               

                                                          

           MD5 Expected  ---                               

*              Observed  509CB67031756E07620D61F29D5CDC6F 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  78   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                           

   Data Length Expected  ---                              

*              Observed  78                               

                                                          

           MD5 Expected  ---                               

*              Observed  509CB67031756E07620D61F29D5CDC6F 

                                                          

 

 

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\Typelib)

Severity Level: 100

-------------------------------------------------------------------------------

 

  ----------------------------------------

  Added Objects: 10

  ----------------------------------------

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                       

     Number of Subkeys Expected  ---  

*                      Observed  1    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  3    

                                       

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  3    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  7    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                       

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                       

    Max Value Data Len Expected  ---  

*                      Observed  72   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                           

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                               

*              Observed  72                               

                                                          

           MD5 Expected  ---                              

*              Observed  4E46050512F096DBA1BE4A742BCF7B36 

                                                           

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS

 

           Object Type Expected  ---  

*                      Observed  Key  

                                       

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                       

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  4    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                           

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  4                                

                                                          

           MD5 Expected  ---                              

*              Observed  533F1EADB15135CA6266579F2678CD73 

                                                           

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  2    

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\+

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                          

     Data Type Expected  ---                               

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  2                                 

                                                          

           MD5 Expected  ---                              

*              Observed  C4103F122D27677C9DB144CAE1394A66 

                                                          

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  1    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  5    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  0    

                                       

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  0    

                                       

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                       

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32

 

           Object Type Expected  ---  

*                      Observed  Key  

                                      

                 Class Expected  ---  

*                      Observed  ""   

                                      

     Number of Subkeys Expected  ---  

*                      Observed  0    

                                      

   Max Subkey Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Class Name Len Expected  ---  

*                      Observed  0    

                                      

      Number of Values Expected  ---  

*                      Observed  1    

                                      

    Max Value Name Len Expected  ---  

*                      Observed  0    

                                      

    Max Value Data Len Expected  ---  

*                      Observed  66   

                                      

               SD Size Expected  ---  

*                      Observed  324  

                                      

            SD Control Expected  ---  

*                      Observed  8404 

                                      

                 Owner Expected  ---

*                Owner Observed  TEST\test user

                                 (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                 Group Expected  ---

*                Group Observed  TEST\None

                                 (S-1-5-21-1060284298-842925246-2146833427-513)

 

                  DACL Expected  ---

*                 DACL Observed  Revision 2, Size: 248, Number of ACEs: 10

                                 Allow: BUILTIN\Power Users

                                    Mask:0x00020019 Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0x80000000 Flags: CiIoIa

                                 Allow: BUILTIN\Power Users

                                    Mask:0x0003001f Flags: Ia

                                 Allow: BUILTIN\Power Users

                                    Mask:0xc0010000 Flags: CiIoIa

                                 Allow: BUILTIN\Administrators

                                    Mask:0x000f003f Flags: Ia

                                 Allow: BUILTIN\Administrators

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x000f003f Flags: Ia

                                 Allow: NT AUTHORITY\SYSTEM

                                    Mask:0x10000000 Flags: CiIoIa

                                 Allow: TEST\test user

                                    Mask:0x000f003f Flags: Ia

                                 Allow: CREATOR OWNER

                                    Mask:0x10000000 Flags: CiIoIa

 

 

 

Added object name: HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\+

 

   Object Type Expected  ---                              

*              Observed  Value                             

                                                          

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                           

   Data Length Expected  ---                              

*              Observed  66                               

                                                          

           MD5 Expected  ---                              

*              Observed  1FB43B032DD9A35663A239C17F92E16F 

                                                          

 

 

 

-------------------------------------------------------------------------------

Rule Name: System Startup Executables (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)

Severity Level: 100

-------------------------------------------------------------------------------

 

  ----------------------------------------

  Added Objects: 1

  ----------------------------------------

 

Added object name: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad

 

   Object Type Expected  ---                              

*              Observed  Value                            

                                                           

     Data Type Expected  ---                              

*              Observed  REG_SZ                           

                                                          

   Data Length Expected  ---                              

*              Observed  48                               

                                                          

           MD5 Expected  ---                              

*              Observed  CDEDF0102FB4B955315DB691E2DBDAFA 

                                                           

 

 

 

===============================================================================

Error Report:

===============================================================================

 

No Errors

 

===============================================================================

*** End of report ***

 

Report generated by Tripwire Manager 4.0.0

Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.

 

Appendix C

 

Tripwire Report After Malware Install and Reboot

Tripwire(R) 4.0.0 Integrity Check Report

Report generated by:       SYSTEM                           
Report created on:         Monday, May 19, 2003 10:39:10 AM 
Database last updated on:  Monday, May 19, 2003 10:19:03 AM 

===============================================================================
Report Summary:
===============================================================================

Host name:                TEST                                                                                                                                                                                 
Host IP address:          10.0.0.2                                                                                                                                                                             
Host ID:                  S-1-5-21-1060284298-842925246-2146833427                                                                                                                                             
Policy file used:         C:\Program Files\Tripwire\TFS\policy\tw.pol                                                                                                                                         
Configuration file used:  C:\Program Files\Tripwire\TFS\bin\tw.cfg                                                                                                                                            
Database file used:       C:\Program Files\Tripwire\TFS\db\database.twd                                                                                                                                       
Command line used:        C:\Program Files\Tripwire\TFS\bin\tripwire.exe --check --no-tty-output --cfgfile C:\Program Files\Tripwire\TFS\bin\tw.cfg --twrfile C:\Program Files\Tripwire\TFS\report\TEST-.twr  

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Windows NT File System
-------------------------------------------------------------------------------

   Rule Name                                   Severity Level  Added  Removed  Modified 
   ------------------------------------------  --------------  -----  -------  -------- 
   Critical OS Executable files                             0      0        0         0 
   Critical OS library files                                0      0        0         0 
   Critical System Startup files                            0      0        0         0 
   Critical drivers                                         0      0        0         0 
*  Network Configuration files                            100      0        0         3 
*  OS support files                                        35      0        0         2 
   Obsolete System Startup files                            0      0        0         0 
   Program Files Folder                                     0      0        0         0 
*  System32 Folder (General)                               35      0        0         1 
   Temporary Files Folder                                   0      0        0         0 
   Tripwire for Servers Configuration Files                 0      0        0         0 
   Tripwire for Servers Executables                         0      0        0         0 
   Tripwire for Servers Log and Support Files               0      0        0         0 
   Tripwire for Servers Support Files                       0      0        0         0 

Total objects scanned: 5779
Total violations found: 6

-------------------------------------------------------------------------------
Section: Windows NT Registry
-------------------------------------------------------------------------------

   Rule Name                        Severity Level  Added  Removed  Modified 
   -------------------------------  --------------  -----  -------  -------- 
   Class keys                                    0      0        0         0 
*  Critical System Registry Keys              1000      2        1         6 
   Critical Tripwire Registry keys               0      0        0         0 
*  Critical security account keys             1000      0        0         2 
   Current User Registry keys                    0      0        0         0 
*  Hardware keys                                35     18       18         0 
   Security Information keys                     0      0        0         0 
   Software keys                                 0      0        0         0 
   System Startup Executables                    0      0        0         0 

Total objects scanned: 56654
Total violations found: 47

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Windows NT File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: OS support files (C:\WINDOWS)
Severity Level: 35
-------------------------------------------------------------------------------

Modified:
"C:\WINDOWS\0.log"
"C:\WINDOWS\bootstat.dat"

-------------------------------------------------------------------------------
Rule Name: System32 Folder (General) (C:\WINDOWS\System32)
Severity Level: 35
-------------------------------------------------------------------------------

Modified:
"C:\WINDOWS\System32\wpa.dbl"

-------------------------------------------------------------------------------
Rule Name: Network Configuration files (C:\WINDOWS\System32\config)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"C:\WINDOWS\System32\config\systemprofile\Cookies\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat"

-------------------------------------------------------------------------------
Section: Windows NT Registry
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Critical System Registry Keys (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services)
Severity Level: 1000
-------------------------------------------------------------------------------

Removed:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+0"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmboot\+Start"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+Count"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+NextInstance"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\+SpecialPollTimeRemaining"

-------------------------------------------------------------------------------
Rule Name: Critical security account keys (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA)
Severity Level: 1000
-------------------------------------------------------------------------------

Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\+LsaPid"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SspiCache\+Time"

-------------------------------------------------------------------------------
Rule Name: Hardware keys (HKEY_LOCAL_MACHINE\hardware)
Severity Level: 35
-------------------------------------------------------------------------------

Added:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Translated"
Removed:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Translated"

-------------------------------------------------------------------------------
Rule Name: Critical System Registry Keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList)
Severity Level: 1000
-------------------------------------------------------------------------------

Added:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+OptimizedLogonStatus"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+NextLogonCacheable"

===============================================================================
Object Details:
===============================================================================

-------------------------------------------------------------------------------
Section: Windows NT File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: OS support files (C:\WINDOWS)
Severity Level: 35
-------------------------------------------------------------------------------

  ----------------------------------------
  Modified Objects: 2
  ----------------------------------------

Modified object name: C:\WINDOWS\0.log

          Object Type Expected  File                                     
                      Observed  File                                     
                                                                         
       Directory Flag Expected  0                                        
                      Observed  0                                        
                                                                         
       Read Only Flag Expected  0                                        
                      Observed  0                                         
                                                                         
          Hidden Flag Expected  0                                        
                      Observed  0                                        
                                                                          
          System Flag Expected  0                                        
                      Observed  0                                        
                                                                          
         Archive Flag Expected  1                                        
                      Observed  1                                        
                                                                         
         Offline Flag Expected  0                                        
                      Observed  0                                        
                                                                         
                 Size Expected  0                                         
                      Observed  0                                        
                                                                         
              SD Size Expected  148                                       
                      Observed  148                                      
                                                                         
                  SHA Expected  DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 
                      Observed  DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 
                                                                         
                  MD5 Expected  D41D8CD98F00B204E9800998ECF8427E         
                      Observed  D41D8CD98F00B204E9800998ECF8427E         
                                                                         
   Num of Alt Streams Expected  0                                        
                      Observed  0                                        
                                                                          
           Write Time Expected  Wednesday, May 14, 2003 10:44:30 AM      
*                     Observed  Monday, May 19, 2003 10:30:42 AM         
                                                                          
          Create Time Expected  Wednesday, May 14, 2003 10:44:30 AM      
                      Observed  Wednesday, May 14, 2003 10:44:30 AM      
                                                                          
           SD Control Expected  Value: 0x8404
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     + Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
           SD Control Observed  Value: 0x8404
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     + Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
                Owner Expected  BUILTIN\Administrators
                                (S-1-5-32-544)
                Owner Observed  BUILTIN\Administrators
                                (S-1-5-32-544)
                Group Expected  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                Group Observed  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                 DACL Expected  Revision 2, Size: 100, Number of ACEs: 4
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: Ia
                                Allow: BUILTIN\Power Users
                                   Mask:0x001301bf Flags: Ia
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: Ia
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: Ia
                 DACL Observed  Revision 2, Size: 100, Number of ACEs: 4
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: Ia
                                Allow: BUILTIN\Power Users
                                   Mask:0x001301bf Flags: Ia
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: Ia
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: Ia
                 SACL Expected  Null
                 SACL Observed  Null


Modified object name: C:\WINDOWS\bootstat.dat

          Object Type Expected  File                                     
                      Observed  File                                     
                                                                         
       Directory Flag Expected  0                                        
                      Observed  0                                        
                                                                         
       Read Only Flag Expected  0                                         
                      Observed  0                                        
                                                                         
          Hidden Flag Expected  0                                         
                      Observed  0                                        
                                                                         
          System Flag Expected  1                                        
                      Observed  1                                        
                                                                         
         Archive Flag Expected  1                                        
                      Observed  1                                         
                                                                         
         Offline Flag Expected  0                                        
                      Observed  0                                        
                                                                          
                 Size Expected  2048                                     
                      Observed  2048                                     
                                                                          
              SD Size Expected  148                                      
                      Observed  148                                      
                                                                          
                  SHA Expected  8895FF16D9470572B773836E7CEAA6224A54551F 
                      Observed  8895FF16D9470572B773836E7CEAA6224A54551F 
                                                                         
                  MD5 Expected  6A2CB42966136854F4464516FBB4AE72         
                      Observed  6A2CB42966136854F4464516FBB4AE72         
                                                                         
   Num of Alt Streams Expected  0                                         
                      Observed  0                                        
                                                                         
           Write Time Expected  Wednesday, May 14, 2003 10:35:00 AM      
*                     Observed  Monday, May 19, 2003 10:30:10 AM         
                                                                         
          Create Time Expected  Wednesday, May 14, 2003 10:33:40 AM      
                      Observed  Wednesday, May 14, 2003 10:33:40 AM      
                                                                         
           SD Control Expected  Value: 0x8404
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     + Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
           SD Control Observed  Value: 0x8404
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     + Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
                Owner Expected  BUILTIN\Administrators
                                (S-1-5-32-544)
                Owner Observed  BUILTIN\Administrators
                                (S-1-5-32-544)
                Group Expected  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                Group Observed  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                 DACL Expected  Revision 2, Size: 100, Number of ACEs: 4
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: Ia
                                Allow: BUILTIN\Power Users
                                   Mask:0x001301bf Flags: Ia
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: Ia
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: Ia
                 DACL Observed  Revision 2, Size: 100, Number of ACEs: 4
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: Ia
                                Allow: BUILTIN\Power Users
                                   Mask:0x001301bf Flags: Ia
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: Ia
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: Ia
                 SACL Expected  Null
                 SACL Observed  Null



-------------------------------------------------------------------------------
Rule Name: System32 Folder (General) (C:\WINDOWS\System32)
Severity Level: 35
-------------------------------------------------------------------------------

  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name: C:\WINDOWS\System32\wpa.dbl

          Object Type Expected  File                                     
                      Observed  File                                     
                                                                         
       Directory Flag Expected  0                                         
                      Observed  0                                        
                                                                         
       Read Only Flag Expected  0                                        
                      Observed  0                                        
                                                                         
          Hidden Flag Expected  0                                        
                      Observed  0                                         
                                                                         
          System Flag Expected  0                                        
                      Observed  0                                        
                                                                          
         Archive Flag Expected  1                                        
                      Observed  1                                        
                                                                          
      Compressed Flag Expected  0                                        
                      Observed  0                                        
                                                                          
         Offline Flag Expected  0                                        
                      Observed  0                                        
                                                                         
       Temporary Flag Expected  0                                        
                      Observed  0                                        
                                                                         
                 Size Expected  2184                                      
                      Observed  2184                                     
                                                                         
          MS-DOS Name Expected  wpa.dbl                                  
                      Observed  wpa.dbl                                  
                                                                         
              SD Size Expected  148                                      
                      Observed  148                                       
                                                                         
                  SHA Expected  EB581F35C0D56DE5E106EF8762D4E66824648969 
*                     Observed  4A9D62E0B5BF610826C59FA1F5BC3234AED10B83 
                                                                         
                HAVAL Expected  837DF784C0D507618692596378482091         
*                     Observed  1276343C49D2B1673017C26AE14FB0DB         
                                                                          
                  MD5 Expected  64B396FE92A6C131ADEFB9C39A4A9476         
*                     Observed  AF3389D30224FB76B68A8677739DCEB7         
                                                                          
   Num of Alt Streams Expected  0                                        
                      Observed  0                                        
                                                                         
           Write Time Expected  Wednesday, May 14, 2003 10:44:24 AM      
*                     Observed  Monday, May 19, 2003 10:30:21 AM         
                                                                         
          Create Time Expected  Thursday, August 23, 2001 8:00:00 AM     
                      Observed  Thursday, August 23, 2001 8:00:00 AM     
                                                                         
           SD Control Expected  Value: 0x9404
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  + Protected     - Defaulted     + Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
           SD Control Observed  Value: 0x9404
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  + Protected     - Defaulted     + Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
                Owner Expected  BUILTIN\Administrators
                                (S-1-5-32-544)
                Owner Observed  BUILTIN\Administrators
                                (S-1-5-32-544)
                Group Expected  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                Group Observed  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                 DACL Expected  Revision 2, Size: 100, Number of ACEs: 4
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: None
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                 DACL Observed  Revision 2, Size: 100, Number of ACEs: 4
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: None
                                Allow: BUILTIN\Power Users
                                   Mask:0x001200a9 Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                 SACL Expected  Null
                 SACL Observed  Null



-------------------------------------------------------------------------------
Rule Name: Network Configuration files (C:\WINDOWS\System32\config)
Severity Level: 100
-------------------------------------------------------------------------------

  ----------------------------------------
  Modified Objects: 3
  ----------------------------------------

Modified object name: C:\WINDOWS\System32\config\systemprofile\Cookies\index.dat

          Object Type Expected  File                                     
                      Observed  File                                     
                                                                          
       Directory Flag Expected  0                                        
                      Observed  0                                        
                                                                          
       Read Only Flag Expected  0                                        
                      Observed  0                                        
                                                                          
          Hidden Flag Expected  0                                        
                      Observed  0                                        
                                                                         
          System Flag Expected  0                                        
                      Observed  0                                        
                                                                         
         Archive Flag Expected  1                                         
                      Observed  1                                        
                                                                         
         Offline Flag Expected  0                                        
                      Observed  0                                        
                                                                         
                 Size Expected  16384                                    
                      Observed  16384                                     
                                                                         
              SD Size Expected  100                                      
                      Observed  100                                       
                                                                         
                  SHA Expected  15740B197555BA8E162C37A60BA655151E3BEBAE 
                      Observed  15740B197555BA8E162C37A60BA655151E3BEBAE 
                                                                          
                  MD5 Expected  D7A950FEFD60DBAA01DF2D85FEFB3862         
                      Observed  D7A950FEFD60DBAA01DF2D85FEFB3862         
                                                                          
   Num of Alt Streams Expected  0                                        
                      Observed  0                                        
                                                                         
           Write Time Expected  Wednesday, May 14, 2003 10:35:31 AM      
*                     Observed  Monday, May 19, 2003 10:32:07 AM         
                                                                         
          Create Time Expected  Wednesday, May 14, 2003 10:32:54 AM      
                      Observed  Wednesday, May 14, 2003 10:32:54 AM      
                                                                         
           SD Control Expected  Value: 0x8004
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
           SD Control Observed  Value: 0x8004
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
                Owner Expected  BUILTIN\Administrators
                                (S-1-5-32-544)
                Owner Observed  BUILTIN\Administrators
                                (S-1-5-32-544)
                Group Expected  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                Group Observed  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                 DACL Expected  Revision 2, Size: 52, Number of ACEs: 2
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                 DACL Observed  Revision 2, Size: 52, Number of ACEs: 2
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                 SACL Expected  Null
                 SACL Observed  Null


Modified object name: C:\WINDOWS\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat

          Object Type Expected  File                                     
                      Observed  File                                     
                                                                          
       Directory Flag Expected  0                                        
                      Observed  0                                        
                                                                         
       Read Only Flag Expected  0                                        
                      Observed  0                                        
                                                                         
          Hidden Flag Expected  0                                         
                      Observed  0                                        
                                                                         
          System Flag Expected  0                                        
                      Observed  0                                        
                                                                         
         Archive Flag Expected  1                                        
                      Observed  1                                         
                                                                         
         Offline Flag Expected  0                                        
                      Observed  0                                         
                                                                         
                 Size Expected  32768                                    
                      Observed  32768                                    
                                                                          
              SD Size Expected  100                                      
                      Observed  100                                      
                                                                          
                  SHA Expected  DAF36D444C25ED303635E00190AEE676D4303785 
                      Observed  DAF36D444C25ED303635E00190AEE676D4303785 
                                                                         
                  MD5 Expected  F7C2ECE57046EA17DD66D133FD3E9A90         
                      Observed  F7C2ECE57046EA17DD66D133FD3E9A90         
                                                                         
   Num of Alt Streams Expected  0                                         
                      Observed  0                                        
                                                                         
           Write Time Expected  Wednesday, May 14, 2003 10:35:31 AM       
*                     Observed  Monday, May 19, 2003 10:32:07 AM         
                                                                         
          Create Time Expected  Wednesday, May 14, 2003 10:32:54 AM      
                      Observed  Wednesday, May 14, 2003 10:32:54 AM      
                                                                         
           SD Control Expected  Value: 0x8004
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
           SD Control Observed  Value: 0x8004
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
                Owner Expected  BUILTIN\Administrators
                                (S-1-5-32-544)
                Owner Observed  BUILTIN\Administrators
                                (S-1-5-32-544)
                Group Expected  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                Group Observed  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                 DACL Expected  Revision 2, Size: 52, Number of ACEs: 2
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                 DACL Observed  Revision 2, Size: 52, Number of ACEs: 2
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                 SACL Expected  Null
                 SACL Observed  Null


Modified object name: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

          Object Type Expected  File                                     
                      Observed  File                                     
                                                                         
       Directory Flag Expected  0                                        
                      Observed  0                                        
                                                                         
       Read Only Flag Expected  0                                         
                      Observed  0                                        
                                                                         
          Hidden Flag Expected  0                                        
                      Observed  0                                        
                                                                         
          System Flag Expected  0                                        
                      Observed  0                                         
                                                                         
         Archive Flag Expected  1                                        
                      Observed  1                                         
                                                                         
         Offline Flag Expected  0                                        
                      Observed  0                                        
                                                                          
                 Size Expected  32768                                    
                      Observed  32768                                    
                                                                          
              SD Size Expected  100                                      
                      Observed  100                                      
                                                                         
                  SHA Expected  2597C58779213BDD46E28FE874184CE13989E9E4 
                      Observed  2597C58779213BDD46E28FE874184CE13989E9E4 
                                                                         
                  MD5 Expected  8F7DEF4557C883E255D3DA7754B278ED         
                      Observed  8F7DEF4557C883E255D3DA7754B278ED         
                                                                         
   Num of Alt Streams Expected  0                                        
                      Observed  0                                        
                                                                         
           Write Time Expected  Wednesday, May 14, 2003 10:35:31 AM      
*                     Observed  Monday, May 19, 2003 10:32:07 AM         
                                                                         
          Create Time Expected  Wednesday, May 14, 2003 10:32:54 AM      
                      Observed  Wednesday, May 14, 2003 10:32:54 AM      
                                                                         
           SD Control Expected  Value: 0x8004
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
           SD Control Observed  Value: 0x8004
                                ( - Owner Default - Group Default + Self Relative
                                DACL:               + Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited
                                SACL:               - Present       - Auto Inhrt Request
                                  - Protected     - Defaulted     - Auto Inherited    )
                Owner Expected  BUILTIN\Administrators
                                (S-1-5-32-544)
                Owner Observed  BUILTIN\Administrators
                                (S-1-5-32-544)
                Group Expected  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                Group Observed  NT AUTHORITY\SYSTEM
                                (S-1-5-18)
                 DACL Expected  Revision 2, Size: 52, Number of ACEs: 2
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                 DACL Observed  Revision 2, Size: 52, Number of ACEs: 2
                                Allow: NT AUTHORITY\SYSTEM
                                   Mask:0x001f01ff Flags: None
                                Allow: BUILTIN\Administrators
                                   Mask:0x001f01ff Flags: None
                 SACL Expected  Null
                 SACL Observed  Null



-------------------------------------------------------------------------------
Section: Windows NT Registry
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Critical System Registry Keys (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services)
Severity Level: 1000
-------------------------------------------------------------------------------

  ----------------------------------------
  Removed Objects: 1
  ----------------------------------------

Removed object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+0

   Object Type Expected  Value                                    
*              Observed  ---                                      
                                                                  
     Data Type Expected  REG_SZ                                    
*              Observed  ---                                      
                                                                  
   Data Length Expected  162                                      
*              Observed  ---                                       
                                                                  
           MD5 Expected  679C308D6EF52EBD634DBC1EB565A6BA         
*              Observed  ---                                      
                                                                   
           SHA Expected  5C56A43C8BB403176C05A45E2EA1A5DFD18FE238 
*              Observed  ---                                      
                                                                  


  ----------------------------------------
  Modified Objects: 6
  ----------------------------------------

Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmboot\+Start

   Object Type Expected  Value                                     
               Observed  Value                                    
                                                                  
     Data Type Expected  REG_DWORD                                
               Observed  REG_DWORD                                 
                                                                  
   Data Length Expected  4                                        
               Observed  4                                        
                                                                   
           MD5 Expected  F1D3FF8443297732862DF21DC4E57262         
*              Observed  1036E3DDDC89A4E68D8A33F3823A180E         
                                                                  
           SHA Expected  9069CA78E7450A285173431B3E52C5C25299E473 
*              Observed  D6459AB29C7B9A9FBF0C7C15FA35FAA30FBF8CC6 
                                                                  


Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\+Sources

   Object Type Expected  Value                                    
               Observed  Value                                    
                                                                  
     Data Type Expected  REG_MULTI_SZ                             
               Observed  REG_MULTI_SZ                             
                                                                  
   Data Length Expected  1286                                      
               Observed  1286                                     
                                                                  
           MD5 Expected  C7CA955C6A48537BF90E25AB1C48BCE3         
*              Observed  E9DEBDD3C0AD798F9CB8F84E954DBE41         
                                                                  
           SHA Expected  B488843F2241E80D8F4A51A18B7A317E6809AF76 
*              Observed  DCAD442E20D43C6A93E03F7508946A734F1BF494 
                                                                   


Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\+Sources

   Object Type Expected  Value                                    
               Observed  Value                                     
                                                                  
     Data Type Expected  REG_MULTI_SZ                             
               Observed  REG_MULTI_SZ                             
                                                                   
   Data Length Expected  3012                                     
               Observed  3012                                     
                                                                  
           MD5 Expected  C9258ED0926D44D75FB9218CD62DAF37         
*              Observed  88390F14376D6FDA5CDF80E8E1713FDF         
                                                                  
           SHA Expected  081A94486DFDC151D28A30405BD5E0F69BC33C26  
*              Observed  6A691BC1306202AD55E1E890EAEC4B4ED55EE907 
                                                                  


Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+Count

   Object Type Expected  Value                                    
               Observed  Value                                    
                                                                  
     Data Type Expected  REG_DWORD                                
               Observed  REG_DWORD                                
                                                                  
   Data Length Expected  4                                        
               Observed  4                                         
                                                                  
           MD5 Expected  4352D88A78AA39750BF70CD6F27BCAA5         
*              Observed  F1D3FF8443297732862DF21DC4E57262         
                                                                   
           SHA Expected  3C585604E87F855973731FEA83E21FAB9392D2FC 
*              Observed  9069CA78E7450A285173431B3E52C5C25299E473 
                                                                  


Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+NextInstance

   Object Type Expected  Value                                    
               Observed  Value                                    
                                                                   
     Data Type Expected  REG_DWORD                                
               Observed  REG_DWORD                                
                                                                  
   Data Length Expected  4                                        
               Observed  4                                        
                                                                  
           MD5 Expected  4352D88A78AA39750BF70CD6F27BCAA5         
*              Observed  F1D3FF8443297732862DF21DC4E57262         
                                                                  
           SHA Expected  3C585604E87F855973731FEA83E21FAB9392D2FC 
*              Observed  9069CA78E7450A285173431B3E52C5C25299E473 
                                                                  


Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\+SpecialPollTimeRemaining

   Object Type Expected  Value                                     
               Observed  Value                                    
                                                                  
     Data Type Expected  REG_MULTI_SZ                             
               Observed  REG_MULTI_SZ                             
                                                                  
   Data Length Expected  2                                        
*              Observed  72                                       
                                                                   
           MD5 Expected  C4103F122D27677C9DB144CAE1394A66         
*              Observed  0B69B6DA3F39A2AE34F59C2B6034A87D         
                                                                   
           SHA Expected  1489F923C4DCA729178B3E3233458550D8DDDF29 
*              Observed  8EA89D955B89CE92E8F515B72BEB5E3D23E74722 
                                                                  



-------------------------------------------------------------------------------
Rule Name: Critical security account keys (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA)
Severity Level: 1000
-------------------------------------------------------------------------------

  ----------------------------------------
  Modified Objects: 2
  ----------------------------------------

Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\+LsaPid

   Object Type Expected  Value                            
               Observed  Value                            
                                                          
     Data Type Expected  REG_DWORD                        
               Observed  REG_DWORD                        
                                                           
   Data Length Expected  4                                
               Observed  4                                
                                                          
           MD5 Expected  0935BE897827BA1AFDE368A5FEF7BEE2 
*              Observed  1021FAA46D25B5EDA7CFC3FA2CF3A761 
                                                          


Modified object name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SspiCache\+Time

   Object Type Expected  Value                             
               Observed  Value                            
                                                          
     Data Type Expected  REG_BINARY                       
               Observed  REG_BINARY                        
                                                          
   Data Length Expected  8                                
               Observed  8                                
                                                          
           MD5 Expected  AFA2925C1F3DB76220B83F58FA9859B1 
*              Observed  DB6BE0E5E688BA36EA1B846693930034 
                                                          



-------------------------------------------------------------------------------
Rule Name: Hardware keys (HKEY_LOCAL_MACHINE\hardware)
Severity Level: 35
-------------------------------------------------------------------------------

  ----------------------------------------
  Added Objects: 18
  ----------------------------------------

Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Translated

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                            


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Translated

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                            


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Translated

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Translated

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Translated

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Translated

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Translated

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Translated

   Object Type Expected  ---                
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Raw

   Object Type Expected  ---               
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


Added object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Translated

   Object Type Expected  ---                
*              Observed  Value             
                                           
     Data Type Expected  ---               
*              Observed  REG_RESOURCE_LIST 
                                           


  ----------------------------------------
  Removed Objects: 18
  ----------------------------------------

Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST  
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Raw

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           


Removed object name: HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Translated

   Object Type Expected  Value             
*              Observed  ---               
                                           
     Data Type Expected  REG_RESOURCE_LIST 
*              Observed  ---               
                                           



-------------------------------------------------------------------------------
Rule Name: Critical System Registry Keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList)
Severity Level: 1000
-------------------------------------------------------------------------------

  ----------------------------------------
  Added Objects: 2
  ----------------------------------------

Added object name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+OptimizedLogonStatus

   Object Type Expected  ---       
*              Observed  Value     
                                    
     Data Type Expected  ---       
*              Observed  REG_DWORD 
                                   
   Data Length Expected  ---       
*              Observed  4         
                                   


Added object name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+NextLogonCacheable

   Object Type Expected  ---       
*              Observed  Value     
                                   
     Data Type Expected  ---       
*              Observed  REG_DWORD 
                                   
   Data Length Expected  ---       
*              Observed  4         
                                   



===============================================================================
Error Report:
===============================================================================

No Errors

===============================================================================
*** End of report ***

Report generated by Tripwire Manager 4.0.0
Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.