Adware downloaders – How do they work? – Technical Information


Many, and I mean MANY computers get infected with adware every day. It’s becoming more and more popular for legitimate and suspicious free-download websites to monetize their free downloads with adware. Monetizing the downloads are a valuable method of making money online, there are lots of services that offer services for the website owners to pack their free downloads with download managers.

The distributors of these download managers, known as “affiliates” get paid for every adware and potentially unwanted program installation thru the download manager. This where the problem persists, as with everything that is related to money there are also affiliates that try to create fake installs using their own download managers.

download managerAs you can imagine, the services that offer the service for every pay-per-install adware installation do not like these fake installs, this costs them money by affiliates creating fake installations. So, they brought up a magnificent idea to protect (secure) their download manager from virtualized environments.

Protection against Virtual Machines is for both, the pay-per-install service and the pay-per-install affiliate a win. The pay-per-install service reduces the fake install count and saves money, and the affiliate is “not” at risk that their adware is installed on malware analyzing environments.

The anti-virtual machine/debugging protection against unwanted installations is implemented by many services that offer the use of custom installers to bundle any software they want you to install.

How do adware downloaders work?

File details

In order to investigate how an adware dropper works, we need a sample. We used the following sample (MD5) 582de1a89b4bb98b0173b2aee0f291a5. The sample is from the “StartSurf” family, this is how Malheur(1) identified the sample.

malheur startsurf detection

  1. What is Malheur? Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Antivirus engines detected the sample at a ratio of 100%, according to virustotal.

Antivirus scan with virustotal

MicroWorld-eScan: Trojan.Agent.CNBM
CAT-QuickHeal: PUA.Startsurf.S1461571
ALYac: Trojan.Agent.CNBM
VIPRE: Adware.Win32.StartSurf
K7GW: Trojan ( 00517cf81 )
K7AntiVirus: Trojan ( 00517cf81 )
Arcabit: Trojan.Agent.CNBM
Invincea: heuristic
F-Prot: W32/StartSurf.AJ.gen!Eldorado
Symantec: PUA.Gen.2
TrendMicro-HouseCall: TROJ_GEN.R002C0PIO17
Avast: Win32:Adware-gen [Adw]
Kaspersky: not-a-virus:AdWare.Win32.StartSurf.afsc
BitDefender: Trojan.Agent.CNBM
NANO-Antivirus: Riskware.Win32.StartSurf.eswrky
Paloalto: generic.ml
Tencent: Win32.Adware.Startsurf.Suob
Ad-Aware: Trojan.Agent.CNBM
Emsisoft: Trojan.Agent.CNBM (B)
Comodo: Application.Win32.IStartSurf.EH
F-Secure: Trojan.Agent.CNBM
DrWeb: Trojan.Vittalia.13155
TrendMicro: TROJ_GEN.R002C0PIO17
McAfee-GW-Edition: BehavesLike.Win32.MysticCompressor.jh
Sophos: Mal/Generic-S
SentinelOne: static engine – malicious
Cyren: W32/Trojan.VCBK-0694
Jiangmin: AdWare.StartSurf.ad
Webroot: W32.Adware.Gen
Avira: TR/Kryptik.ezxkz
Antiy-AVL: GrayWare[AdWare]/Win32.StartSurf
Microsoft: SoftwareBundler:Win32/Prepscram
Endgame: malicious (high confidence)
ViRobot: Trojan.Win32.Z.Startsurf.622592.AI
ZoneAlarm: not-a-virus:AdWare.Win32.StartSurf.afsc
GData: Trojan.Agent.CNBM
AhnLab-V3: PUP/Win32.StartSurf.R209457
McAfee: Packed-RD!582DE1A89B4B
AVware: Adware.Win32.StartSurf
MAX: malware (ai score=99)
VBA32: AdWare.StartSurf
Cylance: Unsafe
ESET-NOD32: a variant of Win32/Kryptik.FWSC
Rising: Malware.Heuristic!ET#99% (RDM+:cmRtazpU5touUcj9as/pyt7f0ITX)
Yandex: Trojan.Kryptik!bBX6cEIYkMU
Ikarus: Virus.Win32.Sality
eGambit: malicious_confidence_99%
Fortinet: Adware/StartSurf
AVG: Win32:Adware-gen [Adw]
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_100% (D)

Dropped files

The first thing we noticed when we ran the sample is that the sample dropped 1 file onto the sandbox.

Filename: normal_bg4[1].png
Location: C:\Users\Desktop\AppData\Local\Microsoft\Windows\INetCache\IE\HTURY22W\normal_bg4[1].png
File Type: PNG image data, 581 x 441, 8-bit colormap, non-interlaced

This is a PNG image the installer used as a background to look good. It’s used as a background for some styling. Nothing special, move on.

PE Data

Let’s look at some PE data extracted from the sample.

Image base: 0x00400000
Entry point: 0x00421715
Reported checksum: 0x0006313e
Actual checksum: 0x000a0210
Minimum OS version: 5.1 (means Windows XP)
Time the sample been compiled on the developer’s machine (not ours): 2017-09-19 07:31:41
Import hash: e2e45031593dd6438129b9f4a28eba8e

Detected signatures

Attempts to connect to a dead ip and port

IP: 52.218.160.92:443 (United States, Amazon AWS)
IP: 54.88.21.193:80 (United States, Amazon AWS)
IP: 54.192.185.31:80 (United States, Amazon AWS)

Creates RWX memory

This is done for process injection.

Malware related traffic

This is the most interesting part for us. Take a look at what download managers collect from your computer, and how they use HTTP POST requests to identify a computer and it’s installer.

Every HTTP request (GET / POST) is done with the same user-agent. This will identify the download manager to the server where the request is sent to. Other User-Agents are not allowed.
User-Agent: InstallCapital is allowed.

malware related traffic

post_no_referer: HTTP traffic contains a POST request with no referer header

suspicious_request: http://empty.townbeef.bid/http://empty.townbeef.bid/installer.php?affId=1462&instId=803&ho_trackingid=102b59512e4196b1d4148c0eafd619&trackingId=274445168&cc=XX&untracked=&uac=1&osd=&cid=e92db1782a7e6915fb32184bdedd338a&v=3

suspicious_request: http://gold.apparelflesh.bid/http://gold.apparelflesh.bid/installer.php?affId=1462&instId=803&ho_trackingid=102b59512e4196b1d4148c0eafd619&trackingId=274445168&cc=XX&untracked=&uac=1&osd=&cid=e92db1782a7e6915fb32184bdedd338a&v=3

suspicious_request: http://gold.apparelflesh.bid/report.php?typ=conversion&transId=274445168&affId=1462&instId=803&ho_transId=102b59512e4196b1d4148c0eafd619&s1=577a44716bfd1&s2=215&s3=&s4=&s5=1146441204&cid=e92db1782a7e6915fb32184bdedd338a&uac=true&randid=0.7843831083887609

suspicious_request: http://gold.apparelflesh.bid/report.php?typ=sys&affId=1462&instId=803&ho_transId=102b59512e4196b1d4148c0eafd619&transId=274445168&chk_s_b=&chk_s_v=CHANGED&chk_c_ma=XXX&chk_c_mo=XXX&chk_mac=CHANGED00000000&randid=0.042124604682700184

suspicious_request: http://d2adi7hu49xk5t.cloudfront.net/normal_bg4.png

Let’s take a look at which domains are contacted with their IP and WHOIS information.

Domains: empty.townbeef.bid, gold.apparelflesh.bid and d2adi7hu49xk5t.cloudfront.net. Below you can see the hidden whois information for both townbeef.bid and apparelflesh.bid. It’s legitimate to hide your Privacy information from WHOIS.

Domain Name: townbeef.bid
Registry Domain ID: D982058B917204E3A80A0A0CA5552D853-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2017-10-01T16:24:03Z
Creation Date: 2017-09-26T16:24:03Z
Registry Expiry Date: 2018-09-26T16:24:03Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C97B1096C55E14DBFBE0C34B364E4639A-NSR
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant Street:
Registrant Street:
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID: C493A113F507744BE83565858D7007450-NSR
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin Street:
Admin Street:
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code:
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email:
Registry Tech ID: CAA35DD667C0F46FF8798EE4DC8AB8075-NSR
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech Street:
Tech Street:
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code:
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email:
Name Server: dns2.registrar-servers.com
Name Server: dns1.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

Domain Name: apparelflesh.bid
Registry Domain ID: DCFBA8571172A45289EBC1EB61B664CA8-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2017-10-29T09:39:06Z
Creation Date: 2017-10-29T09:39:04Z
Registry Expiry Date: 2018-10-29T09:39:04Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C6B6274482AE341A6BCDA443487F2C7A6-NSR
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant Street:
Registrant Street:
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email:
Registry Admin ID: C71D82312E2624216B59B723FC2660CBF-NSR
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin Street:
Admin Street:
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code:
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email:
Registry Tech ID: C861CBF028B2D45F9B556130BBFA2901A-NSR
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech Street:
Tech Street:
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code:
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: [email protected]
Name Server: dns2.registrar-servers.com
Name Server: dns1.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

Now we are going to split the arguments from the URL to the contacted hosts POST Requests in order to see what the download manager sends back to the service.

URL: http://gold.apparelflesh.bid/http://gold.apparelflesh.bid/installer.php?affId=1462&instId=803&ho_trackingid=102b59512e4196b1d4148c0eafd619&trackingId=284455168&cc=CHANGED&untracked=&uac=1&osd=&cid=e92db1782a7e7915fb32184bdedd338a&v=3

The blue color is the argument passed to the service (the information that is sent) and the red color is the data the download manager collected from our computer and IP-address. The red data is also sent back to the service.

installer.php is the file used to process the POST request, it will store the passed arguments in a database.
affId is the affiliate id, the id (ref. number) of the person that receives money for every adware install.
instId is the id of the number of installations.
ho_trackingid we’re not sure about this one, can’t be good.
trackingId some general tracking, we’re not sure about this one either.
cc is the country, based on IP.
untracked we’re not sure, if you know, leave a comment.
uac is user account control disabled.
osd we’re not sure, if you know, leave a comment.
cid we’re not sure, if you know, leave a comment.
v is version.

That a download manager includes this information in a POST (send back to server request) to the defined malware URL is an indication that your information is not safe and can be used for other purposes.

The apparelflesh.bid domain reports more information about the “infected” computer to their server. Take a look at this URL (POST Send back request).

http://gold.apparelflesh.bid/report.php?typ=sys&affId=1462&instId=803&ho_transId=102b59512e4196b1d4148c0eafd619&transId=274445168&chk_s_b=&chk_s_v=CHANGED&chk_c_ma=CHANGED&chk_c_mo=CHANGED&chk_mac=CHANGED&randid=0.042124604682700184

report.php is used to collect the passed arguments in the URL to a database.
typ is unknown to us, could be used to identify some specific system (ie, PC, Server, Workstation versions).
affId is the number of the affiliate ID receiving a commission for every adware install.
instId is the number of installations.
ho_transid we’re not sure about this one, can’t be good. Do you know what it means, let us know in the comments.
transId we don’t know, if you know leave a comment with the answer.
chk_s_b is the BIOS name.
chk_s_v is the BIOS Version
chk_s_ma is the BIOS Manufacture
chk_c_mo is the BIOS Description
chk_mac is the MAC Address of the installed adapters.
rand_id is a random id, generated to send multiple requests to the server.

As you can see there is a lot of sensitive data sent from our machine to the server. This data is not used to personalize advertisements or to infect the computer even more. All these checks are used to prevent fake installs by their affiliates, or analysis and debugging in virtualized environments by malware analysts.

Stealthy techniques the Download Manager tries to detect a debugger or Virtual Machine.

So, this download manager tries many different techniques to prevent unwanted installations. The techniques as described above are sent back over the internet. However, how does this download manager detect a virtualized environment locally?

The sample we used, described as “download manager” doesn’t like Virtual Machines, and it doesn’t like malware analyzing tools either. As soon as the sample is executed it tries to unhook some features from a specific Sandbox. This .. should .. *grin* prevent the sandbox from monitoring and report the (malicious) behavior of the download manager to the malware analyst.

Function Unhook’s

The function’s the download manager tries to unhook are, HTTPSFinalProv, type: removal and HTTPSCertificateTrust, type: removal. This is another indication of the malicious malware like techniques used by adware bundled download managers.

It gets worse, or as we say more interesting ;-). The download manager does not only unhook windows functions, it also looks for antivirus installations in the Windows Registry by querying some registry-keys for its existence. If so, the download manager stops and terminates immediately.

key: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Avira (Avira Antivirus)
key: HKEY_LOCAL_MACHINE\Software\Avira (Avira Antivirus)
key: HKEY_LOCAL_MACHINE\SOFTWARE\Avira (Avira Antivirus)
key: HKEY_CURRENT_USER\Software\Avira (Avira Antivirus)
key: HKEY_CURRENT_USER\SOFTWARE\Eset (ESET NOD32 Antivirus)
key: HKEY_LOCAL_MACHINE\SOFTWARE\Eset (ESET NOD32 Antivirus)
key: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos (Sophos Antivirus)

It’s a small list, there are more antivirus vendors but somehow the StartSurf download manager only checks for these specific registry-keys.

Read files

The download manager reads the following files or at least touches them for many reasons.

C:\Windows\System32\dwmapi.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\twinapi.appcore.dll
C:\Windows\System32\rmclient.dll
C:\Windows\System32\en-US\ieframe.dll.mui
C:\Windows\WindowsShell.manifest
C:\Windows\System32\srpapi.dll
C:\Windows\System32\en-US\urlmon.dll.mui
C:\Users\Desktop\AppData\Local\Temp\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
C:\Windows\System32\resourcepolicyclient.dll
C:\Windows\System32\en-US\mshtml.dll.mui
C:\
C:\Users\
C:\Users\Desktop\
C:\Users\Desktop\AppData\
C:\Users\Desktop\AppData\Local\
C:\Windows\win.ini
C:\Windows\System32\en-US\DDRAW.dll.mui
C:\Windows\System32\ddraw.dll
C:\Users\Desktop\AppData\Local\Temp\\xc2\xa0\x01
C:\Windows\System32\sxs.dll
C:\Windows\SysWOW64\dxtmsft.dll
C:\Windows\SysWOW64\stdole2.tlb
C:\Windows\SysWOW64\dxtrans.dll
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\System32\winnsi.dll
\Device\RasAcd
C:\Windows\System32\en-US\mswsock.dll.mui
C:\Windows\System32\wshqos.dll
C:\Windows\System32\en-US\wshqos.dll.mui
C:\Users\Desktop\AppData\Local\Temp\31735062\dlreport
C:\Windows\System32\en-US\CRYPT32.dll.mui
C:\Windows\System32\TextInputFramework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\System32\en-US\WINMM.dll.mui

Changed files

The following files are changed by the Download Manager.

C:\Users\Desktop\AppData\Local\Temp\31735062\dlreport (IMPORTANT: this file contains a log from the download manager, http logs)
C:\Users\Desktop\AppData\Local\Microsoft\Windows\INetCache\IE\HTURY22W\normal_bg4[1].png

Read Registry Keys

the download manager reads the following registry keys (see below). By reading the registry keys the downloads is able to detect a Virtual Machine or a Sandboxed Microsoft Windows environment. The download manager also reads Windows Security registry keys, Such as User Account Control, Firewall etc and .NET Framework for example.

If the download manager detects a value it is programmed with to identify, the download manager shuts down and displays a “your downloads are ready” message, indicating it did not perform its initial action, dropping adware.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\CDF\v4.0\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\CDF\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\1033\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\1033\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4.0\Client\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4.0\version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\version
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000160-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Extensions\DragDropExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\NavigationDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\DocObjectView\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about\CLSID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\No3DBorder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\No3DBorder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IsTextPlainHonored
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2703
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2703
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2106
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2106
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom\ZoomDisabled
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\MinimumSystemTimerResolution
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\MinimumSystemTimerResolution
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\RenderingLoopMaxTime
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\RtfConverterFlags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use_DlgBox_Colors
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Anchor Underline
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CSS_Compat
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Expand Alt Text
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Display Inline Images
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Display Inline Videos
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Display Inline Videos
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Play_Animations
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup\Print_Background
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SmoothScroll
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\XMLHTTP
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Show image placeholders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show image placeholders
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Disable Diagnostics Mode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Disable Diagnostics Mode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Move System Caret
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Enable AutoImageResize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable AutoImageResize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\UseHR
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Q300829
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Cleanup HTCs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\XDomainRequest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\XDomainRequest
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\DOMStorage
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\DOMStorage
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\JScriptProfileCacheEventDelay
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Default_CodePage
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\Default_IEFontSizePrivate
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Anchor Color
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Anchor Color Hover
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Always Use My Colors
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Always Use My Font Size
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Always Use My Font Face
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Disable Visited Hyperlinks
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Use Anchor Hover Color
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\MiscFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Allow Programmatic Cut_Copy_Paste
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Theme\FontScale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFontSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFontSizePrivate
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IESerifFontName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IESansSerifFontName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEUIFontName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector\IE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector\VML
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2700
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2700
HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\text/xml\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/xml\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ProtectedModeOffForAllZones
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\MinLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\RecommendedLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\Drivers\Size
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\Drivers\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\DX6TextureEnumInclusionList\Size
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\DX6TextureEnumInclusionList\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5CAllowLpacAppExperience%5CInterface\SecurityDescriptor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\GipActivityBypass
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2000
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2000
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default Behaviors\DXTFilterBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Bug!\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Bug!\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Bug!\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\DemolitionDerby2\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\DemolitionDerby2\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\DemolitionDerby2\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Diablo\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Diablo\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Diablo\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\MortalKombat3\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\MortalKombat3\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\MortalKombat3\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\MsGolf98\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\MsGolf98\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\MsGolf98\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\NHLPowerPlay\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\NHLPowerPlay\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\NHLPowerPlay\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\NortonSystemInfo\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\NortonSystemInfo\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\NortonSystemInfo\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Rogue Squadron\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Rogue Squadron\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Rogue Squadron\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Savage\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Savage\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Savage\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ScorchedPlanet\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ScorchedPlanet\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ScorchedPlanet\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\SilentThunder\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\SilentThunder\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\SilentThunder\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraft100\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraft100\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraft100\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraft115\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraft115\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraft115\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraftDemo\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraftDemo\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\StarCraftDemo\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Terracide\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Terracide\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\Terracide\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ThirdDimension\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ThirdDimension\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ThirdDimension\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\Compatibility\ZiffDavisWinMarkBenchmark\ID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\ModeXOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\EmulationOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\ShowFrameRate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\EnablePrintScreen
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\ForceAGPSupport
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\DisableAGPSupport
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\DisableMMX
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\DisableDDSCAPSInDDSD
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\DisableWiderSurfaces
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\UseNonLocalVidMem
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\ForceRefreshRate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\FlipNoVsync
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\OWNDC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5E77EB03-937C-11D1-B047-00AA003B6061}\1.1\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{54314D1D-35FE-11D1-81A1-0000F87557DB}\1.1\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\2370ae8e13ced7d522837eb373bac13095ddbe64606f8f1f8228445147850df7.bin
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DialupAutodetect
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SQMServiceList\SQMServiceList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\Parameters\ProxyDllFile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AutoProxyAutoLogonIfChallenged
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttpLowerCaseHost
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableUTF8
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecurityIdIUriCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecurityIdIUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecurityIdIUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SecurityIdIUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC\EduSharedPCMode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityCRL\LoginUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\Providers\{B16898C6-A148-4967-9171-64D755DA8520}\LoadParameters\LoginUri
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Permissions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableSerialChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertSyncDeltaTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\AutoFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableAutoFlushProcessNameList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\AutoFlushFirstDeltaSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\AutoFlushNextDeltaSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A9D53002E97E00E043244F3D170D6F4C414104FD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A9D53002E97E00E043244F3D170D6F4C414104FD
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\A9D53002E97E00E043244F3D170D6F4C414104FD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\A9D53002E97E00E043244F3D170D6F4C414104FD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A9D53002E97E00E043244F3D170D6F4C414104FD
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\A9D53002E97E00E043244F3D170D6F4C414104FD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\A9D53002E97E00E043244F3D170D6F4C414104FD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\PinRulesLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\PinRules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\PinRulesLastSyncTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\PinRulesEncodedCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\javascript\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07034fd-6caa-4954-ac3f-97a27216f98a}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD17328B-E4EF-4215-A92D-62A914658F82}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\StorageDelegateSuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\StorageDelegate

Modified registry keys

The following keys were modified by the Download Manager. The Download Manager tries to change some Security settings within Internet Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\8\52C64B7E\LanguageList

Adware Download Manager prevention

By showing and explaining some basic information about this specific Download Manager, we hope our visitors understand the danger of download managers. In order to prevent (detect) these download managers on your computer, install an anti-malware solution such as Malwarebytes, HitmanPRO or Emsisoft.

Help other people! Share this information using social media.

Popular Posts

 

Join us on Youtube for weekly new informative videos.


2 Shares
+1
Tweet1
Share
Share1
Pin
Reddit