```
├── .gitignore
├── README.md
└── sysmonconfig-export.xml
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```
sysmonconfig-export.xml.bak
sysmonconfignxg.txt
sysmon.exe
*.exe
*.cfg
*.zip
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# sysmon-config | A Sysmon configuration file for everybody to fork #

This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.

The file should function as a great starting point for system change monitoring in a self-contained and accessible package. The configuration and its results should give you a good idea of what's possible with Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.

      **[sysmonconfig-export.xml](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**

Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems.

- For a far more exhaustive and detailed approach to Sysmon configuration, see also **[sysmon-modular](https://github.com/olafhartong/sysmon-modular)** by [@olafhartong](https://twitter.com/olafhartong), which takes a different approach and can act as a superset of sysmon-config.

- Sysmon is a complement to native Windows logging abilities, not a replacement for them. For valuable advice on these configurations, see **[MalwareArchaeology Logging Cheat Sheets](https://www.malwarearchaeology.com/cheat-sheets)** by [@HackerHurricane](https://twitter.com/hackerhurricane).

Note: The exact syntax and filtering choices in the configuration are highly deliberate, both in what they target and in keeping the performance impact as small as possible. Sysmon's filtering abilities are different from the built-in Windows auditing features, so the approach taken is often different from the usual static listing of paths.

      **[See other forks of this configuration](https://github.com/SwiftOnSecurity/sysmon-config/network)**

## Use ##
### Install ###
Run with administrator rights
~~~~
sysmon.exe -accepteula -i sysmonconfig-export.xml
~~~~

### Update existing configuration ###
Run with administrator rights
~~~~
sysmon.exe -c sysmonconfig-export.xml
~~~~

### Uninstall ###
Run with administrator rights
~~~~
sysmon.exe -u
~~~~

## Required actions ##

### Prerequisites ###
I highly recommend using [Notepad++](https://notepad-plus-plus.org/) to edit this configuration. It understands the UNIX newline format and does XML syntax highlighting, which makes the file much easier to read. I do not recommend using the built-in Notepad.exe.

### Customization ###
You will need to install the configuration and observe its results in your own environment before deploying it widely. For example, you will need to exclude the actions of your antivirus, which will otherwise likely fill up your logs with useless information.

The configuration is highly commented and designed to be self-explanatory, to assist you in customizing it for your environment.

### Design notes ###
This configuration expects software to be installed system-wide and NOT in the C:\Users folder. Various pieces of software install themselves in user directories, which are subject to extra monitoring. Where possible, you should install the system-wide version of such software, like Chrome.

See the configuration file for more instructions.

--------------------------------------------------------------------------------
/sysmonconfig-export.xml:
--------------------------------------------------------------------------------
Only the text content of the configuration survived extraction: the XML markup (the Sysmon schema header, the rule-group and event-type elements with their onmatch and condition attributes, and the author's per-line comments) is gone, so the individual filter rules cannot be reconstructed here. The one setting still readable is the hash algorithms value, `md5,sha256,IMPHASH`; the rest of the file's text consists of filter entries (process image paths and command lines, file extensions and directories, registry keys, named pipe names, ports and DNS domains) whose event type and include/exclude direction are no longer recoverable.
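The Customization step above tells you to observe the configuration's results in your own environment and exclude noisy benign activity such as your antivirus before deploying widely. The PowerShell below is an added example, not code from the sysmon-config repository: it ranks the noisiest field combinations per Sysmon event ID from the operational log and prints candidate exclude entries in Sysmon's rule syntax for manual review. It assumes Sysmon is installed with its default log name, and the antivirus path at the end is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example for tuning sysmonconfig-export.xml; not part of the repository.
# Assumes Sysmon is installed and writing to its default operational log.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Event IDs this script summarises, with the EventData fields to group on.
$KeyFields = @{
    1  = @('Image', 'ParentImage')        # ProcessCreate
    3  = @('Image', 'DestinationPort')    # NetworkConnect
    7  = @('Image', 'ImageLoaded')        # ImageLoad
    10 = @('SourceImage', 'TargetImage')  # ProcessAccess
    11 = @('Image', 'TargetFilename')     # FileCreate
    13 = @('Image', 'TargetObject')       # RegistryEvent (value set)
}

function Get-SysmonEventData {
    # Flatten one Sysmon event's <EventData> into a hashtable of Name -> value.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

function Get-SysmonNoise {
    # Rank the most frequent field combinations for one event ID over a time window.
    param(
        [Parameter(Mandatory)][int]$EventId,
        [int]$Hours = 24,
        [int]$Top = 15,
        [int]$MaxEvents = 50000
    )
    if (-not $KeyFields.ContainsKey($EventId)) {
        throw "No grouping fields defined for Sysmon event ID $EventId"
    }
    $fields = $KeyFields[$EventId]
    $filter = @{
        LogName   = $SysmonLog
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error when the window holds no events.
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { return @() }

    $events |
        ForEach-Object {
            $d = Get-SysmonEventData -Event $_
            # Grouping key such as "C:\...\chrome.exe | C:\...\explorer.exe".
            ($fields | ForEach-Object { $d[$_] }) -join ' | '
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property @{ Name = 'Count'; Expression = { $_.Count } },
                                            @{ Name = 'Share'; Expression = { [math]::Round(100 * $_.Count / $events.Count, 1) } },
                                            @{ Name = 'Key';   Expression = { $_.Name } }
}

function New-SysmonExcludeFragment {
    # Print <Image condition="is"> entries for images you have confirmed as benign.
    # They belong inside the matching onmatch="exclude" section of that event type
    # in the config (Sysmon rule syntax); review the ranking output before adding any.
    param([Parameter(Mandatory)][string[]]$ImagePath)
    foreach ($p in $ImagePath) {
        $escaped = [System.Security.SecurityElement]::Escape($p)
        "`t<Image condition=`"is`">$escaped</Image>"
    }
}

# Show the 15 noisiest parent/child process pairs from the last 24 hours.
Get-SysmonNoise -EventId 1 -Hours 24 -Top 15 | Format-Table -AutoSize

# Do the same for outbound connections, keyed on image and destination port.
Get-SysmonNoise -EventId 3 -Hours 24 -Top 15 | Format-Table -AutoSize

# Placeholder path: replace with the antivirus binary identified in the output above.
New-SysmonExcludeFragment -ImagePath 'C:\Program Files\ExampleAV\scanner.exe'
```

Run it again after each `sysmon.exe -c sysmonconfig-export.xml` update until the top entries are things you actually want to see.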