├── .gitignore ├── LICENSE ├── README.md ├── script_python ├── WellKnownWnfNames.py ├── WnfClientServer.py ├── WnfDump.py ├── WnfNameDumper.py └── wnfcom.py ├── wnftools_x64 ├── wnfclient-nt.exe ├── wnfclient-rtl.exe ├── wnfdump.exe └── wnfserver.exe └── wnftools_x86 ├── wnfclient-nt.exe ├── wnfclient-rtl.exe ├── wnfdump.exe └── wnfserver.exe /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015/2017 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # Visual Studio 2017 auto generated files 33 | Generated\ Files/ 34 | 35 | # MSTest test Results 36 | [Tt]est[Rr]esult*/ 37 | [Bb]uild[Ll]og.* 38 | 39 | # NUNIT 40 | *.VisualState.xml 41 | TestResult.xml 42 | 43 | # Build Results of an ATL Project 44 | [Dd]ebugPS/ 45 | [Rr]eleasePS/ 46 | dlldata.c 47 | 48 | # Benchmark Results 49 | BenchmarkDotNet.Artifacts/ 50 | 51 | # .NET Core 52 | project.lock.json 53 | project.fragment.lock.json 54 | artifacts/ 55 | 56 | # StyleCop 57 | StyleCopReport.xml 58 | 59 | # Files built by Visual Studio 60 | *_i.c 61 | *_p.c 62 | *_h.h 63 | *.ilk 64 | *.meta 65 | *.obj 66 | *.iobj 67 | *.pch 68 | *.pdb 69 | *.ipdb 70 | *.pgc 71 | *.pgd 72 | *.rsp 73 | *.sbr 74 | *.tlb 75 | *.tli 76 | *.tlh 77 | *.tmp 78 | *.tmp_proj 79 | *.log 80 | *.vspscc 81 | *.vssscc 82 | .builds 83 | *.pidb 84 | *.svclog 85 | *.scc 86 | 87 | # Chutzpah Test files 88 | _Chutzpah* 89 | 90 | # Visual C++ cache files 91 | ipch/ 92 | *.aps 93 | *.ncb 94 | *.opendb 95 | *.opensdf 96 | *.sdf 97 | *.cachefile 98 | *.VC.db 99 | *.VC.VC.opendb 100 | 101 | # Visual Studio profiler 102 | *.psess 103 | *.vsp 104 | *.vspx 105 | *.sap 106 | 107 | # Visual Studio Trace Files 108 | *.e2e 109 | 110 | # TFS 2012 Local Workspace 111 | $tf/ 112 | 113 | # Guidance Automation Toolkit 114 | *.gpState 115 | 116 | # ReSharper is a .NET coding add-in 117 | _ReSharper*/ 118 | *.[Rr]e[Ss]harper 119 | *.DotSettings.user 120 | 121 | # JustCode is a .NET coding add-in 122 | .JustCode 123 | 124 | # TeamCity is a build add-in 125 | _TeamCity* 126 | 127 | # DotCover is a Code Coverage Tool 128 | *.dotCover 129 | 130 | # AxoCover is a Code Coverage Tool 131 | .axoCover/* 132 | !.axoCover/settings.json 133 | 134 | # Visual Studio code coverage results 135 | *.coverage 136 | *.coveragexml 137 | 138 | # NCrunch 139 | _NCrunch_* 140 | .*crunch*.local.xml 141 | nCrunchTemp_* 142 | 143 | # MightyMoose 144 | *.mm.* 145 | AutoTest.Net/ 146 | 147 | # Web workbench (sass) 148 | .sass-cache/ 149 | 150 | # Installshield output folder 151 | [Ee]xpress/ 152 | 153 | # DocProject is a documentation generator add-in 154 | DocProject/buildhelp/ 155 | DocProject/Help/*.HxT 156 | DocProject/Help/*.HxC 157 | DocProject/Help/*.hhc 158 | DocProject/Help/*.hhk 159 | DocProject/Help/*.hhp 160 | DocProject/Help/Html2 161 | DocProject/Help/html 162 | 163 | # Click-Once directory 164 | publish/ 165 | 166 | # Publish Web Output 167 | *.[Pp]ublish.xml 168 | *.azurePubxml 169 | # Note: Comment the next line if you want to checkin your web deploy settings, 170 | # but database connection strings (with potential passwords) will be unencrypted 171 | *.pubxml 172 | *.publishproj 173 | 174 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 175 | # checkin your Azure Web App publish settings, but sensitive information contained 176 | # in these scripts will be unencrypted 177 | PublishScripts/ 178 | 179 | # NuGet Packages 180 | *.nupkg 181 | # The packages folder can be ignored because of Package Restore 182 | **/[Pp]ackages/* 183 | # except build/, which is used as an MSBuild target. 184 | !**/[Pp]ackages/build/ 185 | # Uncomment if necessary however generally it will be regenerated when needed 186 | #!**/[Pp]ackages/repositories.config 187 | # NuGet v3's project.json files produces more ignorable files 188 | *.nuget.props 189 | *.nuget.targets 190 | 191 | # Microsoft Azure Build Output 192 | csx/ 193 | *.build.csdef 194 | 195 | # Microsoft Azure Emulator 196 | ecf/ 197 | rcf/ 198 | 199 | # Windows Store app package directories and files 200 | AppPackages/ 201 | BundleArtifacts/ 202 | Package.StoreAssociation.xml 203 | _pkginfo.txt 204 | *.appx 205 | 206 | # Visual Studio cache files 207 | # files ending in .cache can be ignored 208 | *.[Cc]ache 209 | # but keep track of directories ending in .cache 210 | !*.[Cc]ache/ 211 | 212 | # Others 213 | ClientBin/ 214 | ~$* 215 | *~ 216 | *.dbmdl 217 | *.dbproj.schemaview 218 | *.jfm 219 | *.pfx 220 | *.publishsettings 221 | orleans.codegen.cs 222 | 223 | # Including strong name files can present a security risk 224 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 225 | #*.snk 226 | 227 | # Since there are multiple workflows, uncomment next line to ignore bower_components 228 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 229 | #bower_components/ 230 | 231 | # RIA/Silverlight projects 232 | Generated_Code/ 233 | 234 | # Backup & report files from converting an old project file 235 | # to a newer Visual Studio version. Backup files are not needed, 236 | # because we have git ;-) 237 | _UpgradeReport_Files/ 238 | Backup*/ 239 | UpgradeLog*.XML 240 | UpgradeLog*.htm 241 | ServiceFabricBackup/ 242 | *.rptproj.bak 243 | 244 | # SQL Server files 245 | *.mdf 246 | *.ldf 247 | *.ndf 248 | 249 | # Business Intelligence projects 250 | *.rdl.data 251 | *.bim.layout 252 | *.bim_*.settings 253 | *.rptproj.rsuser 254 | 255 | # Microsoft Fakes 256 | FakesAssemblies/ 257 | 258 | # GhostDoc plugin setting file 259 | *.GhostDoc.xml 260 | 261 | # Node.js Tools for Visual Studio 262 | .ntvs_analysis.dat 263 | node_modules/ 264 | 265 | # Visual Studio 6 build log 266 | *.plg 267 | 268 | # Visual Studio 6 workspace options file 269 | *.opt 270 | 271 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 272 | *.vbw 273 | 274 | # Visual Studio LightSwitch build output 275 | **/*.HTMLClient/GeneratedArtifacts 276 | **/*.DesktopClient/GeneratedArtifacts 277 | **/*.DesktopClient/ModelManifest.xml 278 | **/*.Server/GeneratedArtifacts 279 | **/*.Server/ModelManifest.xml 280 | _Pvt_Extensions 281 | 282 | # Paket dependency manager 283 | .paket/paket.exe 284 | paket-files/ 285 | 286 | # FAKE - F# Make 287 | .fake/ 288 | 289 | # JetBrains Rider 290 | .idea/ 291 | *.sln.iml 292 | 293 | # CodeRush 294 | .cr/ 295 | 296 | # Python Tools for Visual Studio (PTVS) 297 | __pycache__/ 298 | *.pyc 299 | 300 | # Cake - Uncomment if you are using it 301 | # tools/** 302 | # !tools/packages.config 303 | 304 | # Tabs Studio 305 | *.tss 306 | 307 | # Telerik's JustMock configuration file 308 | *.jmconfig 309 | 310 | # BizTalk build output 311 | *.btp.cs 312 | *.btm.cs 313 | *.odx.cs 314 | *.xsd.cs 315 | 316 | # OpenCover UI analysis results 317 | OpenCover/ 318 | 319 | # Azure Stream Analytics local run output 320 | ASALocalRun/ 321 | 322 | # MSBuild Binary and Structured Log 323 | *.binlog 324 | 325 | # NVidia Nsight GPU debugger configuration file 326 | *.nvuser 327 | 328 | # MFractors (Xamarin productivity tool) working folder 329 | .mfractor/ 330 | 331 | # Local History for Visual Studio 332 | .localhistory/ 333 | 334 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 2-Clause License 2 | 3 | Copyright (c) 2018, Alex Ionescu 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 20 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 25 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WNFUN 2 | WNF Utilities 4 Newbies (WNFUN) is the repository for the Python scripts and C tools that Gabrielle Viala (@pwissenlit) and Alex Ionescu (@aionescu) wrote for their BlackHat 2018 presentation on the Windows Notification Facility. 3 | 4 | ## Caveat 5 | 6 | These tools are still in PoC stage which we hope the community can use to build more mature and better tools. We will probably be making small improvements to them from time to time, especially error handling and better help, but we wanted to be able to share them with the public ahead of time. 7 | 8 | ## References 9 | 10 | You should read Gabrielle's great blog post at https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html 11 | 12 | The slides from our presentation will shortly be posted at http://alex-ionescu.com/publications/BlackHat/blackhat2018.pdf 13 | 14 | If you would like to know more about my research or work, I invite you to check out my blog at http://www.alex-ionescu.com as well as my training & consulting company, Winsider Seminars & Solutions Inc., at http://www.windows-internals.com. 15 | 16 | ## License 17 | 18 | ``` 19 | Copyright 2018 Alex Ionescu and Gabrielle Viala. All rights reserved. 20 | 21 | Redistribution and use in source and binary forms, with or without modification, are permitted provided 22 | that the following conditions are met: 23 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and 24 | the following disclaimer. 25 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions 26 | and the following disclaimer in the documentation and/or other materials provided with the 27 | distribution. 28 | 29 | THIS SOFTWARE IS PROVIDED BY ALEX IONESCU ``AS IS'' AND ANY EXPRESS OR IMPLIED 30 | WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 31 | FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ALEX IONESCU 32 | OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 33 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 35 | AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 36 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 37 | ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 38 | 39 | The views and conclusions contained in the software and documentation are those of the authors and 40 | should not be interpreted as representing official policies, either expressed or implied, of Alex Ionescu 41 | and Gabrielle Viala. 42 | ``` -------------------------------------------------------------------------------- /script_python/WellKnownWnfNames.py: -------------------------------------------------------------------------------- 1 | g_WellKnownWnfNames = { "WNF_A2A_APPURIHANDLER_INSTALLED": 0x41877c2ca3bc0875, 2 | "WNF_AAD_DEVICE_REGISTRATION_STATUS_CHANGE": 0x41820f2ca3bc0875, 3 | "WNF_AA_CURATED_TILE_COLLECTION_STATUS": 0x41c60f2ca3bc1075, 4 | "WNF_AA_LOCKDOWN_CHANGED": 0x41c60f2ca3bc0875, 5 | "WNF_AA_MDM_STATUS_EVENT_LOGGED": 0x41c60f2ca3bc1875, 6 | "WNF_ACC_EC_ENABLED": 0x41850d2ca3bc0835, 7 | "WNF_ACHK_SP_CORRUPTION_DETECTED": 0xa8e0d2ca3bc0875, 8 | "WNF_ACT_DATA_UPDATED": 0x41920d2ca3bc0835, 9 | "WNF_AFD_IGNORE_ORDERLY_RELEASE_CHANGE": 0x4182082ca3bc0875, 10 | "WNF_AI_PACKAGEINSTALL": 0x41c6072ca3bc1075, 11 | "WNF_AI_PACKAGEUNINSTALL": 0x41c6072ca3bc2075, 12 | "WNF_AI_PACKAGEUPDATE": 0x41c6072ca3bc1875, 13 | "WNF_AI_USERTILE": 0x41c6072ca3bc0875, 14 | "WNF_AOW_BOOT_PROGRESS": 0x4191012ca3bc0875, 15 | "WNF_APXI_CRITICAL_PACKAGES_INSTALLED": 0x89e1e2ca3bc0875, 16 | "WNF_ATP_PUSH_NOTIFICATION_RECEIVED": 0x41961a2ca3bc0875, 17 | "WNF_AUDC_CAPTURE": 0x2821b2ca3bc4075, 18 | "WNF_AUDC_CHAT_APP_CONTEXT": 0x2821b2ca3bc6075, 19 | "WNF_AUDC_CPUSET_ID": 0x2821b2ca3bc08b5, 20 | "WNF_AUDC_CPUSET_ID_SYSTEM": 0x2821b2ca3bc2875, 21 | "WNF_AUDC_DEFAULT_RENDER_ENDPOINT_PROPERTIES": 0x2821b2ca3bc5875, 22 | "WNF_AUDC_HEALTH_PROBLEM": 0x2821b2ca3bc2075, 23 | "WNF_AUDC_PHONECALL_ACTIVE": 0x2821b2ca3bc1075, 24 | "WNF_AUDC_RENDER": 0x2821b2ca3bc3075, 25 | "WNF_AUDC_RINGERVIBRATE_STATE_CHANGED": 0x2821b2ca3bc4875, 26 | "WNF_AUDC_SPATIAL_STATUS": 0x2821b2ca3bc5075, 27 | "WNF_AUDC_TUNER_DEVICE_AVAILABILITY": 0x2821b2ca3bc1875, 28 | "WNF_AUDC_VOLUME_CONTEXT": 0x2821b2ca3bc3875, 29 | "WNF_AVA_SOUNDDETECTOR_PATTERN_MATCH": 0x4187182ca3bc0875, 30 | "WNF_AVLC_DRIVER_REQUEST": 0x28a182ca3bc0875, 31 | "WNF_AVLC_SHOW_VOLUMELIMITWARNING": 0x28a182ca3bc1875, 32 | "WNF_AVLC_VOLUME_WARNING_ACCEPTED": 0x28a182ca3bc1075, 33 | "WNF_BCST_APP_BROADCAST_STREAM_STATE": 0x15950d2fa3bc0875, 34 | "WNF_BI_APPLICATION_SERVICING_START_CHANNEL": 0x41c6072fa3bc3875, 35 | "WNF_BI_APPLICATION_SERVICING_STOP_CHANNEL": 0x41c6072fa3bc4075, 36 | "WNF_BI_APPLICATION_UNINSTALL_CHANNEL": 0x41c6072fa3bc3075, 37 | "WNF_BI_BI_READY": 0x41c6072fa3bc6835, 38 | "WNF_BI_BROKER_WAKEUP_CHANNEL": 0x41c6072fa3bc0875, 39 | "WNF_BI_EVENT_DELETION": 0x41c6072fa3bc5075, 40 | "WNF_BI_LOCK_SCREEN_UPDATE_CHANNEL": 0x41c6072fa3bc4875, 41 | "WNF_BI_NETWORK_LIMITED_CHANNEL": 0x41c6072fa3bc8075, 42 | "WNF_BI_NOTIFY_NEW_SESSION": 0x41c6072fa3bc7075, 43 | "WNF_BI_PSM_TEST_HOOK_CHANNEL": 0x41c6072fa3bc5875, 44 | "WNF_BI_QUERY_APP_USAGE": 0x41c6072fa3bc7875, 45 | "WNF_BI_QUIET_MODE_UPDATE_CHANNEL": 0x41c6072fa3bc6075, 46 | "WNF_BI_SESSION_CONNECT_CHANNEL": 0x41c6072fa3bc2075, 47 | "WNF_BI_SESSION_DISCONNECT_CHANNEL": 0x41c6072fa3bc2875, 48 | "WNF_BI_USER_LOGOFF_CHANNEL": 0x41c6072fa3bc1875, 49 | "WNF_BI_USER_LOGON_CHANNEL": 0x41c6072fa3bc1075, 50 | "WNF_BLTH_BLUETOOTH_AUDIO_GATEWAY_STATUS": 0x992022fa3bc1075, 51 | "WNF_BLTH_BLUETOOTH_AVRCP_VOLUME_CHANGED": 0x992022fa3bc4075, 52 | "WNF_BLTH_BLUETOOTH_CONNECTION_STATE_CHANGE": 0x992022fa3bc2075, 53 | "WNF_BLTH_BLUETOOTH_DEVICE_BATTERY_IS_LOW": 0x992022fa3bc4875, 54 | "WNF_BLTH_BLUETOOTH_DEVICE_DOCK_STATUS": 0x992022fa3bc6075, 55 | "WNF_BLTH_BLUETOOTH_GATT_CLIENT_LEGACY_INVALIDATE_TOKEN": 0x992022fa3bc3075, 56 | "WNF_BLTH_BLUETOOTH_GATT_CLIENT_LEGACY_REQUEST": 0x992022fa3bc2875, 57 | "WNF_BLTH_BLUETOOTH_HFP_HF_LINE_AVAILABLE": 0x992022fa3bc6875, 58 | "WNF_BLTH_BLUETOOTH_LE_ADV_SCANNING_STATUS": 0x992022fa3bc5075, 59 | "WNF_BLTH_BLUETOOTH_MAP_STATUS": 0x992022fa3bc1875, 60 | "WNF_BLTH_BLUETOOTH_QUICKPAIR_STATUS_CHANGED": 0x992022fa3bc3875, 61 | "WNF_BLTH_BLUETOOTH_SHOW_PBAP_CONSENT": 0x992022fa3bc5875, 62 | "WNF_BLTH_BLUETOOTH_STATUS": 0x992022fa3bc0875, 63 | "WNF_BMP_BG_PLAYBACK_REVOKED": 0x4196032fa3bc1075, 64 | "WNF_BMP_BG_PLAYSTATE_CHANGED": 0x4196032fa3bc0875, 65 | "WNF_BOOT_DIRTY_SHUTDOWN": 0x1589012fa3bc0875, 66 | "WNF_BOOT_INVALID_TIME_SOURCE": 0x1589012fa3bc1075, 67 | "WNF_BOOT_MEMORY_PARTITIONS_RESTORE": 0x1589012fa3bc1875, 68 | "WNF_BRI_ACTIVE_WINDOW": 0x418f1c2fa3bc0875, 69 | "WNF_CAM_ACTIVITY_ACCESS_CHANGED": 0x418b0f2ea3bcd875, 70 | "WNF_CAM_APPACTIVATION_WITHVOICEABOVELOCK_CHANGED": 0x418b0f2ea3bcf875, 71 | "WNF_CAM_APPACTIVATION_WITHVOICE_CHANGED": 0x418b0f2ea3bcf075, 72 | "WNF_CAM_APPDIAGNOSTICS_ACCESS_CHANGED": 0x418b0f2ea3bc0875, 73 | "WNF_CAM_APPOINTMENTS_ACCESS_CHANGED": 0x418b0f2ea3bc1075, 74 | "WNF_CAM_BLUETOOTHSYNC_ACCESS_CHANGED": 0x418b0f2ea3bce075, 75 | "WNF_CAM_BLUETOOTH_ACCESS_CHANGED": 0x418b0f2ea3bc1875, 76 | "WNF_CAM_BROADFILESYSTEMACCESS_ACCESS_CHANGED": 0x418b0f2ea3bcd075, 77 | "WNF_CAM_CAMERA_ACCESS_CHANGED": 0x418b0f2ea3bc2075, 78 | "WNF_CAM_CELLULARDATA_ACCESS_CHANGED": 0x418b0f2ea3bc2875, 79 | "WNF_CAM_CHAT_ACCESS_CHANGED": 0x418b0f2ea3bc3075, 80 | "WNF_CAM_CONTACTS_ACCESS_CHANGED": 0x418b0f2ea3bc3875, 81 | "WNF_CAM_DOCUMENTSLIBRARY_ACCESS_CHANGED": 0x418b0f2ea3bcb075, 82 | "WNF_CAM_EMAIL_ACCESS_CHANGED": 0x418b0f2ea3bc4075, 83 | "WNF_CAM_GAZEINPUT_ACCESS_CHANGED": 0x418b0f2ea3bcc875, 84 | "WNF_CAM_HID_ACCESS_CHANGED": 0x418b0f2ea3bc4875, 85 | "WNF_CAM_LOCATION_ACCESS_CHANGED": 0x418b0f2ea3bc5075, 86 | "WNF_CAM_MICROPHONE_ACCESS_CHANGED": 0x418b0f2ea3bc5875, 87 | "WNF_CAM_PHONECALLHISTORY_ACCESS_CHANGED": 0x418b0f2ea3bc6875, 88 | "WNF_CAM_PHONECALL_ACCESS_CHANGED": 0x418b0f2ea3bc6075, 89 | "WNF_CAM_PICTURESLIBRARY_ACCESS_CHANGED": 0x418b0f2ea3bcb875, 90 | "WNF_CAM_POS_ACCESS_CHANGED": 0x418b0f2ea3bc7075, 91 | "WNF_CAM_RADIOS_ACCESS_CHANGED": 0x418b0f2ea3bc7875, 92 | "WNF_CAM_SENSORSCUSTOM_ACCESS_CHANGED": 0x418b0f2ea3bc8075, 93 | "WNF_CAM_SERIAL_ACCESS_CHANGED": 0x418b0f2ea3bc8875, 94 | "WNF_CAM_USB_ACCESS_CHANGED": 0x418b0f2ea3bc9075, 95 | "WNF_CAM_USERACCOUNTINFO_ACCESS_CHANGED": 0x418b0f2ea3bc9875, 96 | "WNF_CAM_USERDATATASKS_ACCESS_CHANGED": 0x418b0f2ea3bca075, 97 | "WNF_CAM_USERNOTIFICATIONLISTENER_ACCESS_CHANGED": 0x418b0f2ea3bca875, 98 | "WNF_CAM_VIDEOSLIBRARY_ACCESS_CHANGED": 0x418b0f2ea3bcc075, 99 | "WNF_CAM_WIFIDIRECT_ACCESS_CHANGED": 0x418b0f2ea3bce875, 100 | "WNF_CAPS_CENTRAL_ACCESS_POLICIES_CHANGED": 0x12960f2ea3bc0875, 101 | "WNF_CCTL_BUTTON_REQUESTS": 0xd920d2ea3bc08b5, 102 | "WNF_CDP_ALLOW_CLIPBOARDHISTORY_POLICY_CHANGE": 0x41960a2ea3bc8075, 103 | "WNF_CDP_ALLOW_CROSSDEVICECLIPBOARD_POLICY_CHANGE": 0x41960a2ea3bc8875, 104 | "WNF_CDP_CDPSVC_READY": 0x41960a2ea3bc0875, 105 | "WNF_CDP_CDPSVC_STOPPING": 0x41960a2ea3bc1075, 106 | "WNF_CDP_CDPUSERSVC_READY": 0x41960a2ea3bc1835, 107 | "WNF_CDP_CDPUSERSVC_STOPPING": 0x41960a2ea3bc2035, 108 | "WNF_CDP_CDP_ACTIVITIES_RECIEVED": 0x41960a2ea3bc3075, 109 | "WNF_CDP_CDP_LOCAL_ACTIVITIES_RECIEVED": 0x41960a2ea3bc6875, 110 | "WNF_CDP_CDP_MESSAGES_QUEUED": 0x41960a2ea3bc2875, 111 | "WNF_CDP_CDP_NOTIFICATION_ACTION_FORWARD_FAILURE": 0x41960a2ea3bc4075, 112 | "WNF_CDP_ENABLE_ACTIVITYFEED_POLICY_CHANGE": 0x41960a2ea3bc5875, 113 | "WNF_CDP_PUBLISH_USER_ACTIVITIES_POLICY_CHANGE": 0x41960a2ea3bc6075, 114 | "WNF_CDP_UPLOAD_USER_ACTIVITIES_POLICY_CHANGE": 0x41960a2ea3bc7875, 115 | "WNF_CDP_USERAUTH_POLICY_CHANGE": 0x41960a2ea3bc3875, 116 | "WNF_CDP_USER_NEAR_SHARE_SETTING_CHANGE": 0x41960a2ea3bc5035, 117 | "WNF_CDP_USER_RESOURCE_INFO_CHANGED": 0x41960a2ea3bc7075, 118 | "WNF_CDP_USER_ROME_SETTING_CHANGE": 0x41960a2ea3bc4835, 119 | "WNF_CELL_AIRPLANEMODE": 0xd8a0b2ea3bc3075, 120 | "WNF_CELL_AIRPLANEMODE_DETAILS": 0xd8a0b2ea3bc9075, 121 | "WNF_CELL_AVAILABLE_OPERATORS_CAN0": 0xd8a0b2ea3bc5075, 122 | "WNF_CELL_AVAILABLE_OPERATORS_CAN1": 0xd8a0b2ea3bd5875, 123 | "WNF_CELL_CALLFORWARDING_STATUS_CAN0": 0xd8a0b2ea3bd0075, 124 | "WNF_CELL_CALLFORWARDING_STATUS_CAN1": 0xd8a0b2ea3bde075, 125 | "WNF_CELL_CAN_CONFIGURATION_SET_COMPLETE_MODEM0": 0xd8a0b2ea3be5875, 126 | "WNF_CELL_CAN_STATE_CAN0": 0xd8a0b2ea3bc8075, 127 | "WNF_CELL_CAN_STATE_CAN1": 0xd8a0b2ea3bd9075, 128 | "WNF_CELL_CDMA_ACTIVATION_CAN0": 0xd8a0b2ea3bc4075, 129 | "WNF_CELL_CDMA_ACTIVATION_CAN1": 0xd8a0b2ea3bd4875, 130 | "WNF_CELL_CONFIGURED_LINES_CAN0": 0xd8a0b2ea3bdf475, 131 | "WNF_CELL_CONFIGURED_LINES_CAN1": 0xd8a0b2ea3bdfc75, 132 | "WNF_CELL_CSP_WWAN_PLUS_READYNESS": 0xd8a0b2ea3bcf875, 133 | "WNF_CELL_DATA_ENABLED_BY_USER_MODEM0": 0xd8a0b2ea3bc6475, 134 | "WNF_CELL_DEVICE_INFO_CAN0": 0xd8a0b2ea3bc5875, 135 | "WNF_CELL_DEVICE_INFO_CAN1": 0xd8a0b2ea3bd6075, 136 | "WNF_CELL_EMERGENCY_CALLBACK_MODE_STATUS": 0xd8a0b2ea3be6875, 137 | "WNF_CELL_HOME_OPERATOR_CAN0": 0xd8a0b2ea3bcc075, 138 | "WNF_CELL_HOME_OPERATOR_CAN1": 0xd8a0b2ea3bda875, 139 | "WNF_CELL_HOME_PRL_ID_CAN0": 0xd8a0b2ea3bcc875, 140 | "WNF_CELL_HOME_PRL_ID_CAN1": 0xd8a0b2ea3bdb075, 141 | "WNF_CELL_IMSI_CAN0": 0xd8a0b2ea3be2075, 142 | "WNF_CELL_IMSI_CAN1": 0xd8a0b2ea3be2875, 143 | "WNF_CELL_IMS_STATUS_CAN0": 0xd8a0b2ea3be8075, 144 | "WNF_CELL_IMS_STATUS_CAN1": 0xd8a0b2ea3be8875, 145 | "WNF_CELL_IWLAN_AVAILABILITY_CAN0": 0xd8a0b2ea3be9075, 146 | "WNF_CELL_IWLAN_AVAILABILITY_CAN1": 0xd8a0b2ea3be9875, 147 | "WNF_CELL_LEGACY_SETTINGS_MIGRATION": 0xd8a0b2ea3be3075, 148 | "WNF_CELL_NETWORK_TIME_CAN0": 0xd8a0b2ea3bc4875, 149 | "WNF_CELL_NETWORK_TIME_CAN1": 0xd8a0b2ea3bd5075, 150 | "WNF_CELL_NITZ_INFO": 0xd8a0b2ea3bed075, 151 | "WNF_CELL_OPERATOR_NAME_CAN0": 0xd8a0b2ea3bc3875, 152 | "WNF_CELL_OPERATOR_NAME_CAN1": 0xd8a0b2ea3bd4075, 153 | "WNF_CELL_PERSO_STATUS_CAN0": 0xd8a0b2ea3bcb875, 154 | "WNF_CELL_PERSO_STATUS_CAN1": 0xd8a0b2ea3bde875, 155 | "WNF_CELL_PHONE_NUMBER_CAN0": 0xd8a0b2ea3bc6875, 156 | "WNF_CELL_PHONE_NUMBER_CAN1": 0xd8a0b2ea3bd7075, 157 | "WNF_CELL_POSSIBLE_DATA_ACTIVITY_CHANGE_MODEM0": 0xd8a0b2ea3bc9875, 158 | "WNF_CELL_POWER_STATE_MODEM0": 0xd8a0b2ea3bc0875, 159 | "WNF_CELL_PREFERRED_LANGUAGES_SLOT0": 0xd8a0b2ea3be1075, 160 | "WNF_CELL_PREFERRED_LANGUAGES_SLOT1": 0xd8a0b2ea3be1875, 161 | "WNF_CELL_PS_MEDIA_PREFERENCES_CAN0": 0xd8a0b2ea3bea475, 162 | "WNF_CELL_PS_MEDIA_PREFERENCES_CAN1": 0xd8a0b2ea3beac75, 163 | "WNF_CELL_RADIO_TYPE_MODEM0": 0xd8a0b2ea3bd0c75, 164 | "WNF_CELL_REGISTRATION_CHANGED_TRIGGER_MV": 0xd8a0b2ea3be6075, 165 | "WNF_CELL_REGISTRATION_PREFERENCES_CAN0": 0xd8a0b2ea3bc7c75, 166 | "WNF_CELL_REGISTRATION_PREFERENCES_CAN1": 0xd8a0b2ea3bd8c75, 167 | "WNF_CELL_REGISTRATION_STATUS_CAN0": 0xd8a0b2ea3bc2075, 168 | "WNF_CELL_REGISTRATION_STATUS_CAN1": 0xd8a0b2ea3bd2075, 169 | "WNF_CELL_REGISTRATION_STATUS_DETAILS_CAN0": 0xd8a0b2ea3bca875, 170 | "WNF_CELL_REGISTRATION_STATUS_DETAILS_CAN1": 0xd8a0b2ea3bd9875, 171 | "WNF_CELL_SIGNAL_STRENGTH_BARS_CAN0": 0xd8a0b2ea3bc1075, 172 | "WNF_CELL_SIGNAL_STRENGTH_BARS_CAN1": 0xd8a0b2ea3bd1075, 173 | "WNF_CELL_SIGNAL_STRENGTH_DETAILS_CAN0": 0xd8a0b2ea3be7075, 174 | "WNF_CELL_SIGNAL_STRENGTH_DETAILS_CAN1": 0xd8a0b2ea3be7875, 175 | "WNF_CELL_SUPPORTED_SYSTEM_TYPES_CAN0": 0xd8a0b2ea3bcb075, 176 | "WNF_CELL_SUPPORTED_SYSTEM_TYPES_CAN1": 0xd8a0b2ea3bda075, 177 | "WNF_CELL_SYSTEM_CONFIG": 0xd8a0b2ea3bca475, 178 | "WNF_CELL_SYSTEM_TYPE_CAN0": 0xd8a0b2ea3bc1875, 179 | "WNF_CELL_SYSTEM_TYPE_CAN1": 0xd8a0b2ea3bd1875, 180 | "WNF_CELL_UICC_ATR_SLOT0": 0xd8a0b2ea3be3875, 181 | "WNF_CELL_UICC_ATR_SLOT1": 0xd8a0b2ea3be4075, 182 | "WNF_CELL_UICC_PIN_STATE_SLOT0": 0xd8a0b2ea3bec075, 183 | "WNF_CELL_UICC_PIN_STATE_SLOT1": 0xd8a0b2ea3bec875, 184 | "WNF_CELL_UICC_SIMSEC_SLOT0": 0xd8a0b2ea3be4875, 185 | "WNF_CELL_UICC_SIMSEC_SLOT1": 0xd8a0b2ea3be5075, 186 | "WNF_CELL_UICC_STATUS_DETAILS_SLOT0": 0xd8a0b2ea3be0075, 187 | "WNF_CELL_UICC_STATUS_DETAILS_SLOT1": 0xd8a0b2ea3be0875, 188 | "WNF_CELL_UICC_STATUS_SLOT0": 0xd8a0b2ea3bc2875, 189 | "WNF_CELL_UICC_STATUS_SLOT1": 0xd8a0b2ea3bd2875, 190 | "WNF_CELL_USER_PREFERRED_POWER_STATE_MODEM0": 0xd8a0b2ea3bc8c75, 191 | "WNF_CELL_UTK_PROACTIVE_CMD": 0xd8a0b2ea3bcf075, 192 | "WNF_CELL_UTK_SETUP_MENU_SLOT0": 0xd8a0b2ea3bce875, 193 | "WNF_CELL_UTK_SETUP_MENU_SLOT1": 0xd8a0b2ea3bdd075, 194 | "WNF_CELL_VOICEMAIL_NUMBER_CAN0": 0xd8a0b2ea3bc7075, 195 | "WNF_CELL_WIFI_CALL_SETTINGS_CAN0": 0xd8a0b2ea3beb075, 196 | "WNF_CELL_WIFI_CALL_SETTINGS_CAN1": 0xd8a0b2ea3beb875, 197 | "WNF_CERT_FLUSH_CACHE_STATE": 0x15940b2ea3bc1075, 198 | "WNF_CERT_FLUSH_CACHE_TRIGGER": 0x15940b2ea3bc0875, 199 | "WNF_CFCL_SC_CONFIGURATIONS_ADDED": 0xd85082ea3bc1875, 200 | "WNF_CFCL_SC_CONFIGURATIONS_CHANGED": 0xd85082ea3bc0875, 201 | "WNF_CFCL_SC_CONFIGURATIONS_DELETED": 0xd85082ea3bc1075, 202 | "WNF_CI_SMODE_CHANGE": 0x41c6072ea3bc0875, 203 | "WNF_CLIP_CLIPBOARD_HISTORY_ENABLED_CHANGED": 0x118f022ea3bc2035, 204 | "WNF_CLIP_CLIPBOARD_USERSVC_READY": 0x118f022ea3bc2835, 205 | "WNF_CLIP_CLIPBOARD_USERSVC_STOPPED": 0x118f022ea3bc3035, 206 | "WNF_CLIP_CONTENT_CHANGED": 0x118f022ea3bc0875, 207 | "WNF_CLIP_HISTORY_CHANGED": 0x118f022ea3bc1035, 208 | "WNF_CLIP_ROAMING_CLIPBOARD_ENABLED_CHANGED": 0x118f022ea3bc1835, 209 | "WNF_CNET_CELLULAR_CONNECTIONS_AVAILABLE": 0x1583002ea3bc4875, 210 | "WNF_CNET_DPU_GLOBAL_STATE_NOT_TRACKED": 0x1583002ea3bc3075, 211 | "WNF_CNET_DPU_GLOBAL_STATE_OFF_TRACK": 0x1583002ea3bc1875, 212 | "WNF_CNET_DPU_GLOBAL_STATE_ON_TRACK": 0x1583002ea3bc2075, 213 | "WNF_CNET_DPU_GLOBAL_STATE_OVER_LIMIT": 0x1583002ea3bc1075, 214 | "WNF_CNET_DPU_GLOBAL_STATE_UNDER_TRACK": 0x1583002ea3bc2875, 215 | "WNF_CNET_NON_CELLULAR_CONNECTED": 0x1583002ea3bc6875, 216 | "WNF_CNET_RADIO_ACTIVITY": 0x1583002ea3bc7875, 217 | "WNF_CNET_RADIO_ACTIVITY_OR_NON_CELLULAR_CONNECTED": 0x1583002ea3bc7075, 218 | "WNF_CNET_WIFI_ACTIVITY": 0x1583002ea3bc8075, 219 | "WNF_CONT_RESTORE_FROM_SNAPSHOT_COMPLETE": 0x1588012ea3bc0875, 220 | "WNF_CSC_SERVICE_START": 0x41851d2ea3bc0875, 221 | "WNF_CSHL_COMPOSER_CONTEXT_CHANGED": 0xd8e1d2ea3bc3835, 222 | "WNF_CSHL_COMPOSER_LAUNCH_READY": 0xd8e1d2ea3bc0835, 223 | "WNF_CSHL_COMPOSER_TEARDOWN": 0xd8e1d2ea3bc3035, 224 | "WNF_CSHL_PRODUCT_READY": 0xd8e1d2ea3bc2835, 225 | "WNF_CSHL_SKIP_OOBE_CXH": 0xd8e1d2ea3bc4035, 226 | "WNF_CSHL_UI_AUTOMATION": 0xd8e1d2ea3bc1035, 227 | "WNF_CSHL_VIEWHOSTING_READY": 0xd8e1d2ea3bc2035, 228 | "WNF_CSH_LAUNCH_EXPLORER_REQUESTED": 0x418e1d2ea3bc08f5, 229 | "WNF_CXH_APP_FINISHED": 0x418e162ea3bc1035, 230 | "WNF_CXH_BACK": 0x418e162ea3bc2035, 231 | "WNF_CXH_BACK_STATE": 0x418e162ea3bc1835, 232 | "WNF_CXH_OOBE_APP_READY": 0x418e162ea3bc2875, 233 | "WNF_CXH_WEBAPP_STATUS": 0x418e162ea3bc0835, 234 | "WNF_DBA_DEVICE_ACCESS_CHANGED": 0x41870c29a3bc0875, 235 | "WNF_DEP_OOBE_COMPLETE": 0x41960b29a3bc0c75, 236 | "WNF_DEP_UNINSTALL_DISABLED": 0x41960b29a3bc1475, 237 | "WNF_DEVM_DMWAPPUSHSVC_READY": 0xc900b29a3bc1875, 238 | "WNF_DEVM_MULTIVARIANT_PROVISIONING_SESSIONS": 0xc900b29a3bc3075, 239 | "WNF_DEVM_PROVISIONING_COMPLETE": 0xc900b29a3bc0875, 240 | "WNF_DICT_CONTENT_ADDED": 0x15850729a3bc0875, 241 | "WNF_DICT_PERSONALIZATION_FEEDBACK_SIGNAL": 0x15850729a3bc1075, 242 | "WNF_DISK_SCRUB_REQUIRED": 0xa950729a3bc0875, 243 | "WNF_DMF_MIGRATION_COMPLETE": 0x41800329a3bc1075, 244 | "WNF_DMF_MIGRATION_PROGRESS": 0x41800329a3bc1875, 245 | "WNF_DMF_MIGRATION_STARTED": 0x41800329a3bc0875, 246 | "WNF_DMF_UX_COMPLETE": 0x41800329a3bc2075, 247 | "WNF_DNS_ALL_SERVER_TIMEOUT": 0x41950029a3bc1075, 248 | "WNF_DO_MANAGER_ACTIVE": 0x41c60129a3bc0875, 249 | "WNF_DO_POLICY_CHANGED": 0x41c60129a3bc1075, 250 | "WNF_DSM_DSMAPPINSTALLED": 0x418b1d29a3bc0c75, 251 | "WNF_DSM_DSMAPPREMOVED": 0x418b1d29a3bc1475, 252 | "WNF_DUSM_IS_CELLULAR_BACKGROUND_RESTRICTED": 0xc951b29a3bc1075, 253 | "WNF_DUSM_TASK_TOAST": 0xc951b29a3bc0875, 254 | "WNF_DWM_COMPOSITIONCAPABILITIES": 0x418b1929a3bc2835, 255 | "WNF_DWM_HOLOGRAPHIC_COMPOSITOR_EXCLUSIVE": 0x418b1929a3bc3035, 256 | "WNF_DWM_HOLOGRAPHIC_COMPOSITOR_EXCLUSIVE_LOW_FRAMERATE": 0x418b1929a3bc1035, 257 | "WNF_DWM_HOLOGRAPHIC_COMPOSITOR_HAS_PROTECTED_CONTENT": 0x418b1929a3bc1835, 258 | "WNF_DWM_HOLOGRAPHIC_COMPOSITOR_LOW_FRAMERATE": 0x418b1929a3bc2035, 259 | "WNF_DWM_RUNNING": 0x418b1929a3bc0835, 260 | "WNF_DXGK_ADAPTER_TDR_NOTIFICATION": 0xa811629a3bc0875, 261 | "WNF_DXGK_PATH_FAILED_OR_INVALIDATED": 0xa811629a3bc1075, 262 | "WNF_DX_ADAPTER_START": 0x41c61629a3bc8075, 263 | "WNF_DX_ADAPTER_STOP": 0x41c61629a3bc8875, 264 | "WNF_DX_COLOR_OVERRIDE_STATE_CHANGE": 0x41c61629a3bc9875, 265 | "WNF_DX_COLOR_PROFILE_CHANGE": 0x41c61629a3bc7035, 266 | "WNF_DX_DEVICE_REMOVAL": 0x41c61629a3bc60b5, 267 | "WNF_DX_DISPLAY_COLORIMETRY_DATA_CHANGED": 0x41c61629a3bca075, 268 | "WNF_DX_DISPLAY_CONFIG_CHANGE_NOTIFICATION": 0x41c61629a3bc5835, 269 | "WNF_DX_GPM_TARGET": 0x41c61629a3bc7875, 270 | "WNF_DX_HARDWARE_CONTENT_PROTECTION_TILT_NOTIFICATION": 0x41c61629a3bc4075, 271 | "WNF_DX_INTERNAL_PANEL_DIMENSIONS": 0x41c61629a3bc4875, 272 | "WNF_DX_MODERN_OUTPUTDUPLICATION": 0x41c61629a3bc5035, 273 | "WNF_DX_MODERN_OUTPUTDUPLICATION_CONTEXTS": 0x41c61629a3bc6835, 274 | "WNF_DX_MODE_CHANGE_NOTIFICATION": 0x41c61629a3bc1035, 275 | "WNF_DX_MONITOR_CHANGE_NOTIFICATION": 0x41c61629a3bc2835, 276 | "WNF_DX_NETWORK_DISPLAY_STATE_CHANGE_NOTIFICATION": 0x41c61629a3bc2035, 277 | "WNF_DX_OCCLUSION_CHANGE_NOTIFICATION": 0x41c61629a3bc1835, 278 | "WNF_DX_SDR_WHITE_LEVEL_CHANGED": 0x41c61629a3bc9035, 279 | "WNF_DX_STEREO_CONFIG": 0x41c61629a3bc0c75, 280 | "WNF_DX_VAIL_CHANGE_NOTIFICATION": 0x41c61629a3bca8b5, 281 | "WNF_DX_VIDMM_BUDGETCHANGE_NOTIFICATION": 0x41c61629a3bc3875, 282 | "WNF_DX_VIDMM_TRIM_NOTIFICATION": 0x41c61629a3bc30b5, 283 | "WNF_EAP_APPLICATION_HANDLE": 0x41960f28a3bc0875, 284 | "WNF_EDGE_EXTENSION_AVAILABLE": 0x4810a28a3bc18f5, 285 | "WNF_EDGE_EXTENSION_INSTALLED": 0x4810a28a3bc10f5, 286 | "WNF_EDGE_INPRIVATE_EXTENSION_AVAILABLE": 0x4810a28a3bc20f5, 287 | "WNF_EDGE_LAST_NAVIGATED_HOST": 0x4810a28a3bc08f5, 288 | "WNF_EDP_AAD_REAUTH_REQUIRED": 0x41960a28a3bc3875, 289 | "WNF_EDP_APP_UI_ENTERPRISE_CONTEXT_CHANGED": 0x41960a28a3bc3035, 290 | "WNF_EDP_CLIPBOARD_METADATA_CHANGED": 0x41960a28a3bc2035, 291 | "WNF_EDP_CREDENTIALS_UPDATING": 0x41960a28a3bc7075, 292 | "WNF_EDP_DIALOG_CANCEL": 0x41960a28a3bc2835, 293 | "WNF_EDP_DPL_KEYS_DROPPING": 0x41960a28a3bc5875, 294 | "WNF_EDP_DPL_KEYS_STATE": 0x41960a28a3bc1875, 295 | "WNF_EDP_ENTERPRISE_CONTEXTS_UPDATED": 0x41960a28a3bc4475, 296 | "WNF_EDP_IDENTITY_REVOKED": 0x41960a28a3bc10f5, 297 | "WNF_EDP_MISSING_CREDENTIALS": 0x41960a28a3bc6075, 298 | "WNF_EDP_PROCESS_TLS_INDEX": 0x41960a28a3bc50b5, 299 | "WNF_EDP_PROCESS_UI_ENFORCEMENT": 0x41960a28a3bc4875, 300 | "WNF_EDP_PURGE_APP_LEARNING_EVT": 0x41960a28a3bc6875, 301 | "WNF_EDP_TAGGED_APP_LAUNCHED": 0x41960a28a3bc0835, 302 | "WNF_EDU_PRINTER_POLICY_CHANGED": 0x41930a28a3bc0875, 303 | "WNF_EFS_SERVICE_START": 0x41950828a3bc0875, 304 | "WNF_EFS_SOFTWARE_HIVE_AVAILABLE": 0x41950828a3bc1075, 305 | "WNF_ENTR_ABOVELOCK_POLICY_VALUE_CHANGED": 0x13920028a3bc7875, 306 | "WNF_ENTR_ACCOUNTS_POLICY_VALUE_CHANGED": 0x13920028a3bc3075, 307 | "WNF_ENTR_ALLOWALLTRUSTEDAPPS_POLICY_VALUE_CHANGED": 0x13920028a3bcf875, 308 | "WNF_ENTR_ALLOWAPPLICATIONS_POLICY_VALUE_CHANGED": 0x13920028a3bc8075, 309 | "WNF_ENTR_ALLOWCELLULARDATAROAMING_POLICY_VALUE_CHANGED": 0x13920028a3bd4875, 310 | "WNF_ENTR_ALLOWCELLULARDATA_POLICY_VALUE_CHANGED": 0x13920028a3bd5075, 311 | "WNF_ENTR_ALLOWDEVELOPERUNLOCK_POLICY_VALUE_CHANGED": 0x13920028a3bd1875, 312 | "WNF_ENTR_ALLOWDEVICEHEALTHMONITORING_POLICY_VALUE_CHANGED": 0x13920028a3bda075, 313 | "WNF_ENTR_ALLOWINPUTPANEL_POLICY_VALUE_CHANGED": 0x13920028a3bca875, 314 | "WNF_ENTR_ALLOWMANUALWIFICONFIGURATION_POLICY_VALUE_CHANGED": 0x13920028a3bdb875, 315 | "WNF_ENTR_ALLOWMESSAGESYNC_POLICY_VALUE_CHANGED": 0x13920028a3bd6875, 316 | "WNF_ENTR_ALLOWMESSAGE_MMS_POLICY_VALUE_CHANGED": 0x13920028a3bdd875, 317 | "WNF_ENTR_ALLOWMESSAGE_RCS_POLICY_VALUE_CHANGED": 0x13920028a3bde075, 318 | "WNF_ENTR_ALLOWNONMICROSOFTSIGNEDUPDATE_POLICY_VALUE_CHANGED": 0x13920028a3bd3075, 319 | "WNF_ENTR_ALLOWPROJECTIONFROMPC_POLICY_VALUE_CHANGED": 0x13920028a3be0075, 320 | "WNF_ENTR_ALLOWPROJECTIONTOPC_POLICY_VALUE_CHANGED": 0x13920028a3bdd075, 321 | "WNF_ENTR_ALLOWSET24HOURCLOCK_POLICY_VALUE_CHANGED": 0x13920028a3bdf875, 322 | "WNF_ENTR_ALLOWSHAREDUSERDATA_POLICY_VALUE_CHANGED": 0x13920028a3bd0075, 323 | "WNF_ENTR_ALLOWUPDATESERVICE_POLICY_VALUE_CHANGED": 0x13920028a3bd2075, 324 | "WNF_ENTR_ALLOWWIFIDIRECT_POLICY_VALUE_CHANGED": 0x13920028a3bdc875, 325 | "WNF_ENTR_ALLOWWIFI_POLICY_VALUE_CHANGED": 0x13920028a3bdb075, 326 | "WNF_ENTR_ALLOW_WBA_EXECUTION_POLICY_VALUE_CHANGED": 0x13920028a3bd3875, 327 | "WNF_ENTR_APPHVSI_CACHED_POLICY_VALUE_CHANGED": 0x13920028a3bd8475, 328 | "WNF_ENTR_APPHVSI_POLICY_VALUE_CHANGED": 0x13920028a3bdf075, 329 | "WNF_ENTR_APPLICATIONMANAGEMENT_POLICY_VALUE_CHANGED": 0x13920028a3bc5875, 330 | "WNF_ENTR_APPPRIVACY_POLICY_VALUE_CHANGED": 0x13920028a3be1875, 331 | "WNF_ENTR_BITS_POLICY_VALUE_CHANGED": 0x13920028a3be6875, 332 | "WNF_ENTR_BLUETOOTH_POLICY_VALUE_CHANGED": 0x13920028a3bcd875, 333 | "WNF_ENTR_BROWSER_POLICY_VALUE_CHANGED": 0x13920028a3bc4075, 334 | "WNF_ENTR_CAMERA_POLICY_VALUE_CHANGED": 0x13920028a3bc5075, 335 | "WNF_ENTR_CONNECTIVITY_POLICY_VALUE_CHANGED": 0x13920028a3bc2075, 336 | "WNF_ENTR_CONTEXT_STATE_CHANGE": 0x13920028a3bc9875, 337 | "WNF_ENTR_DEVICELOCK_POLICY_VALUE_CHANGED": 0x13920028a3bc0875, 338 | "WNF_ENTR_DISABLEADVERTISINGID_POLICY_VALUE_CHANGED": 0x13920028a3bd7075, 339 | "WNF_ENTR_DOMAIN_NAMES_FOR_EMAIL_SYNC_POLICY_VALUE_CHANGED": 0x13920028a3bd4075, 340 | "WNF_ENTR_EDPENFORCEMENTLEVEL_CACHED_POLICY_VALUE_CHANGED": 0x13920028a3bd5c75, 341 | "WNF_ENTR_EDPENFORCEMENTLEVEL_POLICY_VALUE_CHANGED": 0x13920028a3bc8875, 342 | "WNF_ENTR_EDPNETWORKING_POLICY_VALUE_CHANGED": 0x13920028a3bce075, 343 | "WNF_ENTR_EDPSHOWICONS_CACHED_POLICY_VALUE_CHANGED": 0x13920028a3bd9c75, 344 | "WNF_ENTR_EDPSMB_POLICY_VALUE_CHANGED": 0x13920028a3bde875, 345 | "WNF_ENTR_EMOJI_AVAILABILITY_POLICY_VALUE_CHANGED": 0x13920028a3be5075, 346 | "WNF_ENTR_ENABLETOUCHKEYBOARDAUTOINVOKE_POLICY_VALUE_CHANGED": 0x13920028a3be2075, 347 | "WNF_ENTR_EVALUATE_APPHVSI_CONFIGURATION_STATE": 0x13920028a3bd9075, 348 | "WNF_ENTR_EVALUATE_EDP_CONFIGURATION_STATE": 0x13920028a3bd7875, 349 | "WNF_ENTR_EXPERIENCE_POLICY_VALUE_CHANGED": 0x13920028a3bc2875, 350 | "WNF_ENTR_EXPLOITGUARD_POLICY_VALUE_CHANGED": 0x13920028a3be0875, 351 | "WNF_ENTR_FORCEDOCKED_TOUCHKEYBOARD_POLICY_VALUE_CHANGED": 0x13920028a3be5875, 352 | "WNF_ENTR_FULLLAYOUT_AVAILABILITY_POLICY_VALUE_CHANGED": 0x13920028a3be2875, 353 | "WNF_ENTR_HANDWRITING_AVAILABILITY_POLICY_VALUE_CHANGED": 0x13920028a3be4075, 354 | "WNF_ENTR_NARROWLAYOUT_AVAILABILITY_POLICY_VALUE_CHANGED": 0x13920028a3be3875, 355 | "WNF_ENTR_NETWORKISOLATION_POLICY_VALUE_CHANGED": 0x13920028a3bd8875, 356 | "WNF_ENTR_PROTECTEDDOMAINNAMES_CACHED_POLICY_VALUE_CHANGED": 0x13920028a3bd6475, 357 | "WNF_ENTR_PUSH_NOTIFICATION_RECEIVED": 0x13920028a3bc6875, 358 | "WNF_ENTR_PUSH_RECEIVED": 0x13920028a3bca075, 359 | "WNF_ENTR_REMOVABLEDISK_DENY_WRITE_POLICY_VALUE_CHANGED": 0x13920028a3be7075, 360 | "WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED": 0x13920028a3bc6075, 361 | "WNF_ENTR_REQUIRE_DPL_POLICY_VALUE_CHANGED": 0x13920028a3bce875, 362 | "WNF_ENTR_RESTRICTAPPDATATOSYTEMVOLUME_POLICY_VALUE_CHANGED": 0x13920028a3bd1075, 363 | "WNF_ENTR_RESTRICTAPPTOSYTEMVOLUME_POLICY_VALUE_CHANGED": 0x13920028a3bd0875, 364 | "WNF_ENTR_SEARCH_ALLOW_INDEXER": 0x13920028a3bdc075, 365 | "WNF_ENTR_SEARCH_ALLOW_INDEXING_ENCRYPTED_STORES_OR_ITEMS": 0x13920028a3bcd075, 366 | "WNF_ENTR_SEARCH_ALLOW_USING_DIACRITICS": 0x13920028a3bcb075, 367 | "WNF_ENTR_SEARCH_ALWAYS_USE_AUTO_LANG_DETECTION": 0x13920028a3bcb875, 368 | "WNF_ENTR_SEARCH_DISABLE_REMOVABLE_DRIVE_INDEXING": 0x13920028a3bcc075, 369 | "WNF_ENTR_SEARCH_POLICY_VALUE_CHANGED": 0x13920028a3bc7075, 370 | "WNF_ENTR_SEARCH_PREVENT_INDEXING_LOW_DISK_SPACE_MB": 0x13920028a3bcc875, 371 | "WNF_ENTR_SECURITY_POLICY_VALUE_CHANGED": 0x13920028a3bc3875, 372 | "WNF_ENTR_SPLITLAYOUT_AVAILABILITY_POLICY_VALUE_CHANGED": 0x13920028a3be4875, 373 | "WNF_ENTR_SYSTEM_POLICY_VALUE_CHANGED": 0x13920028a3bc1875, 374 | "WNF_ENTR_TOUCHKEYBOARDDICTATION_POLICY_VALUE_CHANGED": 0x13920028a3be6075, 375 | "WNF_ENTR_UPDATESERVICEURL_POLICY_VALUE_CHANGED": 0x13920028a3bd2875, 376 | "WNF_ENTR_UPDATE_POLICY_VALUE_CHANGED": 0x13920028a3bc4875, 377 | "WNF_ENTR_WAP_MESSAGE_FOR_DMWAPPUSHSVC_READY": 0x13920028a3bc9075, 378 | "WNF_ENTR_WIDELAYOUT_AVAILABILITY_POLICY_VALUE_CHANGED": 0x13920028a3be3075, 379 | "WNF_ENTR_WIFI_POLICY_VALUE_CHANGED": 0x13920028a3bc1075, 380 | "WNF_ENTR_WINDOWSDEFENDERSECURITYCENTER_POLICY_VALUE_CHANGED": 0x13920028a3be1075, 381 | "WNF_ENTR_WINDOWS_DEFENDER_POLICY_VALUE_CHANGED": 0x13920028a3bcf075, 382 | "WNF_EOA_ATMANAGER_ATS_STARTED": 0x41870128a3bc2035, 383 | "WNF_EOA_NARRATOR_FOCUS_CHANGE": 0x41870128a3bc08f5, 384 | "WNF_EOA_NARRATOR_KEYBOARD_REMAP": 0x41870128a3bc2875, 385 | "WNF_EOA_NARRATOR_RUNNING": 0x41870128a3bc1075, 386 | "WNF_EOA_UISETTINGS_CHANGED": 0x41870128a3bc1875, 387 | "WNF_ETW_SUBSYSTEM_INITIALIZED": 0x41911a28a3bc0875, 388 | "WNF_EXEC_OSTASKCOMPLETION_REVOKED": 0x2831628a3bc0875, 389 | "WNF_EXEC_THERMAL_LIMITER_CLOSE_APPLICATION_VIEWS": 0x2831628a3bc1875, 390 | "WNF_EXEC_THERMAL_LIMITER_DISPLAY_WARNING": 0x2831628a3bc2875, 391 | "WNF_EXEC_THERMAL_LIMITER_STOP_MRC": 0x2831628a3bc3075, 392 | "WNF_EXEC_THERMAL_LIMITER_TERMINATE_BACKGROUND_TASKS": 0x2831628a3bc2075, 393 | "WNF_FDBK_QUESTION_NOTIFICATION": 0xa840a2ba3bc0875, 394 | "WNF_FLTN_WNF_ARRIVED": 0xf92022ba3bc0875, 395 | "WNF_FLT_RUNDOWN_WAIT": 0x4192022ba3bc0875, 396 | "WNF_FLYT_IDS_CHANGED": 0x159f022ba3bc0875, 397 | "WNF_FOD_STATE_CHANGE": 0x4182012ba3bc0875, 398 | "WNF_FSRL_OPLOCK_BREAK": 0xd941d2ba3bc1075, 399 | "WNF_FSRL_TIERED_VOLUME_DETECTED": 0xd941d2ba3bc0875, 400 | "WNF_FVE_BDESVC_TRIGGER_START": 0x4183182ba3bc3075, 401 | "WNF_FVE_BITLOCKER_ENCRYPT_ALL_DRIVES": 0x4183182ba3bc6875, 402 | "WNF_FVE_DETASK_SYNC_PROVISIONING_COMPLETE": 0x4183182ba3bc7075, 403 | "WNF_FVE_DETASK_TRIGGER_START": 0x4183182ba3bc6075, 404 | "WNF_FVE_DE_MANAGED_VOLUMES_COUNT": 0x4183182ba3bc1075, 405 | "WNF_FVE_DE_SUPPORT": 0x4183182ba3bc0875, 406 | "WNF_FVE_MDM_POLICY_REFRESH": 0x4183182ba3bc4075, 407 | "WNF_FVE_REQUIRE_SDCARD_ENCRYPTION": 0x4183182ba3bc4875, 408 | "WNF_FVE_SDCARD_ENCRYPTION_REQUEST": 0x4183182ba3bc5075, 409 | "WNF_FVE_SDCARD_ENCRYPTION_STATUS": 0x4183182ba3bc5875, 410 | "WNF_FVE_STATE_CHANGE": 0x4183182ba3bc3875, 411 | "WNF_FVE_WIM_HASH_DELETION_TRIGGER": 0x4183182ba3bc2875, 412 | "WNF_FVE_WIM_HASH_GENERATION_COMPLETION": 0x4183182ba3bc2075, 413 | "WNF_FVE_WIM_HASH_GENERATION_TRIGGER": 0x4183182ba3bc1875, 414 | "WNF_GC_INITIAL_PRESENT": 0x41c60d2aa3bc0875, 415 | "WNF_GIP_ADAPTER_CHANGE": 0x4196072aa3bc0875, 416 | "WNF_GLOB_USERPROFILE_LANGLIST_CHANGED": 0x389022aa3bc0875, 417 | "WNF_GPOL_SYSTEM_CHANGES": 0xd891e2aa3bc0875, 418 | "WNF_GPOL_USER_CHANGES": 0xd891e2aa3bc10f5, 419 | "WNF_HAM_SYSTEM_STATE_CHANGED": 0x418b0f25a3bc0875, 420 | "WNF_HAS_VERIFY_HEALTH_CERT": 0x41950f25a3bc0875, 421 | "WNF_HOLO_CAPTURE_STATE": 0xe8a0125a3bcc035, 422 | "WNF_HOLO_DISPLAY_QUALITY_LEVEL": 0xe8a0125a3bc7835, 423 | "WNF_HOLO_ENVIRONMENT_AUDIO_ASSET": 0xe8a0125a3bc5075, 424 | "WNF_HOLO_FORCE_ROOM_BOUNDARY": 0xe8a0125a3bc2835, 425 | "WNF_HOLO_INPUT_FOCUS_CHANGE": 0xe8a0125a3bc2075, 426 | "WNF_HOLO_PROJECTION_REQUEST": 0xe8a0125a3bcb835, 427 | "WNF_HOLO_REQUEST_HMD_USE_STATE": 0xe8a0125a3bc9035, 428 | "WNF_HOLO_REQUEST_HOLOGRAPHIC_ACTIVATION_REALM": 0xe8a0125a3bc9835, 429 | "WNF_HOLO_RESET_IDLE_TIMER": 0xe8a0125a3bca035, 430 | "WNF_HOLO_RETAIL_DEMO_TIMER": 0xe8a0125a3bc7035, 431 | "WNF_HOLO_ROOM_BOUNDARY_DATA_CHANGED": 0xe8a0125a3bc3835, 432 | "WNF_HOLO_ROOM_BOUNDARY_VISIBILITY": 0xe8a0125a3bc4035, 433 | "WNF_HOLO_SET_SHELL_SPAWN_POINT": 0xe8a0125a3bc6835, 434 | "WNF_HOLO_SHARING_SESSION_CONTEXT": 0xe8a0125a3bcb035, 435 | "WNF_HOLO_SHELL_INPUT_3DSWITCH_DISABLE": 0xe8a0125a3bc4835, 436 | "WNF_HOLO_SHELL_STATE": 0xe8a0125a3bc1835, 437 | "WNF_HOLO_SHELL_STATE_INTERACTIVE_USER": 0xe8a0125a3bca875, 438 | "WNF_HOLO_STREAMING_STATE": 0xe8a0125a3bc3035, 439 | "WNF_HOLO_SYSTEM_DISPLAY_CONTEXT_CHANGE": 0xe8a0125a3bc8875, 440 | "WNF_HOLO_UNINSTALL_COMPLETE": 0xe8a0125a3bc6075, 441 | "WNF_HOLO_UNINSTALL_PREPARE": 0xe8a0125a3bc5875, 442 | "WNF_HOLO_UNINSTALL_PREPARE_COMPLETE": 0xe8a0125a3bc8075, 443 | "WNF_HOLO_USER_DISPLAY_CONTEXT": 0xe8a0125a3bc0835, 444 | "WNF_HOLO_USER_INPUT_CONTEXT": 0xe8a0125a3bc1035, 445 | "WNF_HVL_CPU_MGMT_PARTITION": 0x418a1825a3bc0875, 446 | "WNF_HYPV_HOST_WMI_EVENT_PROVIDER_STATE": 0x17961725a3bc1075, 447 | "WNF_HYPV_HOST_WMI_OBJECT_PROVIDER_STATE": 0x17961725a3bc0875, 448 | "WNF_IME_AUTOMATIC_PRIVATE_MODE": 0x41830324a3bc1835, 449 | "WNF_IME_EXPLICIT_PRIVATE_MODE": 0x41830324a3bc1035, 450 | "WNF_IME_INPUT_MODE_LABEL": 0x41830324a3bc0875, 451 | "WNF_IME_INPUT_SWITCH_NOTIFY": 0x41830324a3bc2035, 452 | "WNF_IMSN_GLOBALLIGHTSINVALIDATED": 0xf950324a3bc4835, 453 | "WNF_IMSN_IMMERSIVEMONITORCHANGED": 0xf950324a3bc1835, 454 | "WNF_IMSN_KILL_LOGICAL_FOCUS": 0xf950324a3bc3035, 455 | "WNF_IMSN_LAUNCHERVISIBILITY": 0xf950324a3bc1035, 456 | "WNF_IMSN_MONITORMODECHANGED": 0xf950324a3bc0835, 457 | "WNF_IMSN_PROJECTIONDISPLAYAVAILABLE": 0xf950324a3bc3835, 458 | "WNF_IMSN_TRANSPARENCYPOLICY": 0xf950324a3bc4035, 459 | "WNF_IMS_PUSH_NOTIFICATION_RECEIVED": 0x41950324a3bc0875, 460 | "WNF_IOT_EMBEDDED_MODE_POLICY_VALUE_CHANGED": 0x41920124a3bc0875, 461 | "WNF_IOT_STARTUP_SETTINGS_CHANGED": 0x41920124a3bc1075, 462 | "WNF_ISM_CURSOR_MANAGER_READY": 0x418b1d24a3bc1835, 463 | "WNF_ISM_GAMECONTROLLER_ZEPHYRUS_FAULT": 0x418b1d24a3bc2075, 464 | "WNF_ISM_INPUT_UPDATE_AFTER_TRACK_INTERVAL": 0x418b1d24a3bc1035, 465 | "WNF_ISM_LAST_USER_ACTIVITY": 0x418b1d24a3bc0835, 466 | "WNF_IUIS_SCALE_CHANGED": 0x128f1b24a3bc0835, 467 | "WNF_KSV_CAMERAPRIVACY": 0x41901d26a3bc2875, 468 | "WNF_KSV_DEVICESTATE": 0x41901d26a3bc1075, 469 | "WNF_KSV_FSSTREAMACTIVITY": 0x41901d26a3bc1875, 470 | "WNF_KSV_KSSTREAMACTIVITY": 0x41901d26a3bc2075, 471 | "WNF_KSV_STREAMSTATE": 0x41901d26a3bc0875, 472 | "WNF_LANG_FOD_INSTALLATION_STARTED": 0x6880f21a3bc0875, 473 | "WNF_LED_SETTINGSCHANGED": 0x41820b21a3bc0875, 474 | "WNF_LFS_ACTION_DIALOG_AVAILABLE": 0x41950821a3bc4875, 475 | "WNF_LFS_CLIENT_RECALCULATE_PERMISSIONS": 0x41950821a3bc3875, 476 | "WNF_LFS_GEOFENCETRACKING_STATE": 0x41950821a3bc2075, 477 | "WNF_LFS_LOCATION_MDM_AREA_POLICY_CHANGED": 0x41950821a3bc6075, 478 | "WNF_LFS_LOCATION_MDM_POLICY_ENABLELOCATION_CHANGED": 0x41950821a3bc6875, 479 | "WNF_LFS_MASTERSWITCH_STATE": 0x41950821a3bc1875, 480 | "WNF_LFS_PERMISSION_TO_SHOW_ICON_CHANGED": 0x41950821a3bc4075, 481 | "WNF_LFS_POSITION_AVAILABLE": 0x41950821a3bc3075, 482 | "WNF_LFS_RESERVED_WNF_EVENT_2": 0x41950821a3bc2875, 483 | "WNF_LFS_RUNNING_STATE": 0x41950821a3bc1075, 484 | "WNF_LFS_SIGNIFICANT_LOCATION_EVENT": 0x41950821a3bc5075, 485 | "WNF_LFS_STATE": 0x41950821a3bc0875, 486 | "WNF_LFS_VISITS_SIGNIFICANT_LOCATION_EVENT": 0x41950821a3bc5875, 487 | "WNF_LIC_DEVICE_LICENSE_MISSING": 0x41850721a3bc3075, 488 | "WNF_LIC_DEVICE_LICENSE_REMOVED": 0x41850721a3bc2875, 489 | "WNF_LIC_DEVICE_LICENSE_UPDATED": 0x41850721a3bc2075, 490 | "WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE": 0x41850721a3bc1875, 491 | "WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_OUT_OF_TOLERANCE": 0x41850721a3bc1075, 492 | "WNF_LIC_INT_DEVICE_LICENSE_EXPIRED": 0x41850721a3bc3875, 493 | "WNF_LIC_LOCAL_MIGRATED_LICENSES_FOUND": 0x41850721a3bc4075, 494 | "WNF_LIC_MANAGE_DEVICE_REGISTRATION_AND_REACTIVATION": 0x41850721a3bc4875, 495 | "WNF_LIC_NO_APPLICABLE_LICENSES_FOUND": 0x41850721a3bc0875, 496 | "WNF_LM_APP_LICENSE_EVENT": 0x41c60321a3bc2875, 497 | "WNF_LM_CONTENT_LICENSE_CHANGED": 0x41c60321a3bc1075, 498 | "WNF_LM_LICENSE_REFRESHED": 0x41c60321a3bc3875, 499 | "WNF_LM_OFFLINE_PC_CHANGED": 0x41c60321a3bc3075, 500 | "WNF_LM_OPTIONAL_PACKAGE_SUSPEND_REQUIRED": 0x41c60321a3bc2075, 501 | "WNF_LM_PACKAGE_SUSPEND_REQUIRED": 0x41c60321a3bc0875, 502 | "WNF_LM_ROOT_LICENSE_CHANGED": 0x41c60321a3bc1875, 503 | "WNF_LOC_DEVICE_BROKER_ACCESS_CHANGED": 0x41850121a3bc0875, 504 | "WNF_LOC_RESERVED_WNF_EVENT": 0x41850121a3bc1075, 505 | "WNF_LOC_SHOW_SYSTRAY": 0x41850121a3bc1875, 506 | "WNF_LOGN_BIO_ENROLLMENT_APP_INSTANCE_CHANGED": 0xf810121a3bc4075, 507 | "WNF_LOGN_CREDENTIAL_TILE_SELECTION_CHANGED": 0xf810121a3bc3075, 508 | "WNF_LOGN_EOA_FLYOUT_POSITION": 0xf810121a3bc0835, 509 | "WNF_LOGN_LOCAL_SIGNON": 0xf810121a3bc2875, 510 | "WNF_LOGN_PINPAD_VISIBLE": 0xf810121a3bc2035, 511 | "WNF_LOGN_RETURN_TO_LOCK": 0xf810121a3bc1835, 512 | "WNF_LOGN_SLIDE_TO_SHUTDOWN": 0xf810121a3bc1035, 513 | "WNF_LOGN_SUPPRESS_FINGERPRINT_WAKE": 0xf810121a3bc3835, 514 | "WNF_MAPS_MAPLOADER_PACKAGE_CHANGE": 0x12960f20a3bc2075, 515 | "WNF_MAPS_MAPLOADER_PROGRESS": 0x12960f20a3bc1075, 516 | "WNF_MAPS_MAPLOADER_STATUS_CHANGE": 0x12960f20a3bc1875, 517 | "WNF_MM_BAD_MEMORY_PENDING_REMOVAL": 0x41c60320a3bc0875, 518 | "WNF_MM_PHYSICAL_MEMORY_CHANGE": 0x41c60320a3bc1075, 519 | "WNF_MON_THERMAL_CAP_CHANGED": 0x41880120a3bc0875, 520 | "WNF_MRT_MERGE_SYSTEM_PRI_FILES": 0x41921c20a3bc2075, 521 | "WNF_MRT_PERSISTENT_QUALIFIER_CHANGED": 0x41921c20a3bc1c75, 522 | "WNF_MRT_QUALIFIER_CONTRAST_CHANGED": 0x41921c20a3bc0875, 523 | "WNF_MRT_QUALIFIER_THEME_CHANGED": 0x41921c20a3bc1075, 524 | "WNF_MRT_SYSTEM_PRI_MERGE": 0x41921c20a3bc2875, 525 | "WNF_MSA_ACCOUNTSTATECHANGE": 0x41871d20a3bc0835, 526 | "WNF_MSA_TPM_AVAILABLE": 0x41871d20a3bc1475, 527 | "WNF_MSA_TPM_SERVER_CLIENT_KEY_STATE_UPDATED": 0x41871d20a3bc1875, 528 | "WNF_MUR_MEDIA_UI_REQUEST_LAN": 0x41941b20a3bc1075, 529 | "WNF_MUR_MEDIA_UI_REQUEST_WLAN": 0x41941b20a3bc0875, 530 | "WNF_NASV_DYNAMIC_LOCK_BLUETOOTH_STATUS": 0x17950f23a3bc2075, 531 | "WNF_NASV_SERVICE_RUNNING": 0x17950f23a3bc1075, 532 | "WNF_NASV_USER_AUTHENTICATION": 0x17950f23a3bc1835, 533 | "WNF_NASV_USER_PRESENT": 0x17950f23a3bc0835, 534 | "WNF_NCB_APP_AVAILABLE": 0x41840d23a3bc0875, 535 | "WNF_NDIS_ADAPTER_ARRIVAL": 0x128f0a23a3bc0875, 536 | "WNF_NDIS_CORRUPTED_STORE": 0x128f0a23a3bc1075, 537 | "WNF_NFC_SE_CARD_EMULATION_STATE_CHANGED": 0x41850823a3bc0875, 538 | "WNF_NGC_AIKCERT_TRIGGER": 0x41850923a3bc1075, 539 | "WNF_NGC_CREDENTIAL_REFRESH_REQUIRED": 0x41850923a3bc3875, 540 | "WNF_NGC_CREDENTIAL_RESET_EXPERIENCE_ACTIVE": 0x41850923a3bc5075, 541 | "WNF_NGC_CRYPTO_MDM_POLICY_CHANGED": 0x41850923a3bc3075, 542 | "WNF_NGC_GESTURE_AUTHENTICATED": 0x41850923a3bc2875, 543 | "WNF_NGC_LAUNCH_NTH_USER_SCENARIO": 0x41850923a3bc6075, 544 | "WNF_NGC_LAUNCH_PIN_RESET_SCENARIO": 0x41850923a3bc4875, 545 | "WNF_NGC_PIN_RESET_SCENARIO_STATE_CHANGE": 0x41850923a3bc4035, 546 | "WNF_NGC_PREGEN_DELAY_TRIGGER": 0x41850923a3bc2075, 547 | "WNF_NGC_PREGEN_NGCISOCTNR_TRIGGER": 0x41850923a3bc6875, 548 | "WNF_NGC_PREGEN_TRIGGER": 0x41850923a3bc0875, 549 | "WNF_NGC_PRO_CSP_POLICY_CHANGED": 0x41850923a3bc1875, 550 | "WNF_NLA_CAPABILITY_CHANGE": 0x41870223a3bc0875, 551 | "WNF_NLA_TASK_TRIGGER": 0x41870223a3bc1875, 552 | "WNF_NLM_HNS_HIDDEN_INTERFACE": 0x418b0223a3bc1875, 553 | "WNF_NLM_INTERNET_PRESENT": 0x418b0223a3bc1075, 554 | "WNF_NLM_VPN_RECONNECT_CHANGE": 0x418b0223a3bc0875, 555 | "WNF_NLS_GEOID_CHANGED": 0x41950223a3bc2035, 556 | "WNF_NLS_LOCALE_INFO_CHANGED": 0x41950223a3bc1835, 557 | "WNF_NLS_USER_DEFAULT_LOCALE_CHANGED": 0x41950223a3bc0835, 558 | "WNF_NLS_USER_UILANG_CHANGED": 0x41950223a3bc1035, 559 | "WNF_NPSM_SERVICE_STARTED": 0xc951e23a3bc0875, 560 | "WNF_NSI_SERVICE_STATUS": 0x418f1d23a3bc0875, 561 | "WNF_OLIC_OS_EDITION_CHANGE": 0x28f0222a3bc5075, 562 | "WNF_OLIC_OS_LICENSE_NON_GENUINE": 0x28f0222a3bc6875, 563 | "WNF_OLIC_OS_LICENSE_POLICY_CHANGE": 0x28f0222a3bc5875, 564 | "WNF_OLIC_OS_LICENSE_TERMS_ACCEPTED": 0x28f0222a3bc6075, 565 | "WNF_OOBE_SHL_MAGNIFIER_CONFIRM": 0x4840122a3bc1035, 566 | "WNF_OOBE_SHL_MAGNIFIER_QUERY": 0x4840122a3bc0835, 567 | "WNF_OOBE_SHL_MONITOR_STATE": 0x4840122a3bc1875, 568 | "WNF_OOBE_SHL_SPEECH_CONTROLLER": 0x4840122a3bc2035, 569 | "WNF_OSWN_STORAGE_APP_PAIRING_CHANGE": 0xf911d22a3bc8075, 570 | "WNF_OSWN_STORAGE_FINISHED_USAGE_CATEGORY_UPDATE": 0xf911d22a3bcb875, 571 | "WNF_OSWN_STORAGE_FREE_SPACE_CHANGE": 0xf911d22a3bc7075, 572 | "WNF_OSWN_STORAGE_PRESENCE_CHANGE": 0xf911d22a3bc6075, 573 | "WNF_OSWN_STORAGE_SHELLHWD_EVENT": 0xf911d22a3bcc075, 574 | "WNF_OSWN_STORAGE_TEMP_CLEANUP_CHANGE": 0xf911d22a3bc7875, 575 | "WNF_OSWN_STORAGE_VOLUME_STATUS_CHANGE": 0xf911d22a3bc6875, 576 | "WNF_OSWN_SYSTEM_CLOCK_CHANGED": 0xf911d22a3bc5875, 577 | "WNF_OS_IP_OVER_USB_AVAILABLE": 0x41c61d22a3bc8075, 578 | "WNF_OS_IU_PROGRESS_REPORT": 0x41c61d22a3bc8875, 579 | "WNF_OVRD_OVERRIDESCALEUPDATED": 0x5941822a3bc0875, 580 | "WNF_PAY_CANMAKEPAYMENT_BROKER_READY": 0x419f0f3da3bc0875, 581 | "WNF_PFG_PEN_FIRST_DRAG": 0x4181083da3bc1075, 582 | "WNF_PFG_PEN_FIRST_TAP": 0x4181083da3bc0875, 583 | "WNF_PHNL_LINE1_READY": 0xd88063da3bc4075, 584 | "WNF_PHNP_ANNOTATION_ENDPOINT": 0x1188063da3bc4875, 585 | "WNF_PHNP_SERVICE_INITIALIZED": 0x1188063da3bc3875, 586 | "WNF_PHNP_SIMSEC_READY": 0x1188063da3bc4075, 587 | "WNF_PHN_CALLFORWARDING_STATUS_LINE0": 0x4188063da3bc3075, 588 | "WNF_PHN_CALL_STATUS": 0x4188063da3bc2875, 589 | "WNF_PMEM_MEMORY_ERROR": 0xc83033da3bc0875, 590 | "WNF_PNPA_DEVNODES_CHANGED": 0x96003da3bc0875, 591 | "WNF_PNPA_DEVNODES_CHANGED_SESSION": 0x96003da3bc1035, 592 | "WNF_PNPA_HARDWAREPROFILES_CHANGED": 0x96003da3bc2875, 593 | "WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION": 0x96003da3bc3035, 594 | "WNF_PNPA_PORTS_CHANGED": 0x96003da3bc3875, 595 | "WNF_PNPA_PORTS_CHANGED_SESSION": 0x96003da3bc4035, 596 | "WNF_PNPA_VOLUMES_CHANGED": 0x96003da3bc1875, 597 | "WNF_PNPA_VOLUMES_CHANGED_SESSION": 0x96003da3bc2035, 598 | "WNF_PNPB_AWAITING_RESPONSE": 0x396003da3bc0875, 599 | "WNF_PNPC_CONTAINER_CONFIG_REQUESTED": 0x296003da3bc1875, 600 | "WNF_PNPC_DEVICE_INSTALL_REQUESTED": 0x296003da3bc1075, 601 | "WNF_PNPC_REBOOT_REQUIRED": 0x296003da3bc0875, 602 | "WNF_PO_BACKGROUND_ACTIVITY_POLICY": 0x41c6013da3bc9075, 603 | "WNF_PO_BASIC_BRIGHTNESS_ENGINE_DISABLED": 0x41c6013da3bcd075, 604 | "WNF_PO_BATTERY_CHARGE_LEVEL": 0x41c6013da3bc8075, 605 | "WNF_PO_BATTERY_CHARGE_LIMITING_MODE": 0x41c6013da3bd3875, 606 | "WNF_PO_BATTERY_DISCHARGING": 0x41c6013da3bc9875, 607 | "WNF_PO_BRIGHTNESS_ALS_OFFSET": 0x41c6013da3bcd875, 608 | "WNF_PO_CAD_STICKY_DISABLE_CHARGING": 0x41c6013da3bcf075, 609 | "WNF_PO_CHARGE_ESTIMATE": 0x41c6013da3bc6075, 610 | "WNF_PO_COMPOSITE_BATTERY": 0x41c6013da3bc1075, 611 | "WNF_PO_DISCHARGE_ESTIMATE": 0x41c6013da3bc5075, 612 | "WNF_PO_DISCHARGE_START_FILETIME": 0x41c6013da3bc5c75, 613 | "WNF_PO_DISPLAY_REQUEST_ACTIVE": 0x41c6013da3bc7835, 614 | "WNF_PO_DRIPS_DEVICE_CONSTRAINTS_REGISTERED": 0x41c6013da3bcc875, 615 | "WNF_PO_ENERGY_SAVER_OVERRIDE": 0x41c6013da3bc3075, 616 | "WNF_PO_ENERGY_SAVER_SETTING": 0x41c6013da3bc2875, 617 | "WNF_PO_ENERGY_SAVER_STATE": 0x41c6013da3bc2075, 618 | "WNF_PO_INPUT_SUPPRESS_NOTIFICATION": 0x41c6013da3bd1875, 619 | "WNF_PO_INPUT_SUPPRESS_NOTIFICATION_EX": 0x41c6013da3bd3075, 620 | "WNF_PO_MODERN_STANDBY_EXIT_INITIATED": 0x41c6013da3bcb875, 621 | "WNF_PO_OPPORTUNISTIC_CS": 0x41c6013da3bd2875, 622 | "WNF_PO_OVERLAY_POWER_SCHEME_UPDATE": 0x41c6013da3bce875, 623 | "WNF_PO_POWER_BUTTON_STATE": 0x41c6013da3bcf875, 624 | "WNF_PO_POWER_STATE_CHANGE": 0x41c6013da3bc1875, 625 | "WNF_PO_PRESLEEP_NOTIFICATION": 0x41c6013da3bd1075, 626 | "WNF_PO_PREVIOUS_SHUTDOWN_STATE": 0x41c6013da3bcb075, 627 | "WNF_PO_PRIMARY_DISPLAY_LOGICAL_STATE": 0x41c6013da3bca875, 628 | "WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATE": 0x41c6013da3bca075, 629 | "WNF_PO_SCENARIO_CHANGE": 0x41c6013da3bc0875, 630 | "WNF_PO_SLEEP_STUDY_USER_PRESENCE_CHANGED": 0x41c6013da3bc8875, 631 | "WNF_PO_SW_HW_DRIPS_DIVERGENCE": 0x41c6013da3bcc075, 632 | "WNF_PO_SYSTEM_TIME_CHANGED": 0x41c6013da3bd0075, 633 | "WNF_PO_THERMAL_HIBERNATE_OCCURRED": 0x41c6013da3bc4875, 634 | "WNF_PO_THERMAL_OVERTHROTTLE": 0x41c6013da3bc6875, 635 | "WNF_PO_THERMAL_SHUTDOWN_OCCURRED": 0x41c6013da3bc4075, 636 | "WNF_PO_THERMAL_STANDBY": 0x41c6013da3bc3875, 637 | "WNF_PO_USER_AWAY_PREDICTION": 0x41c6013da3bc7075, 638 | "WNF_PO_VIDEO_INITIALIALIZED": 0x41c6013da3bce075, 639 | "WNF_PO_WAKE_ON_VOICE_STATE": 0x41c6013da3bd2075, 640 | "WNF_PO_WEAK_CHARGER": 0x41c6013da3bd0875, 641 | "WNF_PROV_AUTOPILOT_ASYNC_COMPLETE": 0x17891c3da3bc2075, 642 | "WNF_PROV_AUTOPILOT_PROFILE_AVAILABLE": 0x17891c3da3bc1875, 643 | "WNF_PROV_AUTOPILOT_TPM_MSA_TRIGGER": 0x17891c3da3bc2875, 644 | "WNF_PROV_DEVICE_BOOTSTRAP_COMPLETE": 0x17891c3da3bc3475, 645 | "WNF_PROV_TPM_ATTEST_COMPLETE": 0x17891c3da3bc1075, 646 | "WNF_PROV_TURN_COMPLETE": 0x17891c3da3bc0875, 647 | "WNF_PS_WAKE_CHARGE_RESOURCE_POLICY": 0x41c61d3da3bc0875, 648 | "WNF_PTI_WNS_RECEIVED": 0x418f1a3da3bc0875, 649 | "WNF_RDR_SMB1_NOT_IN_USE_STATE_CHANGE": 0x41940a3fa3bc0875, 650 | "WNF_RM_GAME_MODE_ACTIVE": 0x41c6033fa3bc1075, 651 | "WNF_RM_MEMORY_MONITOR_USAGE_METRICS": 0x41c6033fa3bc0875, 652 | "WNF_RM_QUIET_MODE": 0x41c6033fa3bc1875, 653 | "WNF_RPCF_FWMAN_RUNNING": 0x7851e3fa3bc0875, 654 | "WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED": 0x12821a3fa3bc1875, 655 | "WNF_RTDS_RPC_INTERFACE_TRIGGER_CHANGED": 0x12821a3fa3bc0875, 656 | "WNF_RTSC_PRIVACY_SETTINGS_CHANGED": 0x2951a3fa3bc0875, 657 | "WNF_SBS_UPDATE_AVAILABLE": 0x41950c3ea3bc0875, 658 | "WNF_SCM_AUTOSTART_STATE": 0x418b0d3ea3bc0875, 659 | "WNF_SDO_ORIENTATION_CHANGE": 0x41890a3ea3bc0875, 660 | "WNF_SEB_AIRPLANE_MODE_DISABLED_FOR_EMERGENCY_CALL": 0x41840b3ea3bd7075, 661 | "WNF_SEB_APP_LAUNCH_PREFETCH": 0x41840b3ea3bd1075, 662 | "WNF_SEB_APP_RESUME": 0x41840b3ea3bd2075, 663 | "WNF_SEB_AUDIO_ACTIVITY": 0x41840b3ea3bdb075, 664 | "WNF_SEB_BACKGROUND_WORK_COST_CHANGE": 0x41840b3ea3bc8875, 665 | "WNF_SEB_BACKGROUND_WORK_COST_HIGH": 0x41840b3ea3bc9075, 666 | "WNF_SEB_BATTERY_LEVEL": 0x41840b3ea3bc5075, 667 | "WNF_SEB_BOOT": 0x41840b3ea3bc6075, 668 | "WNF_SEB_CACHED_FILE_UPDATED": 0x41840b3ea3bcc875, 669 | "WNF_SEB_CALL_HISTORY_CHANGED": 0x41840b3ea3bd6075, 670 | "WNF_SEB_CALL_STATE_CHANGED": 0x41840b3ea3bd5075, 671 | "WNF_SEB_DEFAULT_SIGN_IN_ACCOUNT_CHANGE": 0x41840b3ea3bd9875, 672 | "WNF_SEB_DEPRECATED1": 0x41840b3ea3bd1875, 673 | "WNF_SEB_DEPRECATED2": 0x41840b3ea3bd2875, 674 | "WNF_SEB_DEPRECATED3": 0x41840b3ea3bd3075, 675 | "WNF_SEB_DEPRECATED4": 0x41840b3ea3bd3875, 676 | "WNF_SEB_DEPRECATED5": 0x41840b3ea3bd4075, 677 | "WNF_SEB_DEPRECATED6": 0x41840b3ea3bd4875, 678 | "WNF_SEB_DEPRECATED7": 0x41840b3ea3bce075, 679 | "WNF_SEB_DEPRECATED8": 0x41840b3ea3bce875, 680 | "WNF_SEB_DEV_MNF_CUSTOM_NOTIFICATION_RECEIVED": 0x41840b3ea3bcb875, 681 | "WNF_SEB_DOMAIN_JOINED": 0x41840b3ea3bc5875, 682 | "WNF_SEB_FREE_NETWORK_PRESENT": 0x41840b3ea3bc1075, 683 | "WNF_SEB_FULL_SCREEN_HDR_VIDEO_PLAYBACK": 0x41840b3ea3bdb875, 684 | "WNF_SEB_FULL_SCREEN_VIDEO_PLAYBACK": 0x41840b3ea3bd0075, 685 | "WNF_SEB_GAME_MODE": 0x41840b3ea3bdd875, 686 | "WNF_SEB_GEOLOCATION": 0x41840b3ea3bcb075, 687 | "WNF_SEB_INCOMING_CALL_DISMISSED": 0x41840b3ea3bde075, 688 | "WNF_SEB_INTERNET_PRESENT": 0x41840b3ea3bc0875, 689 | "WNF_SEB_IP_ADDRESS_AVAILABLE": 0x41840b3ea3bc8075, 690 | "WNF_SEB_LINE_CHANGED": 0x41840b3ea3bd6875, 691 | "WNF_SEB_LOW_LATENCY_POWER_REQUEST": 0x41840b3ea3bcf075, 692 | "WNF_SEB_MBAE_NOTIFICATION_RECEIVED": 0x41840b3ea3bc2875, 693 | "WNF_SEB_MIXED_REALITY": 0x41840b3ea3bdd075, 694 | "WNF_SEB_MOBILE_BROADBAND_DEVICE_SERVICE_NOTIFICATION": 0x41840b3ea3bd9075, 695 | "WNF_SEB_MOBILE_BROADBAND_PCO_VALUE_CHANGE": 0x41840b3ea3bdc875, 696 | "WNF_SEB_MOBILE_BROADBAND_PIN_LOCK_STATE_CHANGE": 0x41840b3ea3bd8875, 697 | "WNF_SEB_MOBILE_BROADBAND_RADIO_STATE_CHANGE": 0x41840b3ea3bd8075, 698 | "WNF_SEB_MOBILE_BROADBAND_REGISTRATION_STATE_CHANGE": 0x41840b3ea3bd7875, 699 | "WNF_SEB_MOB_OPERATOR_CUSTOM_NOTIFICATION_RECEIVED": 0x41840b3ea3bcc075, 700 | "WNF_SEB_MONITOR_ON": 0x41840b3ea3bc7875, 701 | "WNF_SEB_NETWORK_CONNECTIVITY_IN_STANDBY": 0x41840b3ea3bda075, 702 | "WNF_SEB_NETWORK_CONTROL_CHANNEL_TRIGGER_RESET": 0x41840b3ea3bc3075, 703 | "WNF_SEB_NETWORK_STATE_CHANGES": 0x41840b3ea3bc2075, 704 | "WNF_SEB_NFC_PERF_BOOST": 0x41840b3ea3bd0875, 705 | "WNF_SEB_ONLINE_ID_CONNECTED_STATE_CHANGE": 0x41840b3ea3bc4075, 706 | "WNF_SEB_RESILIENCY_NOTIFICATION_PHASE": 0x41840b3ea3bcf875, 707 | "WNF_SEB_SMART_CARD_FIELD_INFO_NOTIFICATION": 0x41840b3ea3bcd075, 708 | "WNF_SEB_SMART_CARD_HCE_APPLICATION_ACTIVATION_NOTIFICATION": 0x41840b3ea3bcd875, 709 | "WNF_SEB_SMART_CARD_TRANSACTION_NOTIFICATION": 0x41840b3ea3bca075, 710 | "WNF_SEB_SMS_RECEIVED": 0x41840b3ea3bc1875, 711 | "WNF_SEB_SYSTEM_AC": 0x41840b3ea3bc7075, 712 | "WNF_SEB_SYSTEM_IDLE": 0x41840b3ea3bc4875, 713 | "WNF_SEB_SYSTEM_LPE": 0x41840b3ea3bc9875, 714 | "WNF_SEB_SYSTEM_MAINTENANCE": 0x41840b3ea3bca875, 715 | "WNF_SEB_TIME_ZONE_CHANGE": 0x41840b3ea3bc3875, 716 | "WNF_SEB_USER_PRESENCE_CHANGED": 0x41840b3ea3bda875, 717 | "WNF_SEB_USER_PRESENT": 0x41840b3ea3bc6875, 718 | "WNF_SEB_UWP_APP_LAUNCH": 0x41840b3ea3bdc075, 719 | "WNF_SEB_VOICEMAIL_CHANGED": 0x41840b3ea3bd5875, 720 | "WNF_SFA_AUTHENTICATION_STAGE_CHANGED": 0x4187083ea3bc0875, 721 | "WNF_SHEL_ABOVE_LOCK_APP_ACTIVE": 0xd83063ea3bd9835, 722 | "WNF_SHEL_ABOVE_LOCK_BIO_ACTIVE": 0xd83063ea3bda835, 723 | "WNF_SHEL_ACTIONCENTER_READY": 0xd83063ea3bf9835, 724 | "WNF_SHEL_ACTIONCENTER_VIEWSTATE_CHANGED": 0xd83063ea3bed035, 725 | "WNF_SHEL_APPLICATION_SPATIAL_INFO_UPDATE": 0xd83063ea3bdd875, 726 | "WNF_SHEL_APPLICATION_STARTED": 0xd83063ea3be0075, 727 | "WNF_SHEL_APPLICATION_STATE_UPDATE": 0xd83063ea3bc7075, 728 | "WNF_SHEL_APPLICATION_TERMINATED": 0xd83063ea3be0875, 729 | "WNF_SHEL_APPLIFECYCLE_INSTALL_STATE": 0xd83063ea3bee875, 730 | "WNF_SHEL_APPRESOLVER_SCAN": 0xd83063ea3bc5075, 731 | "WNF_SHEL_ASSISTANT_STATE_CHANGE": 0xd83063ea3bf8875, 732 | "WNF_SHEL_CACHED_CLOUD_NETWORK_STATE": 0xd83063ea3bed875, 733 | "WNF_SHEL_CALM_DISPLAY_ACTIVE": 0xd83063ea3bdb875, 734 | "WNF_SHEL_CDM_FEATURE_CONFIG_FIRST_USAGE": 0xd83063ea3bdf875, 735 | "WNF_SHEL_CDM_FEATURE_USAGE": 0xd83063ea3be9075, 736 | "WNF_SHEL_CDM_REGISTRATION_COMPLETE": 0xd83063ea3be6835, 737 | "WNF_SHEL_CLOUD_FILE_INDEXED_CHANGE": 0xd83063ea3bea875, 738 | "WNF_SHEL_CLOUD_FILE_PROGRESS_CHANGE": 0xd83063ea3beb075, 739 | "WNF_SHEL_CONTENT_DELIVERY_MANAGER_MONITORING": 0xd83063ea3be70f5, 740 | "WNF_SHEL_CONTENT_DELIVERY_MANAGER_NEEDS_REMEDIATION": 0xd83063ea3be4875, 741 | "WNF_SHEL_CORTANA_APPINDEX_UPDATED": 0xd83063ea3bc9875, 742 | "WNF_SHEL_CORTANA_AUDIO_ACTIVE": 0xd83063ea3bde075, 743 | "WNF_SHEL_CORTANA_BEACON_STATE_CHANGED": 0xd83063ea3bf1075, 744 | "WNF_SHEL_CORTANA_CAPABILTIES_CHANGED": 0xd83063ea3bf7035, 745 | "WNF_SHEL_CORTANA_MIC_TRAINING_COMPLETE": 0xd83063ea3be88f5, 746 | "WNF_SHEL_CORTANA_QUIET_MOMENT_AT_HOME": 0xd83063ea3bf0475, 747 | "WNF_SHEL_CORTANA_SPEECH_CANCELHANDSFREE_REQUESTED": 0xd83063ea3bdb035, 748 | "WNF_SHEL_CREATIVE_EVENT_BATTERY_SAVER_OVERRIDE_TRIGGERED": 0xd83063ea3bf3075, 749 | "WNF_SHEL_CREATIVE_EVENT_TRIGGERED": 0xd83063ea3bcd875, 750 | "WNF_SHEL_DDC_COMMAND_AVAILABLE": 0xd83063ea3bd2075, 751 | "WNF_SHEL_DDC_CONNECTED_ACCOUNTS_CHANGED": 0xd83063ea3bd6075, 752 | "WNF_SHEL_DDC_SMS_COMMAND": 0xd83063ea3bd3075, 753 | "WNF_SHEL_DDC_WNS_COMMAND": 0xd83063ea3bd2875, 754 | "WNF_SHEL_DESKTOP_APPLICATION_STARTED": 0xd83063ea3be5075, 755 | "WNF_SHEL_DESKTOP_APPLICATION_TERMINATED": 0xd83063ea3be5875, 756 | "WNF_SHEL_DEVICE_LOCKED": 0xd83063ea3bd3875, 757 | "WNF_SHEL_DEVICE_OPEN": 0xd83063ea3bf2875, 758 | "WNF_SHEL_DEVICE_UNLOCKED": 0xd83063ea3bcc075, 759 | "WNF_SHEL_DICTATION_RUNNING": 0xd83063ea3bd1835, 760 | "WNF_SHEL_ENTERPRISE_HIDE_PEOPLE_BAR_POLICY_VALUE_CHANGED": 0xd83063ea3be8075, 761 | "WNF_SHEL_ENTERPRISE_START_LAYOUT_POLICY_VALUE_CHANGED": 0xd83063ea3bc9475, 762 | "WNF_SHEL_ENTERPRISE_START_PLACES_POLICY_VALUE_CHANGED": 0xd83063ea3bec075, 763 | "WNF_SHEL_FOCUS_CHANGE": 0xd83063ea3bc7875, 764 | "WNF_SHEL_GAMECONTROLLER_FOCUS_INFO": 0xd83063ea3bc8875, 765 | "WNF_SHEL_GAMECONTROLLER_LISTENER_INFO": 0xd83063ea3bc8075, 766 | "WNF_SHEL_GAMECONTROLLER_NEXUS_INFO": 0xd83063ea3bcf075, 767 | "WNF_SHEL_HEALTH_STATE_CHANGED": 0xd83063ea3be4075, 768 | "WNF_SHEL_IMMERSIVE_SHELL_RUNNING": 0xd83063ea3bc0875, 769 | "WNF_SHEL_INSTALL_PLACEHOLDER_TILES": 0xd83063ea3bdc075, 770 | "WNF_SHEL_JUMPLIST_CHANGED": 0xd83063ea3bce075, 771 | "WNF_SHEL_LATEST_CONNECTED_AUTOPLAY_DEVICE": 0xd83063ea3bef875, 772 | "WNF_SHEL_LOCKAPPHOST_ACTIVE": 0xd83063ea3bf6835, 773 | "WNF_SHEL_LOCKSCREEN_ACTIVE": 0xd83063ea3bc5835, 774 | "WNF_SHEL_LOCKSCREEN_IMAGE_CHANGED": 0xd83063ea3bd5075, 775 | "WNF_SHEL_LOCKSCREEN_INFO_UPDATED": 0xd83063ea3bde835, 776 | "WNF_SHEL_LOCKSTATE": 0xd83063ea3bdd075, 777 | "WNF_SHEL_LOCK_APP_READY": 0xd83063ea3be3035, 778 | "WNF_SHEL_LOCK_APP_RELOCK": 0xd83063ea3be2835, 779 | "WNF_SHEL_LOCK_APP_REQUESTING_UNLOCK": 0xd83063ea3bd7835, 780 | "WNF_SHEL_LOCK_APP_SHOWN": 0xd83063ea3bd7035, 781 | "WNF_SHEL_LOCK_ON_LOGON": 0xd83063ea3bf2035, 782 | "WNF_SHEL_LOGON_COMPLETE": 0xd83063ea3bc1875, 783 | "WNF_SHEL_NEXT_NOTIFICATION_SINK_SESSION_ID": 0xd83063ea3bf5875, 784 | "WNF_SHEL_NOTIFICATIONS": 0xd83063ea3bc1035, 785 | "WNF_SHEL_NOTIFICATIONS_CRITICAL": 0xd83063ea3bca835, 786 | "WNF_SHEL_NOTIFICATION_SETTINGS_CHANGED": 0xd83063ea3bc3835, 787 | "WNF_SHEL_OOBE_ENABLE_PROVISIONING": 0xd83063ea3bd6835, 788 | "WNF_SHEL_OOBE_PROVISIONING_COMPLETE": 0xd83063ea3be9c75, 789 | "WNF_SHEL_OOBE_USER_LOGON_COMPLETE": 0xd83063ea3bc2475, 790 | "WNF_SHEL_PEOPLE_PANE_VIEW_CHANGED": 0xd83063ea3be2035, 791 | "WNF_SHEL_PEOPLE_PINNED_LIST_CHANGED": 0xd83063ea3bdc835, 792 | "WNF_SHEL_PLACES_CHANGED": 0xd83063ea3bcc875, 793 | "WNF_SHEL_QUIETHOURS_ACTIVE_PROFILE_CHANGED": 0xd83063ea3bf1c75, 794 | "WNF_SHEL_QUIET_MOMENT_SHELL_MODE_CHANGED": 0xd83063ea3bf5075, 795 | "WNF_SHEL_RADIALCONTROLLER_EXPERIENCE_RESTART": 0xd83063ea3bda035, 796 | "WNF_SHEL_REQUEST_CORTANA_SETTINGSCONSTRAINTINDEX_BUILD": 0xd83063ea3bd1075, 797 | "WNF_SHEL_RESTORE_PAYLOAD_COMPLETE": 0xd83063ea3bef075, 798 | "WNF_SHEL_SCREEN_COVERED": 0xd83063ea3bd5875, 799 | "WNF_SHEL_SESSION_LOGON_COMPLETE": 0xd83063ea3be3835, 800 | "WNF_SHEL_SETTINGS_CHANGED": 0xd83063ea3bcf875, 801 | "WNF_SHEL_SETTINGS_ENVIRONMENT_CHANGED": 0xd83063ea3bf4875, 802 | "WNF_SHEL_SIGNALMANAGER_NEW_SIGNAL_REGISTERED": 0xd83063ea3bfa035, 803 | "WNF_SHEL_SIGNAL_LOGONUI": 0xd83063ea3be7835, 804 | "WNF_SHEL_SIGNAL_MANAGER_FEATURE_TRIGGERED": 0xd83063ea3bec875, 805 | "WNF_SHEL_SIGNAL_MANAGER_SIGNAL_TRIGGERED": 0xd83063ea3bea075, 806 | "WNF_SHEL_SIGNAL_MANAGER_TESTING": 0xd83063ea3bee075, 807 | "WNF_SHEL_SOFTLANDING_PUBLISHED": 0xd83063ea3bd0835, 808 | "WNF_SHEL_SOFTLANDING_RULES_UPDATED": 0xd83063ea3bca075, 809 | "WNF_SHEL_SOFTLANDING_RULE_TRIGGERED": 0xd83063ea3bc4075, 810 | "WNF_SHEL_START_APPLIFECYCLE_DOWNLOAD_STARTED": 0xd83063ea3bc6875, 811 | "WNF_SHEL_START_APPLIFECYCLE_INSTALL_FINISHED": 0xd83063ea3bc6075, 812 | "WNF_SHEL_START_APPLIFECYCLE_UNINSTALL_FINISHED": 0xd83063ea3bce875, 813 | "WNF_SHEL_START_LAYOUT_MIGRATED": 0xd83063ea3beb8f5, 814 | "WNF_SHEL_START_LAYOUT_READY": 0xd83063ea3bc4875, 815 | "WNF_SHEL_START_PROCESS_SUSPENDED_INTERNAL": 0xd83063ea3bf3835, 816 | "WNF_SHEL_START_VISIBILITY_CHANGED": 0xd83063ea3bcb035, 817 | "WNF_SHEL_SUGGESTED_APP_READY": 0xd83063ea3be60f5, 818 | "WNF_SHEL_SUSPEND_APP_BACKGROUND_ACTIVITY": 0xd83063ea3bcd075, 819 | "WNF_SHEL_SYSTEMDIALOG_PUBLISHED": 0xd83063ea3bf4035, 820 | "WNF_SHEL_TAB_SHELL_INIT_COMPLETE": 0xd83063ea3bf6035, 821 | "WNF_SHEL_TARGETED_CONTENT_SUBSCRIPTION_ACTIVATED": 0xd83063ea3bd4075, 822 | "WNF_SHEL_TARGETED_CONTENT_SUBSCRIPTION_UPDATED": 0xd83063ea3bd4875, 823 | "WNF_SHEL_TASKBAR_PINS_UPDATED": 0xd83063ea3bf7875, 824 | "WNF_SHEL_TILECHANGE": 0xd83063ea3bc3075, 825 | "WNF_SHEL_TILEINSTALL": 0xd83063ea3bd8075, 826 | "WNF_SHEL_TILEUNINSTALL": 0xd83063ea3bd9075, 827 | "WNF_SHEL_TILEUPDATE": 0xd83063ea3bd8875, 828 | "WNF_SHEL_TOAST_PUBLISHED": 0xd83063ea3bd0035, 829 | "WNF_SHEL_TOAST_PUBLISHED_SYSTEMSCOPE": 0xd83063ea3bf9075, 830 | "WNF_SHEL_TRAY_SEARCHBOX_VISIBILITY_CHANGED": 0xd83063ea3bcb875, 831 | "WNF_SHEL_USER_IDLE": 0xd83063ea3be1875, 832 | "WNF_SHEL_VEEVENT_DISPATCHER_CLIENT_PIPE_CLOSED": 0xd83063ea3bc2875, 833 | "WNF_SHEL_WCOS_SESSION_ID": 0xd83063ea3bf8075, 834 | "WNF_SHEL_WINDOWSTIP_CONTENT_PUBLISHED": 0xd83063ea3be10f5, 835 | "WNF_SHR_DHCP_IPv4_FASTIP_ADDRS": 0x4194063ea3bc1875, 836 | "WNF_SHR_DHCP_IPv4_LEASE_LIST": 0x4194063ea3bc1075, 837 | "WNF_SHR_SHARING_CHANGED": 0x4194063ea3bc0835, 838 | "WNF_SIO_BIO_ENROLLED": 0x4189073ea3bc1075, 839 | "WNF_SIO_PIN_ENROLLED": 0x4189073ea3bc0875, 840 | "WNF_SKYD_FILE_SYNC": 0x59f053ea3bc0875, 841 | "WNF_SKYD_QUOTA_CHANGE": 0x59f053ea3bc1075, 842 | "WNF_SMSR_NEW_MESSAGE_RECEIVED": 0x1395033ea3bc1875, 843 | "WNF_SMSR_READY": 0x1395033ea3bc0875, 844 | "WNF_SMSR_WWAN_READ_DONE": 0x1395033ea3bc1075, 845 | "WNF_SMSS_MEMORY_COOLING_COMPATIBLE": 0x1295033ea3bc0875, 846 | "WNF_SMS_CHECK_ACCESS": 0x4195033ea3bc0875, 847 | "WNF_SPAC_SPACEPORT_PROPERTY_CHANGED": 0x2871e3ea3bc0875, 848 | "WNF_SPAC_SPACEPORT_WORK_REQUESTED": 0x2871e3ea3bc1075, 849 | "WNF_SPCH_ALLOW_REMOTE_SPEECH_SERVICES": 0x9851e3ea3bc2075, 850 | "WNF_SPCH_DISABLE_KWS_REQUEST": 0x9851e3ea3bc1875, 851 | "WNF_SPCH_INPUT_STATE_UPDATE": 0x9851e3ea3bc0835, 852 | "WNF_SPCH_REMOTE_SESSION_REQUEST": 0x9851e3ea3bc1075, 853 | "WNF_SPI_LOGICALDPIOVERRIDE": 0x418f1e3ea3bc0835, 854 | "WNF_SPI_PRIMARY_MONITOR_DPI_CHANGED": 0x418f1e3ea3bc1035, 855 | "WNF_SRC_SYSTEM_RADIO_CHANGED": 0x41851c3ea3bc0875, 856 | "WNF_SRT_WINRE_CONFIGURATION_CHANGE": 0x41921c3ea3bc0875, 857 | "WNF_SRUM_SCREENONSTUDY_SESSION": 0xc931c3ea3bc0875, 858 | "WNF_SRV_SMB1_NOT_IN_USE_STATE_CHANGE": 0x41901c3ea3bc1075, 859 | "WNF_SRV_SRV2_STATE_CHANGE": 0x41901c3ea3bc0875, 860 | "WNF_STOR_CONFIGURATION_DEVICE_INFO_UPDATED": 0x13891a3ea3bc0875, 861 | "WNF_STOR_CONFIGURATION_MO_TASK_RUNNING": 0x13891a3ea3bc1075, 862 | "WNF_STOR_CONFIGURATION_OEM_TASK_RUNNING": 0x13891a3ea3bc1875, 863 | "WNF_SUPP_ENABLE_ERROR_DETAILS_CACHE": 0x11961b3ea3bc0875, 864 | "WNF_SYNC_REQUEST_PROBE": 0x288173ea3bc0875, 865 | "WNF_SYS_SHUTDOWN_IN_PROGRESS": 0x4195173ea3bc0875, 866 | "WNF_TB_SYSTEM_TIME_CHANGED": 0x41c60c39a3bc0875, 867 | "WNF_TEAM_SHELL_HOTKEY_PRESSED": 0xc870b39a3bc0875, 868 | "WNF_TEL_DAILY_UPLOAD_QUOTA": 0x418a0b39a3be1075, 869 | "WNF_TEL_ONESETTINGS_UPDATED": 0x418a0b39a3be1875, 870 | "WNF_TEL_SETTINGS_PUSH_NOTIFICATION_RECEIVED": 0x418a0b39a3be2075, 871 | "WNF_TEL_STORAGE_CAPACITY": 0x418a0b39a3be0875, 872 | "WNF_TEL_TIMER_RECONFIGURED": 0x418a0b39a3be2875, 873 | "WNF_TETH_AUTOSTART_BLUETOOTH": 0x9920b39a3bc1075, 874 | "WNF_TETH_TETHERING_STATE": 0x9920b39a3bc0875, 875 | "WNF_THME_THEME_CHANGED": 0x48b0639a3bc0875, 876 | "WNF_TKBN_AUTOCOMPLETE": 0xf840539a3bc4835, 877 | "WNF_TKBN_CANDIDATE_WINDOW_STATE": 0xf840539a3bc7835, 878 | "WNF_TKBN_CARET_TRACKING": 0xf840539a3bc4035, 879 | "WNF_TKBN_COMPOSITION_STATE": 0xf840539a3bc9035, 880 | "WNF_TKBN_DESKTOP_MODE_AUTO_IHM": 0xf840539a3bcb035, 881 | "WNF_TKBN_FOREGROUND_WINDOW": 0xf840539a3bc3835, 882 | "WNF_TKBN_IMMERSIVE_FOCUS_TRACKING": 0xf840539a3bc1835, 883 | "WNF_TKBN_INPUT_PANE_DISPLAY_POLICY": 0xf840539a3bca835, 884 | "WNF_TKBN_KEYBOARD_GESTURE": 0xf840539a3bc6835, 885 | "WNF_TKBN_KEYBOARD_LAYOUT_CHANGE": 0xf840539a3bc8035, 886 | "WNF_TKBN_KEYBOARD_SET_VISIBLE": 0xf840539a3bcb835, 887 | "WNF_TKBN_KEYBOARD_SET_VISIBLE_NOTIFICATION": 0xf840539a3bcc035, 888 | "WNF_TKBN_KEYBOARD_VIEW_CHANGE": 0xf840539a3bc5835, 889 | "WNF_TKBN_KEYBOARD_VISIBILITY": 0xf840539a3bc0835, 890 | "WNF_TKBN_LANGUAGE": 0xf840539a3bc3035, 891 | "WNF_TKBN_MODERN_KEYBOARD_FOCUS_TRACKING": 0xf840539a3bc5035, 892 | "WNF_TKBN_RESTRICTED_KEYBOARD_GESTURE": 0xf840539a3bc7035, 893 | "WNF_TKBN_RESTRICTED_KEYBOARD_LAYOUT_CHANGE": 0xf840539a3bc8835, 894 | "WNF_TKBN_RESTRICTED_KEYBOARD_VIEW_CHANGE": 0xf840539a3bc6035, 895 | "WNF_TKBN_RESTRICTED_KEYBOARD_VISIBILITY": 0xf840539a3bc1035, 896 | "WNF_TKBN_RESTRICTED_TOUCH_EVENT": 0xf840539a3bc2835, 897 | "WNF_TKBN_SYSTEM_IMMERSIVE_FOCUS_TRACKING": 0xf840539a3bc9835, 898 | "WNF_TKBN_SYSTEM_TOUCH_EVENT": 0xf840539a3bca035, 899 | "WNF_TKBN_TOUCH_EVENT": 0xf840539a3bc2035, 900 | "WNF_TKBR_CHANGE_APP": 0x13840539a3bc1075, 901 | "WNF_TKBR_CHANGE_APP_INTERNAL": 0x13840539a3bc18f5, 902 | "WNF_TKBR_CHANGE_SYSTEM": 0x13840539a3bc08f5, 903 | "WNF_TMCN_ISTABLETMODE": 0xf850339a3bc0835, 904 | "WNF_TOPE_INP_POINTER_DEVICE_ACTIVITY": 0x4960139a3bc0875, 905 | "WNF_TPM_CLEAR_PENDING": 0x418b1e39a3bc2075, 906 | "WNF_TPM_CLEAR_RESULT": 0x418b1e39a3bc2875, 907 | "WNF_TPM_DEVICEID_STATE": 0x418b1e39a3bc1075, 908 | "WNF_TPM_DISABLE_DEACTIVATE_PENDING": 0x418b1e39a3bc3075, 909 | "WNF_TPM_ENABLE_ACTIVATE_COMPLETED": 0x418b1e39a3bc3875, 910 | "WNF_TPM_MAINTENANCE_TASK_STATUS": 0x418b1e39a3bc4075, 911 | "WNF_TPM_OWNERSHIP_TAKEN": 0x418b1e39a3bc0875, 912 | "WNF_TPM_PROVISION_TRIGGER": 0x418b1e39a3bc1875, 913 | "WNF_TZ_AUTOTIMEUPDATE_STATE_CHANGED": 0x41c61439a3bc3075, 914 | "WNF_TZ_LAST_TIME_SYNC_INFO": 0x41c61439a3bc2075, 915 | "WNF_TZ_LEGACY_STORE_CHANGED": 0x41c61439a3bc0875, 916 | "WNF_TZ_NETWORK_TIME_SYNC_TRIGGER": 0x41c61439a3bc2875, 917 | "WNF_TZ_STORE_CHANGED": 0x41c61439a3bc1075, 918 | "WNF_TZ_TIMEZONE_CHANGED": 0x41c61439a3bc1875, 919 | "WNF_UBPM_CONSOLE_MONITOR": 0xc960c38a3bc1075, 920 | "WNF_UBPM_FRMU_ALLOWED": 0xc960c38a3bc1875, 921 | "WNF_UBPM_POWER_SOURCE": 0xc960c38a3bc0875, 922 | "WNF_UBPM_PRESHUTDOWN_PHASE": 0xc960c38a3bc2075, 923 | "WNF_UDA_CONTACT_SORT_CHANGED": 0x41870a38a3bc2835, 924 | "WNF_UDM_SERVICE_INITIALIZED": 0x418b0a38a3bc0835, 925 | "WNF_UMDF_DRVMGR_STATUS": 0x7820338a3bc1075, 926 | "WNF_UMDF_WUDFSVC_START": 0x7820338a3bc0875, 927 | "WNF_UMGR_SESSIONUSER_TOKEN_CHANGE": 0x13810338a3bc2875, 928 | "WNF_UMGR_SESSION_ACTIVE_SHELL_USER_CHANGE": 0x13810338a3bc3035, 929 | "WNF_UMGR_SIHOST_READY": 0x13810338a3bc0835, 930 | "WNF_UMGR_SYSTEM_USER_CONTEXT_CHANGED": 0x13810338a3bc2075, 931 | "WNF_UMGR_USER_LOGIN": 0x13810338a3bc1075, 932 | "WNF_UMGR_USER_LOGOUT": 0x13810338a3bc1875, 933 | "WNF_UMGR_USER_TILE_CHANGED": 0x13810338a3bc3875, 934 | "WNF_USB_BILLBOARD_CHANGE": 0x41841d38a3bc1075, 935 | "WNF_USB_CHARGING_STATE": 0x41841d38a3bc2075, 936 | "WNF_USB_ERROR_NOTIFICATION": 0x41841d38a3bc3075, 937 | "WNF_USB_FUNCTION_CONTROLLER_STATE": 0x41841d38a3bc2875, 938 | "WNF_USB_PEER_DEVICE_STATE": 0x41841d38a3bc1875, 939 | "WNF_USB_POLICY_MANAGER_HUB_COLLECTION_STATE": 0x41841d38a3bc3875, 940 | "WNF_USB_TYPE_C_PARTNER_STATE": 0x41841d38a3bc0875, 941 | "WNF_USB_XHCI_AUDIO_OFFLOAD_STATE": 0x41841d38a3bc4075, 942 | "WNF_USO_ACTIVEHOURS_STARTED": 0x41891d38a3bc7075, 943 | "WNF_USO_ACTIVE_SESSION": 0x41891d38a3bc2875, 944 | "WNF_USO_DOWNLOAD_STARTED": 0x41891d38a3bc4875, 945 | "WNF_USO_INSTALL_STARTED": 0x41891d38a3bc5075, 946 | "WNF_USO_INSTALL_STATE": 0x41891d38a3bc5875, 947 | "WNF_USO_REBOOT_BLOCK_REQUESTED": 0x41891d38a3bc4075, 948 | "WNF_USO_REBOOT_REQUIRED": 0x41891d38a3bc2075, 949 | "WNF_USO_SERVICE_STOPPING": 0x41891d38a3bc6075, 950 | "WNF_USO_SETTINGS_REFRESHED": 0x41891d38a3bc6875, 951 | "WNF_USO_STATE_ATTENTION_REQUIRED": 0x41891d38a3bc1075, 952 | "WNF_USO_STATE_CHANGE": 0x41891d38a3bc0875, 953 | "WNF_USO_UPDATE_PROGRESS": 0x41891d38a3bc1875, 954 | "WNF_USO_UPDATE_SUCCEEDED": 0x41891d38a3bc3075, 955 | "WNF_USO_UPTODATE_STATUS_CHANGED": 0x41891d38a3bc3875, 956 | "WNF_UTS_LOCKSCREEN_DISMISSAL_TRIGGERED": 0x41951a38a3bc1475, 957 | "WNF_UTS_USERS_ENROLLED": 0x41951a38a3bc0c75, 958 | "WNF_UWF_OVERLAY_CRITICAL": 0x41801938a3bc1075, 959 | "WNF_UWF_OVERLAY_NORMAL": 0x41801938a3bc1875, 960 | "WNF_UWF_OVERLAY_WARNING": 0x41801938a3bc0875, 961 | "WNF_VAN_VANUI_STATUS": 0x41880f3ba3bc0875, 962 | "WNF_VPN_CLIENT_CONNECTIVITY_STATUS": 0x41881e3ba3bc0875, 963 | "WNF_VTSV_ADD_CRED_NOTIFY": 0x17951a3ba3bc1075, 964 | "WNF_VTSV_CDS_SYNC": 0x17951a3ba3bc0875, 965 | "WNF_WAAS_FEATURE_IMPACT": 0x12870f3aa3bc1075, 966 | "WNF_WAAS_QUALITY_IMPACT": 0x12870f3aa3bc0875, 967 | "WNF_WBIO_ENROLLMENT_FINISHED": 0xe8f0c3aa3bc0875, 968 | "WNF_WCDS_SYNC_WLAN": 0x12820d3aa3bc0875, 969 | "WNF_WCM_INTERFACE_CONNECTION_STATE": 0x418b0d3aa3bc2875, 970 | "WNF_WCM_INTERFACE_LIST": 0x418b0d3aa3bc0875, 971 | "WNF_WCM_MAPPING_POLICY_UPDATED": 0x418b0d3aa3bc1875, 972 | "WNF_WCM_PROFILE_CONFIG_UPDATED": 0x418b0d3aa3bc2075, 973 | "WNF_WCM_SERVICE_STATUS": 0x418b0d3aa3bc1075, 974 | "WNF_WDAG_SETTINGS_CHANGED_SYSTEM": 0x6870a3aa3bc1075, 975 | "WNF_WDAG_SETTINGS_CHANGED_USER": 0x6870a3aa3bc0875, 976 | "WNF_WDSC_ACCOUNT_PROTECTION_REFRESH": 0x2950a3aa3bc0875, 977 | "WNF_WEBA_CTAP_DEVICE_CHANGE_NOTIFY": 0x840b3aa3bc1075, 978 | "WNF_WEBA_CTAP_DEVICE_STATE": 0x840b3aa3bc0875, 979 | "WNF_WER_CRASH_STATE": 0x41940b3aa3bc1875, 980 | "WNF_WER_QUEUED_REPORTS": 0x41940b3aa3bc1075, 981 | "WNF_WER_SERVICE_START": 0x41940b3aa3bc0875, 982 | "WNF_WFAS_FIREWALL_NETWORK_CHANGE_READY": 0x1287083aa3bc0875, 983 | "WNF_WFDN_MOVEMENT_DETECTED": 0xf82083aa3bc1075, 984 | "WNF_WFDN_STAY_CONNECTED_TRIGGER": 0xf82083aa3bc1875, 985 | "WNF_WFDN_WFD_DISCONNECTION_PROPERTIES": 0xf82083aa3bc0875, 986 | "WNF_WFS_FAMILYMEMBERLOGIN": 0x4195083aa3bc1875, 987 | "WNF_WFS_SETTINGS": 0x4195083aa3bc0875, 988 | "WNF_WFS_SETTINGSREFRESH": 0x4195083aa3bc2075, 989 | "WNF_WFS_TIMEREMAININGALERTS": 0x4195083aa3bc1075, 990 | "WNF_WHTP_WINHTTP_PROXY_AUTHENTICATION_REQUIRED": 0x1192063aa3bc1075, 991 | "WNF_WHTP_WINHTTP_PROXY_DISCOVERED": 0x1192063aa3bc0875, 992 | "WNF_WIFI_AOAC_STATUS": 0x880073aa3bc4875, 993 | "WNF_WIFI_AVERAGE_TRANSMIT": 0x880073aa3bc6875, 994 | "WNF_WIFI_CONNECTION_SCORE": 0x880073aa3bc5875, 995 | "WNF_WIFI_CONNECTION_STATUS": 0x880073aa3bc0875, 996 | "WNF_WIFI_CPL_STATUS": 0x880073aa3bc1075, 997 | "WNF_WIFI_HOTSPOT2_REGISTRATION_STATUS": 0x880073aa3bc9075, 998 | "WNF_WIFI_HOTSPOT_HOST_READY": 0x880073aa3bc2875, 999 | "WNF_WIFI_L3_AUTH_STATE": 0x880073aa3bc8075, 1000 | "WNF_WIFI_MEDIA_STREAMING_MODE": 0x880073aa3bc7075, 1001 | "WNF_WIFI_MOVEMENT_DETECTED": 0x880073aa3bca075, 1002 | "WNF_WIFI_PROTECTED_SCENARIO": 0x880073aa3bc9875, 1003 | "WNF_WIFI_SERVICE_NOTIFICATIONS": 0x880073aa3bc2075, 1004 | "WNF_WIFI_TASK_TRIGGER": 0x880073aa3bc7875, 1005 | "WNF_WIFI_TILE_UPDATE": 0x880073aa3bc6075, 1006 | "WNF_WIFI_WLANSVC_NOTIFICATION": 0x880073aa3bc8875, 1007 | "WNF_WIL_BOOT_FEATURE_STORE": 0x418a073aa3bc1475, 1008 | "WNF_WIL_FEATURE_DEVICE_USAGE_TRACKING_1": 0x418a073aa3bc1c75, 1009 | "WNF_WIL_FEATURE_DEVICE_USAGE_TRACKING_2": 0x418a073aa3bc2475, 1010 | "WNF_WIL_FEATURE_DEVICE_USAGE_TRACKING_3": 0x418a073aa3bc2c75, 1011 | "WNF_WIL_FEATURE_HEALTH_TRACKING_1": 0x418a073aa3bc4c75, 1012 | "WNF_WIL_FEATURE_HEALTH_TRACKING_2": 0x418a073aa3bc5475, 1013 | "WNF_WIL_FEATURE_HEALTH_TRACKING_3": 0x418a073aa3bc5c75, 1014 | "WNF_WIL_FEATURE_HEALTH_TRACKING_4": 0x418a073aa3bc6475, 1015 | "WNF_WIL_FEATURE_HEALTH_TRACKING_5": 0x418a073aa3bc6c75, 1016 | "WNF_WIL_FEATURE_HEALTH_TRACKING_6": 0x418a073aa3bc7475, 1017 | "WNF_WIL_FEATURE_STORE": 0x418a073aa3bc0c75, 1018 | "WNF_WIL_FEATURE_USAGE_FOR_SRUM": 0x418a073aa3bc9835, 1019 | "WNF_WIL_FEATURE_USAGE_TRACKING_1": 0x418a073aa3bc3475, 1020 | "WNF_WIL_FEATURE_USAGE_TRACKING_2": 0x418a073aa3bc3c75, 1021 | "WNF_WIL_FEATURE_USAGE_TRACKING_3": 0x418a073aa3bc4475, 1022 | "WNF_WIL_MACHINE_FEATURE_STORE": 0x418a073aa3bc7c75, 1023 | "WNF_WIL_MACHINE_FEATURE_STORE_MODIFIED": 0x418a073aa3bc8075, 1024 | "WNF_WIL_USER_FEATURE_STORE": 0x418a073aa3bc88f5, 1025 | "WNF_WIL_USER_FEATURE_STORE_MODIFIED": 0x418a073aa3bc90f5, 1026 | "WNF_WNS_CONNECTIVITY_STATUS": 0x4195003aa3bc0875, 1027 | "WNF_WOF_OVERLAY_CONFIGURATION_CHANGE": 0x4180013aa3bc0875, 1028 | "WNF_WOSC_DIRECTX_DATABASE_CHANGED": 0x295013aa3bc2075, 1029 | "WNF_WOSC_FEATURE_CONFIGURATION_CHANGED": 0x295013aa3bc1075, 1030 | "WNF_WOSC_FEATURE_CONFIGURATION_COMPLETED": 0x295013aa3bc3075, 1031 | "WNF_WOSC_MITIGATION_CONFIGURATION_CHANGED": 0x295013aa3bc1875, 1032 | "WNF_WOSC_ML_MODELS_CHANGED": 0x295013aa3bc0875, 1033 | "WNF_WOSC_MUSE_CONFIGURATION_CHANGED": 0x295013aa3bc2875, 1034 | "WNF_WPN_PLATFORM_INITIALIZED": 0x41881e3aa3bc10f5, 1035 | "WNF_WPN_SYSTEM_PLATFORM_READY": 0x41881e3aa3bc1875, 1036 | "WNF_WPN_USER_IN_SESSION_PLATFORM_READY": 0x41881e3aa3bc2035, 1037 | "WNF_WPN_USER_PLATFORM_READY": 0x41881e3aa3bc08f5, 1038 | "WNF_WSC_SECURITY_CENTER_USER_NOTIFICATION": 0x41851d3aa3bc0875, 1039 | "WNF_WSQM_IS_OPTED_IN": 0xc971d3aa3bc0875, 1040 | "WNF_WUA_AU_SCAN_COMPLETE": 0x41871b3aa3bc1075, 1041 | "WNF_WUA_CALL_HANG": 0x41871b3aa3bc1875, 1042 | "WNF_WUA_NUM_PER_USER_UPDATES": 0x41871b3aa3bc08f5, 1043 | "WNF_WUA_SERVICE_HANG": 0x41871b3aa3bc2075, 1044 | "WNF_WUA_STAGEUPDATE_DETAILS": 0x41871b3aa3bc2875, 1045 | "WNF_WUA_UPDATE_EXPIRING": 0x41871b3aa3bc3075, 1046 | "WNF_WWAN_CELLULAR_STATE_SNAPSHOT_CHANGE": 0xf87193aa3bc1875, 1047 | "WNF_WWAN_EUICC_ARRIVAL": 0xf87193aa3bc1075, 1048 | "WNF_WWAN_OBJECT_LIST": 0xf87193aa3bc0875, 1049 | "WNF_WWAN_TASK_TRIGGER": 0xf87193aa3bc2075, 1050 | "WNF_XBOX_ACCESSIBILITY_EXCLUSIVE_INPUT_MODE_CHANGED": 0x19890c35a3be9075, 1051 | "WNF_XBOX_ACCESSIBILITY_NARRATOR_ENABLED": 0x19890c35a3bdf075, 1052 | "WNF_XBOX_ACHIEVEMENTS_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bc8075, 1053 | "WNF_XBOX_ACHIEVEMENT_TRACKER_STATE_CHANGED": 0x19890c35a3bea075, 1054 | "WNF_XBOX_ACTIVE_BACKGROUNDAUDIO_APPLICATION_CHANGED": 0x19890c35a3be5875, 1055 | "WNF_XBOX_ADJUST_SNAP_CPU_AFFINITY": 0x19890c35a3be3075, 1056 | "WNF_XBOX_APPLICATION_ACTIVATING": 0x19890c35a3bc1875, 1057 | "WNF_XBOX_APPLICATION_COMPONENT_FOCUS": 0x19890c35a3bc2075, 1058 | "WNF_XBOX_APPLICATION_COM_RESILIENCY_STATUS_CHANGED": 0x19890c35a3bcd875, 1059 | "WNF_XBOX_APPLICATION_CONTEXT_CHANGED": 0x19890c35a3bc0875, 1060 | "WNF_XBOX_APPLICATION_CURRENT_USER_CHANGED": 0x19890c35a3be0075, 1061 | "WNF_XBOX_APPLICATION_ERROR": 0x19890c35a3bc6075, 1062 | "WNF_XBOX_APPLICATION_FOCUS_CHANGED": 0x19890c35a3bc1075, 1063 | "WNF_XBOX_APPLICATION_LAYOUT_CHANGED": 0x19890c35a3bc9075, 1064 | "WNF_XBOX_APPLICATION_LICENSE_CHANGED": 0x19890c35a3bd0075, 1065 | "WNF_XBOX_APPLICATION_NO_LONGER_RUNNING": 0x19890c35a3bc5075, 1066 | "WNF_XBOX_AUTOPLAY_CONTENT_DETECTED": 0x19890c35a3bc5875, 1067 | "WNF_XBOX_AUTO_SIGNIN_IN_PROGRESS": 0x19890c35a3bde075, 1068 | "WNF_XBOX_CLOUD_SETTINGS_UPDATED": 0x19890c35a3bf2075, 1069 | "WNF_XBOX_CLUBCHAT_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bef075, 1070 | "WNF_XBOX_CLUB_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bee875, 1071 | "WNF_XBOX_COMMANDSERVICE_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bf6075, 1072 | "WNF_XBOX_COPYONLAN_UPLOAD_STATE_CHANGED": 0x19890c35a3bf5075, 1073 | "WNF_XBOX_CORTANAOVERLAY_VISIBILITY_CHANGED": 0x19890c35a3bdc875, 1074 | "WNF_XBOX_CORTANA_SIGNEDIN_USERS_GRAMMAR_UPDATE_NOTIFICATION": 0x19890c35a3be2075, 1075 | "WNF_XBOX_CORTANA_TV_GRAMMAR_UPDATE_NOTIFICATION": 0x19890c35a3be1875, 1076 | "WNF_XBOX_CORTANA_USER_CHANGED_UPDATE_NOTIFICATION": 0x19890c35a3be8875, 1077 | "WNF_XBOX_DASHBOARD_DIRECT_ACTIVATION": 0x19890c35a3bf5875, 1078 | "WNF_XBOX_ERA_FAST_ITERATION_STATUS_CHANGED": 0x19890c35a3bf2875, 1079 | "WNF_XBOX_ERA_TITLE_LAUNCH_NOTIFICATION": 0x19890c35a3bd5875, 1080 | "WNF_XBOX_ERA_VM_INSTANCE_CHANGED": 0x19890c35a3be0875, 1081 | "WNF_XBOX_ERA_VM_IOPRIORITY_CHANGED": 0x19890c35a3be7075, 1082 | "WNF_XBOX_ERA_VM_STATUS_CHANGED": 0x19890c35a3bc8875, 1083 | "WNF_XBOX_EXIT_SILENT_BOOT_MODE": 0x19890c35a3bcf875, 1084 | "WNF_XBOX_EXPANDED_RESOURCES_INACTIVE": 0x19890c35a3bf0875, 1085 | "WNF_XBOX_EXTENDED_RESOURCE_MODE_CHANGED": 0x19890c35a3bdd875, 1086 | "WNF_XBOX_GAMECORE_TITLE_LAUNCH_NOTIFICATION": 0x19890c35a3bf8075, 1087 | "WNF_XBOX_GAMER_ACCOUNT_CHANGED": 0x19890c35a3be6875, 1088 | "WNF_XBOX_GLOBALIZATION_SETTING_CHANGED": 0x19890c35a3bc4875, 1089 | "WNF_XBOX_GLOBAL_SPEECH_INPUT_NOTIFICATION": 0x19890c35a3bdf875, 1090 | "WNF_XBOX_GUEST_VM_CRASH_DUMP_NOTIFICATION": 0x19890c35a3bf7075, 1091 | "WNF_XBOX_GUIDE_DIRECT_ACTIVATION": 0x19890c35a3bea875, 1092 | "WNF_XBOX_HOST_STORAGE_CONFIGURATION_CHANGED": 0x19890c35a3bcf075, 1093 | "WNF_XBOX_HOST_XVC_CORRUPTION_DETECTED": 0x19890c35a3bf8875, 1094 | "WNF_XBOX_IDLE_DIMMER_CHANGED": 0x19890c35a3bc4075, 1095 | "WNF_XBOX_KEYBOARD_LOCALE_CHANGED": 0x19890c35a3be6075, 1096 | "WNF_XBOX_KINECT_IS_REQUIRED": 0x19890c35a3be2875, 1097 | "WNF_XBOX_LIBRARY_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3beb875, 1098 | "WNF_XBOX_LIVETV_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bed875, 1099 | "WNF_XBOX_LIVETV_TUNER_COUNT_CHANGED": 0x19890c35a3bd9075, 1100 | "WNF_XBOX_LIVE_CONNECTIVITY_CHANGED": 0x19890c35a3bc7075, 1101 | "WNF_XBOX_MEDIA_IS_PLAYING_CHANGED": 0x19890c35a3bf0075, 1102 | "WNF_XBOX_MESSAGING_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bec075, 1103 | "WNF_XBOX_MSA_ENVIRONMENT_CONFIGURED": 0x19890c35a3bd2075, 1104 | "WNF_XBOX_MULTIPLAYER_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bed075, 1105 | "WNF_XBOX_NARRATOR_INPUT_LEARNING_MODE_CHANGED": 0x19890c35a3bf3875, 1106 | "WNF_XBOX_NARRATOR_RECT_CHANGED": 0x19890c35a3bda875, 1107 | "WNF_XBOX_NEON_SETTING_CHANGED": 0x19890c35a3bf4875, 1108 | "WNF_XBOX_NOTIFICATION_SETTING_CHANGED": 0x19890c35a3bf6875, 1109 | "WNF_XBOX_NOTIFICATION_UNREAD_COUNT": 0x19890c35a3bdd075, 1110 | "WNF_XBOX_NTM_CONSTRAINED_MODE_CHANGED": 0x19890c35a3bf3075, 1111 | "WNF_XBOX_PACKAGECACHE_CHANGED": 0x19890c35a3bd9875, 1112 | "WNF_XBOX_PACKAGE_INSTALL_STATE_CHANGED": 0x19890c35a3bc3875, 1113 | "WNF_XBOX_PACKAGE_STREAMING_STATE": 0x19890c35a3bd7075, 1114 | "WNF_XBOX_PACKAGE_UNMOUNTED_FROM_SYSTEM_FOR_LAUNCH": 0x19890c35a3bc3075, 1115 | "WNF_XBOX_PACKAGE_UNMOUNTED_FROM_SYSTEM_FOR_UNINSTALL": 0x19890c35a3bdb075, 1116 | "WNF_XBOX_PARENTAL_RESTRICTIONS_CHANGED": 0x19890c35a3bf1075, 1117 | "WNF_XBOX_PARTY_OVERLAY_STATE_CHANGED": 0x19890c35a3bf1875, 1118 | "WNF_XBOX_PASS3_UPDATE_NOTIFICATION": 0x19890c35a3bd1875, 1119 | "WNF_XBOX_PEOPLE_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bec875, 1120 | "WNF_XBOX_PROACTIVE_NOTIFICATION_TRIGGERED": 0x19890c35a3be9875, 1121 | "WNF_XBOX_QUERY_UPDATE_NOTIFICATION": 0x19890c35a3bd8075, 1122 | "WNF_XBOX_REMOTE_SIGNOUT": 0x19890c35a3bde875, 1123 | "WNF_XBOX_REPOSITORY_CHANGED": 0x19890c35a3bd8875, 1124 | "WNF_XBOX_RESET_IDLE_TIMER": 0x19890c35a3be1075, 1125 | "WNF_XBOX_SAFEAREA_SETTING_CHANGED": 0x19890c35a3be5075, 1126 | "WNF_XBOX_SEND_LTV_COMMAND_REQUESTED": 0x19890c35a3bdb875, 1127 | "WNF_XBOX_SETTINGS_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bef875, 1128 | "WNF_XBOX_SHELL_DATACACHE_ENTITY_CHANGED": 0x19890c35a3bdc075, 1129 | "WNF_XBOX_SHELL_INITIALIZED": 0x19890c35a3bd0875, 1130 | "WNF_XBOX_SHELL_TOAST_NOTIFICATION": 0x19890c35a3bc2875, 1131 | "WNF_XBOX_SIP_FOCUS_TRANSFER_NOTIFICATION": 0x19890c35a3bd3875, 1132 | "WNF_XBOX_SIP_VISIBILITY_CHANGED": 0x19890c35a3bd2875, 1133 | "WNF_XBOX_SPEECH_INPUT_DEVICE": 0x19890c35a3be7875, 1134 | "WNF_XBOX_STORAGE_CHANGED": 0x19890c35a3bd6875, 1135 | "WNF_XBOX_STORAGE_ERROR": 0x19890c35a3bc6875, 1136 | "WNF_XBOX_STORAGE_STATUS": 0x19890c35a3bd6075, 1137 | "WNF_XBOX_STREAMING_QUEUE_CHANGED": 0x19890c35a3bd7875, 1138 | "WNF_XBOX_SUSPEND_SKELETAL_TRACKING_INITIALIZATION": 0x19890c35a3bf4075, 1139 | "WNF_XBOX_SYSTEMUI_RAW_NOTIFICATION_RECEIVED": 0x19890c35a3bee075, 1140 | "WNF_XBOX_SYSTEM_CONSTRAINED_MODE_STATUS_CHANGED": 0x19890c35a3bca075, 1141 | "WNF_XBOX_SYSTEM_GAME_STREAMING_STATE_CHANGED": 0x19890c35a3bd3075, 1142 | "WNF_XBOX_SYSTEM_IDLE_TIMEOUT_CHANGED": 0x19890c35a3bc9875, 1143 | "WNF_XBOX_SYSTEM_LOW_POWER_MAINTENANCE_WORK_ALLOWED": 0x19890c35a3bd5075, 1144 | "WNF_XBOX_SYSTEM_TITLE_AUTH_STATUS_CHANGED": 0x19890c35a3bc7875, 1145 | "WNF_XBOX_SYSTEM_USER_CONTEXT_CHANGED": 0x19890c35a3bce075, 1146 | "WNF_XBOX_TEST_NETWORK_CONNECTION_COMPLETE": 0x19890c35a3bf7875, 1147 | "WNF_XBOX_TITLE_SPOP_VETO_RECEIVED": 0x19890c35a3beb075, 1148 | "WNF_XBOX_VIDEOPLAYER_ACTIVEPLAYER": 0x19890c35a3be3875, 1149 | "WNF_XBOX_VIDEOPLAYER_PLAYBACKPROGRESS": 0x19890c35a3be4875, 1150 | "WNF_XBOX_VIDEOPLAYER_PLAYERSTATE": 0x19890c35a3be4075, 1151 | "WNF_XBOX_WPN_PLATFORM_HOST_INITIALIZED": 0x19890c35a3bda075, 1152 | "WNF_XBOX_XAM_SMB_SHARES_INIT_ALLOW_SYSTEM_READY": 0x19890c35a3bd4075, 1153 | "WNF_XBOX_XBBLACKBOX_SNAP_NOTIFICATION": 0x19890c35a3bd4875 1154 | } -------------------------------------------------------------------------------- /script_python/WnfClientServer.py: -------------------------------------------------------------------------------- 1 | """ 2 | 3 | Copyright (c) 2018 Gabrielle Viala. All Rights Reserved. 4 | https://blog.quarkslab.com/author/gwaby.html 5 | 6 | """ 7 | 8 | from wnfcom import WnfCom 9 | import argparse 10 | import sys 11 | 12 | 13 | ############### MAIN ############### 14 | 15 | 16 | if __name__ == "__main__": 17 | argParser = argparse.ArgumentParser(description="") 18 | argParser.add_argument("WNF_NAME", nargs='?', type=str, help="state name") 19 | args = argParser.parse_args() 20 | 21 | wnfserver = WnfCom() 22 | if args.WNF_NAME: 23 | if not wnfserver.SetStateName(args.WNF_NAME): 24 | sys.exit("[Error] State name unknown.") 25 | wnfserver.Listen() 26 | else: 27 | wnfserver.CreateServer() 28 | wnfserver.Write() 29 | 30 | while True: 31 | try: 32 | Data = input(">") 33 | except KeyboardInterrupt as e: 34 | break 35 | wnfserver.Write(Data.encode()) 36 | 37 | -------------------------------------------------------------------------------- /script_python/WnfDump.py: -------------------------------------------------------------------------------- 1 | """ 2 | 3 | Copyright (c) 2018 Gabrielle Viala. All Rights Reserved. 4 | https://blog.quarkslab.com/author/gwaby.html 5 | 6 | """ 7 | 8 | from win32api import ( 9 | GetCurrentProcess, 10 | RegOpenKeyEx, 11 | RegEnumValue, 12 | RegQueryValueEx, 13 | RegCloseKey 14 | ) 15 | from win32con import ( 16 | TOKEN_ALL_ACCESS, 17 | HKEY_LOCAL_MACHINE, 18 | KEY_READ 19 | ) 20 | import win32security 21 | from pywintypes import error 22 | from struct import unpack 23 | from enum import Enum 24 | from hexdump import hexdump 25 | import ctypes 26 | import argparse 27 | import sys 28 | 29 | from WellKnownWnfNames import g_WellKnownWnfNames # comment this if you don't have the file 30 | 31 | 32 | 33 | ZwQueryWnfStateData = ctypes.windll.ntdll.ZwQueryWnfStateData 34 | ZwUpdateWnfStateData = ctypes.windll.ntdll.ZwUpdateWnfStateData 35 | ZwQueryWnfStateNameInformation = ctypes.windll.ntdll.ZwQueryWnfStateNameInformation 36 | 37 | WNF_STATE_KEY = 0x41C64E6DA3BC0074 38 | 39 | STATUS_OPERATION_FAILED = 0xc0000001 40 | 41 | 42 | class WNF_STATE_NAME_LIFETIME(Enum): 43 | WnfWellKnownStateName = 0x0 44 | WnfPermanentStateName = 0x1 45 | WnfPersistentStateName = 0x2 46 | WnfTemporaryStateName = 0x3 47 | 48 | class WNF_DATA_SCOPE(Enum): 49 | WnfDataScopeSystem = 0x0 50 | WnfDataScopeSession = 0x1 51 | WnfDataScopeUser = 0x2 52 | WnfDataScopeProcess = 0x3 53 | WnfDataScopeMachine = 0x4 54 | 55 | 56 | class WNF_STATE_NAME_INFORMATION(Enum): 57 | WnfInfoStateNameExist = 0x0 58 | WnfInfoSubscribersPresent = 0x1 59 | WnfInfoIsQuiescent = 0x2 60 | 61 | class WNF_STATE_NAME_bits(ctypes.LittleEndianStructure): 62 | _fields_ = [ 63 | ("Version", ctypes.c_ulonglong, 4), 64 | ("NameLifetime", ctypes.c_ulonglong, 2), 65 | ("DataScope", ctypes.c_ulonglong, 4), 66 | ("PermanentData", ctypes.c_ulonglong, 1), 67 | ("Unique", ctypes.c_ulonglong, 53), 68 | ("value", ctypes.c_ulonglong) 69 | ] 70 | 71 | 72 | class WNF_STATE_NAME_INTERNAL(ctypes.Union): 73 | _fields_ = [("b", WNF_STATE_NAME_bits), 74 | ("value", ctypes.c_ulonglong)] 75 | 76 | 77 | WnfDataScopeStrings = [ 78 | "System", 79 | "session", 80 | "User", 81 | "Process", 82 | "Machine" 83 | ] 84 | 85 | g_LifetimeKeyNames = [ 86 | "SYSTEM\\CurrentControlSet\\Control\\Notifications", 87 | "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications", 88 | "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications" 89 | ] 90 | 91 | WnfLifetimeStrings = [ 92 | "Well-Known", 93 | "Permanent", 94 | "Volatile", 95 | "Temporary" 96 | ] 97 | 98 | def DumpWnfData(WnfName, Data, DumpSd, DumpData): 99 | assert(WnfName != 0) 100 | MaxSize = "?" 101 | sd = None 102 | if Data != None: 103 | try: 104 | sd = win32security.SECURITY_DESCRIPTOR(Data) 105 | except: 106 | print("\n[Error] Could not create a security descriptor out of the data for {:x}\n".format(WnfName)) 107 | 108 | if sd != None: 109 | if not sd.IsValid(): 110 | print("[Error] Registry security descriptor invalid for {:x}\n".format(WnfName)) 111 | MaxSize = 0 112 | sd = None 113 | SdSize = sd.GetLength() 114 | MaxSize = unpack("L", Data[SdSize:SdSize+4])[0] 115 | 116 | return PrintWnfRuntimeStatus(WnfName, sd, DumpSd, MaxSize, DumpData) 117 | 118 | def ReadWnfData(StateName): 119 | changeStamp = ctypes.c_ulong(0) 120 | dataBuffer = ctypes.create_string_buffer(4096) 121 | bufferSize = ctypes.c_ulong(ctypes.sizeof(dataBuffer)) 122 | StateName = ctypes.c_longlong(StateName) 123 | res = ZwQueryWnfStateData(ctypes.byref(StateName), 124 | 0, 0, 125 | ctypes.byref(changeStamp), 126 | ctypes.byref(dataBuffer), 127 | ctypes.byref(bufferSize) 128 | ) 129 | readAccess = 0 if res !=0 else 1 130 | bufferSize = ctypes.c_ulong(0) if res !=0 else bufferSize 131 | return readAccess, changeStamp.value, dataBuffer, bufferSize.value 132 | 133 | 134 | def CheckWriteAccess(StateName): 135 | StateName = ctypes.c_longlong(StateName) 136 | status = ZwUpdateWnfStateData(ctypes.byref(StateName), 0, 0, 0, 0, -1, True) 137 | status = ctypes.c_ulong(status).value 138 | assert(status != 0) # We really changed something... Not good O.O' 139 | 140 | return False if status != STATUS_OPERATION_FAILED else True 141 | 142 | 143 | def QueryWnfInfoClass(StateName, infoClassName): 144 | exist = ctypes.c_ulong(2) 145 | StateName = ctypes.c_longlong(StateName) 146 | InfoValue = WNF_STATE_NAME_INFORMATION[infoClassName].value 147 | 148 | 149 | status = ZwQueryWnfStateNameInformation(ctypes.byref(StateName), InfoValue, 0, ctypes.byref(exist), ctypes.sizeof(exist)) 150 | status = ctypes.c_ulong(status).value 151 | if status != 0: 152 | print("[Error] Could not query subscribers: : 0x{:x}".format(status)) 153 | return exist.value 154 | 155 | 156 | def GetWnfName(value): 157 | try: 158 | name = list(g_WellKnownWnfNames.keys())[list(g_WellKnownWnfNames.values()).index(value)] 159 | except: 160 | name = "" 161 | return name 162 | 163 | 164 | def CheckInternalName(Name): 165 | if Name.b.NameLifetime > len(WnfLifetimeStrings): 166 | return False 167 | if Name.b.DataScope > len(WnfDataScopeStrings): 168 | return False 169 | return True 170 | 171 | 172 | def PrintWnfRuntimeStatus(StateName, CheckSd, DumpSd, MaxSize, DumpData): 173 | exists = 2 174 | read, changeStamp, dataBuffer, bufferSize = ReadWnfData(StateName) 175 | 176 | write = CheckWriteAccess(StateName) 177 | if write: 178 | # see if anyone is listening for notifications on this state name. 179 | exists = QueryWnfInfoClass(StateName, 'WnfInfoSubscribersPresent') 180 | 181 | internalName = WNF_STATE_NAME_INTERNAL() 182 | internalName.value = StateName ^ WNF_STATE_KEY 183 | 184 | if not CheckInternalName(internalName): 185 | return False 186 | 187 | if internalName.b.NameLifetime == WNF_STATE_NAME_LIFETIME['WnfWellKnownStateName'].value: 188 | name = GetWnfName(StateName) 189 | if name == "": 190 | char3 = format(internalName.b.Unique >> 37 & 0xff, 'c') 191 | char4 = format(internalName.b.Unique >> 45 & 0xff, 'c') 192 | char3 = char3 if char3.isprintable() else " " 193 | char4 = char4 if char4.isprintable() else " " 194 | 195 | name ="{:c}{:c}{}{}.{:0>3} 0x{:x}".format( 196 | internalName.b.Unique >> 21 & 0xff, 197 | internalName.b.Unique >> 29 & 0xff, 198 | char3, 199 | char4, 200 | internalName.b.Unique & 0xFFFFF, 201 | StateName) 202 | else: 203 | name = "0x{:x}".format(StateName) 204 | print("| {:<64}| {} | {} | {} | {} | {} | {:^7} | {:^7} | {:^7} |".format( 205 | name, 206 | WnfDataScopeStrings[internalName.b.DataScope][0], 207 | WnfLifetimeStrings[internalName.b.NameLifetime][0], 208 | 'Y' if internalName.b.PermanentData else 'N', 209 | ("RW" if write else "RO") if read else ("WO" if write else "NA"), 210 | 'A' if exists == 1 else 'U' if exists == 2 else 'I', 211 | bufferSize, 212 | MaxSize, 213 | changeStamp 214 | )) 215 | 216 | if DumpSd != False and CheckSd != None: 217 | strSd = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor( 218 | CheckSd, win32security.SDDL_REVISION_1, 219 | win32security.DACL_SECURITY_INFORMATION | 220 | win32security.SACL_SECURITY_INFORMATION | 221 | win32security.LABEL_SECURITY_INFORMATION) 222 | print("\n\t{}".format(strSd)) 223 | 224 | if DumpData != False and read != False and bufferSize != 0: 225 | print("\n") 226 | hexdump(dataBuffer.raw[0:bufferSize]) 227 | print("\n") 228 | 229 | return True 230 | 231 | def FormatStateName(WnfName): 232 | try: 233 | StateName = "{:x}".format(g_WellKnownWnfNames[WnfName.upper()]) 234 | except: 235 | if len(WnfName)>2 and WnfName[1] == 'x': 236 | WnfName = WnfName[2:] 237 | StateName = WnfName 238 | for _ in range(len(StateName),16): 239 | StateName = "0"+StateName 240 | 241 | try: 242 | int(StateName, 16) 243 | except: 244 | StateName = "-1" 245 | return StateName 246 | 247 | ######################################################################################### 248 | 249 | #### Displays information on all non-temporary state names 250 | def DumpWnfNames(ShowSd, ShowData): 251 | for i in range(0,len(g_LifetimeKeyNames)): 252 | reghandle = None 253 | try: 254 | reghandle = RegOpenKeyEx( 255 | HKEY_LOCAL_MACHINE, 256 | g_LifetimeKeyNames[i], 257 | 0, 258 | KEY_READ) 259 | except Exception: 260 | print("[Error] Could not open root key: {}".format(g_LifetimeKeyNames[i])) 261 | return False 262 | 263 | print("\n| WNF State Name [{:<10} Lifetime] " 264 | "| S | L | P | AC | N | CurSize | MaxSize | Changes |".format(WnfLifetimeStrings[i])) 265 | print("-"*118) 266 | 267 | i = 0 268 | while 1: 269 | try: 270 | name, value, _ = RegEnumValue(reghandle, i) 271 | except error: 272 | break 273 | i+=1 274 | try: 275 | StateName = int(name, 16) 276 | except: 277 | continue 278 | 279 | if not DumpWnfData(StateName, value, ShowSd, ShowData): 280 | print("[Error] Something went wrong") 281 | return False 282 | if reghandle != None: 283 | RegCloseKey(reghandle) 284 | return True 285 | 286 | 287 | 288 | ### Displays information on all temporary state names 289 | def BruteForceWnfNames(DumpData): 290 | bruteName = WNF_STATE_NAME_INTERNAL() 291 | bruteName.value = 0 292 | bruteName.b.Version = 1 293 | bruteName.b.NameLifetime = WNF_STATE_NAME_LIFETIME['WnfTemporaryStateName'].value 294 | bruteName.b.PermanentData = 0 295 | 296 | for scope in WNF_DATA_SCOPE: 297 | bruteName.b.DataScope = scope.value 298 | print("\n| WNF State Name [{:<7} Scope] " 299 | "| S | L | P | AC | N | CurSize | MaxSize | Changes |".format(WnfDataScopeStrings[scope.value])) 300 | print("-"*118) 301 | 302 | for i in range(0xFFFFFF): 303 | bruteName.b.Unique = i 304 | stateName = bruteName.value ^ WNF_STATE_KEY 305 | #print(hex(stateName)) 306 | exists = QueryWnfInfoClass(stateName, 'WnfInfoStateNameExist') 307 | if exists != 0: 308 | DumpWnfData(stateName, None, False, DumpData) 309 | 310 | 311 | ### Displays information on the given state name 312 | def DumpKeyInfo(StateName, ShowSd, ShowData): 313 | reghandle = None 314 | internalName = WNF_STATE_NAME_INTERNAL() 315 | internalName.value = int(StateName, 16) ^ WNF_STATE_KEY 316 | value = None 317 | if internalName.b.NameLifetime != WNF_STATE_NAME_LIFETIME['WnfTemporaryStateName'].value: 318 | try: 319 | reghandle = RegOpenKeyEx(HKEY_LOCAL_MACHINE,g_LifetimeKeyNames[internalName.b.NameLifetime], 0, KEY_READ) 320 | except Exception: 321 | print("[Error] Could not open root key: {}".format(g_LifetimeKeyNames[internalName.b.NameLifetime])) 322 | return False 323 | 324 | try: 325 | value, _ = RegQueryValueEx(reghandle, StateName) 326 | except error: 327 | print("[Error] Could not find the WnfName in the registry") 328 | return False 329 | print("\n| WNF State Name " 330 | "| S | L | P | AC | N | CurSize | MaxSize | Changes |") 331 | print("-"*118) 332 | DumpWnfData(int(StateName, 16), value, ShowSd, ShowData) 333 | if reghandle != None: 334 | RegCloseKey(reghandle) 335 | return True 336 | 337 | 338 | 339 | ### Reads the current data stored in the given state name 340 | def DoRead(StateName): 341 | _, _, dataBuffer, bufferSize = ReadWnfData(int(StateName, 16)) 342 | hexdump(dataBuffer.raw[0:bufferSize]) 343 | 344 | 345 | ### Writes the given data into the given state name 346 | def DoWrite(StateName, Data): 347 | StateName = ctypes.c_longlong(int(StateName, 16)) 348 | dataBuffer = ctypes.c_char_p(Data) 349 | bufferSize = len(Data) 350 | status = ZwUpdateWnfStateData(ctypes.byref(StateName), dataBuffer, bufferSize, 0, 0, 0, 0) 351 | status = ctypes.c_ulong(status).value 352 | 353 | if status == 0: 354 | return True 355 | else: 356 | print('[Error] Could not write for this statename: 0x{:x}'.format(status)) 357 | return False 358 | 359 | 360 | 361 | ######################################################################################### 362 | 363 | 364 | 365 | ############### MAIN ############### 366 | 367 | 368 | if __name__ == "__main__": 369 | argParser = argparse.ArgumentParser(description="") 370 | readwritegroup = argParser.add_mutually_exclusive_group() 371 | dumpgroup = readwritegroup.add_argument_group() 372 | optiongroup = argParser.add_argument_group() 373 | dumpgroup = argParser.add_argument_group() 374 | 375 | dumpgroup.add_argument("-i","--info", action="store_true", help="Displays information on the given state name.") 376 | dumpgroup.add_argument("-d","--dump", action="store_true", help="Displays information on all non-temporary state names. \ 377 | \tUse -s to show the security descriptor for each name. \ 378 | \tUse -v to dump the value of each name.") 379 | dumpgroup.add_argument("-b","--brut", action="store_true", help="Displays information on all temporary state names. \ 380 | \t Can be combined with -d.\ 381 | Use -v to dump the value of each name.") 382 | 383 | readwritegroup.add_argument("-r","--read", action="store_true", help="Reads the current data stored in the given state name.") 384 | readwritegroup.add_argument("-w","--write", action="store_true", help="Writes data into the given state name.") 385 | 386 | optiongroup.add_argument("-v", "--value", action="store_true", help="Dump the value of each name.") 387 | optiongroup.add_argument("-s", "--sid", action="store_true", help="Show the security descriptor for each name.") 388 | 389 | argParser.add_argument("WNF_NAME", nargs='?', type=str, help="state name") 390 | argParser.add_argument("dataFile", nargs='?', help="File name containing the data that will be written into the given state name.\n\ 391 | \t This is a ugly hack to circumvent to encoding issue when passing a byte string to sys.argv.") 392 | 393 | args = argParser.parse_args() 394 | 395 | 396 | if args.info: # Displays information on the given state name 397 | if args.WNF_NAME != None: 398 | value = args.value | args.read 399 | DumpKeyInfo( 400 | FormatStateName(args.WNF_NAME), 401 | args.sid, 402 | value 403 | ) 404 | else: 405 | sys.exit("[Error] No WNF_NAME provided.") 406 | elif args.dump or args.brut: 407 | if args.dump: # Displays information on all non-temporary state names 408 | value = args.value | args.read 409 | DumpWnfNames(args.sid, value) 410 | 411 | if args.brut: # Displays information on all temporary state names 412 | value = args.value | args.read 413 | BruteForceWnfNames(value) 414 | 415 | else: 416 | if args.read : # Reads the current data stored in the given state name 417 | if args.WNF_NAME != None: 418 | DoRead(FormatStateName(args.WNF_NAME)) 419 | else: 420 | sys.exit("[Error] No WNF_NAME provided.") 421 | 422 | elif args.write: # Writes the given data into the given state name 423 | if args.WNF_NAME != None and args.dataFile !=None: 424 | with open(args.dataFile, 'rb') as fl: 425 | DoWrite(FormatStateName(args.WNF_NAME), fl.read()) 426 | else: 427 | sys.exit("[Error] Need to provide WNF_NAME and data to write.") 428 | 429 | 430 | if not (args.info | args.read | args.write | args.dump | args.brut): 431 | sys.exit("[Error] Use -h to display some help.") 432 | 433 | 434 | 435 | 436 | 437 | 438 | -------------------------------------------------------------------------------- /script_python/WnfNameDumper.py: -------------------------------------------------------------------------------- 1 | """ 2 | 3 | Copyright (c) 2018 Gabrielle Viala. All Rights Reserved. 4 | https://blog.quarkslab.com/author/gwaby.html 5 | 6 | This script finds the wnf names table from a dll (typically perf_nt_c.dll) and dumps its content. 7 | It's a pretty lazy script that searches for all the strings beginning by "WNF_" and xref them until finding the base of the table. 8 | 9 | Usage: 10 | 11 | $ python WnfNameDumper.py [-h] [-dump | -diff] [-v] [-o OUTPUT] file1 [file2] 12 | 13 | Little script to dump or diff wnf name table from dll 14 | 15 | positional arguments: 16 | file1 17 | file2 18 | 19 | optional arguments: 20 | -h, --help show this help message and exit 21 | -dump Dump the table into a file 22 | -diff Diff two tables and dump the discrepancies 23 | -v, --verbose Print the description of the keys 24 | -o OUTPUT, --output OUTPUT 25 | Output file (Default: output.txt) 26 | -py, --python Change the output language to python (by default it's c) 27 | 28 | Example: 29 | 30 | To dump the table into an output file: 31 | $ python3 WnfNameDumper.py -dump -o output.c perf_nt_c.dll 32 | 33 | To diff two dlls: 34 | $ python3 WnfNameDumper.py -diff -v -o output.txt perf_nt_c_15063.dll perf_nt_c_17713.dll 35 | 36 | 37 | """ 38 | 39 | import sys, os, struct 40 | import lief 41 | import argparse 42 | 43 | ############### headers & footers printed in the output file 44 | 45 | headerTable_py = "g_WellKnownWnfNames = {" 46 | footerTable_py = "}" 47 | formatLine_py = "\t\"{0}\": 0x{1}, {2}\n" 48 | formatLastLine_py = "\t\"{0}\": 0x{1} {2}\n" 49 | formatCmt_py = " \t# {}" 50 | 51 | headerTable = """ 52 | typedef struct _WNF_NAME 53 | { 54 | PCHAR Name; 55 | ULONG64 Value; 56 | }WNF_NAME, *PWNF_NAME; 57 | 58 | WNF_NAME g_WellKnownWnfNames[] = 59 | {\n""" 60 | footerTable = "};" 61 | formatLine = "\t{{\"{0}\", 0x{1}}}, {2}\n" 62 | formatLastLine = "\t{{\"{0}\", 0x{1}}} {2}\n" 63 | formatCmt = " \t// {}" 64 | 65 | 66 | headerAdded = """ 67 | ################################################ 68 | # NEW KEYS # 69 | ################################################\n\n""" 70 | 71 | headerDeleted = """\n\n 72 | ################################################ 73 | # DELETED KEYS # 74 | ################################################\n\n""" 75 | 76 | headerModified = """\n\n 77 | ################################################ 78 | # MODIFIED KEYS # 79 | ################################################\n\n""" 80 | 81 | 82 | class dumbWnfParser(object): 83 | def __init__(self, binaryPath): 84 | self.binary = lief.parse(binaryPath) 85 | self.section = self.binary.get_section(".rdata") 86 | self.imgBase = self.binary.optional_header.imagebase 87 | self.ptr_size = 8 if self.binary.header.machine == lief.PE.MACHINE_TYPES.AMD64 else 4 88 | self.content = self.section.content 89 | self.sectionAddr = self.imgBase + self.section.virtual_address 90 | self.pattern = b'W\x00N\x00F\x00_\x00' # key pattern used to find th wnf table 91 | 92 | self.tableAddr = self.SearchForTable() 93 | 94 | 95 | # Small generator providing the addresses of strings containing the [pattern] 96 | def GetWnfOccurence(self, pattern): 97 | for occurence in self.section.search_all(pattern): 98 | yield(self.sectionAddr + occurence) 99 | 100 | 101 | # Xref each wnf key address and check if it's the first element of the wnf name table 102 | def SearchForTable(self): 103 | for address in self.GetWnfOccurence(self.pattern): 104 | offsetString = self.section.search_all(address) 105 | if offsetString != []: 106 | tableOff = offsetString[0]-self.ptr_size 107 | if self.VerifyTableAddr(tableOff) == True: 108 | return tableOff 109 | return 0 110 | 111 | 112 | # Verifies that the wnf name table is at the provided offset ([tableOffset]) 113 | def VerifyTableAddr(self, tableOffset): 114 | if tableOffset == 0: 115 | return 0 116 | currentOff = tableOffset 117 | # At least test three entries in the table to remove false positives 118 | for _ in range(3): 119 | # We should have a wnf value at the first offset 120 | valueAddr = self.GetPtr(currentOff) 121 | if struct.unpack('P', valueAddr)[0] == 0: 122 | return False 123 | value = self.GetContentFromVA(valueAddr, 8) 124 | if value == b'': 125 | return False 126 | 127 | # Just after, we should have a Wnf key 128 | currentOff+=self.ptr_size 129 | wnfkey = self.GetPtr(currentOff) 130 | if wnfkey == b'': 131 | return False 132 | value = self.GetContentFromVA(wnfkey, 8) 133 | if value != self.pattern: 134 | return False # This is not a valid key 135 | 136 | # At last, let's just check if we still have a pointer after that 137 | currentOff+=self.ptr_size 138 | desc = self.GetPtr(currentOff) 139 | if desc == b'': 140 | return False 141 | descAddr = struct.unpack('P', desc)[0] 142 | if descAddr < self.sectionAddr or descAddr >= (self.sectionAddr + self.section.size-self.ptr_size): 143 | return False 144 | 145 | currentOff+=self.ptr_size 146 | 147 | # Verifies that we are really at the beginning of the table 148 | currentOff=tableOffset-(self.ptr_size*2) 149 | wnfkey = self.GetPtr(currentOff) 150 | if struct.unpack('P', wnfkey)[0] != 0: 151 | value = self.GetContentFromVA(wnfkey, 8) 152 | if value == self.pattern: # we are not... 153 | return False 154 | 155 | return True 156 | 157 | # Just reads [self.ptr_size] bytes of the section rdata at the provided [offset] 158 | def GetPtr(self, offset): 159 | assert(len(self.content) >= self.ptr_size+offset) 160 | return b''.join(map(lambda x:x.to_bytes(1, byteorder='little'), self.content[offset:offset+self.ptr_size])) 161 | 162 | 163 | # Extracts a unicode string from the section at the address [addr] 164 | def GetUnicodeStringFromVA(self, addr): 165 | startOffset = struct.unpack('P', addr)[0]-self.sectionAddr 166 | if(startOffset < 0) : 167 | return b'' 168 | assert(self.content[startOffset] != 0) 169 | string = "" 170 | offset = startOffset 171 | while self.content[offset+2]!=0 : 172 | assert(self.content[offset+1]==0) 173 | offset+=2 174 | if startOffset < offset: 175 | string = b''.join(map(lambda x:x.to_bytes(1, byteorder='little'), self.content[startOffset:offset+2])) 176 | return string 177 | 178 | 179 | # Extracts [size] bytes from the section at the address [addr] 180 | def GetContentFromVA(self, addr, size): 181 | addr = struct.unpack('P', addr)[0]-self.sectionAddr 182 | if(addr < 0) : 183 | return b'' 184 | return b''.join(map(lambda x:x.to_bytes(1, byteorder='little'), self.content[addr:addr+size])) 185 | 186 | 187 | # Parses the wnfNametable, populates a dictionary with the wnfNames and returns a dictionary containing all the entries found 188 | def DumpTable(self): 189 | wnfDico = {} 190 | assert(self.tableAddr != 0) 191 | currentOffset = self.tableAddr 192 | valAddr = self.GetPtr(currentOffset) 193 | while struct.unpack('P', valAddr)[0] != 0: 194 | 195 | value = struct.unpack('Q', self.GetContentFromVA(valAddr, 8))[0] 196 | 197 | currentOffset += self.ptr_size 198 | keyAddr = self.GetPtr(currentOffset) 199 | if struct.unpack('P', keyAddr)[0] == 0: 200 | raise Exception('Cannot get the address of the key. Check the base address of the wnfName table') 201 | key = self.GetUnicodeStringFromVA(keyAddr).decode('utf-16') 202 | 203 | currentOffset += self.ptr_size 204 | descAddr = self.GetPtr(currentOffset) 205 | if struct.unpack('P', descAddr)[0] == 0: 206 | raise Exception('Cannot get the address of the description. Check the base address of the wnfName table') 207 | desc = self.GetUnicodeStringFromVA(descAddr).decode('utf-16') 208 | 209 | wnfDico[key] = (value, desc) 210 | currentOffset += self.ptr_size 211 | valAddr = self.GetPtr(currentOffset) 212 | return wnfDico 213 | 214 | 215 | ############### Pretty print and output stuff ############### 216 | 217 | # diff two wnf dictionnaries and outputs the discrepancies as 3 differents dictionnaries 218 | def DiffDico(dicoOld, dicoNew): 219 | addedKey = {key: dicoNew[key] for key in set(dicoNew)-set(dicoOld)} 220 | removedKey = {key: dicoOld[key] for key in set(dicoOld)-set(dicoNew)} 221 | modifiedValue ={key: (dicoOld[key], dicoNew[key]) for key in set(dicoOld) & set(dicoNew) if dicoOld[key] != dicoNew[key]} 222 | return addedKey, removedKey, modifiedValue 223 | 224 | 225 | # simply opens a file and writes the content of the wnfName dictionnary in it 226 | def WriteTableInFile(dico, fileName,append = False, verbose = False): 227 | fileaccess = 'a' if append else 'w' 228 | with open(fileName, fileaccess) as outfile: 229 | outfile.write(headerTable) 230 | sortedDico = sorted(dico) 231 | for key in sortedDico[:-1]: 232 | value, desc = dico[key] 233 | if verbose == True: 234 | desc = formatCmt.format(desc) 235 | else: 236 | desc = "" 237 | line = formatLine.format(key, format(value, '08x'), desc) 238 | outfile.write(line) 239 | 240 | value, desc = dico[sortedDico[-1]] 241 | if verbose == True: 242 | desc = formatCmt.format(desc) 243 | else: 244 | desc = "" 245 | line = formatLastLine.format(sortedDico[-1], format(value, '08x'), desc) 246 | outfile.write(line) 247 | outfile.write(footerTable) 248 | 249 | # Just pretty prints the dictionnary generated by the diff 250 | def PrettyPrintDiff(addedDico, removedDico, modifDico, fileName, verbose = False): 251 | if addedDico != {}: 252 | with open(fileName, "w") as outfile: 253 | outfile.write(headerAdded) 254 | WriteTableInFile(addedDico, fileName, True, verbose) 255 | 256 | if removedDico != {}: 257 | with open(fileName, "a") as outfile: 258 | outfile.write(headerDeleted) 259 | WriteTableInFile(removedDico, fileName, True, verbose) 260 | 261 | if modifDico != {}: 262 | with open(fileName, "a") as outfile: 263 | outfile.write(headerModified) 264 | for key in modifDico: 265 | old, new = modifDico[key] # (value, desc) 266 | line = "Key {0}: {1} -> {2} \n {3} \n->\n {4}\n\n--\n\n".format(key, format(old[0], '08x'), format(new[0], '08x'), old[1], new[1]) 267 | outfile.write(line) 268 | 269 | 270 | ############### MAIN ############### 271 | 272 | 273 | if __name__ == "__main__": 274 | argParser = argparse.ArgumentParser(description="Little script to dump or diff wnf name table from dll") 275 | group = argParser.add_mutually_exclusive_group() 276 | group.add_argument("-dump", action="store_true", help="Dump the table into a file") 277 | group.add_argument("-diff", action="store_true", help="Diff two tables and dump the discrepancies") 278 | argParser.add_argument("-v", "--verbose", action="store_true", help="Print the description of the keys") 279 | argParser.add_argument("-o", "--output", type=str, help="Output file (Default: output.txt)", default="output.txt") 280 | argParser.add_argument("-py", "--python",action="store_true", help="Change the output language to python (by default it's c)") 281 | argParser.add_argument("file1", type=str) 282 | argParser.add_argument("file2", nargs='?', type=str, default="") 283 | args = argParser.parse_args() 284 | 285 | if args.python: 286 | headerTable = headerTable_py 287 | footerTable = footerTable_py 288 | formatLine = formatLine_py 289 | formatLastLine = formatLastLine_py 290 | formatCmt = formatCmt_py 291 | 292 | try: 293 | dumper1 = dumbWnfParser(args.file1) 294 | except Exception as e: 295 | sys.exit("[Error] Error with file {0} : {1}.".format(args.file1, e)) 296 | 297 | if dumper1.tableAddr == 0: 298 | sys.exit("[Error] Could not find the WNF name table in {}.".format(args.file1)) 299 | 300 | 301 | ####### diffing 302 | if args.diff: 303 | if args.file2 == "": 304 | sys.exit("usage: {} -diff oldDllName newDllName".format(os.path.basename(__file__))) 305 | 306 | # same stuff for the second file 307 | try: 308 | dumper2 = dumbWnfParser(args.file2) 309 | except Exception as e: 310 | sys.exit("[Error] Error with file {0} : {1}...".format(args.file2, e)) 311 | 312 | if dumper2.tableAddr == 0: 313 | sys.exit("[Error] Could not find the WNF name table in {}.".format(args.file2)) 314 | 315 | # diffing 316 | try: 317 | dicoOld = dumper1.DumpTable() 318 | dicoNew = dumper2.DumpTable() 319 | added, deleted, modified = DiffDico(dicoOld, dicoNew) 320 | except Exception as e: 321 | sys.exit("[Error] {}".format(e)) 322 | 323 | # writing everithing 324 | try: 325 | PrettyPrintDiff(added, deleted, modified, args.output, args.verbose) 326 | except Exception as e: 327 | sys.exit("[Error] {}".format(e)) 328 | 329 | 330 | ###### dumping 331 | else: 332 | 333 | try: 334 | WriteTableInFile(dumper1.DumpTable(), args.output, False, args.verbose) 335 | except Exception as e: 336 | sys.exit("[Error] {}".format(e)) 337 | -------------------------------------------------------------------------------- /script_python/wnfcom.py: -------------------------------------------------------------------------------- 1 | """ 2 | 3 | Copyright (c) 2018 Gabrielle Viala. All Rights Reserved. 4 | https://blog.quarkslab.com/author/gwaby.html 5 | 6 | """ 7 | 8 | import ctypes 9 | import argparse 10 | import win32security 11 | from enum import Enum 12 | from hexdump import hexdump 13 | import sys 14 | from WellKnownWnfNames import g_WellKnownWnfNames # comment this if you don't have the file (you can generate it with ) 15 | 16 | ZwCreateWnfStateName = ctypes.windll.ntdll.ZwCreateWnfStateName 17 | ZwUpdateWnfStateData = ctypes.windll.ntdll.ZwUpdateWnfStateData 18 | ZwQueryWnfStateData = ctypes.windll.ntdll.ZwQueryWnfStateData 19 | RtlSubscribeWnfStateChangeNotification = ctypes.windll.ntdll.RtlSubscribeWnfStateChangeNotification 20 | RtlUnsubscribeWnfStateChangeNotification = ctypes.windll.ntdll.RtlUnsubscribeWnfStateChangeNotification 21 | CreateEventA = ctypes.windll.kernel32.CreateEventA 22 | WaitForSingleObject = ctypes.windll.kernel32.WaitForSingleObject 23 | CloseHandle = ctypes.windll.kernel32.CloseHandle 24 | 25 | GENERIC_ALL = 0x10000000 26 | WNF_STATE_KEY = 0x41C64E6DA3BC0074 27 | 28 | 29 | class WNF_STATE_NAME_bits(ctypes.LittleEndianStructure): 30 | _fields_ = [ 31 | ("Version", ctypes.c_ulonglong, 4), 32 | ("NameLifetime", ctypes.c_ulonglong, 2), 33 | ("DataScope", ctypes.c_ulonglong, 4), 34 | ("PermanentData", ctypes.c_ulonglong, 1), 35 | ("Unique", ctypes.c_ulonglong, 53), 36 | ("value", ctypes.c_ulonglong) 37 | ] 38 | 39 | 40 | class WNF_STATE_NAME_INTERNAL(ctypes.Union): 41 | _fields_ = [ 42 | ("b", WNF_STATE_NAME_bits), 43 | ("value", ctypes.c_ulonglong) 44 | ] 45 | 46 | class WNF_DATA_SCOPE(Enum): 47 | WnfDataScopeSystem, WnfDataScopeSession, WnfDataScopeUser, WnfDataScopeProcess, WnfDataScopeMachine = range(5) 48 | 49 | class WNF_STATE_NAME_LIFETIME(Enum): 50 | WnfWellKnownStateName, WnfPermanentStateName, WnfPersistentStateName, WnfTemporaryStateName = range(4) 51 | 52 | WnfLifetimeStrings = [ 53 | "Well-Known", 54 | "Permanent", 55 | "Volatile", 56 | "Temporary" 57 | ] 58 | 59 | WnfDataScopeStrings = [ 60 | "System", 61 | "session", 62 | "User", 63 | "Process", 64 | "Machine" 65 | ] 66 | 67 | class WnfCom(object): 68 | class NOTIFY_CONTEXT(ctypes.Structure): 69 | _fields_ = [ 70 | ("NotifyEvent", ctypes.c_ulong), 71 | ("EventDestroyed", ctypes.c_bool) 72 | ] 73 | 74 | def __init__(self, WnfName = 0): 75 | # generic stuff 76 | self.StateName = ctypes.c_ulonglong(0) 77 | self.internalName = WNF_STATE_NAME_INTERNAL() 78 | self.verbose = True 79 | if WnfName != 0: 80 | self.SetStateName(WnfName) 81 | 82 | # callback for the listener 83 | self.callback_type = ctypes.CFUNCTYPE( 84 | ctypes.c_ulonglong, 85 | ctypes.c_ulonglong, 86 | ctypes.c_ulong, 87 | ctypes.c_void_p, 88 | ctypes.c_void_p, 89 | ctypes.c_void_p, 90 | ctypes.c_ulong) 91 | self.callback = self.callback_type(self.NotifyCallback) 92 | 93 | # security descriptor used for creating the server part 94 | everyoneSid = win32security.CreateWellKnownSid(1, None) 95 | acl = win32security.ACL() 96 | acl.AddAccessAllowedAce(win32security.ACL_REVISION, GENERIC_ALL, everyoneSid) 97 | pySd = win32security.SECURITY_DESCRIPTOR() 98 | pySd.SetSecurityDescriptorDacl(True, acl, False) 99 | self.rawSd = ctypes.create_string_buffer(memoryview(pySd).tobytes()) 100 | 101 | 102 | def TooglePrint(self): 103 | self.verbose = not self.verbose 104 | 105 | def pprint(self, string): 106 | if self.verbose: 107 | print(string) 108 | 109 | def PrintInternalName(self): 110 | self.pprint("Encoded Name: {:x}, Clear Name: {:x}\n\t" 111 | "Version: {}, Permanent: {}, Scope: {}, Lifetime: {}, Unique: {}\n".format( 112 | self.StateName.value, 113 | self.internalName.value, 114 | self.internalName.b.Version, 115 | "Yes" if self.internalName.b.PermanentData else "No", 116 | WnfDataScopeStrings[self.internalName.b.DataScope], 117 | WnfLifetimeStrings[self.internalName.b.NameLifetime], 118 | self.internalName.b.Unique)) 119 | 120 | 121 | def SetStateName(self, WnfName): 122 | tmpName = 0 123 | try: 124 | tmpName = g_WellKnownWnfNames[WnfName.upper()] 125 | except: 126 | if len(WnfName)>2 and WnfName[1] == 'x': 127 | WnfName = WnfName[2:] 128 | try: 129 | tmpName = int(WnfName, 16) 130 | except: 131 | tmpName = 0 132 | self.pprint("[Error] Could not validate the provided name") 133 | return False 134 | 135 | self.StateName = ctypes.c_longlong(tmpName) 136 | self.internalName.value = ctypes.c_ulonglong(tmpName ^ WNF_STATE_KEY) 137 | return True 138 | 139 | def CreateServer(self): 140 | status = ZwCreateWnfStateName(ctypes.byref(self.StateName), 141 | WNF_STATE_NAME_LIFETIME.WnfTemporaryStateName.value, 142 | WNF_DATA_SCOPE.WnfDataScopeMachine.value, 143 | False, 144 | 0, 145 | 0x1000, 146 | self.rawSd) 147 | if status != 0: 148 | self.pprint("[Error] Failed: {}".format(status)) 149 | return 0 150 | 151 | self.pprint("[SERVER] StateName created: {:x}\n".format(self.StateName.value)) 152 | self.internalName.value = ctypes.c_ulonglong(self.StateName.value ^ WNF_STATE_KEY) 153 | return self.StateName.value 154 | 155 | 156 | 157 | def Write(self, Data = b"Hello World"): 158 | if self.StateName.value == 0: 159 | self.pprint("[Error] Server not initialized. Use CreateServer() or SetStateName().") 160 | return 0 161 | if type(Data) != bytes: 162 | self.pprint("[Error] Could not read the data. Bytes string is expected.") 163 | return 0 164 | 165 | self.PrintInternalName() 166 | dataBuffer = ctypes.c_char_p(Data) 167 | bufferSize = len(Data) 168 | status = ZwUpdateWnfStateData(ctypes.byref(self.StateName), dataBuffer, bufferSize, 0, 0, 0, 0) 169 | status = ctypes.c_ulong(status).value 170 | 171 | if status != 0: 172 | self.pprint("[Error] Could not write: 0x{:x}\n\t Maybe the data is too big or you don't have write access?".format(status)) 173 | else: 174 | self.pprint("State update: {} bytes written\n".format(bufferSize)) 175 | return status 176 | 177 | def Read(self): 178 | if self.StateName.value == 0: 179 | self.pprint("[Error] Client not initialized. Use SetStateName() to set a state name.") 180 | return False 181 | changeStamp = ctypes.c_ulong(0) 182 | dataBuffer = ctypes.create_string_buffer(4096) 183 | bufferSize = ctypes.c_ulong(ctypes.sizeof(dataBuffer)) 184 | res = ZwQueryWnfStateData(ctypes.byref(self.StateName), 185 | 0, 0, 186 | ctypes.byref(changeStamp), 187 | ctypes.byref(dataBuffer), 188 | ctypes.byref(bufferSize) 189 | ) 190 | bufferSize = 0 if res !=0 else bufferSize.value 191 | hexdump(dataBuffer.raw[0:bufferSize]) 192 | 193 | return changeStamp.value, dataBuffer, bufferSize 194 | 195 | 196 | def Listen(self): 197 | if self.StateName.value == 0: 198 | self.pprint("[Error] Server not initialized. Use CreateServer() or SetStateName().") 199 | return False 200 | wnfSubscription = ctypes.c_void_p(0) 201 | notifyContext = self.NOTIFY_CONTEXT() 202 | notifyContext.EventDestroyed = False 203 | notifyContext.NotifyEvent = CreateEventA(0, 0, 0, 0) 204 | if(notifyContext.NotifyEvent == 0): 205 | self.pprint("[Error] Could not create event") 206 | return False 207 | 208 | self.pprint("[CLIENT]: Event registered: {}\n".format(notifyContext.NotifyEvent)) 209 | 210 | res = RtlSubscribeWnfStateChangeNotification( 211 | ctypes.byref(wnfSubscription), 212 | self.StateName, 213 | 0, 214 | self.callback, 215 | ctypes.byref(notifyContext), 216 | 0, 0, 0) 217 | 218 | if res != 0: 219 | self.pprint("[Error] WNF Sub Failed: {:x}".format(ctypes.c_ulong(res).value)) 220 | CloseHandle(notifyContext.NotifyEvent) 221 | return False 222 | 223 | while not notifyContext.EventDestroyed: 224 | try: 225 | WaitForSingleObject(notifyContext.NotifyEvent, 1500) 226 | except KeyboardInterrupt: 227 | break 228 | 229 | self.pprint("[CLIENT]: Shutting down...") 230 | CloseHandle(notifyContext.NotifyEvent) 231 | RtlUnsubscribeWnfStateChangeNotification(wnfSubscription) 232 | return True 233 | 234 | def NotifyCallback (self, StateName, ChangeStamp, TypeId, CallbackContext, Buffer, BufferSize): 235 | notifyContext = ctypes.cast(CallbackContext, ctypes.POINTER(self.NOTIFY_CONTEXT)) 236 | ArrayType = ctypes.c_char * BufferSize 237 | 238 | if Buffer == None and BufferSize == 0 and ChangeStamp == 0: 239 | self.pprint("[CLIENT]: NAME DESTROYED") 240 | notifyContext.contents.EventDestroyed = True 241 | 242 | else: 243 | buff = ctypes.cast(Buffer, ctypes.POINTER(ArrayType)).contents[:BufferSize] 244 | self.pprint("[CLIENT] Timestamp: 0x{:x} Size: 0x{:x}\n Data:".format( 245 | ChangeStamp, 246 | BufferSize)) 247 | 248 | output = b''.join(map(lambda x:x.to_bytes(1, byteorder='little'), buff)) 249 | hexdump(output) 250 | 251 | return 0 252 | 253 | ############### MAIN ############### 254 | 255 | 256 | if __name__ == "__main__": 257 | argParser = argparse.ArgumentParser(description="") 258 | argParser.add_argument("WNF_NAME", nargs='?', type=str, help="state name") 259 | args = argParser.parse_args() 260 | 261 | wnfserver = WnfCom() 262 | if args.WNF_NAME: 263 | if not wnfserver.SetStateName(args.WNF_NAME): 264 | sys.exit("[Error] State name unknown.") 265 | else: 266 | wnfserver.CreateServer() 267 | wnfserver.Write() 268 | 269 | while True: 270 | try: 271 | Data = input(">") 272 | except KeyboardInterrupt as e: 273 | break 274 | wnfserver.Write(Data.encode()) 275 | 276 | wnfserver.Read() -------------------------------------------------------------------------------- /wnftools_x64/wnfclient-nt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x64/wnfclient-nt.exe -------------------------------------------------------------------------------- /wnftools_x64/wnfclient-rtl.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x64/wnfclient-rtl.exe -------------------------------------------------------------------------------- /wnftools_x64/wnfdump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x64/wnfdump.exe -------------------------------------------------------------------------------- /wnftools_x64/wnfserver.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x64/wnfserver.exe -------------------------------------------------------------------------------- /wnftools_x86/wnfclient-nt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x86/wnfclient-nt.exe -------------------------------------------------------------------------------- /wnftools_x86/wnfclient-rtl.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x86/wnfclient-rtl.exe -------------------------------------------------------------------------------- /wnftools_x86/wnfdump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x86/wnfdump.exe -------------------------------------------------------------------------------- /wnftools_x86/wnfserver.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionescu007/wnfun/ea1a418752920de8c44737db0419273ba3e2fe3e/wnftools_x86/wnfserver.exe --------------------------------------------------------------------------------