Navigation

← Previous Changeset
Next Changeset →

Changeset 1726

Timestamp:

08/12/08 16:00:34 (4 months ago)

Author:

xkovah

Message:

and now it at least compiles

Files:

capture-mod/trunk/CaptureClient.cpp (modified) (2 diffs)
capture-mod/trunk/CaptureSoapServer.cpp (modified) (7 diffs)
capture-mod/trunk/CaptureSoapServer.h (modified) (3 diffs)
capture-mod/trunk/capture.wsdl (modified) (4 diffs)
capture-mod/trunk/install/FileMonitor.exl (modified) (7 diffs)
capture-mod/trunk/install/ProcessMonitor.exl (modified) (2 diffs)
capture-mod/trunk/install/RegistryMonitor.exl (modified) (4 diffs)
capture-mod/trunk/soapC.cpp (modified) (17 diffs)
capture-mod/trunk/soapClient.cpp (modified) (2 diffs)
capture-mod/trunk/soapH.h (modified) (16 diffs)
capture-mod/trunk/soapServer.cpp (modified) (3 diffs)
capture-mod/trunk/soapStub.h (modified) (15 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

capture-mod/trunk/CaptureClient.cpp

r1644	r1726
7	7	#include "ProcessManager.h"
8	8	#include "shellapi.h"
9		#include "MySoapServer.h"
	9	#include "CaptureSoapServer.h"
10	10	using namespace std;
11	11
…	…
62	62	visitor = new Visitor();
63	63	//Set up the standalone SOAP server
64		~~MySoapServer a = My~~SoapServer(visitor);
	64	CaptureSoapServer a = CaptureSoapServer(visitor);
65	65	analyzer = new Analyzer(visitor, server);
66	66	Thread* captureClientThread = new Thread(this);

capture-mod/trunk/CaptureSoapServer.cpp

r1725	r1726
4	4	*/
5	5
6		#include "MySoapServer.h"
	6	#include "CaptureSoapServer.h"
7	7
8	8	#include "soapH.h"
…	…
13	13	Visitor * globVisitor;
14	14
15		~~MySoapServer::My~~SoapServer(Visitor* v){
	15	CaptureSoapServer::CaptureSoapServer(Visitor* v){
16	16
17	17	globVisitor = v;
18		MySoapServerThread = new Thread(this);
19		~~MySoapServerThread->start("My~~SoapServer");
20
21		}
22
23		~~MySoapServer::~My~~SoapServer(){}
	18	CaptureSoapServerThread = new Thread(this);
	19	CaptureSoapServerThread->start("CaptureSoapServer");
	20
	21	}
	22
	23	CaptureSoapServer::~CaptureSoapServer(){}
24	24
25	25	void
26		MySoapServer::run(){
	26	CaptureSoapServer::run(){
27	27
28	28	char debug = 0;
…	…
72	72	}
73	73
74		void MySoapServer::test(){
75
76		// printf("myVisitor = %#x\n", MySoapServer::myVisitor);
	74	void CaptureSoapServer::test(){
	75
	76	// printf("myVisitor = %#x\n", CaptureSoapServer::myVisitor);
77	77
78	78	}
…	…
124	124
125	125	void
126		MySoapServer::loadClientPlugins()
	126	CaptureSoapServer::loadClientPlugins()
127	127	{
128	128	WIN32_FIND_DATA FindFileData;
…	…
187	187
188	188	ApplicationPlugin*
189		MySoapServer::createApplicationPluginObject(HMODULE hPlugin)
	189	CaptureSoapServer::createApplicationPluginObject(HMODULE hPlugin)
190	190	{
191	191	typedef void (PluginExportInterface)(void);
…	…
211	211
212	212	void
213		MySoapServer::onServerEvent(Element* pElement)
	213	CaptureSoapServer::onServerEvent(Element* pElement)
214	214	{
215	215	wstring applicationName = L"iexplore";
…	…
245	245	///SetEvent(hQueueNotEmpty);
246	246	} else {
247		printf("MySoapServer-onServerEvent: ERROR could not find client %ls path, url not queued for visitation\n", applicationName.c_str());
	247	printf("CaptureSoapServer-onServerEvent: ERROR could not find client %ls path, url not queued for visitation\n", applicationName.c_str());
248	248	}
249	249	} else {
250		printf("MySoapServer-onServerEvent: ERROR no url specified for visit event\n");
251		}
252		}
	250	printf("CaptureSoapServer-onServerEvent: ERROR no url specified for visit event\n");
	251	}
	252	}

capture-mod/trunk/CaptureSoapServer.h

r1725	r1726
33	33
34	34
35		class MySoapServer : public Runnable
	35	class CaptureSoapServer : public Runnable
36	36	{
37	37	public:
…	…
41	41	typedef pair <ApplicationPlugin, Url> VisitPair;
42	42	public:
43		MySoapServer(Visitor *);
44		~MySoapServer();
	43	CaptureSoapServer(Visitor *);
	44	~CaptureSoapServer();
45	45
46	46	void run();
…	…
51	51	void onServerEvent(Element* pElement);
52	52
53		Thread * MySoapServerThread;
	53	Thread * CaptureSoapServerThread;
54	54	signal_visitEvent signalVisitEvent;
55	55	stdext::hash_map<HMODULE, std::list<ApplicationPlugin>> applicationPlugins;

capture-mod/trunk/capture.wsdl

r1725	r1726
26	26	attributeFormDefault="unqualified">
27	27	<import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
28		~~<complexType name="myStruct2">~~
29		~~<complexContent>~~
30		~~<restriction base="ns:ms2">~~
31		~~</restriction>~~
32		~~</complexContent>~~
33		~~</complexType>~~
34		~~<complexType name="ms2">~~
35		~~<sequence>~~
36		~~<element name="first" type="xsd:string" minOccurs="0" maxOccurs="1" nillable="true"/>~~
37		~~<element name="last" type="xsd:string" minOccurs="0" maxOccurs="1" nillable="true"/>~~
38		~~</sequence>~~
39		~~</complexType>~~
40	28	</schema>
41	29
…	…
68	56	</message>
69	57
70		~~<message name="junks">~~
71		~~<part name="a" type="xsd:string"/>~~
72		~~</message>~~
73
74		~~<message name="ms2">~~
75		~~<part name="first" type="xsd:string"/>~~
76		~~<part name="last" type="xsd:string"/>~~
77		~~</message>~~
78
79	58	<portType name="capturePortType">
80	59	<operation name="add">
…	…
92	71	<input message="tns:subRequest"/>
93	72	<output message="tns:subResponse"/>
94		~~</operation>~~
95		~~<operation name="junks">~~
96		~~<documentation>Service definition of function ns__junks</documentation>~~
97		~~<input message="tns:junks"/>~~
98		~~<output message="tns:ms2"/>~~
99	73	</operation>
100	74	</portType>
…	…
129	103	</output>
130	104	</operation>
131		~~<operation name="junks">~~
132		~~<SOAP:operation style="rpc" soapAction=""/>~~
133		~~<input>~~
134		~~<SOAP:body use="encoded" namespace="capture" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>~~
135		~~</input>~~
136		~~<output>~~
137		~~<SOAP:body use="encoded" namespace="capture" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>~~
138		~~</output>~~
139		~~</operation>~~
140	105	</binding>
141	106

capture-mod/trunk/install/FileMonitor.exl

r1724	r1726
9	9	+ Delete C:\\program Files\\capture\\captureclient\.exe C:\\program files\\capture\\.+\.zip
10	10	#Prefetch
11		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch.*
12		+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch.*
	11	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch\\.+
13	12	+ Write System C:\\WINDOWS\\Prefetch\\.+
14	13	#NTFS Metadata
…	…
51	50	+ Write C:\\WINDOWS\\system32\\services\.exe C:\\WINDOWS\\system32\\config\\SecEvent\.Evt
52	51	#Mapping
53		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem.*
	52	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem\\.+
54	53	#Cataloging
55	54	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\CatRoot2\\.+
…	…
74	73	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temp\\.+tmp
75	74	# History
76		+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+
77		+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+
78		+ Write C:\\WINDOWS\\explorer\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+
79		+ Delete C:\\WINDOWS\\explorer\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+
	75	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5\\.+
	76	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5\\.+
80	77	# IE Cookies
81	78	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Cookies\\.+
…	…
97	94	+ Write C:\\Program Files\\Messenger\\msmsgs\.exe C:\\Documents and Settings\\.+\\NTUSER.DAT.LOG
98	95	+ Delete C:\\Program Files\\Messenger\\msmsgs\.exe C:\\Documents and Settings\\.+\\NTUSER.DAT.LOG
99		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\\$LogFile
100		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\\$Directory
101		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\\$Mft
102		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe F:\\\$LogFile
	96	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\$LogFile
	97	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\$Directory
	98	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\$Mft
	99	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe F:\$LogFile
103	100
104	101	###################################################
…	…
128	125	###################################################
129	126	# Alert about executables or scripts that are written to disk
130		#XENO: I recommend commenting out all blacklist entries until this has some way to
131		#deal with the fact that these will always be written to the tmp file if you visit
132		#a link to one of these directly...If we could add whitelist entries back in AFTER
133		#these, pointing at the tmp file dir, signifying that we don't care as long as it
134		#is in that dir, but care about everything else, then this would be usable...but until
135		#then...not so much.
136		#I tested adding a + entry for the temp downloads file after the - entry. It seemed
137		#to work for .vb files, but not .exe files, which is what we care about much more.
138		#- Write .* .+\.bat
139		#- Write .* .+\.cmd
140		#commented out for VMwareService.exe, since it writes .inf files.
141		#- Write .* .+\.inf
142		#- Write .* .+\.lnk
143		#- Write .* .+\.msi
144		#- Write .* .+\.msp
145		#- Write .* .+\.pif
146		#- Write .* .+\.reg
147		#- Write .* .+\.sct
148		#- Write .* .+\.shs
149		#commented out for sites that download \.scr into the temp files folder.
150		#- Write .* .+\.scr
151		#- Write .* .+\.wsc
152		#- Write .* .+\.wsf
153		#- Write .* .+\.wsh
	127	- Write .* .+\.bat
	128	- Write .* .+\.cmd
	129	- Write .* .+\.exe
	130	- Write .* .+\.inf
	131	- Write .* .+\.lnk
	132	- Write .* .+\.msi
	133	- Write .* .+\.msp
	134	- Write .* .+\.pif
	135	- Write .* .+\.reg
	136	- Write .* .+\.sct
	137	- Write .* .+\.shs
	138	- Write .* .+\.scr
	139	- Write .* .+\.wsc
	140	- Write .* .+\.wsf
	141	- Write .* .+\.wsh
154	142	#commented out for IE because \.com cache files and \.vb script files are very common
155	143	#- Write .* .+\.vb
156	144	#- Write .* .+\.com
157		~~#commented out for IE because .exe downloads to the cache dir are very common~~
158		~~#- Write .* .+\.exe~~
159	145	# Alert about modifications to startup locations
160	146	- Write .* C:\\Documents and Settings\\.+\\Start Menu\\Programs\\Startup.+
…	…
168	154	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
169	155	+ Delete C:\\WINDOWS\\system32\\defrag\.exe C:\\.*\.tmp
170		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\\$ReplaceAttribute
171		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\\$ReplaceAttribute
172		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\\$LogFile
173		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\\$Directory
174		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\\$Mft
	156	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\$ReplaceAttribute
	157	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\$ReplaceAttribute
	158	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\$LogFile
	159	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\$Directory
	160	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\$Mft
175	161	#### HONEYCLIENT manual
176	162	+ Write C:\\WINDOWS\\system32\\dwwin\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.*
…	…
180	166	+ Delete C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe C:\\WINDOWS\\system32\\wbem\\Performance\\WmiApRpl\.h
181	167	+ Delete C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe C:\\WINDOWS\\system32\\PerfStringBackup\.TMP
182		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS~~
183		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\AppPatch~~
184		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32~~
185		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\config~~
186		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\config\\systemprofile~~
187		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\wbem~~
188		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\wbem\\Repository\\FS~~
189		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\Prefetch~~
190		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR~~
191		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Config~~
192		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\PackageStore~~
193		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\~~
194		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\Prefetch~~
195		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries~~
196		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\DataColl~~
197		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\~~
198		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\WinSxS~~
199		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\WinSxS\\MANIFESTS~~
200		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\WinSxS\\Policies~~
201		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\REGISTRATION~~
202		+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\WinSxS\\Policies\\.*
203		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\Documents and Settings~~
204		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\Documents and Settings\\Default User~~
205		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\Documents and Settings\\ALL USERS~~
206		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\Documents and Settings\\Default User\\Start Menu\\Programs~~
207		~~+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\Documents and Settings\\All Users\\START MENU~~
208
209		~~#### Honeyclient manual add - helpsvc.exe~~
210		+ Write C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\DataColl\\.*
211		+ Delete C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc\.exe C:\\WINDOWS\\PCHEALTH\\HELPCTR\\DataColl\\.*
212
213		~~#### Honeyclient manual add - dfrgntfs.exe - ticket #143~~
214		+ Write C:\\WINDOWS\\system32\\dfrgntfs\.exe .*
215
216		~~#### Honeyclient manual add - iexplore.exe - ticket #142~~
217		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Cab.*\.tmp~~
218		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Cab.*\.tmp~~
219		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Tar.*\.tmp~~
220		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Tar.*\.tmp~~
221
222		~~#### Honeyclient manual add - iexplore.exe - ticket #144 (windows update services)~~
223		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\WindowsUpdate.log~~
224		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\system32\\wuweb\.dll~~
225		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\system32\\wuweb\.dll~~
226		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\ICD.?.?\.tmp~~
227		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.dll~~
228		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.dll~~
229		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.inf~~
230		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.inf~~
231		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.cat~~
232		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.cat~~
233		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\system32\\CatRoot2\\dberr\.txt~~
234		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\LastGood\\TMP.*\.tmp~~
235		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\system32\\SET.*\.tmp~~
236		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\system32\\SET.*\.tmp~~
237		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Downloaded Program Files\\SET.*\.tmp~~
238		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Downloaded Program Files\\SET.*\.tmp~~
239		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.cab\.bak~~
240		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.cab\.bak~~
241		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.xml~~
242		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.cab~~
243		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.txt~~
244		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.txt~~
245		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.cab~~
246		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.cab~~
247		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cab~~
248		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cab~~
249		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.inf~~
250		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.inf~~
251		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cat~~
252		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cat~~
253		~~+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\CatRoot2\\tmp\.edb~~
254		~~+ Write C:\\WINDOWS\\system32\\winlogon\.exe C:\\WINDOWS\\system32\\dllcache\\wuweb\.dll\.new~~
255
256		~~#### Honeyclient manual add - iexplore.exe - ticket #136 (flash)~~
257		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\fla.*\.tmp~~
258		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\fla.*\.tmp~~
259		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\fla.*\.tmp~~
260		~~+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\fla.*\.tmp~~
261
262		~~#### Honeyclient manual add - iexplore.exe - ticket #152~~
263		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\VGX.*\.tmp~~
264
265		~~#### Honeyclient manual add - iexplore.exe~~
266		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\wbk.*\.tmp~~
267
268		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT - Internet Explorer 7 Updates~~
269		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS~~
270		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs~~
271		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32~~
272		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\repair~~
273		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution~~
274		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Cookies~~
275		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Cookies\\index.dat~~
276		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5.*
277		+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5.*
278		+ Write C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5.*
279		+ Delete C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5.*
280		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\cygwin.*
281		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop~~
282		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop\\%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Feeds Cache~~
283		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files.*
284		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content\.IE5\\.*
285		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator~~
286		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop\\%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Feeds Cache\\index\.dat~~
287		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\MSIMGSIZ\.DAT~~
288		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings~~
289		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\AntiPhishing\\.+~~
290		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Program Files\\Internet Explorer~~
291		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content\.IE5~~
292		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\Macromed\\Flash~~
293		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Feeds Cache~~
294		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Program Files~~
295		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Favorites~~
296		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Program Files\\Messenger~~
297		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Feeds Cache\\index\.dat~~
298		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Microsoft\.NET\\Framework.*
299		+ Write C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temporary Internet Files\\.*
300		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Cookies\\.+~~
301		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Cookies\\index.dat~~
302		~~+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Cookies\\.+~~
303		~~+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Cookies\\index.dat~~
304		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\WinSxS\\Policies\\.*
305		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\WinSxS~~
306		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\~~
307		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Temp~~
308
309		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT~~
310		~~#No guarantees that the % will be interpreted literally by the regex processing...but this is what it spit out~~
311		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop\\%USERPROFILE%\\UserData\\index\.dat~~
312
313		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT~~
314		+ Write C:\\WINDOWS\\system32\\lsass\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Protect\\.*
315
316
317		~~###Stuff that got accidentally removed in r 1511~~
318
319		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Temp\\WGANotify\.settings~~
320		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\config~~
321		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data.*
322		+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data.*
323		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache.*
324		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\All Users~~
325		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download~~
326		+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download.*
327		+ Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download.*
328		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem~~
329
330		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT - IE7 accessing live.com~~
331		~~+ Write C:\\WINDOWS\\Microsoft\.NET\\Framework\\v3\.0\\Windows Communication Foundation\\infocard\.exe C:\\WINDOWS\\system32\\config\\system\.LOG~~
332		~~+ Write C:\\WINDOWS\\Microsoft\.NET\\Framework\\v3\.0\\Windows Communication Foundation\\infocard\.exe C:\\WINDOWS\\system32\\config\\system~~
333		~~+ Write C:\\WINDOWS\\Microsoft\.NET\\Framework\\v3\.0\\Windows Communication Foundation\\infocard\.exe C:\\WINDOWS\\system32\\config~~
334
335		~~# IE7 - Exclusion~~
336		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\LocalService~~
337		~~+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\config\\SysEvent\.Evt~~
338
339		~~# VMware Tools~~
340		+ Write C:\\Program Files\\VMware\\VMware Tools\\VMwareUser\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp.*
341		+ Delete C:\\Program Files\\VMware\\VMware Tools\\VMwareUser\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp.*
342
343		~~# IE - Active Scripting Printing~~
344		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\.+htm~~
345		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\.+html~~
346		~~+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\.+tmp~~
347		~~+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\.+tmp~~
348
349		~~# System Log Files - IE7~~
350		~~+ Write C:\\WINDOWS\\system32\\services\.exe C:\\WINDOWS\\Debug\\UserMode\\userenv\.log~~
351
352		~~# IE6 Crashing~~
353		+ Write C:\\WINDOWS\\system32\\drwtsn32\.exe C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Dr Watson\\.*

capture-mod/trunk/install/ProcessMonitor.exl

r1724	r1726
15	15	### Microsoft Internet Explorer 6.0 ###
16	16	###################################################
17		+ iexplore.exe .* C:\\Program Files\\Internet Explorer\\iexplore\.exe
	17	+ iexplore.exe .* C:\\Program Files\\Internet Explorer\\iexplore.exe
18	18	#agent server is an activeX control that starts upon displaying multimedia content
19		+ agentsvr.exe .* C:\\WINDOWS\\msagent\\agentsvr\.exe
	19	+ agentsvr.exe .* C:\\WINDOWS\\msagent\\agentsvr.exe
20	20	#messenger activeX
21		+ msmsgs.exe .* C:\\Program Files\\Messenger\\msmsgs\.exe
	21	+ msmsgs.exe .* C:\\Program Files\\Messenger\\msmsgs.exe
22	22	###################################################
23	23	### Honeyclient added/specific? ###
24	24	###################################################
25		#FIXME: Xeno - ~~specifying a parent process doesn't work - this is a known bug~~
	25	#FIXME: Xeno - Does specifying a parent process even work? I tried
26	26	+ bash.exe .* C:\\cygwin\\bin\\bash\.exe
27	27	+ perl.exe .* C:\\cygwin\\bin\\perl\.exe
…	…
33	33	+ WgaTray.exe .* C:\\WINDOWS\\system32\\WgaTray\.exe
34	34	+ alg.exe .* C:\\WINDOWS\\system32\\alg\.exe
35		+ firefox.exe .* C:\\Program Files\\Mozilla Firefox\\firefox\.exe
36
37		#### HONEYCLIENT AUTO EXCLUDE SCRIPT
38		+ setup_wm.exe .* C:\\Program Files\\Windows Media Player\\setup_wm\.exe
39		+ wmplayer.exe .* C:\\Program Files\\Windows Media Player\\wmplayer\.exe
40
41		#### HONEYCLIENT AUTO EXCLUDE SCRIPT - Internet Explorer 7 Updates
42		+ verclsid.exe .* C:\\WINDOWS\\system32\\verclsid\.exe
43		#### HONEYCLIENT AUTO EXCLUDE SCRIPT
44		#This is related to the language bar...I just installed updates, and it was newly activated
45		#thus I consider it something valid to add
46		+ ctfmon.exe .* C:\\WINDOWS\\system32\\ctfmon\.exe
47
48		#### HONEYCLIENT AUTO EXCLUDE SCRIPT - IE7 accessing live.com
49		+ infocard.exe .* C:\\WINDOWS\\Microsoft.NET\\Framework\\v3.0\\Windows Communication Foundation\\infocard\.exe
50
51		# IE - Active Scripting Printing
52		+ rundll32.exe .* C:\\WINDOWS\\system32\\rundll32\.exe
53
54		# IE - Random Crashing Due To Poor Application Coding
55		+ drwtsn32.exe .* C:\\WINDOWS\\system32\\drwtsn32\.exe
	35	+ firefox.exe .* C:\\Program Files\\Mozilla Firefox\\firefox\.exe#### HONEYCLIENT AUTO EXCLUDE SCRIPT
	36	+ setup_wm.exe .* C:\\Program Files\\Windows Media Player\\setup_wm.exe
	37	+ wmplayer.exe .* C:\\Program Files\\Windows Media Player\\wmplayer.exe

capture-mod/trunk/install/RegistryMonitor.exl

r1724	r1726
14	14	+ SetValueKey .* HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\.+
15	15	+ SetValueKey .* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed.*
16		+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\SessionInformation\\.+
17		+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
18		+ SetValueKey C:\\WINDOWS\\explorer\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
19		+ SetValueKey C:\\WINDOWS\\explorer\.exe HKU\\.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
20		+ SetValueKey C:\\WINDOWS\\system32\\winlogon\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\.+
21		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe \\REGISTRY\\USER\\.+
22		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKU\\.+
	16	+ SetValueKey C:\\WINDOWS\\explorer.exe HKCU\\SessionInformation\\.+
	17	+ SetValueKey C:\\WINDOWS\\explorer.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
	18	+ SetValueKey C:\\WINDOWS\\explorer.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
	19	+ SetValueKey C:\\WINDOWS\\explorer.exe HKU\\.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
	20	+ SetValueKey C:\\WINDOWS\\system32\\winlogon.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\.+
	21	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe \\REGISTRY\\USER\\.+
	22	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKU\\.+
23	23	+ SetValueKey C:\\WINDOWS\\system32\\WgaTray\.exe HKCU\\SOFTWARE\\Microsoft\\SystemCertificates\\.+
24		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKCU\\Software\\Microsoft\\SystemCertificates\\Root\\.+
25		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\.+
26		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\.+
27		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\.+
28		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\.+
29		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\.+
30		+ SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SYSTEM\\ControlSet001\\.+
31		+ SetValueKey C:\\WINDOWS\\system32\\services\.exe HKLM\\SYSTEM\\ControlSet001\\.+
32		+ SetValueKey C:\\WINDOWS\\system32\\lsass\.exe HKLM\\SECURITY\\.+
33		+ SetValueKey C:\\WINDOWS\\system32\\lsass\.exe HKCU\\Software\\Microsoft\\Protected Storage System Provider\\.+
34		+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\.+
35		+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\.+
36		+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\.+
37		+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\WDM\\.+
	24	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKCU\\Software\\Microsoft\\SystemCertificates\\Root\\.+
	25	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\.+
	26	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\.+
	27	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\.+
	28	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\.+
	29	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\.+
	30	+ SetValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SYSTEM\\ControlSet001\\.+
	31	+ SetValueKey C:\\WINDOWS\\system32\\services.exe HKLM\\SYSTEM\\ControlSet001\\.+
	32	+ SetValueKey C:\\WINDOWS\\system32\\lsass.exe HKLM\\SECURITY\\.+
	33	+ SetValueKey C:\\WINDOWS\\system32\\lsass.exe HKCU\\Software\\Microsoft\\Protected Storage System Provider\\.+
	34	+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\.+
	35	+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap.exe HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\.+
	36	+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\.+
	37	+ SetValueKey C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\WDM\\.+
38	38	+ DeleteValueKey .* HKU\\.+\\SessionInformation\\ProgramCount
39	39	+ DeleteValueKey .* HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam.*
40	40	+ DeleteValueKey .* HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\.+
41	41	+ DeleteValueKey .* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed.*
42		+ DeleteValueKey C:\\WINDOWS\\explorer\.exe HKCU\\SessionInformation\\.+
43		+ DeleteValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
44		+ DeleteValueKey C:\\WINDOWS\\explorer\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
45		+ DeleteValueKey C:\\WINDOWS\\explorer\.exe HKU\\.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
46		+ DeleteValueKey C:\\WINDOWS\\system32\\winlogon\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\.+
47		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe \\REGISTRY\\USER\\.+
48		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKU\\.+
	42	+ DeleteValueKey C:\\WINDOWS\\explorer.exe HKCU\\SessionInformation\\.+
	43	+ DeleteValueKey C:\\WINDOWS\\explorer.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
	44	+ DeleteValueKey C:\\WINDOWS\\explorer.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
	45	+ DeleteValueKey C:\\WINDOWS\\explorer.exe HKU\\.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.+
	46	+ DeleteValueKey C:\\WINDOWS\\system32\\winlogon.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\.+
	47	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe \\REGISTRY\\USER\\.+
	48	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKU\\.+
49	49	+ DeleteValueKey C:\\WINDOWS\\system32\\WgaTray\.exe HKCU\\SOFTWARE\\Microsoft\\SystemCertificates\\.+
50		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKCU\\Software\\Microsoft\\SystemCertificates\\Root\\.+
51		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\.+
52		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\.+
53		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\.+
54		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\.+
55		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\.+
56		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKCU\\Software\\Microsoft\\SystemCertificates\\Root\\.+
57		+ DeleteValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SYSTEM\\ControlSet001\\.+
58		+ DeleteValueKey C:\\WINDOWS\\system32\\services\.exe HKLM\\SYSTEM\\ControlSet001\\.+
59		+ DeleteValueKey C:\\WINDOWS\\system32\\lsass\.exe HKLM\\SECURITY\\.+
60		+ DeleteValueKey C:\\WINDOWS\\system32\\lsass\.exe HKCU\\Software\\Microsoft\\Protected Storage System Provider\\.+
61		+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\.+
62		+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\.+
63		+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\.+
64		+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\WDM\\.+
	50	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKCU\\Software\\Microsoft\\SystemCertificates\\Root\\.+
	51	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\.+
	52	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\.+
	53	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\.+
	54	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\.+
	55	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\.+
	56	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKCU\\Software\\Microsoft\\SystemCertificates\\Root\\.+
	57	+ DeleteValueKey C:\\WINDOWS\\system32\\svchost.exe HKLM\\SYSTEM\\ControlSet001\\.+
	58	+ DeleteValueKey C:\\WINDOWS\\system32\\services.exe HKLM\\SYSTEM\\ControlSet001\\.+
	59	+ DeleteValueKey C:\\WINDOWS\\system32\\lsass.exe HKLM\\SECURITY\\.+
	60	+ DeleteValueKey C:\\WINDOWS\\system32\\lsass.exe HKCU\\Software\\Microsoft\\Protected Storage System Provider\\.+
	61	+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\.+
	62	+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap.exe HKLM\\SYSTEM\\ControlSet001\\Services\\WmiApRpl\\Performance\\.+
	63	+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiadap.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\.+
	64	+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe HKLM\\SOFTWARE\\Microsoft\\WBEM\\WDM\\.+
65	65	#defrag
66		+ SetValueKey C:\\WINDOWS\\system32\\dfrgntfs\.exe HKLM\\SOFTWARE\\Microsoft\\Dfrg.*
67		+ DeleteValueKey C:\\WINDOWS\\system32\\dfrgntfs\.exe HKLM\\SOFTWARE\\Microsoft\\Dfrg.*
	66	+ SetValueKey C:\\WINDOWS\\system32\\dfrgntfs.exe HKLM\\SOFTWARE\\Microsoft\\Dfrg.*
	67	+ DeleteValueKey C:\\WINDOWS\\system32\\dfrgntfs.exe HKLM\\SOFTWARE\\Microsoft\\Dfrg.*
68	68	#windows update
69		+ SetValueKey C:\\WINDOWS\\system32\\wuauclt\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\\.+
70		+ DeleteValueKey C:\\WINDOWS\\system32\\wuauclt\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\\.+
	69	+ SetValueKey C:\\WINDOWS\\system32\\wuauclt.exe HKLM\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\\.+
	70	+ DeleteValueKey C:\\WINDOWS\\system32\\wuauclt.exe HKLM\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\\.+
71	71	###################################################
72	72	### Internet Explorer 6.0 SP2 ###
…	…
114	114	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.+
115	115	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+
116		+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Passport.*
	116	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Passport\\.+
117	117	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+
118	118	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Direct3D.+
…	…
160	160	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.+
161	161	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+
162		+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Passport.*
	162	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Passport\\.+
163	163	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+
164	164	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Direct3D.+
…	…
312	312	+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Printers
313	313	+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Providers
314
315		~~#### Honeyclient manual add - helpsvc.exe~~
316		~~+ SetValueKey C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\.+~~
317
318		~~#### Honeyclient manual add - iexplore.exe - ticket #144 (windows update services)~~
319		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ModuleUsage\\C:\/WINDOWS\/System32\/wuweb\.dll~~
320		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs~~
321		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\}~~
322		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\}\\DownloadInformation~~
323		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\}\\InstalledVersion~~
324		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\}\\Contains\\Files~~
325		~~+ SetValueKey C:\\WINDOWS\\system32\\winlogon.exe HKU\\\.DEFAULT\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon~~
326
327		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT - Internet Explorer 7 Updates~~
328		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing\\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F~~
329		~~+ DeleteValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\\.DEFAULT\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts~~
330		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\\.DEFAULT\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows~~
331		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows~~
332		~~+ DeleteValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\S.+\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts~~
333		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\S.+\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts~~
334		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices~~
335		~~+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\LowRegistry~~
336		~~+ DeleteValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\S.+\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices~~
337		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Zoom~~
338		~~+ DeleteValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices~~
339		~~+ DeleteValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\\.DEFAULT\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices~~
340		+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\CTF\\TIP\\\{1188450c-fdab-47ae-80d8-c9633f71be64\}\\LanguageProfile\\0x00000000\\\{63800dac-e7ca-4df9-9a5c-20765055488d\}
341		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports~~
342		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\S.+\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows~~
343		~~+ DeleteValueKey C:\\WINDOWS\\system32\\userinit\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts~~
344		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\S.+\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices~~
345		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\\.DEFAULT\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices~~
346		~~+ DeleteValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts~~
347		~~+ DeleteValueKey C:\\WINDOWS\\system32\\userinit\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices~~
348		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKU\\\.DEFAULT\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts~~
349		~~+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached~~
350		~~+ SetValueKey C:\\WINDOWS\\system32\\spoolsv\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts~~
351		~~+ SetValueKey C:\\WINDOWS\\system32\\userinit\.exe HKCU\\Printers~~
352		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter~~
353
354		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT~~
355		+ SetValueKey C:\\Program Files\\Windows Media Player\\wmpnscfg\.exe HKLM\\SOFTWARE\\Microsoft\\Windows Media Player NSS\\.*
356		+ SetValueKey C:\\Program Files\\Windows Media Player\\wmpnetwk\.exe HKLM\\SOFTWARE\\Microsoft\\Windows Media Player NSS\\.*
357
358		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT - Internet Explorer 7 Updates~~
359		~~+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\Shell\\Bag.+~~
360		~~#The above should cover the below 2 cases...but it didn't...why?~~
361		~~+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop~~
362		~~+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\Shell\\BagMRU~~
363		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT~~
364		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\IEXPLORE\.EXE HKCU\\Software\\Microsoft\\Internet Explorer\\International~~
365
366		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT~~
367		~~#After installing updates, the language bar was newly activated, these are related to that, and thus seem reasonable to add~~
368		~~+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\CTF\\Sapilayr~~
369		~~+ DeleteValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run~~
370		+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\CTF\\TIP\\.+\\LanguageProfile\\.*
371		~~+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run~~
372		~~+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\CTF\\LangBar~~
373
374		+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\.*
375		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Extensions\\CmdMapping~~
376		~~+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchUrl~~
377		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\IEXPLORE\.EXE\\DefaultIcon~~
378		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser~~
379		~~+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\7\.0~~
380		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached~~
381		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes~~
382		~~+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components~~
383		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing\\.+\\Smart Screen DAT file~~
384		~~+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks~~
385
386		~~+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\CTF\\LangBar~~
387
388		~~#NOTE: looks like a likely bug value (translation not getting done)~~
389		~~+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe \\REGIS~~
390
391		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT~~
392		~~+ DeleteValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run~~
393		~~+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run~~
394
395		~~#### HONEYCLIENT AUTO EXCLUDE SCRIPT - IE7 accessing live.com~~
396		~~+ SetValueKey C:\\WINDOWS\\Microsoft\.NET\\Framework\\v3\.0\\Windows Communication Foundation\\infocard\.exe HKU\\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders~~
397		~~+ SetValueKey C:\\WINDOWS\\Microsoft\.NET\\Framework\\v3\.0\\Windows Communication Foundation\\infocard\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application~~
398		~~+ SetValueKey C:\\WINDOWS\\Microsoft\.NET\\Framework\\v3\.0\\Windows Communication Foundation\\infocard\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\idsvc~~
399		~~+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Main~~
400
401		~~# IE7 - accessing multimedia pages~~
402		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\MPEG2Demultiplexer~~
403
404		~~# IE - Active Scripting Printing~~
405		~~+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\PageSetup~~
406
407		~~# IE - Random Crashing Due To Poor Application Coding~~
408		+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\.*
409		+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\.*
410
411		~~# IE - Dr Watson IE 6 Crashing~~
412		+ SetValueKey C:\\WINDOWS\\system32\\drwtsn32\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders.*
413		+ SetValueKey C:\\WINDOWS\\system32\\drwtsn32\.exe HKLM\\SOFTWARE\\Microsoft\\DrWatson.*
414
415		~~# Benign Explorer Activity~~
416		+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar.*
417		+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.*

capture-mod/trunk/soapC.cpp

r1724	r1726
8	8	#include "soapH.h"
9	9
10		SOAP_SOURCE_STAMP("@(#) soapC.cpp ver 2.7.10 2008-08-12 07:~~24:58~~ GMT")
	10	SOAP_SOURCE_STAMP("@(#) soapC.cpp ver 2.7.10 2008-08-12 07:50:20 GMT")
11	11
12	12
…	…
162	162	case SOAP_TYPE_double:
163	163	return soap_in_double(soap, NULL, NULL, "xsd:double");
164		~~case SOAP_TYPE_ns__junks:~~
165		~~return soap_in_ns__junks(soap, NULL, NULL, "ns:junks");~~
166	164	case SOAP_TYPE_ns__sub:
167	165	return soap_in_ns__sub(soap, NULL, NULL, "ns:sub");
…	…
176	174	case SOAP_TYPE_ns__addResponse:
177	175	return soap_in_ns__addResponse(soap, NULL, NULL, "ns:addResponse");
178		~~case SOAP_TYPE_ns__myStruct2:~~
179		~~return soap_in_ns__myStruct2(soap, NULL, NULL, "ns:myStruct2");~~
180		~~case SOAP_TYPE_ms2:~~
181		~~return soap_in_ms2(soap, NULL, NULL, "ms2");~~
182	176	case SOAP_TYPE_PointerTostring:
183	177	return soap_in_PointerTostring(soap, NULL, NULL, "xsd:string");
&h