[3] : 0x00 (0) [4] : 0x69 (105) [5] : 0x00 (0) [6] : 0x6e (110) [7] : 0x00 (0) [8] : 0x74 (116) [9] : 0x00 (0) [10] : 0x20 (32) [11] : 0x00 (0) [12] : 0x53 (83) [13] : 0x00 (0) [14] : 0x70 (112) [15] : 0x00 (0) [16] : 0x6f (111) [17] : 0x00 (0) [18] : 0x6f (111) [19] : 0x00 (0) [20] : 0x6c (108) [21] : 0x00 (0) [22] : 0x65 (101) [23] : 0x00 (0) [24] : 0x72 (114) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) size : 0x0000001c (28) [2012/09/07 07:06:50.894840, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.894946, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:DisplayName] [2012/09/07 07:06:50.894986, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.895121, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x73 (115) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.896003, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.896053, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:ImagePath] [2012/09/07 07:06:50.896076, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.896132, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(106) [0] : 0x49 (73) [1] : 0x00 (0) [2] : 0x6e (110) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x72 (114) [9] : 0x00 (0) [10] : 0x6e (110) [11] : 0x00 (0) [12] : 0x61 (97) [13] : 0x00 (0) [14] : 0x6c (108) [15] : 0x00 (0) [16] : 0x20 (32) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x65 (101) [21] : 0x00 (0) [22] : 0x72 (114) [23] : 0x00 (0) [24] : 0x76 (118) [25] : 0x00 (0) [26] : 0x69 (105) [27] : 0x00 (0) [28] : 0x63 (99) [29] : 0x00 (0) [30] : 0x65 (101) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x66 (102) [35] : 0x00 (0) [36] : 0x6f (111) [37] : 0x00 (0) [38] : 0x72 (114) [39] : 0x00 (0) [40] : 0x20 (32) [41] : 0x00 (0) [42] : 0x73 (115) [43] : 0x00 (0) [44] : 0x70 (112) [45] : 0x00 (0) [46] : 0x6f (111) [47] : 0x00 (0) [48] : 0x6f (111) [49] : 0x00 (0) [50] : 0x6c (108) [51] : 0x00 (0) [52] : 0x69 (105) [53] : 0x00 (0) [54] : 0x6e (110) [55] : 0x00 (0) [56] : 0x67 (103) [57] : 0x00 (0) [58] : 0x20 (32) [59] : 0x00 (0) [60] : 0x66 (102) [61] : 0x00 (0) [62] : 0x69 (105) [63] : 0x00 (0) [64] : 0x6c (108) [65] : 0x00 (0) [66] : 0x65 (101) [67] : 0x00 (0) [68] : 0x73 (115) [69] : 0x00 (0) [70] : 0x20 (32) [71] : 0x00 (0) [72] : 0x74 (116) [73] : 0x00 (0) [74] : 0x6f (111) [75] : 0x00 (0) [76] : 0x20 (32) [77] : 0x00 (0) [78] : 0x70 (112) [79] : 0x00 (0) [80] : 0x72 (114) [81] : 0x00 (0) [82] : 0x69 (105) [83] : 0x00 (0) [84] : 0x6e (110) [85] : 0x00 (0) [86] : 0x74 (116) [87] : 0x00 (0) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x64 (100) [91] : 0x00 (0) [92] : 0x65 (101) [93] : 0x00 (0) [94] : 0x76 (118) [95] : 0x00 (0) [96] : 0x69 (105) [97] : 0x00 (0) [98] : 0x63 (99) [99] : 0x00 (0) [100] : 0x65 (101) [101] : 0x00 (0) [102] : 0x73 (115) [103] : 0x00 (0) [104] : 0x00 (0) [105] : 0x00 (0) size : 0x0000006a (106) [2012/09/07 07:06:50.897280, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.897329, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:Description] [2012/09/07 07:06:50.897351, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.897406, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-79ff4a050000 [2012/09/07 07:06:50.897478, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.897525, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.897570, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.897591, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.897611, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.897714, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0066 (102) name_size : 0x0066 (102) name : * name : 'SYSTEM\CurrentControlSet\Services\Spooler\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.898032, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.898079, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\Spooler\Security' [2012/09/07 07:06:50.898102, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.898123, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.898145, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.898165, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.898185, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.898204, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.898240, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.898262, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.898283, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.898301, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.898321, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.898339, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.898368, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.898390, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.898409, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.898431, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.898453, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.898473, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.898491, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.898526, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.898549, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Spooler] [2012/09/07 07:06:50.898568, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.898589, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.898608, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.898628, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.898646, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.898674, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.898696, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.898715, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.898737, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.898756, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.898775, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.898793, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.898819, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.898840, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.898861, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.898906, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000004-0000-0000-4950-7aff4a050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.899024, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000004-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.900283, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.900329, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security:Security] [2012/09/07 07:06:50.900350, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security' (ops 0xb77440e0) [2012/09/07 07:06:50.900370, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.900399, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.900425, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.900472, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000004-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.900542, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.900589, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.900634, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.900653, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.900672, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.900762, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0056 (86) name_size : 0x0056 (86) name : * name : 'SYSTEM\CurrentControlSet\Services\NETLOGON' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_ACTION_NONE (0) [2012/09/07 07:06:50.901069, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.901115, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\NETLOGON' [2012/09/07 07:06:50.901139, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.901160, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.901181, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.901199, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.901218, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.901236, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.901265, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.901286, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.901307, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.901326, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.901345, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.901363, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.901391, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.901413, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.901432, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.901453, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.901471, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.901491, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.901508, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.901542, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.901564, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [NETLOGON] [2012/09/07 07:06:50.901583, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.901604, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.901623, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.901642, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.901660, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.901689, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.901725, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.901773, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.901887, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x000c (12) name_size : 0x000c (12) name : * name : 'Start' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x02 (2) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.902075, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.902122, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:Start] [2012/09/07 07:06:50.902142, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON' (ops 0xb77440e0) [2012/09/07 07:06:50.902162, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.902190, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Start], len: 4 [2012/09/07 07:06:50.902212, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Type], len: 4 [2012/09/07 07:06:50.902232, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.902252, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ObjectName], len: 24 [2012/09/07 07:06:50.902272, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 20 [2012/09/07 07:06:50.902292, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ImagePath], len: 54 [2012/09/07 07:06:50.902313, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Description], len: 164 [2012/09/07 07:06:50.902333, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.902382, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x000a (10) name_size : 0x000a (10) name : * name : 'Type' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.902575, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.902622, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:Type] [2012/09/07 07:06:50.902642, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.902691, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x001a (26) name_size : 0x001a (26) name : * name : 'ErrorControl' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.902877, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.902924, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:ErrorControl] [2012/09/07 07:06:50.902945, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.902995, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ObjectName' type : REG_SZ (1) data : * data: ARRAY(24) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x6f (111) [3] : 0x00 (0) [4] : 0x63 (99) [5] : 0x00 (0) [6] : 0x61 (97) [7] : 0x00 (0) [8] : 0x6c (108) [9] : 0x00 (0) [10] : 0x53 (83) [11] : 0x00 (0) [12] : 0x79 (121) [13] : 0x00 (0) [14] : 0x73 (115) [15] : 0x00 (0) [16] : 0x74 (116) [17] : 0x00 (0) [18] : 0x65 (101) [19] : 0x00 (0) [20] : 0x6d (109) [21] : 0x00 (0) [22] : 0x00 (0) [23] : 0x00 (0) size : 0x00000018 (24) [2012/09/07 07:06:50.903366, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.903413, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:ObjectName] [2012/09/07 07:06:50.903434, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.903486, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'DisplayName' type : REG_SZ (1) data : * data: ARRAY(20) [0] : 0x4e (78) [1] : 0x00 (0) [2] : 0x65 (101) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x20 (32) [7] : 0x00 (0) [8] : 0x4c (76) [9] : 0x00 (0) [10] : 0x6f (111) [11] : 0x00 (0) [12] : 0x67 (103) [13] : 0x00 (0) [14] : 0x6f (111) [15] : 0x00 (0) [16] : 0x6e (110) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) size : 0x00000014 (20) [2012/09/07 07:06:50.903820, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.903866, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:DisplayName] [2012/09/07 07:06:50.903887, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.903941, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x73 (115) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.904580, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.904630, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:ImagePath] [2012/09/07 07:06:50.904651, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.904701, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(164) [0] : 0x46 (70) [1] : 0x00 (0) [2] : 0x69 (105) [3] : 0x00 (0) [4] : 0x6c (108) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x20 (32) [9] : 0x00 (0) [10] : 0x73 (115) [11] : 0x00 (0) [12] : 0x65 (101) [13] : 0x00 (0) [14] : 0x72 (114) [15] : 0x00 (0) [16] : 0x76 (118) [17] : 0x00 (0) [18] : 0x69 (105) [19] : 0x00 (0) [20] : 0x63 (99) [21] : 0x00 (0) [22] : 0x65 (101) [23] : 0x00 (0) [24] : 0x20 (32) [25] : 0x00 (0) [26] : 0x70 (112) [27] : 0x00 (0) [28] : 0x72 (114) [29] : 0x00 (0) [30] : 0x6f (111) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x69 (105) [35] : 0x00 (0) [36] : 0x64 (100) [37] : 0x00 (0) [38] : 0x69 (105) [39] : 0x00 (0) [40] : 0x6e (110) [41] : 0x00 (0) [42] : 0x67 (103) [43] : 0x00 (0) [44] : 0x20 (32) [45] : 0x00 (0) [46] : 0x61 (97) [47] : 0x00 (0) [48] : 0x63 (99) [49] : 0x00 (0) [50] : 0x63 (99) [51] : 0x00 (0) [52] : 0x65 (101) [53] : 0x00 (0) [54] : 0x73 (115) [55] : 0x00 (0) [56] : 0x73 (115) [57] : 0x00 (0) [58] : 0x20 (32) [59] : 0x00 (0) [60] : 0x74 (116) [61] : 0x00 (0) [62] : 0x6f (111) [63] : 0x00 (0) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x70 (112) [67] : 0x00 (0) [68] : 0x6f (111) [69] : 0x00 (0) [70] : 0x6c (108) [71] : 0x00 (0) [72] : 0x69 (105) [73] : 0x00 (0) [74] : 0x63 (99) [75] : 0x00 (0) [76] : 0x79 (121) [77] : 0x00 (0) [78] : 0x20 (32) [79] : 0x00 (0) [80] : 0x61 (97) [81] : 0x00 (0) [82] : 0x6e (110) [83] : 0x00 (0) [84] : 0x64 (100) [85] : 0x00 (0) [86] : 0x20 (32) [87] : 0x00 (0) [88] : 0x70 (112) [89] : 0x00 (0) [90] : 0x72 (114) [91] : 0x00 (0) [92] : 0x6f (111) [93] : 0x00 (0) [94] : 0x66 (102) [95] : 0x00 (0) [96] : 0x69 (105) [97] : 0x00 (0) [98] : 0x6c (108) [99] : 0x00 (0) [100] : 0x65 (101) [101] : 0x00 (0) [102] : 0x20 (32) [103] : 0x00 (0) [104] : 0x64 (100) [105] : 0x00 (0) [106] : 0x61 (97) [107] : 0x00 (0) [108] : 0x74 (116) [109] : 0x00 (0) [110] : 0x61 (97) [111] : 0x00 (0) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x28 (40) [115] : 0x00 (0) [116] : 0x6e (110) [117] : 0x00 (0) [118] : 0x6f (111) [119] : 0x00 (0) [120] : 0x74 (116) [121] : 0x00 (0) [122] : 0x72 (114) [123] : 0x00 (0) [124] : 0x65 (101) [125] : 0x00 (0) [126] : 0x6d (109) [127] : 0x00 (0) [128] : 0x6f (111) [129] : 0x00 (0) [130] : 0x74 (116) [131] : 0x00 (0) [132] : 0x65 (101) [133] : 0x00 (0) [134] : 0x6c (108) [135] : 0x00 (0) [136] : 0x79 (121) [137] : 0x00 (0) [138] : 0x20 (32) [139] : 0x00 (0) [140] : 0x6d (109) [141] : 0x00 (0) [142] : 0x61 (97) [143] : 0x00 (0) [144] : 0x6e (110) [145] : 0x00 (0) [146] : 0x61 (97) [147] : 0x00 (0) [148] : 0x67 (103) [149] : 0x00 (0) [150] : 0x65 (101) [151] : 0x00 (0) [152] : 0x61 (97) [153] : 0x00 (0) [154] : 0x62 (98) [155] : 0x00 (0) [156] : 0x6c (108) [157] : 0x00 (0) [158] : 0x65 (101) [159] : 0x00 (0) [160] : 0x29 (41) [161] : 0x00 (0) [162] : 0x00 (0) [163] : 0x00 (0) size : 0x000000a4 (164) [2012/09/07 07:06:50.906469, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.906517, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:Description] [2012/09/07 07:06:50.906538, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.906588, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.906660, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.906709, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.906753, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.906773, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.906793, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.906882, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0068 (104) name_size : 0x0068 (104) name : * name : 'SYSTEM\CurrentControlSet\Services\NETLOGON\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.907187, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.907234, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\NETLOGON\Security' [2012/09/07 07:06:50.907255, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.907274, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.907295, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.907314, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.907333, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.907351, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.907384, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.907405, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.907426, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.907445, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.907464, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.907482, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.907510, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.907532, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.907551, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.907572, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.907590, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.907610, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.907628, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.907662, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.907684, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [NETLOGON] [2012/09/07 07:06:50.907704, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.907725, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.907744, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.907763, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.907781, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.907810, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.907832, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.907851, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.907872, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.907891, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.907911, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.907929, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.907955, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.907976, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.907996, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.908046, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000006-0000-0000-4950-7aff4a050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.908155, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000006-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.909549, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.909598, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security:Security] [2012/09/07 07:06:50.909619, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security' (ops 0xb77440e0) [2012/09/07 07:06:50.909639, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.909668, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.909690, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.909751, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000006-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.909822, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.909869, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.909914, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.909932, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.909952, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.910042, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0062 (98) name_size : 0x0062 (98) name : * name : 'SYSTEM\CurrentControlSet\Services\RemoteRegistry' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_ACTION_NONE (0) [2012/09/07 07:06:50.910351, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.910398, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\RemoteRegistry' [2012/09/07 07:06:50.910419, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.910439, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.910460, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.910478, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.910497, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.910515, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.910544, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.910565, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.910586, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.910605, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.910624, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.910642, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.910670, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.910692, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.910711, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.910732, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.910751, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.910770, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.910788, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.910822, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.910844, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [RemoteRegistry] [2012/09/07 07:06:50.910863, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.910889, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.910907, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.910927, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.910945, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.910973, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.910995, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.911041, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.911147, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x000c (12) name_size : 0x000c (12) name : * name : 'Start' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x02 (2) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.911333, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.911380, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:Start] [2012/09/07 07:06:50.911400, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry' (ops 0xb77440e0) [2012/09/07 07:06:50.911420, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.911448, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Start], len: 4 [2012/09/07 07:06:50.911470, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Type], len: 4 [2012/09/07 07:06:50.911490, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.911510, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ObjectName], len: 24 [2012/09/07 07:06:50.911530, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 48 [2012/09/07 07:06:50.911554, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ImagePath], len: 54 [2012/09/07 07:06:50.911574, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Description], len: 126 [2012/09/07 07:06:50.911594, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.911644, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x000a (10) name_size : 0x000a (10) name : * name : 'Type' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.911829, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.911876, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:Type] [2012/09/07 07:06:50.911897, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.911945, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x001a (26) name_size : 0x001a (26) name : * name : 'ErrorControl' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.912130, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.912178, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:ErrorControl] [2012/09/07 07:06:50.912199, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.912248, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ObjectName' type : REG_SZ (1) data : * data: ARRAY(24) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x6f (111) [3] : 0x00 (0) [4] : 0x63 (99) [5] : 0x00 (0) [6] : 0x61 (97) [7] : 0x00 (0) [8] : 0x6c (108) [9] : 0x00 (0) [10] : 0x53 (83) [11] : 0x00 (0) [12] : 0x79 (121) [13] : 0x00 (0) [14] : 0x73 (115) [15] : 0x00 (0) [16] : 0x74 (116) [17] : 0x00 (0) [18] : 0x65 (101) [19] : 0x00 (0) [20] : 0x6d (109) [21] : 0x00 (0) [22] : 0x00 (0) [23] : 0x00 (0) size : 0x00000018 (24) [2012/09/07 07:06:50.912622, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.912668, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:ObjectName] [2012/09/07 07:06:50.912690, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.912743, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'DisplayName' type : REG_SZ (1) data : * data: ARRAY(48) [0] : 0x52 (82) [1] : 0x00 (0) [2] : 0x65 (101) [3] : 0x00 (0) [4] : 0x6d (109) [5] : 0x00 (0) [6] : 0x6f (111) [7] : 0x00 (0) [8] : 0x74 (116) [9] : 0x00 (0) [10] : 0x65 (101) [11] : 0x00 (0) [12] : 0x20 (32) [13] : 0x00 (0) [14] : 0x52 (82) [15] : 0x00 (0) [16] : 0x65 (101) [17] : 0x00 (0) [18] : 0x67 (103) [19] : 0x00 (0) [20] : 0x69 (105) [21] : 0x00 (0) [22] : 0x73 (115) [23] : 0x00 (0) [24] : 0x74 (116) [25] : 0x00 (0) [26] : 0x72 (114) [27] : 0x00 (0) [28] : 0x79 (121) [29] : 0x00 (0) [30] : 0x20 (32) [31] : 0x00 (0) [32] : 0x53 (83) [33] : 0x00 (0) [34] : 0x65 (101) [35] : 0x00 (0) [36] : 0x72 (114) [37] : 0x00 (0) [38] : 0x76 (118) [39] : 0x00 (0) [40] : 0x69 (105) [41] : 0x00 (0) [42] : 0x63 (99) [43] : 0x00 (0) [44] : 0x65 (101) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) size : 0x00000030 (48) [2012/09/07 07:06:50.913330, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.913377, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:DisplayName] [2012/09/07 07:06:50.913399, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.913449, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x73 (115) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.914102, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.914150, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:ImagePath] [2012/09/07 07:06:50.914172, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.914223, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(126) [0] : 0x49 (73) [1] : 0x00 (0) [2] : 0x6e (110) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x72 (114) [9] : 0x00 (0) [10] : 0x6e (110) [11] : 0x00 (0) [12] : 0x61 (97) [13] : 0x00 (0) [14] : 0x6c (108) [15] : 0x00 (0) [16] : 0x20 (32) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x65 (101) [21] : 0x00 (0) [22] : 0x72 (114) [23] : 0x00 (0) [24] : 0x76 (118) [25] : 0x00 (0) [26] : 0x69 (105) [27] : 0x00 (0) [28] : 0x63 (99) [29] : 0x00 (0) [30] : 0x65 (101) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x70 (112) [35] : 0x00 (0) [36] : 0x72 (114) [37] : 0x00 (0) [38] : 0x6f (111) [39] : 0x00 (0) [40] : 0x76 (118) [41] : 0x00 (0) [42] : 0x69 (105) [43] : 0x00 (0) [44] : 0x64 (100) [45] : 0x00 (0) [46] : 0x69 (105) [47] : 0x00 (0) [48] : 0x6e (110) [49] : 0x00 (0) [50] : 0x67 (103) [51] : 0x00 (0) [52] : 0x20 (32) [53] : 0x00 (0) [54] : 0x72 (114) [55] : 0x00 (0) [56] : 0x65 (101) [57] : 0x00 (0) [58] : 0x6d (109) [59] : 0x00 (0) [60] : 0x6f (111) [61] : 0x00 (0) [62] : 0x74 (116) [63] : 0x00 (0) [64] : 0x65 (101) [65] : 0x00 (0) [66] : 0x20 (32) [67] : 0x00 (0) [68] : 0x61 (97) [69] : 0x00 (0) [70] : 0x63 (99) [71] : 0x00 (0) [72] : 0x63 (99) [73] : 0x00 (0) [74] : 0x65 (101) [75] : 0x00 (0) [76] : 0x73 (115) [77] : 0x00 (0) [78] : 0x73 (115) [79] : 0x00 (0) [80] : 0x20 (32) [81] : 0x00 (0) [82] : 0x74 (116) [83] : 0x00 (0) [84] : 0x6f (111) [85] : 0x00 (0) [86] : 0x20 (32) [87] : 0x00 (0) [88] : 0x74 (116) [89] : 0x00 (0) [90] : 0x68 (104) [91] : 0x00 (0) [92] : 0x65 (101) [93] : 0x00 (0) [94] : 0x20 (32) [95] : 0x00 (0) [96] : 0x53 (83) [97] : 0x00 (0) [98] : 0x61 (97) [99] : 0x00 (0) [100] : 0x6d (109) [101] : 0x00 (0) [102] : 0x62 (98) [103] : 0x00 (0) [104] : 0x61 (97) [105] : 0x00 (0) [106] : 0x20 (32) [107] : 0x00 (0) [108] : 0x72 (114) [109] : 0x00 (0) [110] : 0x65 (101) [111] : 0x00 (0) [112] : 0x67 (103) [113] : 0x00 (0) [114] : 0x69 (105) [115] : 0x00 (0) [116] : 0x73 (115) [117] : 0x00 (0) [118] : 0x74 (116) [119] : 0x00 (0) [120] : 0x72 (114) [121] : 0x00 (0) [122] : 0x79 (121) [123] : 0x00 (0) [124] : 0x00 (0) [125] : 0x00 (0) size : 0x0000007e (126) [2012/09/07 07:06:50.915506, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.915553, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:Description] [2012/09/07 07:06:50.915578, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.915627, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.915697, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.915744, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.915790, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.915810, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.915829, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.915919, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0074 (116) name_size : 0x0074 (116) name : * name : 'SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.916225, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.916272, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security' [2012/09/07 07:06:50.916297, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.916317, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.916338, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.916357, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.916376, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.916394, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.916422, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.916444, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.916465, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.916484, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.916503, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.916521, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.916549, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.916571, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.916590, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.916611, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.916630, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.916649, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.916667, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.916703, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.916726, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [RemoteRegistry] [2012/09/07 07:06:50.916745, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.916767, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.916785, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.916805, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.916823, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.916851, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.916872, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.916892, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.916913, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.916936, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.916956, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.916974, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.917000, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.917021, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.917042, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.917087, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000008-0000-0000-4950-7aff4a050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.917198, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000008-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.918486, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.918533, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security:Security] [2012/09/07 07:06:50.918554, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security' (ops 0xb77440e0) [2012/09/07 07:06:50.918574, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.918603, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.918624, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.918672, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000008-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.918742, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.918788, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.918833, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.918852, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.918871, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.918963, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x004e (78) name_size : 0x004e (78) name : * name : 'SYSTEM\CurrentControlSet\Services\WINS' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_ACTION_NONE (0) [2012/09/07 07:06:50.919271, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.919318, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\WINS' [2012/09/07 07:06:50.919339, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.919358, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.919379, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.919398, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.919416, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.919434, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.919463, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.919484, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.919505, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.919524, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.919543, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.919561, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.919589, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.919611, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.919631, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.919655, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.919674, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.919693, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.919711, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.919745, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.919766, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [WINS] [2012/09/07 07:06:50.919786, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.919807, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.919825, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.919877, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.919895, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.919924, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.919946, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.919992, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.920099, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x000c (12) name_size : 0x000c (12) name : * name : 'Start' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x02 (2) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.920286, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.920333, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:Start] [2012/09/07 07:06:50.920353, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\WINS' (ops 0xb77440e0) [2012/09/07 07:06:50.920376, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.920406, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Start], len: 4 [2012/09/07 07:06:50.920428, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Type], len: 4 [2012/09/07 07:06:50.920448, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.920468, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ObjectName], len: 24 [2012/09/07 07:06:50.920488, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 74 [2012/09/07 07:06:50.920508, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ImagePath], len: 54 [2012/09/07 07:06:50.920529, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Description], len: 178 [2012/09/07 07:06:50.920549, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.920598, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x000a (10) name_size : 0x000a (10) name : * name : 'Type' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.920785, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.920832, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:Type] [2012/09/07 07:06:50.920853, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.920902, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x001a (26) name_size : 0x001a (26) name : * name : 'ErrorControl' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.921092, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.921140, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:ErrorControl] [2012/09/07 07:06:50.921161, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.921211, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ObjectName' type : REG_SZ (1) data : * data: ARRAY(24) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x6f (111) [3] : 0x00 (0) [4] : 0x63 (99) [5] : 0x00 (0) [6] : 0x61 (97) [7] : 0x00 (0) [8] : 0x6c (108) [9] : 0x00 (0) [10] : 0x53 (83) [11] : 0x00 (0) [12] : 0x79 (121) [13] : 0x00 (0) [14] : 0x73 (115) [15] : 0x00 (0) [16] : 0x74 (116) [17] : 0x00 (0) [18] : 0x65 (101) [19] : 0x00 (0) [20] : 0x6d (109) [21] : 0x00 (0) [22] : 0x00 (0) [23] : 0x00 (0) size : 0x00000018 (24) [2012/09/07 07:06:50.921585, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.921632, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:ObjectName] [2012/09/07 07:06:50.921653, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.921716, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'DisplayName' type : REG_SZ (1) data : * data: ARRAY(74) [0] : 0x57 (87) [1] : 0x00 (0) [2] : 0x69 (105) [3] : 0x00 (0) [4] : 0x6e (110) [5] : 0x00 (0) [6] : 0x64 (100) [7] : 0x00 (0) [8] : 0x6f (111) [9] : 0x00 (0) [10] : 0x77 (119) [11] : 0x00 (0) [12] : 0x73 (115) [13] : 0x00 (0) [14] : 0x20 (32) [15] : 0x00 (0) [16] : 0x49 (73) [17] : 0x00 (0) [18] : 0x6e (110) [19] : 0x00 (0) [20] : 0x74 (116) [21] : 0x00 (0) [22] : 0x65 (101) [23] : 0x00 (0) [24] : 0x72 (114) [25] : 0x00 (0) [26] : 0x6e (110) [27] : 0x00 (0) [28] : 0x65 (101) [29] : 0x00 (0) [30] : 0x74 (116) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x4e (78) [35] : 0x00 (0) [36] : 0x61 (97) [37] : 0x00 (0) [38] : 0x6d (109) [39] : 0x00 (0) [40] : 0x65 (101) [41] : 0x00 (0) [42] : 0x20 (32) [43] : 0x00 (0) [44] : 0x53 (83) [45] : 0x00 (0) [46] : 0x65 (101) [47] : 0x00 (0) [48] : 0x72 (114) [49] : 0x00 (0) [50] : 0x76 (118) [51] : 0x00 (0) [52] : 0x69 (105) [53] : 0x00 (0) [54] : 0x63 (99) [55] : 0x00 (0) [56] : 0x65 (101) [57] : 0x00 (0) [58] : 0x20 (32) [59] : 0x00 (0) [60] : 0x28 (40) [61] : 0x00 (0) [62] : 0x57 (87) [63] : 0x00 (0) [64] : 0x49 (73) [65] : 0x00 (0) [66] : 0x4e (78) [67] : 0x00 (0) [68] : 0x53 (83) [69] : 0x00 (0) [70] : 0x29 (41) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) size : 0x0000004a (74) [2012/09/07 07:06:50.922568, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.922616, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:DisplayName] [2012/09/07 07:06:50.922637, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.922688, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x6e (110) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.923336, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.923384, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:ImagePath] [2012/09/07 07:06:50.923405, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.923455, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(178) [0] : 0x49 (73) [1] : 0x00 (0) [2] : 0x6e (110) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x72 (114) [9] : 0x00 (0) [10] : 0x6e (110) [11] : 0x00 (0) [12] : 0x61 (97) [13] : 0x00 (0) [14] : 0x6c (108) [15] : 0x00 (0) [16] : 0x20 (32) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x65 (101) [21] : 0x00 (0) [22] : 0x72 (114) [23] : 0x00 (0) [24] : 0x76 (118) [25] : 0x00 (0) [26] : 0x69 (105) [27] : 0x00 (0) [28] : 0x63 (99) [29] : 0x00 (0) [30] : 0x65 (101) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x70 (112) [35] : 0x00 (0) [36] : 0x72 (114) [37] : 0x00 (0) [38] : 0x6f (111) [39] : 0x00 (0) [40] : 0x76 (118) [41] : 0x00 (0) [42] : 0x69 (105) [43] : 0x00 (0) [44] : 0x64 (100) [45] : 0x00 (0) [46] : 0x69 (105) [47] : 0x00 (0) [48] : 0x6e (110) [49] : 0x00 (0) [50] : 0x67 (103) [51] : 0x00 (0) [52] : 0x20 (32) [53] : 0x00 (0) [54] : 0x61 (97) [55] : 0x00 (0) [56] : 0x20 (32) [57] : 0x00 (0) [58] : 0x4e (78) [59] : 0x00 (0) [60] : 0x65 (101) [61] : 0x00 (0) [62] : 0x74 (116) [63] : 0x00 (0) [64] : 0x42 (66) [65] : 0x00 (0) [66] : 0x49 (73) [67] : 0x00 (0) [68] : 0x4f (79) [69] : 0x00 (0) [70] : 0x53 (83) [71] : 0x00 (0) [72] : 0x20 (32) [73] : 0x00 (0) [74] : 0x70 (112) [75] : 0x00 (0) [76] : 0x6f (111) [77] : 0x00 (0) [78] : 0x69 (105) [79] : 0x00 (0) [80] : 0x6e (110) [81] : 0x00 (0) [82] : 0x74 (116) [83] : 0x00 (0) [84] : 0x2d (45) [85] : 0x00 (0) [86] : 0x74 (116) [87] : 0x00 (0) [88] : 0x6f (111) [89] : 0x00 (0) [90] : 0x2d (45) [91] : 0x00 (0) [92] : 0x70 (112) [93] : 0x00 (0) [94] : 0x6f (111) [95] : 0x00 (0) [96] : 0x69 (105) [97] : 0x00 (0) [98] : 0x6e (110) [99] : 0x00 (0) [100] : 0x74 (116) [101] : 0x00 (0) [102] : 0x20 (32) [103] : 0x00 (0) [104] : 0x6e (110) [105] : 0x00 (0) [106] : 0x61 (97) [107] : 0x00 (0) [108] : 0x6d (109) [109] : 0x00 (0) [110] : 0x65 (101) [111] : 0x00 (0) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x73 (115) [115] : 0x00 (0) [116] : 0x65 (101) [117] : 0x00 (0) [118] : 0x72 (114) [119] : 0x00 (0) [120] : 0x76 (118) [121] : 0x00 (0) [122] : 0x65 (101) [123] : 0x00 (0) [124] : 0x72 (114) [125] : 0x00 (0) [126] : 0x28 (40) [127] : 0x00 (0) [128] : 0x6e (110) [129] : 0x00 (0) [130] : 0x6f (111) [131] : 0x00 (0) [132] : 0x74 (116) [133] : 0x00 (0) [134] : 0x20 (32) [135] : 0x00 (0) [136] : 0x72 (114) [137] : 0x00 (0) [138] : 0x65 (101) [139] : 0x00 (0) [140] : 0x6d (109) [141] : 0x00 (0) [142] : 0x6f (111) [143] : 0x00 (0) [144] : 0x74 (116) [145] : 0x00 (0) [146] : 0x65 (101) [147] : 0x00 (0) [148] : 0x6c (108) [149] : 0x00 (0) [150] : 0x79 (121) [151] : 0x00 (0) [152] : 0x20 (32) [153] : 0x00 (0) [154] : 0x6d (109) [155] : 0x00 (0) [156] : 0x61 (97) [157] : 0x00 (0) [158] : 0x6e (110) [159] : 0x00 (0) [160] : 0x61 (97) [161] : 0x00 (0) [162] : 0x67 (103) [163] : 0x00 (0) [164] : 0x65 (101) [165] : 0x00 (0) [166] : 0x61 (97) [167] : 0x00 (0) [168] : 0x62 (98) [169] : 0x00 (0) [170] : 0x6c (108) [171] : 0x00 (0) [172] : 0x65 (101) [173] : 0x00 (0) [174] : 0x29 (41) [175] : 0x00 (0) [176] : 0x00 (0) [177] : 0x00 (0) size : 0x000000b2 (178) [2012/09/07 07:06:50.925251, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.925299, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:Description] [2012/09/07 07:06:50.925320, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.925368, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.925438, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.925485, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.925531, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.925551, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.925570, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.925660, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-79ff4a050000 name: struct winreg_String name_len : 0x0060 (96) name_size : 0x0060 (96) name : * name : 'SYSTEM\CurrentControlSet\Services\WINS\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.925984, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.926033, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\WINS\Security' [2012/09/07 07:06:50.926054, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.926074, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.926095, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.926114, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.926133, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.926151, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.926180, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.926202, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.926223, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.926242, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.926261, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.926279, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.926307, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.926329, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.926348, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.926369, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.926388, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.926407, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.926425, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.926459, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.926482, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [WINS] [2012/09/07 07:06:50.926501, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.926526, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.926546, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.926565, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.926583, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.926611, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.926633, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.926652, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.926674, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.926693, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.926712, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.926730, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.926755, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.926776, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.926796, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.926841, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000a-0000-0000-4950-7aff4a050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.926951, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000a-0000-0000-4950-7aff4a050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.928201, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.928249, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security:Security] [2012/09/07 07:06:50.928269, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security' (ops 0xb77440e0) [2012/09/07 07:06:50.928289, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.928317, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.928338, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.928388, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000a-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.928458, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.928509, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.928556, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.928575, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.928594, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.928678, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-79ff4a050000 [2012/09/07 07:06:50.928748, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.928794, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 79 FF ........ ....IPy. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.928839, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.928865, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (3->2) [2012/09/07 07:06:50.928885, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.928974, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (2->1) [2012/09/07 07:06:50.929015, 3] rpc_server/eventlog/srv_eventlog_reg.c:59(eventlog_init_winreg) Initialise the eventlog registry keys if needed. [2012/09/07 07:06:50.929037, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \winreg [2012/09/07 07:06:50.929062, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 2 for pipe \winreg [2012/09/07 07:06:50.929088, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \winreg (pipes_open=0) [2012/09/07 07:06:50.929114, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM in: struct winreg_OpenHKLM system_name : NULL access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2012/09/07 07:06:50.929232, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [HKLM] [2012/09/07 07:06:50.929256, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (1->2) [2012/09/07 07:06:50.929277, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM] [2012/09/07 07:06:50.929296, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM] [2012/09/07 07:06:50.929315, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.929333, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM] [2012/09/07 07:06:50.929365, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[2] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.929415, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM out: struct winreg_OpenHKLM handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-4950-7aff4a050000 result : WERR_OK [2012/09/07 07:06:50.929505, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey in: struct winreg_OpenKey parent_handle : * parent_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-4950-7aff4a050000 keyname: struct winreg_String name_len : 0x0056 (86) name_size : 0x0056 (86) name : * name : 'SYSTEM\CurrentControlSet\Services\Eventlog' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2012/09/07 07:06:50.929749, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.929798, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.929818, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (2->3) [2012/09/07 07:06:50.929839, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.929858, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.929877, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.929895, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.929927, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.929949, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.929970, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.929992, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.930012, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.930030, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.930062, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.930084, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.930104, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.930125, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.930143, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.930162, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.930181, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.930218, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.930240, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Eventlog] [2012/09/07 07:06:50.930260, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.930281, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.930299, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.930319, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.930337, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77440e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.930366, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.930388, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.930435, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey out: struct winreg_OpenKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000c-0000-0000-4950-7aff4a050000 result : WERR_OK [2012/09/07 07:06:50.930524, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_QueryInfoKey: struct winreg_QueryInfoKey in: struct winreg_QueryInfoKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000c-0000-0000-4950-7aff4a050000 classname : * classname: struct winreg_String name_len : 0x0000 (0) name_size : 0x0000 (0) name : NULL [2012/09/07 07:06:50.930638, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.930697, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\Eventlog' (ops 0xb77440e0) [2012/09/07 07:06:50.930723, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.930753, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 20 [2012/09/07 07:06:50.930775, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.930796, 10] registry/reg_backend_db.c:1871(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.930827, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_QueryInfoKey: struct winreg_QueryInfoKey out: struct winreg_QueryInfoKey classname : * classname: struct winreg_String name_len : 0x0000 (0) name_size : 0x0000 (0) name : NULL num_subkeys : * num_subkeys : 0x00000000 (0) max_subkeylen : * max_subkeylen : 0x00000000 (0) max_classlen : * max_classlen : 0x00000000 (0) num_values : * num_values : 0x00000002 (2) max_valnamelen : * max_valnamelen : 0x0000001a (26) max_valbufsize : * max_valbufsize : 0x00000014 (20) secdescsize : * secdescsize : 0x00000078 (120) last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.931060, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000c-0000-0000-4950-7aff4a050000 [2012/09/07 07:06:50.931132, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.931178, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 4A 05 00 00 J... [2012/09/07 07:06:50.931223, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.931242, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (3->2) [2012/09/07 07:06:50.931261, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.931361, 3] printing/pcap.c:138(pcap_cache_reload) reloading printcap cache [2012/09/07 07:06:50.931395, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 5052494E5445524C4953 [2012/09/07 07:06:50.931421, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb8cd1580 [2012/09/07 07:06:50.931487, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 5052494E5445524C4953 [2012/09/07 07:06:50.931523, 5] printing/print_cups.c:408(cups_pcap_load_async) cups_pcap_load_async: asynchronously loading cups printers [2012/09/07 07:06:50.931730, 10] printing/print_cups.c:425(cups_pcap_load_async) cups_pcap_load_async: child pid = 1385 [2012/09/07 07:06:50.931776, 10] printing/print_cups.c:545(cups_cache_reload) cups_cache_reload: async read on fd 25 [2012/09/07 07:06:50.931799, 3] printing/pcap.c:189(pcap_cache_reload) reload status: ok [2012/09/07 07:06:50.931827, 3] printing/printing.c:1644(start_background_queue) start_background_queue: Starting background LPQ thread [2012/09/07 07:06:50.931941, 5] printing/print_cups.c:277(cups_cache_reload_async) reloading cups printcap cache [2012/09/07 07:06:50.932023, 0] smbd/server.c:762(open_sockets_smbd) open_sockets_smbd: No sockets available to bind to. [2012/09/07 07:06:50.932059, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.932080, 5] ../libcli/security/security_token.c:53(security_token_debug) [2012/09/07 07:06:50.932019, 5] printing/printing.c:1667(start_background_queue) Security token: (NULL) [2012/09/07 07:06:50.932101, 5] auth/token_util.c:527(debug_unix_user_token) start_background_queue: background LPQ thread started UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.932139, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2012/09/07 07:06:50.932156, 10] printing/print_cups.c:89(cups_connect) [2012/09/07 07:06:50.932176, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) connecting to cups server localhost:631 Locking key 4A050000FFFFFFFF [2012/09/07 07:06:50.932200, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb8cd36c0 [2012/09/07 07:06:50.932221, 1] lib/serverid.c:197(serverid_deregister) Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND [2012/09/07 07:06:50.932243, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 4A050000FFFFFFFF [2012/09/07 07:06:50.932253, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 6A050000FFFFFFFF [2012/09/07 07:06:50.932304, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) [2012/09/07 07:06:50.932306, 0] smbd/server_exit.c:169(exit_server_common) =============================================================== Allocated locked data 0x0xb8cd36c0 [2012/09/07 07:06:50.932334, 0] smbd/server_exit.c:171(exit_server_common) Abnormal server exit: open_sockets_smbd() failed [2012/09/07 07:06:50.932352, 0] smbd/server_exit.c:172(exit_server_common) =============================================================== [2012/09/07 07:06:50.932372, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 6A050000FFFFFFFF [2012/09/07 07:06:50.932422, 5] printing/printing.c:1703(start_background_queue) start_background_queue: background LPQ thread waiting for messages [2012/09/07 07:06:50.933175, 0] lib/util.c:1221(log_stack_trace) BACKTRACE: 6 stack frames: #0 smbd(log_stack_trace+0x29) [0xb71b1c49] #1 smbd(+0x7086a9) [0xb74776a9] #2 smbd(+0x708a61) [0xb7477a61] #3 smbd(main+0xbf6) [0xb6e16166] #4 /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0xb68fe4d3] #5 smbd(+0xa7dd1) [0xb6e16dd1] [2012/09/07 07:06:50.933253, 0] lib/fault.c:372(dump_core) dumping core in /var/log/samba/cores/smbd [2012/09/07 07:06:50.933730, 0] printing/print_cups.c:110(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused [2012/09/07 07:06:50.933795, 10] printing/print_cups.c:130(send_pcap_blob) successfully sent blob of len 12 [2012/09/07 07:06:50.934295, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.934343, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.934373, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.934423, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2012/09/07 07:06:50.934477, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 6A050000FFFFFFFF [2012/09/07 07:06:50.934517, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb8cd1190 [2012/09/07 07:06:50.934555, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 6A050000FFFFFFFF [2012/09/07 07:06:50.934656, 3] smbd/server_exit.c:180(exit_server_common) Server exit (normal exit) [2012/09/07 07:06:50, 0] smbd/server.c:1051(main) smbd version 3.6.3 started. Copyright Andrew Tridgell and the Samba Team 1992-2011 [2012/09/07 07:06:50, 5] ../lib/util/debug.c:330(debug_dump_status) INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 doing parameter workgroup = MyGroup doing parameter server string = %h server (Samba, Ubuntu) doing parameter wins support = yes doing parameter domain master = yes doing parameter local master = yes doing parameter preferred master = yes doing parameter os level = 65 doing parameter dns proxy = no doing parameter name resolve order = lmhosts host wins bcast doing parameter interfaces = eth0 doing parameter bind interfaces only = yes doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 1000 doing parameter syslog = 0 doing parameter panic action = /usr/share/samba/panic-action %d doing parameter security = user doing parameter encrypt passwords = true doing parameter passdb backend = tdbsam doing parameter lanman auth = yes doing parameter client lanman auth = yes doing parameter unix password sync = no doing parameter passwd program = /usr/bin/passwd %u doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . doing parameter map to guest = bad user doing parameter usershare allow guests = yes doing parameter username map = /etc/samba/smbusers doing parameter security = user doing parameter guest ok = yes [2012/09/07 07:06:50, 4] param/loadparm.c:9608(lp_load_ex) pm_process() returned Yes [2012/09/07 07:06:50, 7] param/loadparm.c:9830(lp_servicenumber) lp_servicenumber: couldn't find homes [2012/09/07 07:06:50, 10] param/loadparm_server_role.c:101(set_server_role) set_server_role: role = ROLE_STANDALONE [2012/09/07 07:06:50, 5] ../lib/util/charset/codepoints.c:235(map_locale) Substituting charset 'ANSI_X3.4-1968' for LOCALE [2012/09/07 07:06:50, 2] lib/tallocmsg.c:124(register_msg_pool_usage) Registered MSG_REQ_POOL_USAGE [2012/09/07 07:06:50, 2] lib/dmallocmsg.c:78(register_dmalloc_msgs) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED [2012/09/07 07:06:50.943030, 3] param/loadparm.c:9572(lp_load_ex) lp_load_ex: refreshing parameters [2012/09/07 07:06:50.943062, 3] param/loadparm.c:5192(init_globals) Initialising global parameters [2012/09/07 07:06:50.943087, 2] param/loadparm.c:4985(max_open_files) rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) [2012/09/07 07:06:50.943136, 3] ../lib/util/params.c:550(pm_process) params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" [2012/09/07 07:06:50.943164, 3] param/loadparm.c:8310(do_section) Processing section "[global]" doing parameter log level = 10 [2012/09/07 07:06:50.943196, 5] ../lib/util/debug.c:330(debug_dump_status) INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 doing parameter workgroup = MyGroup doing parameter server string = %h server (Samba, Ubuntu) doing parameter wins support = yes doing parameter domain master = yes doing parameter local master = yes doing parameter preferred master = yes doing parameter os level = 65 doing parameter dns proxy = no doing parameter name resolve order = lmhosts host wins bcast doing parameter interfaces = eth0 doing parameter bind interfaces only = yes doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 1000 doing parameter syslog = 0 doing parameter panic action = /usr/share/samba/panic-action %d doing parameter security = user doing parameter encrypt passwords = true doing parameter passdb backend = tdbsam doing parameter lanman auth = yes doing parameter client lanman auth = yes doing parameter unix password sync = no doing parameter passwd program = /usr/bin/passwd %u doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . doing parameter map to guest = bad user doing parameter usershare allow guests = yes doing parameter username map = /etc/samba/smbusers doing parameter security = user doing parameter guest ok = yes [2012/09/07 07:06:50.943721, 2] param/loadparm.c:8327(do_section) Processing section "[printers]" [2012/09/07 07:06:50.943761, 8] param/loadparm.c:6480(add_a_service) add_a_service: Creating snum = 0 for printers [2012/09/07 07:06:50.943782, 10] param/loadparm.c:6518(hash_a_service) hash_a_service: creating servicehash [2012/09/07 07:06:50.943801, 10] param/loadparm.c:6527(hash_a_service) hash_a_service: hashing index 0 for service name printers doing parameter comment = All Printers doing parameter browseable = yes doing parameter path = /var/spool/samba doing parameter printable = yes doing parameter guest ok = yes doing parameter create mask = 0700 [2012/09/07 07:06:50.943911, 2] param/loadparm.c:8327(do_section) Processing section "[print$]" [2012/09/07 07:06:50.943947, 8] param/loadparm.c:6480(add_a_service) add_a_service: Creating snum = 1 for print$ [2012/09/07 07:06:50.943967, 10] param/loadparm.c:6527(hash_a_service) hash_a_service: hashing index 1 for service name print$ doing parameter comment = Printer Drivers doing parameter path = /var/lib/samba/printers doing parameter writeable = yes doing parameter guest ok = yes [2012/09/07 07:06:50.944032, 2] param/loadparm.c:8327(do_section) Processing section "[Media]" [2012/09/07 07:06:50.944066, 8] param/loadparm.c:6480(add_a_service) add_a_service: Creating snum = 2 for Media [2012/09/07 07:06:50.944085, 10] param/loadparm.c:6527(hash_a_service) hash_a_service: hashing index 2 for service name Media doing parameter path = /media doing parameter writeable = no doing parameter browseable = yes doing parameter valid users = crlb [2012/09/07 07:06:50.944155, 2] param/loadparm.c:8327(do_section) Processing section "[Win95]" [2012/09/07 07:06:50.944189, 8] param/loadparm.c:6480(add_a_service) add_a_service: Creating snum = 3 for Win95 [2012/09/07 07:06:50.944209, 10] param/loadparm.c:6527(hash_a_service) hash_a_service: hashing index 3 for service name Win95 doing parameter path = /home/crlb/Win95 doing parameter writeable = yes doing parameter browseable = yes doing parameter valid users = crlb [2012/09/07 07:06:50.944278, 4] param/loadparm.c:9608(lp_load_ex) pm_process() returned Yes [2012/09/07 07:06:50.944305, 7] param/loadparm.c:9830(lp_servicenumber) lp_servicenumber: couldn't find homes [2012/09/07 07:06:50.944339, 8] param/loadparm.c:6480(add_a_service) add_a_service: Creating snum = 4 for IPC$ [2012/09/07 07:06:50.944359, 10] param/loadparm.c:6527(hash_a_service) hash_a_service: hashing index 4 for service name IPC$ [2012/09/07 07:06:50.944382, 3] param/loadparm.c:6630(lp_add_ipc) adding IPC service [2012/09/07 07:06:50.944401, 10] param/loadparm_server_role.c:101(set_server_role) set_server_role: role = ROLE_STANDALONE [2012/09/07 07:06:50.944428, 5] ../lib/util/charset/codepoints.c:235(map_locale) Substituting charset 'ANSI_X3.4-1968' for LOCALE [2012/09/07 07:06:50.944463, 6] param/loadparm.c:7490(lp_file_list_changed) lp_file_list_changed() file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Fri Sep 7 06:50:16 2012 [2012/09/07 07:06:50.944632, 2] lib/interface.c:341(add_interface) added interface eth0 ip=fe80::227:eff:fe12:cb02%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff:: [2012/09/07 07:06:50.944710, 2] lib/interface.c:341(add_interface) added interface eth0 ip=192.168.1.11 bcast=192.168.1.255 netmask=255.255.255.0 [2012/09/07 07:06:50.944746, 3] smbd/server.c:1086(main) loaded services [2012/09/07 07:06:50.944768, 5] lib/util.c:242(init_names) Netbios name list:- my_netbios_names[0]="CHIMPANZEE" [2012/09/07 07:06:50.944821, 0] smbd/server.c:1107(main) standard input is not a socket, assuming -D option [2012/09/07 07:06:50.944844, 3] smbd/server.c:1118(main) Becoming a daemon. [2012/09/07 07:06:50.944900, 8] ../lib/util/util.c:263(fcntl_lock) fcntl_lock 9 13 0 1 1 [2012/09/07 07:06:50.944942, 8] ../lib/util/util.c:298(fcntl_lock) fcntl_lock: Lock call successful [2012/09/07 07:06:50.945043, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend ldapsam [2012/09/07 07:06:50.945074, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'ldapsam' [2012/09/07 07:06:50.945094, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend ldapsam_compat [2012/09/07 07:06:50.945113, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'ldapsam_compat' [2012/09/07 07:06:50.945133, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend NDS_ldapsam [2012/09/07 07:06:50.945152, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'NDS_ldapsam' [2012/09/07 07:06:50.945170, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend NDS_ldapsam_compat [2012/09/07 07:06:50.945189, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'NDS_ldapsam_compat' [2012/09/07 07:06:50.945210, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend IPA_ldapsam [2012/09/07 07:06:50.945228, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'IPA_ldapsam' [2012/09/07 07:06:50.945248, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend smbpasswd [2012/09/07 07:06:50.945267, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'smbpasswd' [2012/09/07 07:06:50.945287, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend tdbsam [2012/09/07 07:06:50.945306, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'tdbsam' [2012/09/07 07:06:50.945325, 5] passdb/pdb_interface.c:71(smb_register_passdb) Attempting to register passdb backend wbc_sam [2012/09/07 07:06:50.945345, 5] passdb/pdb_interface.c:84(smb_register_passdb) Successfully added passdb backend 'wbc_sam' [2012/09/07 07:06:50.945364, 5] passdb/pdb_interface.c:141(make_pdb_method_name) Attempting to find a passdb backend to match tdbsam (tdbsam) [2012/09/07 07:06:50.945383, 5] passdb/pdb_interface.c:162(make_pdb_method_name) Found pdb backend tdbsam [2012/09/07 07:06:50.945405, 5] passdb/pdb_interface.c:173(make_pdb_method_name) pdb backend tdbsam has a valid init [2012/09/07 07:06:50.945729, 10] registry/reg_backend_db.c:526(regdb_init) regdb_init: registry db openend. refcount reset (1) [2012/09/07 07:06:50.945764, 10] registry/reg_cachehook.c:70(reghook_cache_init) reghook_cache_init: new tree with default ops 0xb77570e0 for key [] [2012/09/07 07:06:50.945905, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports] [2012/09/07 07:06:50.945942, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Samba Printer Port], len: 2 [2012/09/07 07:06:50.945969, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers] [2012/09/07 07:06:50.946001, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DefaultSpoolDirectory], len: 70 [2012/09/07 07:06:50.946023, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.946054, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 20 [2012/09/07 07:06:50.946075, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.946098, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.946128, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 20 [2012/09/07 07:06:50.946149, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.946172, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb77571c0 for key [\HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers] [2012/09/07 07:06:50.946193, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946214, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers] to tree [2012/09/07 07:06:50.946235, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946255, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb77570e0 for key [\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers] [2012/09/07 07:06:50.946274, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946295, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers] to tree [2012/09/07 07:06:50.946314, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946334, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb77570e0 for key [\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports] [2012/09/07 07:06:50.946353, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946373, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports] to tree [2012/09/07 07:06:50.946393, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946412, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb7757200 for key [\HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares] [2012/09/07 07:06:50.946432, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946452, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares] to tree [2012/09/07 07:06:50.946471, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946491, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb7757180 for key [\HKLM\SOFTWARE\Samba\smbconf] [2012/09/07 07:06:50.946509, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946529, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SOFTWARE\Samba\smbconf] to tree [2012/09/07 07:06:50.946548, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946568, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb7757240 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] [2012/09/07 07:06:50.946590, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946612, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] to tree [2012/09/07 07:06:50.946631, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946651, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb7757280 for key [\HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions] [2012/09/07 07:06:50.946670, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946690, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions] to tree [2012/09/07 07:06:50.946710, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946729, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb77572c0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] [2012/09/07 07:06:50.946748, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946769, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] to tree [2012/09/07 07:06:50.946788, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946807, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb7757300 for key [\HKPT] [2012/09/07 07:06:50.946826, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946845, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKPT] to tree [2012/09/07 07:06:50.946864, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946883, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb7757340 for key [\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion] [2012/09/07 07:06:50.946903, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946921, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion] to tree [2012/09/07 07:06:50.946940, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.946960, 10] registry/reg_cachehook.c:94(reghook_cache_add) reghook_cache_add: Adding ops 0xb7757380 for key [\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib] [2012/09/07 07:06:50.946980, 8] lib/adt_tree.c:215(pathtree_add) pathtree_add: Enter [2012/09/07 07:06:50.946999, 10] lib/adt_tree.c:282(pathtree_add) pathtree_add: Successfully added node [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib] to tree [2012/09/07 07:06:50.947019, 8] lib/adt_tree.c:284(pathtree_add) pathtree_add: Exit [2012/09/07 07:06:50.947037, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (1->0) [2012/09/07 07:06:50.947367, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user root [2012/09/07 07:06:50.947394, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is root [2012/09/07 07:06:50.947433, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [root]! [2012/09/07 07:06:50.947464, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: Unix User\root => domain=[Unix User], name=[root] [2012/09/07 07:06:50.947485, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2012/09/07 07:06:50.947520, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user root [2012/09/07 07:06:50.947540, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is root [2012/09/07 07:06:50.947560, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [root]! [2012/09/07 07:06:50.947586, 10] passdb/pdb_get_set.c:575(pdb_set_username) pdb_set_username: setting username root, was [2012/09/07 07:06:50.947613, 10] passdb/pdb_get_set.c:644(pdb_set_fullname) pdb_set_full_name: setting full name root, was [2012/09/07 07:06:50.947633, 10] passdb/pdb_get_set.c:598(pdb_set_domain) pdb_set_domain: setting domain CHIMPANZEE, was [2012/09/07 07:06:50.947654, 4] lib/substitute.c:527(automount_server) Home server: chimpanzee [2012/09/07 07:06:50.947679, 10] passdb/pdb_get_set.c:690(pdb_set_profile_path) pdb_set_profile_path: setting profile path \\chimpanzee\root\profile, was [2012/09/07 07:06:50.947700, 4] lib/substitute.c:527(automount_server) Home server: chimpanzee [2012/09/07 07:06:50.947721, 10] passdb/pdb_get_set.c:737(pdb_set_homedir) pdb_set_homedir: setting home dir \\chimpanzee\root, was [2012/09/07 07:06:50.947743, 10] passdb/pdb_get_set.c:713(pdb_set_dir_drive) pdb_set_dir_drive: setting dir drive , was NULL [2012/09/07 07:06:50.947764, 10] passdb/pdb_get_set.c:667(pdb_set_logon_script) pdb_set_logon_script: setting logon script , was [2012/09/07 07:06:50.947785, 10] passdb/pdb_get_set.c:500(pdb_set_user_sid) pdb_set_user_sid: setting user sid S-1-5-21-1502951883-1650629459-3591150155-1000 [2012/09/07 07:06:50.947808, 10] passdb/pdb_compat.c:73(pdb_set_user_sid_from_rid) pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1502951883-1650629459-3591150155-1000 from rid 1000 [2012/09/07 07:06:50.947836, 10] passdb/pdb_get_set.c:575(pdb_set_username) pdb_set_username: setting username root, was root [2012/09/07 07:06:50.947855, 10] passdb/pdb_get_set.c:500(pdb_set_user_sid) pdb_set_user_sid: setting user sid S-1-22-1-0 [2012/09/07 07:06:50.947888, 5] lib/gencache.c:68(gencache_init) Opening cache file at /var/run/samba/gencache.tdb [2012/09/07 07:06:50.947938, 5] lib/gencache.c:111(gencache_init) Opening cache file at /var/run/samba/gencache_notrans.tdb [2012/09/07 07:06:50.947989, 5] passdb/lookup_sid.c:1384(gid_to_sid) gid_to_sid: winbind failed to find a sid for gid 0 [2012/09/07 07:06:50.948014, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.948036, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.948057, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.948078, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.948098, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.948170, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.948195, 10] passdb/lookup_sid.c:1181(legacy_gid_to_sid) LEGACY: gid 0 -> sid S-1-22-2-0 [2012/09/07 07:06:50.948224, 3] passdb/lookup_sid.c:1737(get_primary_group_sid) Forcing Primary Group to 'Domain Users' for root [2012/09/07 07:06:50.948248, 10] auth/server_info.c:354(samu_to_SamInfo3) Unix User found in struct samu. Rid marked as special and sid (S-1-22-1-0) saved as extra sid [2012/09/07 07:06:50.948274, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user root [2012/09/07 07:06:50.948294, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is root [2012/09/07 07:06:50.948313, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [root]! [2012/09/07 07:06:50.948344, 10] lib/system_smbd.c:175(sys_getgrouplist) sys_getgrouplist: user [root] [2012/09/07 07:06:50.948435, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: CHIMPANZEE\root => domain=[CHIMPANZEE], name=[root] [2012/09/07 07:06:50.948460, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2012/09/07 07:06:50.948482, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.948502, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.948521, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.948543, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.948562, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.948618, 4] passdb/pdb_tdb.c:523(tdbsam_open) tdbsam_open: successfully opened /var/lib/samba/passdb.tdb [2012/09/07 07:06:50.948645, 5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam) pdb_getsampwnam (TDB): error fetching database. Key: USER_root [2012/09/07 07:06:50.948676, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.948697, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.948716, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.948735, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.948753, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.948771, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.948807, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.948831, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: Unix User\root => domain=[Unix User], name=[root] [2012/09/07 07:06:50.948849, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2012/09/07 07:06:50.948871, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user root [2012/09/07 07:06:50.948890, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is root [2012/09/07 07:06:50.948910, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [root]! [2012/09/07 07:06:50.948932, 10] passdb/lookup_sid.c:1527(sid_to_uid) sid S-1-22-1-0 -> uid 0 [2012/09/07 07:06:50.948970, 10] lib/system_smbd.c:175(sys_getgrouplist) sys_getgrouplist: user [root] [2012/09/07 07:06:50.949022, 10] auth/token_util.c:339(create_local_nt_token) Create local NT token for S-1-22-1-0 [2012/09/07 07:06:50.949062, 10] passdb/lookup_sid.c:1611(sid_to_gid) winbind failed to find a gid for sid S-1-5-32-544 [2012/09/07 07:06:50.949085, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949104, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949123, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949141, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.949160, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.949198, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949220, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-32-544 [2012/09/07 07:06:50.949240, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949259, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949277, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949296, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.949314, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.949348, 3] auth/token_util.c:438(finalize_local_nt_token) Failed to fetch domain sid for MYGROUP [2012/09/07 07:06:50.949372, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949402, 10] passdb/lookup_sid.c:1611(sid_to_gid) winbind failed to find a gid for sid S-1-5-32-545 [2012/09/07 07:06:50.949428, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949448, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949467, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949485, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.949504, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.949541, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949562, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-32-545 [2012/09/07 07:06:50.949582, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949601, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949620, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949639, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.949657, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.949691, 3] auth/token_util.c:469(finalize_local_nt_token) Failed to fetch domain sid for MYGROUP [2012/09/07 07:06:50.949727, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949748, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949767, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949786, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.949804, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.949822, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.949883, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.949934, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-1-0] [2012/09/07 07:06:50.949964, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-0] [2012/09/07 07:06:50.949989, 5] lib/privileges.c:175(get_privileges_for_sids) get_privileges_for_sids: sid = S-1-1-0 Privilege set: 0x0 [2012/09/07 07:06:50.950020, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-2] [2012/09/07 07:06:50.950044, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-11] [2012/09/07 07:06:50.950098, 10] passdb/lookup_sid.c:1468(sids_to_unix_ids) wbcSidsToUnixIds returned WBC_ERR_WINBIND_NOT_AVAILABLE [2012/09/07 07:06:50.950121, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.950140, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.950159, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.950177, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.950195, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.950232, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.950253, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-1-0 [2012/09/07 07:06:50.950277, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-1-0 [2012/09/07 07:06:50.950298, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.950317, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.950336, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.950355, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.950373, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.950409, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.950430, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-2 [2012/09/07 07:06:50.950450, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-5-2 [2012/09/07 07:06:50.950470, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.950489, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.950507, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.950526, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.950544, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.950580, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.950601, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-11 [2012/09/07 07:06:50.950621, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-5-11 [2012/09/07 07:06:50.950642, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-1-0 to gid, ignoring it [2012/09/07 07:06:50.950662, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-5-2 to gid, ignoring it [2012/09/07 07:06:50.950681, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-5-11 to gid, ignoring it [2012/09/07 07:06:50.950702, 10] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (5): SID[ 0]: S-1-22-1-0 SID[ 1]: S-1-22-2-0 SID[ 2]: S-1-1-0 SID[ 3]: S-1-5-2 SID[ 4]: S-1-5-11 Privileges (0x 0): Rights (0x 0): [2012/09/07 07:06:50.950780, 10] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 1 supplementary groups Group[ 0]: 0 [2012/09/07 07:06:50.950819, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user nobody [2012/09/07 07:06:50.950839, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is nobody [2012/09/07 07:06:50.950876, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [nobody]! [2012/09/07 07:06:50.950910, 4] auth/user_util.c:361(map_username) Scanning username map /etc/samba/smbusers [2012/09/07 07:06:50.950937, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user CHIMPANZEE\nobody [2012/09/07 07:06:50.950957, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is chimpanzee\nobody [2012/09/07 07:06:50.951002, 5] lib/username.c:124(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is CHIMPANZEE\nobody [2012/09/07 07:06:50.951047, 5] lib/username.c:134(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is CHIMPANZEE\NOBODY [2012/09/07 07:06:50.951091, 5] lib/username.c:143(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in chimpanzee\nobody [2012/09/07 07:06:50.951111, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [CHIMPANZEE\nobody]! [2012/09/07 07:06:50.951135, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user nobody [2012/09/07 07:06:50.951154, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is nobody [2012/09/07 07:06:50.951174, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [nobody]! [2012/09/07 07:06:50.951206, 5] passdb/lookup_sid.c:1384(gid_to_sid) gid_to_sid: winbind failed to find a sid for gid 65534 [2012/09/07 07:06:50.951228, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951247, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951266, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951284, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.951302, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.951339, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951361, 10] passdb/lookup_sid.c:1181(legacy_gid_to_sid) LEGACY: gid 65534 -> sid S-1-22-2-65534 [2012/09/07 07:06:50.951388, 3] passdb/lookup_sid.c:1737(get_primary_group_sid) Forcing Primary Group to 'Domain Users' for nobody [2012/09/07 07:06:50.951410, 10] auth/token_util.c:223(create_local_nt_token_from_info3) Create local NT token for nobody [2012/09/07 07:06:50.951441, 10] passdb/lookup_sid.c:1611(sid_to_gid) winbind failed to find a gid for sid S-1-5-32-544 [2012/09/07 07:06:50.951463, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951483, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951502, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951521, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.951539, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.951576, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951597, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-32-544 [2012/09/07 07:06:50.951617, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951636, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951655, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951673, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.951691, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.951725, 3] auth/token_util.c:438(finalize_local_nt_token) Failed to fetch domain sid for MYGROUP [2012/09/07 07:06:50.951748, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951778, 10] passdb/lookup_sid.c:1611(sid_to_gid) winbind failed to find a gid for sid S-1-5-32-545 [2012/09/07 07:06:50.951800, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951819, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951838, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951857, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.951875, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.951918, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951940, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-32-545 [2012/09/07 07:06:50.951960, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.951979, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.951997, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.952016, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.952034, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.952067, 3] auth/token_util.c:469(finalize_local_nt_token) Failed to fetch domain sid for MYGROUP [2012/09/07 07:06:50.952089, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.952109, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.952128, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.952147, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.952166, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.952184, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.952250, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.952277, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1502951883-1650629459-3591150155-501] [2012/09/07 07:06:50.952304, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1502951883-1650629459-3591150155-513] [2012/09/07 07:06:50.952329, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1502951883-1650629459-3591150155-546] [2012/09/07 07:06:50.952355, 5] lib/privileges.c:175(get_privileges_for_sids) get_privileges_for_sids: sid = S-1-1-0 Privilege set: 0x0 [2012/09/07 07:06:50.952386, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-2] [2012/09/07 07:06:50.952410, 4] lib/privileges.c:97(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-32-546] [2012/09/07 07:06:50.952495, 10] passdb/lookup_sid.c:1468(sids_to_unix_ids) wbcSidsToUnixIds returned WBC_ERR_WINBIND_NOT_AVAILABLE [2012/09/07 07:06:50.952517, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.952537, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.952555, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.952574, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.952593, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.952624, 5] passdb/pdb_interface.c:1605(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 501. [2012/09/07 07:06:50.952645, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.952664, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 1 [2012/09/07 07:06:50.952683, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.952702, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.952720, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.952754, 6] passdb/pdb_interface.c:400(pdb_getsampwsid) pdb_getsampwsid: Building guest account [2012/09/07 07:06:50.952775, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user nobody [2012/09/07 07:06:50.952793, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is nobody [2012/09/07 07:06:50.952813, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [nobody]! [2012/09/07 07:06:50.952832, 10] passdb/pdb_get_set.c:575(pdb_set_username) pdb_set_username: setting username nobody, was [2012/09/07 07:06:50.952852, 10] passdb/pdb_get_set.c:644(pdb_set_fullname) pdb_set_full_name: setting full name nobody, was [2012/09/07 07:06:50.952871, 10] passdb/pdb_get_set.c:598(pdb_set_domain) pdb_set_domain: setting domain CHIMPANZEE, was [2012/09/07 07:06:50.952891, 10] passdb/pdb_get_set.c:500(pdb_set_user_sid) pdb_set_user_sid: setting user sid S-1-5-21-1502951883-1650629459-3591150155-501 [2012/09/07 07:06:50.952912, 10] passdb/pdb_compat.c:73(pdb_set_user_sid_from_rid) pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1502951883-1650629459-3591150155-501 from rid 501 [2012/09/07 07:06:50.952943, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.952964, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user nobody [2012/09/07 07:06:50.952983, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is nobody [2012/09/07 07:06:50.953003, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [nobody]! [2012/09/07 07:06:50.953025, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.953044, 5] passdb/lookup_sid.c:1269(legacy_sid_to_gid) LEGACY: sid S-1-5-21-1502951883-1650629459-3591150155-501 is a User, expected a group [2012/09/07 07:06:50.953066, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953085, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.953104, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953122, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.953140, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.953169, 5] passdb/pdb_interface.c:1605(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 501. [2012/09/07 07:06:50.953189, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.953208, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953227, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.953246, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.953264, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.953293, 6] passdb/pdb_interface.c:400(pdb_getsampwsid) pdb_getsampwsid: Building guest account [2012/09/07 07:06:50.953312, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user nobody [2012/09/07 07:06:50.953330, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is nobody [2012/09/07 07:06:50.953350, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [nobody]! [2012/09/07 07:06:50.953369, 10] passdb/pdb_get_set.c:575(pdb_set_username) pdb_set_username: setting username nobody, was [2012/09/07 07:06:50.953389, 10] passdb/pdb_get_set.c:644(pdb_set_fullname) pdb_set_full_name: setting full name nobody, was [2012/09/07 07:06:50.953412, 10] passdb/pdb_get_set.c:598(pdb_set_domain) pdb_set_domain: setting domain CHIMPANZEE, was [2012/09/07 07:06:50.953433, 10] passdb/pdb_get_set.c:500(pdb_set_user_sid) pdb_set_user_sid: setting user sid S-1-5-21-1502951883-1650629459-3591150155-501 [2012/09/07 07:06:50.953454, 10] passdb/pdb_compat.c:73(pdb_set_user_sid_from_rid) pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1502951883-1650629459-3591150155-501 from rid 501 [2012/09/07 07:06:50.953484, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953506, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user nobody [2012/09/07 07:06:50.953524, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is nobody [2012/09/07 07:06:50.953544, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [nobody]! [2012/09/07 07:06:50.953566, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.953585, 10] passdb/lookup_sid.c:1223(legacy_sid_to_uid) LEGACY: sid S-1-5-21-1502951883-1650629459-3591150155-501 -> uid 65534 [2012/09/07 07:06:50.953607, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953627, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.953645, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953664, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.953682, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.953759, 5] passdb/pdb_interface.c:1605(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 513. [2012/09/07 07:06:50.953782, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.953801, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953820, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.953838, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.953856, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.953891, 5] passdb/pdb_tdb.c:614(tdbsam_getsampwrid) pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201. [2012/09/07 07:06:50.953922, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.953943, 5] passdb/pdb_interface.c:1667(lookup_global_sam_rid) Can't find a unix id for an unmapped group [2012/09/07 07:06:50.953964, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.953984, 10] passdb/lookup_sid.c:1280(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-21-1502951883-1650629459-3591150155-513 [2012/09/07 07:06:50.954005, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954024, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.954043, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954062, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.954080, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.954109, 5] passdb/pdb_interface.c:1605(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 513. [2012/09/07 07:06:50.954131, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.954150, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954173, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.954192, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.954210, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.954243, 5] passdb/pdb_tdb.c:614(tdbsam_getsampwrid) pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201. [2012/09/07 07:06:50.954273, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954294, 5] passdb/pdb_interface.c:1667(lookup_global_sam_rid) Can't find a unix id for an unmapped group [2012/09/07 07:06:50.954315, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.954335, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-5-21-1502951883-1650629459-3591150155-513 [2012/09/07 07:06:50.954356, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954375, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.954394, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954413, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.954431, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.954460, 5] passdb/pdb_interface.c:1605(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 546. [2012/09/07 07:06:50.954480, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.954498, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954517, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.954536, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.954554, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.954587, 5] passdb/pdb_tdb.c:614(tdbsam_getsampwrid) pdb_getsampwrid (TDB): error looking up RID 546 by key RID_00000222. [2012/09/07 07:06:50.954617, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954637, 5] passdb/pdb_interface.c:1667(lookup_global_sam_rid) Can't find a unix id for an unmapped group [2012/09/07 07:06:50.954659, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.954678, 10] passdb/lookup_sid.c:1280(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-21-1502951883-1650629459-3591150155-546 [2012/09/07 07:06:50.954700, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954720, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.954738, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954757, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.954775, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.954804, 5] passdb/pdb_interface.c:1605(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 546. [2012/09/07 07:06:50.954825, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.954845, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954863, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2012/09/07 07:06:50.954886, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.954904, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.954937, 5] passdb/pdb_tdb.c:614(tdbsam_getsampwrid) pdb_getsampwrid (TDB): error looking up RID 546 by key RID_00000222. [2012/09/07 07:06:50.954967, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.954988, 5] passdb/pdb_interface.c:1667(lookup_global_sam_rid) Can't find a unix id for an unmapped group [2012/09/07 07:06:50.955009, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955028, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-5-21-1502951883-1650629459-3591150155-546 [2012/09/07 07:06:50.955050, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955069, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955087, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955106, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.955124, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.955161, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955182, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-1-0 [2012/09/07 07:06:50.955202, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-1-0 [2012/09/07 07:06:50.955222, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955241, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955260, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955278, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.955297, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.955333, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955354, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-2 [2012/09/07 07:06:50.955374, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-5-2 [2012/09/07 07:06:50.955394, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955413, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955431, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955450, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.955468, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.955504, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955525, 10] passdb/lookup_sid.c:1253(legacy_sid_to_gid) LEGACY: mapping failed for sid S-1-5-32-546 [2012/09/07 07:06:50.955545, 10] passdb/lookup_sid.c:1218(legacy_sid_to_uid) LEGACY: mapping failed for sid S-1-5-32-546 [2012/09/07 07:06:50.955565, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-5-21-1502951883-1650629459-3591150155-513 to gid, ignoring it [2012/09/07 07:06:50.955585, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-5-21-1502951883-1650629459-3591150155-546 to gid, ignoring it [2012/09/07 07:06:50.955610, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-1-0 to gid, ignoring it [2012/09/07 07:06:50.955629, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-5-2 to gid, ignoring it [2012/09/07 07:06:50.955649, 10] auth/auth_util.c:505(create_local_token) Could not convert SID S-1-5-32-546 to gid, ignoring it [2012/09/07 07:06:50.955671, 10] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (7): SID[ 0]: S-1-5-21-1502951883-1650629459-3591150155-501 SID[ 1]: S-1-5-21-1502951883-1650629459-3591150155-513 SID[ 2]: S-1-5-21-1502951883-1650629459-3591150155-546 SID[ 3]: S-1-1-0 SID[ 4]: S-1-5-2 SID[ 5]: S-1-5-32-546 SID[ 6]: S-1-22-1-65534 Privileges (0x 0): Rights (0x 0): [2012/09/07 07:06:50.955766, 10] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 65534 Primary group is 65534 and contains 0 supplementary groups [2012/09/07 07:06:50.955856, 3] rpc_server/svcctl/srv_svcctl_reg.c:569(svcctl_init_winreg) Initialise the svcctl registry keys if needed. [2012/09/07 07:06:50.955880, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955900, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2012/09/07 07:06:50.955919, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2012/09/07 07:06:50.955938, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2012/09/07 07:06:50.955956, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2012/09/07 07:06:50.956014, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/09/07 07:06:50.956037, 10] registry/reg_backend_db.c:602(regdb_open) regdb_open: registry db opened. refcount reset (1) [2012/09/07 07:06:50.956069, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \winreg [2012/09/07 07:06:50.956105, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \winreg [2012/09/07 07:06:50.956125, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \winreg [2012/09/07 07:06:50.956149, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \winreg (pipes_open=0) [2012/09/07 07:06:50.956191, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM in: struct winreg_OpenHKLM system_name : NULL access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2012/09/07 07:06:50.956326, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [HKLM] [2012/09/07 07:06:50.956347, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (1->2) [2012/09/07 07:06:50.956369, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM] [2012/09/07 07:06:50.956388, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM] [2012/09/07 07:06:50.956408, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.956426, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM] [2012/09/07 07:06:50.956465, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.956521, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM out: struct winreg_OpenHKLM handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 result : WERR_OK [2012/09/07 07:06:50.956657, 5] ../lib/util/charset/codepoints.c:235(map_locale) Substituting charset 'ANSI_X3.4-1968' for LOCALE [2012/09/07 07:06:50.956689, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey in: struct winreg_OpenKey parent_handle : * parent_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 keyname: struct winreg_String name_len : 0x0044 (68) name_size : 0x0044 (68) name : * name : 'SYSTEM\CurrentControlSet\Services' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2012/09/07 07:06:50.956938, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.956987, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.957007, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (2->3) [2012/09/07 07:06:50.957028, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.957047, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.957066, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.957084, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.957116, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.957138, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.957160, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.957178, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.957197, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.957216, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.957244, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.957266, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.957289, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.957310, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.957329, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.957348, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.957366, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.957401, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.957424, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[2] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.957468, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey out: struct winreg_OpenKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 result : WERR_OK [2012/09/07 07:06:50.957560, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_QueryInfoKey: struct winreg_QueryInfoKey in: struct winreg_QueryInfoKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 classname : * classname: struct winreg_String name_len : 0x0000 (0) name_size : 0x0000 (0) name : NULL [2012/09/07 07:06:50.957677, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.957755, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services' (ops 0xb77570e0) [2012/09/07 07:06:50.957779, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.957805, 10] registry/reg_backend_db.c:1871(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.957836, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_QueryInfoKey: struct winreg_QueryInfoKey out: struct winreg_QueryInfoKey classname : * classname: struct winreg_String name_len : 0x0000 (0) name_size : 0x0000 (0) name : NULL num_subkeys : * num_subkeys : 0x00000007 (7) max_subkeylen : * max_subkeylen : 0x0000001c (28) max_classlen : * max_classlen : 0x00000000 (0) num_values : * num_values : 0x00000000 (0) max_valnamelen : * max_valnamelen : 0x00000002 (2) max_valbufsize : * max_valbufsize : 0x00000000 (0) secdescsize : * secdescsize : 0x00000078 (120) last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.958080, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey in: struct winreg_EnumKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 enum_index : 0x00000000 (0) name : * name: struct winreg_StringBuf length : 0x0000 (0) size : 0x001e (30) name : * name : '' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) [2012/09/07 07:06:50.958284, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.958331, 8] rpc_server/winreg/srv_winreg_nt.c:420(_winreg_EnumKey) _winreg_EnumKey: enumerating key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.958367, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey out: struct winreg_EnumKey name : * name: struct winreg_StringBuf length : 0x001a (26) size : 0x001e (30) name : * name : 'LanmanServer' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.958546, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey in: struct winreg_EnumKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 enum_index : 0x00000001 (1) name : * name: struct winreg_StringBuf length : 0x0000 (0) size : 0x001e (30) name : * name : '' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) [2012/09/07 07:06:50.958745, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.958797, 8] rpc_server/winreg/srv_winreg_nt.c:420(_winreg_EnumKey) _winreg_EnumKey: enumerating key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.958832, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey out: struct winreg_EnumKey name : * name: struct winreg_StringBuf length : 0x0012 (18) size : 0x001e (30) name : * name : 'Eventlog' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.959009, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey in: struct winreg_EnumKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 enum_index : 0x00000002 (2) name : * name: struct winreg_StringBuf length : 0x0000 (0) size : 0x001e (30) name : * name : '' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) [2012/09/07 07:06:50.959210, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.959257, 8] rpc_server/winreg/srv_winreg_nt.c:420(_winreg_EnumKey) _winreg_EnumKey: enumerating key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.959294, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey out: struct winreg_EnumKey name : * name: struct winreg_StringBuf length : 0x000c (12) size : 0x001e (30) name : * name : 'Tcpip' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.959471, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey in: struct winreg_EnumKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 enum_index : 0x00000003 (3) name : * name: struct winreg_StringBuf length : 0x0000 (0) size : 0x001e (30) name : * name : '' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) [2012/09/07 07:06:50.959674, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.959721, 8] rpc_server/winreg/srv_winreg_nt.c:420(_winreg_EnumKey) _winreg_EnumKey: enumerating key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.959756, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey out: struct winreg_EnumKey name : * name: struct winreg_StringBuf length : 0x0012 (18) size : 0x001e (30) name : * name : 'Netlogon' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.959933, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey in: struct winreg_EnumKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 enum_index : 0x00000004 (4) name : * name: struct winreg_StringBuf length : 0x0000 (0) size : 0x001e (30) name : * name : '' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) [2012/09/07 07:06:50.960133, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.960180, 8] rpc_server/winreg/srv_winreg_nt.c:420(_winreg_EnumKey) _winreg_EnumKey: enumerating key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.960217, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey out: struct winreg_EnumKey name : * name: struct winreg_StringBuf length : 0x0010 (16) size : 0x001e (30) name : * name : 'Spooler' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.960398, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey in: struct winreg_EnumKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 enum_index : 0x00000005 (5) name : * name: struct winreg_StringBuf length : 0x0000 (0) size : 0x001e (30) name : * name : '' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) [2012/09/07 07:06:50.960597, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.960645, 8] rpc_server/winreg/srv_winreg_nt.c:420(_winreg_EnumKey) _winreg_EnumKey: enumerating key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.960679, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey out: struct winreg_EnumKey name : * name: struct winreg_StringBuf length : 0x001e (30) size : 0x001e (30) name : * name : 'RemoteRegistry' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.960853, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey in: struct winreg_EnumKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 enum_index : 0x00000006 (6) name : * name: struct winreg_StringBuf length : 0x0000 (0) size : 0x001e (30) name : * name : '' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) [2012/09/07 07:06:50.961055, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.961102, 8] rpc_server/winreg/srv_winreg_nt.c:420(_winreg_EnumKey) _winreg_EnumKey: enumerating key [HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.961139, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_EnumKey: struct winreg_EnumKey out: struct winreg_EnumKey name : * name: struct winreg_StringBuf length : 0x000a (10) size : 0x001e (30) name : * name : 'WINS' keyclass : * keyclass: struct winreg_StringBuf length : 0x0000 (0) size : 0x0002 (2) name : * name : '' last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:50.961328, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0054 (84) name_size : 0x0054 (84) name : * name : 'SYSTEM\CurrentControlSet\Services\Spooler' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_ACTION_NONE (0) [2012/09/07 07:06:50.961638, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.961685, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\Spooler' [2012/09/07 07:06:50.961723, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.961744, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.961765, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.961784, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.961803, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.961822, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.961850, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.961872, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.961893, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.961912, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.961931, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.961949, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.961977, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.961999, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.962019, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.962040, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.962058, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.962078, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.962096, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.962130, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.962152, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Spooler] [2012/09/07 07:06:50.962172, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.962193, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.962212, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.962232, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.962250, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.962278, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.962300, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.962347, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.962464, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000c (12) name_size : 0x000c (12) name : * name : 'Start' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x02 (2) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.962656, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.962705, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:Start] [2012/09/07 07:06:50.962725, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\Spooler' (ops 0xb77570e0) [2012/09/07 07:06:50.962745, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.962773, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Start], len: 4 [2012/09/07 07:06:50.962795, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Type], len: 4 [2012/09/07 07:06:50.962815, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.962835, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ObjectName], len: 24 [2012/09/07 07:06:50.962855, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 28 [2012/09/07 07:06:50.962875, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ImagePath], len: 54 [2012/09/07 07:06:50.962895, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Description], len: 106 [2012/09/07 07:06:50.962915, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.962965, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000a (10) name_size : 0x000a (10) name : * name : 'Type' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.963157, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.963203, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:Type] [2012/09/07 07:06:50.963224, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.963272, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x001a (26) name_size : 0x001a (26) name : * name : 'ErrorControl' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.963460, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.963507, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:ErrorControl] [2012/09/07 07:06:50.963528, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.963583, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ObjectName' type : REG_SZ (1) data : * data: ARRAY(24) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x6f (111) [3] : 0x00 (0) [4] : 0x63 (99) [5] : 0x00 (0) [6] : 0x61 (97) [7] : 0x00 (0) [8] : 0x6c (108) [9] : 0x00 (0) [10] : 0x53 (83) [11] : 0x00 (0) [12] : 0x79 (121) [13] : 0x00 (0) [14] : 0x73 (115) [15] : 0x00 (0) [16] : 0x74 (116) [17] : 0x00 (0) [18] : 0x65 (101) [19] : 0x00 (0) [20] : 0x6d (109) [21] : 0x00 (0) [22] : 0x00 (0) [23] : 0x00 (0) size : 0x00000018 (24) [2012/09/07 07:06:50.963962, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.964009, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:ObjectName] [2012/09/07 07:06:50.964030, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.964085, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'DisplayName' type : REG_SZ (1) data : * data: ARRAY(28) [0] : 0x50 (80) [1] : 0x00 (0) [2] : 0x72 (114) [3] : 0x00 (0) [4] : 0x69 (105) [5] : 0x00 (0) [6] : 0x6e (110) [7] : 0x00 (0) [8] : 0x74 (116) [9] : 0x00 (0) [10] : 0x20 (32) [11] : 0x00 (0) [12] : 0x53 (83) [13] : 0x00 (0) [14] : 0x70 (112) [15] : 0x00 (0) [16] : 0x6f (111) [17] : 0x00 (0) [18] : 0x6f (111) [19] : 0x00 (0) [20] : 0x6c (108) [21] : 0x00 (0) [22] : 0x65 (101) [23] : 0x00 (0) [24] : 0x72 (114) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) size : 0x0000001c (28) [2012/09/07 07:06:50.964497, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.964547, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:DisplayName] [2012/09/07 07:06:50.964568, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.964617, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x73 (115) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.965276, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.965323, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:ImagePath] [2012/09/07 07:06:50.965344, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.965395, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(106) [0] : 0x49 (73) [1] : 0x00 (0) [2] : 0x6e (110) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x72 (114) [9] : 0x00 (0) [10] : 0x6e (110) [11] : 0x00 (0) [12] : 0x61 (97) [13] : 0x00 (0) [14] : 0x6c (108) [15] : 0x00 (0) [16] : 0x20 (32) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x65 (101) [21] : 0x00 (0) [22] : 0x72 (114) [23] : 0x00 (0) [24] : 0x76 (118) [25] : 0x00 (0) [26] : 0x69 (105) [27] : 0x00 (0) [28] : 0x63 (99) [29] : 0x00 (0) [30] : 0x65 (101) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x66 (102) [35] : 0x00 (0) [36] : 0x6f (111) [37] : 0x00 (0) [38] : 0x72 (114) [39] : 0x00 (0) [40] : 0x20 (32) [41] : 0x00 (0) [42] : 0x73 (115) [43] : 0x00 (0) [44] : 0x70 (112) [45] : 0x00 (0) [46] : 0x6f (111) [47] : 0x00 (0) [48] : 0x6f (111) [49] : 0x00 (0) [50] : 0x6c (108) [51] : 0x00 (0) [52] : 0x69 (105) [53] : 0x00 (0) [54] : 0x6e (110) [55] : 0x00 (0) [56] : 0x67 (103) [57] : 0x00 (0) [58] : 0x20 (32) [59] : 0x00 (0) [60] : 0x66 (102) [61] : 0x00 (0) [62] : 0x69 (105) [63] : 0x00 (0) [64] : 0x6c (108) [65] : 0x00 (0) [66] : 0x65 (101) [67] : 0x00 (0) [68] : 0x73 (115) [69] : 0x00 (0) [70] : 0x20 (32) [71] : 0x00 (0) [72] : 0x74 (116) [73] : 0x00 (0) [74] : 0x6f (111) [75] : 0x00 (0) [76] : 0x20 (32) [77] : 0x00 (0) [78] : 0x70 (112) [79] : 0x00 (0) [80] : 0x72 (114) [81] : 0x00 (0) [82] : 0x69 (105) [83] : 0x00 (0) [84] : 0x6e (110) [85] : 0x00 (0) [86] : 0x74 (116) [87] : 0x00 (0) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x64 (100) [91] : 0x00 (0) [92] : 0x65 (101) [93] : 0x00 (0) [94] : 0x76 (118) [95] : 0x00 (0) [96] : 0x69 (105) [97] : 0x00 (0) [98] : 0x63 (99) [99] : 0x00 (0) [100] : 0x65 (101) [101] : 0x00 (0) [102] : 0x73 (115) [103] : 0x00 (0) [104] : 0x00 (0) [105] : 0x00 (0) size : 0x0000006a (106) [2012/09/07 07:06:50.966584, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.966632, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler:Description] [2012/09/07 07:06:50.966654, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.966707, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000003-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.966778, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.966825, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 03 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.966870, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.966889, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.966909, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.966999, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0066 (102) name_size : 0x0066 (102) name : * name : 'SYSTEM\CurrentControlSet\Services\Spooler\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.967309, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.967357, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\Spooler\Security' [2012/09/07 07:06:50.967378, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.967398, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.967419, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.967437, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.967456, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.967474, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.967503, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.967524, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.967545, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.967563, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.967582, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.967601, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.967629, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.967651, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.967670, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.967691, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.967709, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.967729, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.967747, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.967781, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.967803, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Spooler] [2012/09/07 07:06:50.967822, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.967843, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.967862, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.967881, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.967899, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler] [2012/09/07 07:06:50.967927, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.967948, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.967972, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.967994, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.968013, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.968032, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.968050, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.968076, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.968097, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.968117, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.968162, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000004-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.968279, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000004-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.969572, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.969618, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security:Security] [2012/09/07 07:06:50.969639, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security' (ops 0xb77570e0) [2012/09/07 07:06:50.969659, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security] [2012/09/07 07:06:50.969687, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.969720, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.969770, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000004-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.969841, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.969888, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 04 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.969933, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.969952, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.969972, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.970067, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0056 (86) name_size : 0x0056 (86) name : * name : 'SYSTEM\CurrentControlSet\Services\NETLOGON' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_ACTION_NONE (0) [2012/09/07 07:06:50.970376, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.970424, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\NETLOGON' [2012/09/07 07:06:50.970445, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.970464, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.970485, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.970503, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.970522, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.970540, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.970569, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.970590, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.970612, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.970630, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.970649, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.970668, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.970696, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.970722, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.970742, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.970763, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.970782, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.970802, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.970820, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.970854, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.970876, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [NETLOGON] [2012/09/07 07:06:50.970896, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.970917, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.970935, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.970955, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.970973, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.971002, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.971023, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.971070, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.971178, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000c (12) name_size : 0x000c (12) name : * name : 'Start' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x02 (2) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.971368, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.971419, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:Start] [2012/09/07 07:06:50.971439, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON' (ops 0xb77570e0) [2012/09/07 07:06:50.971459, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.971487, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Start], len: 4 [2012/09/07 07:06:50.971509, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Type], len: 4 [2012/09/07 07:06:50.971529, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.971549, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ObjectName], len: 24 [2012/09/07 07:06:50.971569, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 20 [2012/09/07 07:06:50.971589, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ImagePath], len: 54 [2012/09/07 07:06:50.971609, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Description], len: 164 [2012/09/07 07:06:50.971629, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.971679, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000a (10) name_size : 0x000a (10) name : * name : 'Type' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.971866, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.971913, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:Type] [2012/09/07 07:06:50.971934, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.971982, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x001a (26) name_size : 0x001a (26) name : * name : 'ErrorControl' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.972174, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.972221, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:ErrorControl] [2012/09/07 07:06:50.972242, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.972292, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ObjectName' type : REG_SZ (1) data : * data: ARRAY(24) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x6f (111) [3] : 0x00 (0) [4] : 0x63 (99) [5] : 0x00 (0) [6] : 0x61 (97) [7] : 0x00 (0) [8] : 0x6c (108) [9] : 0x00 (0) [10] : 0x53 (83) [11] : 0x00 (0) [12] : 0x79 (121) [13] : 0x00 (0) [14] : 0x73 (115) [15] : 0x00 (0) [16] : 0x74 (116) [17] : 0x00 (0) [18] : 0x65 (101) [19] : 0x00 (0) [20] : 0x6d (109) [21] : 0x00 (0) [22] : 0x00 (0) [23] : 0x00 (0) size : 0x00000018 (24) [2012/09/07 07:06:50.972661, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.972707, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:ObjectName] [2012/09/07 07:06:50.972728, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.972780, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'DisplayName' type : REG_SZ (1) data : * data: ARRAY(20) [0] : 0x4e (78) [1] : 0x00 (0) [2] : 0x65 (101) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x20 (32) [7] : 0x00 (0) [8] : 0x4c (76) [9] : 0x00 (0) [10] : 0x6f (111) [11] : 0x00 (0) [12] : 0x67 (103) [13] : 0x00 (0) [14] : 0x6f (111) [15] : 0x00 (0) [16] : 0x6e (110) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) size : 0x00000014 (20) [2012/09/07 07:06:50.973114, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.973161, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:DisplayName] [2012/09/07 07:06:50.973182, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.973231, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x73 (115) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.973893, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.973940, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:ImagePath] [2012/09/07 07:06:50.973961, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.974013, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(164) [0] : 0x46 (70) [1] : 0x00 (0) [2] : 0x69 (105) [3] : 0x00 (0) [4] : 0x6c (108) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x20 (32) [9] : 0x00 (0) [10] : 0x73 (115) [11] : 0x00 (0) [12] : 0x65 (101) [13] : 0x00 (0) [14] : 0x72 (114) [15] : 0x00 (0) [16] : 0x76 (118) [17] : 0x00 (0) [18] : 0x69 (105) [19] : 0x00 (0) [20] : 0x63 (99) [21] : 0x00 (0) [22] : 0x65 (101) [23] : 0x00 (0) [24] : 0x20 (32) [25] : 0x00 (0) [26] : 0x70 (112) [27] : 0x00 (0) [28] : 0x72 (114) [29] : 0x00 (0) [30] : 0x6f (111) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x69 (105) [35] : 0x00 (0) [36] : 0x64 (100) [37] : 0x00 (0) [38] : 0x69 (105) [39] : 0x00 (0) [40] : 0x6e (110) [41] : 0x00 (0) [42] : 0x67 (103) [43] : 0x00 (0) [44] : 0x20 (32) [45] : 0x00 (0) [46] : 0x61 (97) [47] : 0x00 (0) [48] : 0x63 (99) [49] : 0x00 (0) [50] : 0x63 (99) [51] : 0x00 (0) [52] : 0x65 (101) [53] : 0x00 (0) [54] : 0x73 (115) [55] : 0x00 (0) [56] : 0x73 (115) [57] : 0x00 (0) [58] : 0x20 (32) [59] : 0x00 (0) [60] : 0x74 (116) [61] : 0x00 (0) [62] : 0x6f (111) [63] : 0x00 (0) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x70 (112) [67] : 0x00 (0) [68] : 0x6f (111) [69] : 0x00 (0) [70] : 0x6c (108) [71] : 0x00 (0) [72] : 0x69 (105) [73] : 0x00 (0) [74] : 0x63 (99) [75] : 0x00 (0) [76] : 0x79 (121) [77] : 0x00 (0) [78] : 0x20 (32) [79] : 0x00 (0) [80] : 0x61 (97) [81] : 0x00 (0) [82] : 0x6e (110) [83] : 0x00 (0) [84] : 0x64 (100) [85] : 0x00 (0) [86] : 0x20 (32) [87] : 0x00 (0) [88] : 0x70 (112) [89] : 0x00 (0) [90] : 0x72 (114) [91] : 0x00 (0) [92] : 0x6f (111) [93] : 0x00 (0) [94] : 0x66 (102) [95] : 0x00 (0) [96] : 0x69 (105) [97] : 0x00 (0) [98] : 0x6c (108) [99] : 0x00 (0) [100] : 0x65 (101) [101] : 0x00 (0) [102] : 0x20 (32) [103] : 0x00 (0) [104] : 0x64 (100) [105] : 0x00 (0) [106] : 0x61 (97) [107] : 0x00 (0) [108] : 0x74 (116) [109] : 0x00 (0) [110] : 0x61 (97) [111] : 0x00 (0) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x28 (40) [115] : 0x00 (0) [116] : 0x6e (110) [117] : 0x00 (0) [118] : 0x6f (111) [119] : 0x00 (0) [120] : 0x74 (116) [121] : 0x00 (0) [122] : 0x72 (114) [123] : 0x00 (0) [124] : 0x65 (101) [125] : 0x00 (0) [126] : 0x6d (109) [127] : 0x00 (0) [128] : 0x6f (111) [129] : 0x00 (0) [130] : 0x74 (116) [131] : 0x00 (0) [132] : 0x65 (101) [133] : 0x00 (0) [134] : 0x6c (108) [135] : 0x00 (0) [136] : 0x79 (121) [137] : 0x00 (0) [138] : 0x20 (32) [139] : 0x00 (0) [140] : 0x6d (109) [141] : 0x00 (0) [142] : 0x61 (97) [143] : 0x00 (0) [144] : 0x6e (110) [145] : 0x00 (0) [146] : 0x61 (97) [147] : 0x00 (0) [148] : 0x67 (103) [149] : 0x00 (0) [150] : 0x65 (101) [151] : 0x00 (0) [152] : 0x61 (97) [153] : 0x00 (0) [154] : 0x62 (98) [155] : 0x00 (0) [156] : 0x6c (108) [157] : 0x00 (0) [158] : 0x65 (101) [159] : 0x00 (0) [160] : 0x29 (41) [161] : 0x00 (0) [162] : 0x00 (0) [163] : 0x00 (0) size : 0x000000a4 (164) [2012/09/07 07:06:50.975730, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.975777, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON:Description] [2012/09/07 07:06:50.975798, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.975848, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000005-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.975919, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.975964, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 05 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.976008, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.976027, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.976047, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.976137, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0068 (104) name_size : 0x0068 (104) name : * name : 'SYSTEM\CurrentControlSet\Services\NETLOGON\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.976452, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.976499, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\NETLOGON\Security' [2012/09/07 07:06:50.976520, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.976540, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.976561, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.976579, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.976598, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.976617, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.976646, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.976667, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.976689, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.976707, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.976726, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.976745, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.976773, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.976795, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.976814, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.976835, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.976854, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.976873, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.976895, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.976930, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.976953, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [NETLOGON] [2012/09/07 07:06:50.976973, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.976994, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.977013, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.977033, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.977051, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON] [2012/09/07 07:06:50.977080, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.977101, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.977121, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.977142, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.977161, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.977181, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.977199, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.977225, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.977246, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.977266, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.977312, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000006-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.977423, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000006-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.978791, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.978841, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security:Security] [2012/09/07 07:06:50.978862, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security' (ops 0xb77570e0) [2012/09/07 07:06:50.978882, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Security] [2012/09/07 07:06:50.978912, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.978934, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.978989, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000006-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.979060, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.979106, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 06 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.979151, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.979170, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.979190, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.979280, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0062 (98) name_size : 0x0062 (98) name : * name : 'SYSTEM\CurrentControlSet\Services\RemoteRegistry' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_ACTION_NONE (0) [2012/09/07 07:06:50.979589, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.979635, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\RemoteRegistry' [2012/09/07 07:06:50.979657, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.979676, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.979702, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.979720, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.979739, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.979757, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.979786, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.979807, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.979828, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.979847, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.979866, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.979884, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.979912, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.979934, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.979953, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.979975, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.979993, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.980012, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.980030, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.980064, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.980086, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [RemoteRegistry] [2012/09/07 07:06:50.980105, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.980127, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.980145, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.980165, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.980183, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.980212, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.980234, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.980280, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.980392, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000c (12) name_size : 0x000c (12) name : * name : 'Start' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x02 (2) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.980580, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.980627, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:Start] [2012/09/07 07:06:50.980647, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry' (ops 0xb77570e0) [2012/09/07 07:06:50.980667, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.980696, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Start], len: 4 [2012/09/07 07:06:50.980718, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Type], len: 4 [2012/09/07 07:06:50.980738, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.980758, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ObjectName], len: 24 [2012/09/07 07:06:50.980778, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 48 [2012/09/07 07:06:50.980798, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ImagePath], len: 54 [2012/09/07 07:06:50.980818, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Description], len: 126 [2012/09/07 07:06:50.980838, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.980887, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000a (10) name_size : 0x000a (10) name : * name : 'Type' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.981080, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.981128, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:Type] [2012/09/07 07:06:50.981149, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.981198, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x001a (26) name_size : 0x001a (26) name : * name : 'ErrorControl' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.981384, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.981430, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:ErrorControl] [2012/09/07 07:06:50.981452, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.981502, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ObjectName' type : REG_SZ (1) data : * data: ARRAY(24) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x6f (111) [3] : 0x00 (0) [4] : 0x63 (99) [5] : 0x00 (0) [6] : 0x61 (97) [7] : 0x00 (0) [8] : 0x6c (108) [9] : 0x00 (0) [10] : 0x53 (83) [11] : 0x00 (0) [12] : 0x79 (121) [13] : 0x00 (0) [14] : 0x73 (115) [15] : 0x00 (0) [16] : 0x74 (116) [17] : 0x00 (0) [18] : 0x65 (101) [19] : 0x00 (0) [20] : 0x6d (109) [21] : 0x00 (0) [22] : 0x00 (0) [23] : 0x00 (0) size : 0x00000018 (24) [2012/09/07 07:06:50.981894, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.981941, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:ObjectName] [2012/09/07 07:06:50.981963, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.982017, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'DisplayName' type : REG_SZ (1) data : * data: ARRAY(48) [0] : 0x52 (82) [1] : 0x00 (0) [2] : 0x65 (101) [3] : 0x00 (0) [4] : 0x6d (109) [5] : 0x00 (0) [6] : 0x6f (111) [7] : 0x00 (0) [8] : 0x74 (116) [9] : 0x00 (0) [10] : 0x65 (101) [11] : 0x00 (0) [12] : 0x20 (32) [13] : 0x00 (0) [14] : 0x52 (82) [15] : 0x00 (0) [16] : 0x65 (101) [17] : 0x00 (0) [18] : 0x67 (103) [19] : 0x00 (0) [20] : 0x69 (105) [21] : 0x00 (0) [22] : 0x73 (115) [23] : 0x00 (0) [24] : 0x74 (116) [25] : 0x00 (0) [26] : 0x72 (114) [27] : 0x00 (0) [28] : 0x79 (121) [29] : 0x00 (0) [30] : 0x20 (32) [31] : 0x00 (0) [32] : 0x53 (83) [33] : 0x00 (0) [34] : 0x65 (101) [35] : 0x00 (0) [36] : 0x72 (114) [37] : 0x00 (0) [38] : 0x76 (118) [39] : 0x00 (0) [40] : 0x69 (105) [41] : 0x00 (0) [42] : 0x63 (99) [43] : 0x00 (0) [44] : 0x65 (101) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) size : 0x00000030 (48) [2012/09/07 07:06:50.982629, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.982679, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:DisplayName] [2012/09/07 07:06:50.982702, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.982753, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x73 (115) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.983435, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.983483, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:ImagePath] [2012/09/07 07:06:50.983505, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.983556, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(126) [0] : 0x49 (73) [1] : 0x00 (0) [2] : 0x6e (110) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x72 (114) [9] : 0x00 (0) [10] : 0x6e (110) [11] : 0x00 (0) [12] : 0x61 (97) [13] : 0x00 (0) [14] : 0x6c (108) [15] : 0x00 (0) [16] : 0x20 (32) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x65 (101) [21] : 0x00 (0) [22] : 0x72 (114) [23] : 0x00 (0) [24] : 0x76 (118) [25] : 0x00 (0) [26] : 0x69 (105) [27] : 0x00 (0) [28] : 0x63 (99) [29] : 0x00 (0) [30] : 0x65 (101) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x70 (112) [35] : 0x00 (0) [36] : 0x72 (114) [37] : 0x00 (0) [38] : 0x6f (111) [39] : 0x00 (0) [40] : 0x76 (118) [41] : 0x00 (0) [42] : 0x69 (105) [43] : 0x00 (0) [44] : 0x64 (100) [45] : 0x00 (0) [46] : 0x69 (105) [47] : 0x00 (0) [48] : 0x6e (110) [49] : 0x00 (0) [50] : 0x67 (103) [51] : 0x00 (0) [52] : 0x20 (32) [53] : 0x00 (0) [54] : 0x72 (114) [55] : 0x00 (0) [56] : 0x65 (101) [57] : 0x00 (0) [58] : 0x6d (109) [59] : 0x00 (0) [60] : 0x6f (111) [61] : 0x00 (0) [62] : 0x74 (116) [63] : 0x00 (0) [64] : 0x65 (101) [65] : 0x00 (0) [66] : 0x20 (32) [67] : 0x00 (0) [68] : 0x61 (97) [69] : 0x00 (0) [70] : 0x63 (99) [71] : 0x00 (0) [72] : 0x63 (99) [73] : 0x00 (0) [74] : 0x65 (101) [75] : 0x00 (0) [76] : 0x73 (115) [77] : 0x00 (0) [78] : 0x73 (115) [79] : 0x00 (0) [80] : 0x20 (32) [81] : 0x00 (0) [82] : 0x74 (116) [83] : 0x00 (0) [84] : 0x6f (111) [85] : 0x00 (0) [86] : 0x20 (32) [87] : 0x00 (0) [88] : 0x74 (116) [89] : 0x00 (0) [90] : 0x68 (104) [91] : 0x00 (0) [92] : 0x65 (101) [93] : 0x00 (0) [94] : 0x20 (32) [95] : 0x00 (0) [96] : 0x53 (83) [97] : 0x00 (0) [98] : 0x61 (97) [99] : 0x00 (0) [100] : 0x6d (109) [101] : 0x00 (0) [102] : 0x62 (98) [103] : 0x00 (0) [104] : 0x61 (97) [105] : 0x00 (0) [106] : 0x20 (32) [107] : 0x00 (0) [108] : 0x72 (114) [109] : 0x00 (0) [110] : 0x65 (101) [111] : 0x00 (0) [112] : 0x67 (103) [113] : 0x00 (0) [114] : 0x69 (105) [115] : 0x00 (0) [116] : 0x73 (115) [117] : 0x00 (0) [118] : 0x74 (116) [119] : 0x00 (0) [120] : 0x72 (114) [121] : 0x00 (0) [122] : 0x79 (121) [123] : 0x00 (0) [124] : 0x00 (0) [125] : 0x00 (0) size : 0x0000007e (126) [2012/09/07 07:06:50.984866, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.984913, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry:Description] [2012/09/07 07:06:50.984935, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.984983, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000007-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.985053, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.985100, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 07 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.985146, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.985166, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.985186, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.985280, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0074 (116) name_size : 0x0074 (116) name : * name : 'SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.985592, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.985639, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security' [2012/09/07 07:06:50.985661, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.985681, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.985710, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.985730, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.985749, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.985768, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.985797, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.985819, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.985840, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.985859, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.985878, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.985897, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.985931, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.985953, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.985973, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.985994, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.986012, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.986031, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.986050, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.986084, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.986106, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [RemoteRegistry] [2012/09/07 07:06:50.986126, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.986147, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.986166, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.986186, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.986204, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] [2012/09/07 07:06:50.986232, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.986254, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.986273, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.986295, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.986314, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.986334, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.986352, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.986377, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.986399, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.986419, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.986465, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000008-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.986581, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000008-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.987869, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.987916, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security:Security] [2012/09/07 07:06:50.987940, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security' (ops 0xb77570e0) [2012/09/07 07:06:50.987961, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security] [2012/09/07 07:06:50.987990, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.988012, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.988059, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000008-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.988130, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.988176, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 08 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.988221, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.988240, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.988260, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.988351, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x004e (78) name_size : 0x004e (78) name : * name : 'SYSTEM\CurrentControlSet\Services\WINS' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_ACTION_NONE (0) [2012/09/07 07:06:50.988666, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.988713, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\WINS' [2012/09/07 07:06:50.988734, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.988753, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.988774, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.988793, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.988812, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.988830, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.988858, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.988879, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.988900, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.988919, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.988938, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.988956, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.988984, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.989006, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.989025, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.989046, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.989064, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.989084, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.989102, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.989135, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.989157, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [WINS] [2012/09/07 07:06:50.989176, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.989198, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.989216, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.989236, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.989254, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.989282, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.989308, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.989355, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.989463, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000c (12) name_size : 0x000c (12) name : * name : 'Start' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x02 (2) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.989651, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.989734, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:Start] [2012/09/07 07:06:50.989757, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\WINS' (ops 0xb77570e0) [2012/09/07 07:06:50.989777, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.989807, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Start], len: 4 [2012/09/07 07:06:50.989829, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Type], len: 4 [2012/09/07 07:06:50.989849, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:50.989870, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ObjectName], len: 24 [2012/09/07 07:06:50.989890, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 74 [2012/09/07 07:06:50.989911, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ImagePath], len: 54 [2012/09/07 07:06:50.989932, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Description], len: 178 [2012/09/07 07:06:50.989952, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.990002, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x000a (10) name_size : 0x000a (10) name : * name : 'Type' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.990195, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.990242, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:Type] [2012/09/07 07:06:50.990263, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.990312, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x001a (26) name_size : 0x001a (26) name : * name : 'ErrorControl' type : REG_DWORD (4) data : * data: ARRAY(4) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) size : 0x00000004 (4) [2012/09/07 07:06:50.990499, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.990546, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:ErrorControl] [2012/09/07 07:06:50.990567, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.990617, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ObjectName' type : REG_SZ (1) data : * data: ARRAY(24) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x6f (111) [3] : 0x00 (0) [4] : 0x63 (99) [5] : 0x00 (0) [6] : 0x61 (97) [7] : 0x00 (0) [8] : 0x6c (108) [9] : 0x00 (0) [10] : 0x53 (83) [11] : 0x00 (0) [12] : 0x79 (121) [13] : 0x00 (0) [14] : 0x73 (115) [15] : 0x00 (0) [16] : 0x74 (116) [17] : 0x00 (0) [18] : 0x65 (101) [19] : 0x00 (0) [20] : 0x6d (109) [21] : 0x00 (0) [22] : 0x00 (0) [23] : 0x00 (0) size : 0x00000018 (24) [2012/09/07 07:06:50.990999, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.991047, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:ObjectName] [2012/09/07 07:06:50.991068, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.991122, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'DisplayName' type : REG_SZ (1) data : * data: ARRAY(74) [0] : 0x57 (87) [1] : 0x00 (0) [2] : 0x69 (105) [3] : 0x00 (0) [4] : 0x6e (110) [5] : 0x00 (0) [6] : 0x64 (100) [7] : 0x00 (0) [8] : 0x6f (111) [9] : 0x00 (0) [10] : 0x77 (119) [11] : 0x00 (0) [12] : 0x73 (115) [13] : 0x00 (0) [14] : 0x20 (32) [15] : 0x00 (0) [16] : 0x49 (73) [17] : 0x00 (0) [18] : 0x6e (110) [19] : 0x00 (0) [20] : 0x74 (116) [21] : 0x00 (0) [22] : 0x65 (101) [23] : 0x00 (0) [24] : 0x72 (114) [25] : 0x00 (0) [26] : 0x6e (110) [27] : 0x00 (0) [28] : 0x65 (101) [29] : 0x00 (0) [30] : 0x74 (116) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x4e (78) [35] : 0x00 (0) [36] : 0x61 (97) [37] : 0x00 (0) [38] : 0x6d (109) [39] : 0x00 (0) [40] : 0x65 (101) [41] : 0x00 (0) [42] : 0x20 (32) [43] : 0x00 (0) [44] : 0x53 (83) [45] : 0x00 (0) [46] : 0x65 (101) [47] : 0x00 (0) [48] : 0x72 (114) [49] : 0x00 (0) [50] : 0x76 (118) [51] : 0x00 (0) [52] : 0x69 (105) [53] : 0x00 (0) [54] : 0x63 (99) [55] : 0x00 (0) [56] : 0x65 (101) [57] : 0x00 (0) [58] : 0x20 (32) [59] : 0x00 (0) [60] : 0x28 (40) [61] : 0x00 (0) [62] : 0x57 (87) [63] : 0x00 (0) [64] : 0x49 (73) [65] : 0x00 (0) [66] : 0x4e (78) [67] : 0x00 (0) [68] : 0x53 (83) [69] : 0x00 (0) [70] : 0x29 (41) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) size : 0x0000004a (74) [2012/09/07 07:06:50.991980, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.992028, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:DisplayName] [2012/09/07 07:06:50.992049, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.992099, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0014 (20) name_size : 0x0014 (20) name : * name : 'ImagePath' type : REG_SZ (1) data : * data: ARRAY(54) [0] : 0x2f (47) [1] : 0x00 (0) [2] : 0x75 (117) [3] : 0x00 (0) [4] : 0x73 (115) [5] : 0x00 (0) [6] : 0x72 (114) [7] : 0x00 (0) [8] : 0x2f (47) [9] : 0x00 (0) [10] : 0x6c (108) [11] : 0x00 (0) [12] : 0x69 (105) [13] : 0x00 (0) [14] : 0x62 (98) [15] : 0x00 (0) [16] : 0x2f (47) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x61 (97) [21] : 0x00 (0) [22] : 0x6d (109) [23] : 0x00 (0) [24] : 0x62 (98) [25] : 0x00 (0) [26] : 0x61 (97) [27] : 0x00 (0) [28] : 0x2f (47) [29] : 0x00 (0) [30] : 0x73 (115) [31] : 0x00 (0) [32] : 0x76 (118) [33] : 0x00 (0) [34] : 0x63 (99) [35] : 0x00 (0) [36] : 0x63 (99) [37] : 0x00 (0) [38] : 0x74 (116) [39] : 0x00 (0) [40] : 0x6c (108) [41] : 0x00 (0) [42] : 0x2f (47) [43] : 0x00 (0) [44] : 0x6e (110) [45] : 0x00 (0) [46] : 0x6d (109) [47] : 0x00 (0) [48] : 0x62 (98) [49] : 0x00 (0) [50] : 0x64 (100) [51] : 0x00 (0) [52] : 0x00 (0) [53] : 0x00 (0) size : 0x00000036 (54) [2012/09/07 07:06:50.992761, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.992808, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:ImagePath] [2012/09/07 07:06:50.992833, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.992885, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'Description' type : REG_SZ (1) data : * data: ARRAY(178) [0] : 0x49 (73) [1] : 0x00 (0) [2] : 0x6e (110) [3] : 0x00 (0) [4] : 0x74 (116) [5] : 0x00 (0) [6] : 0x65 (101) [7] : 0x00 (0) [8] : 0x72 (114) [9] : 0x00 (0) [10] : 0x6e (110) [11] : 0x00 (0) [12] : 0x61 (97) [13] : 0x00 (0) [14] : 0x6c (108) [15] : 0x00 (0) [16] : 0x20 (32) [17] : 0x00 (0) [18] : 0x73 (115) [19] : 0x00 (0) [20] : 0x65 (101) [21] : 0x00 (0) [22] : 0x72 (114) [23] : 0x00 (0) [24] : 0x76 (118) [25] : 0x00 (0) [26] : 0x69 (105) [27] : 0x00 (0) [28] : 0x63 (99) [29] : 0x00 (0) [30] : 0x65 (101) [31] : 0x00 (0) [32] : 0x20 (32) [33] : 0x00 (0) [34] : 0x70 (112) [35] : 0x00 (0) [36] : 0x72 (114) [37] : 0x00 (0) [38] : 0x6f (111) [39] : 0x00 (0) [40] : 0x76 (118) [41] : 0x00 (0) [42] : 0x69 (105) [43] : 0x00 (0) [44] : 0x64 (100) [45] : 0x00 (0) [46] : 0x69 (105) [47] : 0x00 (0) [48] : 0x6e (110) [49] : 0x00 (0) [50] : 0x67 (103) [51] : 0x00 (0) [52] : 0x20 (32) [53] : 0x00 (0) [54] : 0x61 (97) [55] : 0x00 (0) [56] : 0x20 (32) [57] : 0x00 (0) [58] : 0x4e (78) [59] : 0x00 (0) [60] : 0x65 (101) [61] : 0x00 (0) [62] : 0x74 (116) [63] : 0x00 (0) [64] : 0x42 (66) [65] : 0x00 (0) [66] : 0x49 (73) [67] : 0x00 (0) [68] : 0x4f (79) [69] : 0x00 (0) [70] : 0x53 (83) [71] : 0x00 (0) [72] : 0x20 (32) [73] : 0x00 (0) [74] : 0x70 (112) [75] : 0x00 (0) [76] : 0x6f (111) [77] : 0x00 (0) [78] : 0x69 (105) [79] : 0x00 (0) [80] : 0x6e (110) [81] : 0x00 (0) [82] : 0x74 (116) [83] : 0x00 (0) [84] : 0x2d (45) [85] : 0x00 (0) [86] : 0x74 (116) [87] : 0x00 (0) [88] : 0x6f (111) [89] : 0x00 (0) [90] : 0x2d (45) [91] : 0x00 (0) [92] : 0x70 (112) [93] : 0x00 (0) [94] : 0x6f (111) [95] : 0x00 (0) [96] : 0x69 (105) [97] : 0x00 (0) [98] : 0x6e (110) [99] : 0x00 (0) [100] : 0x74 (116) [101] : 0x00 (0) [102] : 0x20 (32) [103] : 0x00 (0) [104] : 0x6e (110) [105] : 0x00 (0) [106] : 0x61 (97) [107] : 0x00 (0) [108] : 0x6d (109) [109] : 0x00 (0) [110] : 0x65 (101) [111] : 0x00 (0) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x73 (115) [115] : 0x00 (0) [116] : 0x65 (101) [117] : 0x00 (0) [118] : 0x72 (114) [119] : 0x00 (0) [120] : 0x76 (118) [121] : 0x00 (0) [122] : 0x65 (101) [123] : 0x00 (0) [124] : 0x72 (114) [125] : 0x00 (0) [126] : 0x28 (40) [127] : 0x00 (0) [128] : 0x6e (110) [129] : 0x00 (0) [130] : 0x6f (111) [131] : 0x00 (0) [132] : 0x74 (116) [133] : 0x00 (0) [134] : 0x20 (32) [135] : 0x00 (0) [136] : 0x72 (114) [137] : 0x00 (0) [138] : 0x65 (101) [139] : 0x00 (0) [140] : 0x6d (109) [141] : 0x00 (0) [142] : 0x6f (111) [143] : 0x00 (0) [144] : 0x74 (116) [145] : 0x00 (0) [146] : 0x65 (101) [147] : 0x00 (0) [148] : 0x6c (108) [149] : 0x00 (0) [150] : 0x79 (121) [151] : 0x00 (0) [152] : 0x20 (32) [153] : 0x00 (0) [154] : 0x6d (109) [155] : 0x00 (0) [156] : 0x61 (97) [157] : 0x00 (0) [158] : 0x6e (110) [159] : 0x00 (0) [160] : 0x61 (97) [161] : 0x00 (0) [162] : 0x67 (103) [163] : 0x00 (0) [164] : 0x65 (101) [165] : 0x00 (0) [166] : 0x61 (97) [167] : 0x00 (0) [168] : 0x62 (98) [169] : 0x00 (0) [170] : 0x6c (108) [171] : 0x00 (0) [172] : 0x65 (101) [173] : 0x00 (0) [174] : 0x29 (41) [175] : 0x00 (0) [176] : 0x00 (0) [177] : 0x00 (0) size : 0x000000b2 (178) [2012/09/07 07:06:50.994713, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.994762, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS:Description] [2012/09/07 07:06:50.994783, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.994832, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000009-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.994907, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.994953, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 09 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.994999, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.995019, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.995039, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.995129, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey in: struct winreg_CreateKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000001-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0060 (96) name_size : 0x0060 (96) name : * name : 'SYSTEM\CurrentControlSet\Services\WINS\Security' keyclass: struct winreg_String name_len : 0x0002 (2) name_size : 0x0002 (2) name : * name : '' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY secdesc : NULL action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) [2012/09/07 07:06:50.995438, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[1] [0000] 00 00 00 00 01 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.995486, 10] rpc_server/winreg/srv_winreg_nt.c:782(_winreg_CreateKey) _winreg_CreateKey called with parent key 'HKLM' and subkey name 'SYSTEM\CurrentControlSet\Services\WINS\Security' [2012/09/07 07:06:50.995507, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.995527, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.995551, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.995571, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.995590, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.995608, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.995636, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.995658, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.995680, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.995698, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.995717, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.995735, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.995764, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.995785, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.995805, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.995826, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.995844, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.995863, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.995881, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.995915, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.995937, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [WINS] [2012/09/07 07:06:50.995956, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.995978, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.995996, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.996016, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.996034, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\WINS] [2012/09/07 07:06:50.996062, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.996083, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Security] [2012/09/07 07:06:50.996102, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (4->5) [2012/09/07 07:06:50.996124, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.996142, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.996161, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.996180, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.996209, 10] registry/reg_backend_db.c:1630(regdb_fetch_keys_internal) regdb_fetch_keys: no subkeys found for key [HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.996231, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (5->4) [2012/09/07 07:06:50.996251, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.996296, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CreateKey: struct winreg_CreateKey out: struct winreg_CreateKey new_handle : * new_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000a-0000-0000-4950-7aff6e050000 action_taken : * action_taken : REG_OPENED_EXISTING_KEY (2) result : WERR_OK [2012/09/07 07:06:50.996407, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue in: struct winreg_SetValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000a-0000-0000-4950-7aff6e050000 name: struct winreg_String name_len : 0x0012 (18) name_size : 0x0012 (18) name : * name : 'Security' type : REG_BINARY (3) data : * data: ARRAY(120) [0] : 0x01 (1) [1] : 0x00 (0) [2] : 0x04 (4) [3] : 0x80 (128) [4] : 0x00 (0) [5] : 0x00 (0) [6] : 0x00 (0) [7] : 0x00 (0) [8] : 0x00 (0) [9] : 0x00 (0) [10] : 0x00 (0) [11] : 0x00 (0) [12] : 0x00 (0) [13] : 0x00 (0) [14] : 0x00 (0) [15] : 0x00 (0) [16] : 0x14 (20) [17] : 0x00 (0) [18] : 0x00 (0) [19] : 0x00 (0) [20] : 0x02 (2) [21] : 0x00 (0) [22] : 0x64 (100) [23] : 0x00 (0) [24] : 0x04 (4) [25] : 0x00 (0) [26] : 0x00 (0) [27] : 0x00 (0) [28] : 0x00 (0) [29] : 0x00 (0) [30] : 0x14 (20) [31] : 0x00 (0) [32] : 0x8d (141) [33] : 0x01 (1) [34] : 0x02 (2) [35] : 0x00 (0) [36] : 0x01 (1) [37] : 0x01 (1) [38] : 0x00 (0) [39] : 0x00 (0) [40] : 0x00 (0) [41] : 0x00 (0) [42] : 0x00 (0) [43] : 0x01 (1) [44] : 0x00 (0) [45] : 0x00 (0) [46] : 0x00 (0) [47] : 0x00 (0) [48] : 0x00 (0) [49] : 0x00 (0) [50] : 0x18 (24) [51] : 0x00 (0) [52] : 0xfd (253) [53] : 0x01 (1) [54] : 0x02 (2) [55] : 0x00 (0) [56] : 0x01 (1) [57] : 0x02 (2) [58] : 0x00 (0) [59] : 0x00 (0) [60] : 0x00 (0) [61] : 0x00 (0) [62] : 0x00 (0) [63] : 0x05 (5) [64] : 0x20 (32) [65] : 0x00 (0) [66] : 0x00 (0) [67] : 0x00 (0) [68] : 0x23 (35) [69] : 0x02 (2) [70] : 0x00 (0) [71] : 0x00 (0) [72] : 0x00 (0) [73] : 0x00 (0) [74] : 0x18 (24) [75] : 0x00 (0) [76] : 0xff (255) [77] : 0x01 (1) [78] : 0x0f (15) [79] : 0x00 (0) [80] : 0x01 (1) [81] : 0x02 (2) [82] : 0x00 (0) [83] : 0x00 (0) [84] : 0x00 (0) [85] : 0x00 (0) [86] : 0x00 (0) [87] : 0x05 (5) [88] : 0x20 (32) [89] : 0x00 (0) [90] : 0x00 (0) [91] : 0x00 (0) [92] : 0x25 (37) [93] : 0x02 (2) [94] : 0x00 (0) [95] : 0x00 (0) [96] : 0x00 (0) [97] : 0x00 (0) [98] : 0x18 (24) [99] : 0x00 (0) [100] : 0xff (255) [101] : 0x01 (1) [102] : 0x0f (15) [103] : 0x00 (0) [104] : 0x01 (1) [105] : 0x02 (2) [106] : 0x00 (0) [107] : 0x00 (0) [108] : 0x00 (0) [109] : 0x00 (0) [110] : 0x00 (0) [111] : 0x05 (5) [112] : 0x20 (32) [113] : 0x00 (0) [114] : 0x00 (0) [115] : 0x00 (0) [116] : 0x20 (32) [117] : 0x02 (2) [118] : 0x00 (0) [119] : 0x00 (0) size : 0x00000078 (120) [2012/09/07 07:06:50.997693, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.997753, 8] rpc_server/winreg/srv_winreg_nt.c:812(_winreg_SetValue) _winreg_SetValue: Setting value for [HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security:Security] [2012/09/07 07:06:50.997774, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security' (ops 0xb77570e0) [2012/09/07 07:06:50.997794, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\WINS\Security] [2012/09/07 07:06:50.997823, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [Security], len: 120 [2012/09/07 07:06:50.997845, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_SetValue: struct winreg_SetValue out: struct winreg_SetValue result : WERR_OK [2012/09/07 07:06:50.997893, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000a-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.997964, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.998011, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0A 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.998057, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.998077, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.998096, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.998181, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000002-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:50.998253, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.998304, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 02 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.998349, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:50.998376, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (3->2) [2012/09/07 07:06:50.998396, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:50.998485, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (2->1) [2012/09/07 07:06:50.998527, 3] rpc_server/eventlog/srv_eventlog_reg.c:59(eventlog_init_winreg) Initialise the eventlog registry keys if needed. [2012/09/07 07:06:50.998550, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \winreg [2012/09/07 07:06:50.998574, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 2 for pipe \winreg [2012/09/07 07:06:50.998599, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \winreg (pipes_open=0) [2012/09/07 07:06:50.998626, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM in: struct winreg_OpenHKLM system_name : NULL access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2012/09/07 07:06:50.998746, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [HKLM] [2012/09/07 07:06:50.998766, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (1->2) [2012/09/07 07:06:50.998787, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM] [2012/09/07 07:06:50.998806, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM] [2012/09/07 07:06:50.998825, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.998843, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM] [2012/09/07 07:06:50.998876, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[2] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.998926, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM out: struct winreg_OpenHKLM handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-4950-7aff6e050000 result : WERR_OK [2012/09/07 07:06:50.999017, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey in: struct winreg_OpenKey parent_handle : * parent_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000b-0000-0000-4950-7aff6e050000 keyname: struct winreg_String name_len : 0x0056 (86) name_size : 0x0056 (86) name : * name : 'SYSTEM\CurrentControlSet\Services\Eventlog' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2012/09/07 07:06:50.999264, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0B 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.999313, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2012/09/07 07:06:50.999333, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (2->3) [2012/09/07 07:06:50.999354, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2012/09/07 07:06:50.999373, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2012/09/07 07:06:50.999392, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.999410, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM] [2012/09/07 07:06:50.999442, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2012/09/07 07:06:50.999464, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.999485, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.999504, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.999523, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.999541, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet] [2012/09/07 07:06:50.999573, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.999595, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Services] [2012/09/07 07:06:50.999614, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.999636, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.999654, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.999674, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.999692, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services] [2012/09/07 07:06:50.999730, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.999752, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Eventlog] [2012/09/07 07:06:50.999772, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) [2012/09/07 07:06:50.999797, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.999816, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.999835, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2012/09/07 07:06:50.999854, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb77570e0 for key [\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:50.999884, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2012/09/07 07:06:50.999906, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[3] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:50.999952, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey out: struct winreg_OpenKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000c-0000-0000-4950-7aff6e050000 result : WERR_OK [2012/09/07 07:06:51.000042, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_QueryInfoKey: struct winreg_QueryInfoKey in: struct winreg_QueryInfoKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000c-0000-0000-4950-7aff6e050000 classname : * classname: struct winreg_String name_len : 0x0000 (0) name_size : 0x0000 (0) name : NULL [2012/09/07 07:06:51.000159, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:51.000218, 10] registry/reg_dispatcher.c:150(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Services\Eventlog' (ops 0xb77570e0) [2012/09/07 07:06:51.000240, 10] registry/reg_backend_db.c:1764(regdb_fetch_values_internal) regdb_fetch_values: Looking for value of key [HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:51.000270, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [DisplayName], len: 20 [2012/09/07 07:06:51.000292, 8] registry/reg_backend_db.c:1710(regdb_unpack_values) specific: [ErrorControl], len: 4 [2012/09/07 07:06:51.000312, 10] registry/reg_backend_db.c:1871(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SYSTEM\CurrentControlSet\Services\Eventlog] [2012/09/07 07:06:51.000344, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_QueryInfoKey: struct winreg_QueryInfoKey out: struct winreg_QueryInfoKey classname : * classname: struct winreg_String name_len : 0x0000 (0) name_size : 0x0000 (0) name : NULL num_subkeys : * num_subkeys : 0x00000000 (0) max_subkeylen : * max_subkeylen : 0x00000000 (0) max_classlen : * max_classlen : 0x00000000 (0) num_values : * num_values : 0x00000002 (2) max_valnamelen : * max_valnamelen : 0x0000001a (26) max_valbufsize : * max_valbufsize : 0x00000014 (20) secdescsize : * secdescsize : 0x00000078 (120) last_changed_time : * last_changed_time : NTTIME(0) result : WERR_OK [2012/09/07 07:06:51.000586, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000000c-0000-0000-4950-7aff6e050000 [2012/09/07 07:06:51.000658, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:51.000705, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 0C 00 00 00 00 00 00 00 49 50 7A FF ........ ....IPz. [0010] 6E 05 00 00 n... [2012/09/07 07:06:51.000750, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2012/09/07 07:06:51.000769, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (3->2) [2012/09/07 07:06:51.000789, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2012/09/07 07:06:51.000889, 3] printing/pcap.c:138(pcap_cache_reload) reloading printcap cache [2012/09/07 07:06:51.000924, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 5052494E5445524C4953 [2012/09/07 07:06:51.000949, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84fffd0 [2012/09/07 07:06:51.001014, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 5052494E5445524C4953 [2012/09/07 07:06:51.001048, 5] printing/print_cups.c:408(cups_pcap_load_async) cups_pcap_load_async: asynchronously loading cups printers [2012/09/07 07:06:51.001255, 10] printing/print_cups.c:425(cups_pcap_load_async) cups_pcap_load_async: child pid = 1391 [2012/09/07 07:06:51.001304, 10] printing/print_cups.c:545(cups_cache_reload) cups_cache_reload: async read on fd 25 [2012/09/07 07:06:51.001329, 3] printing/pcap.c:189(pcap_cache_reload) reload status: ok [2012/09/07 07:06:51.001355, 3] printing/printing.c:1644(start_background_queue) start_background_queue: Starting background LPQ thread [2012/09/07 07:06:51.001487, 5] printing/print_cups.c:277(cups_cache_reload_async) reloading cups printcap cache [2012/09/07 07:06:51.001566, 10] lib/util_sock.c:680(open_socket_in) bind succeeded on port 445 [2012/09/07 07:06:51.001601, 5] lib/util_sock.c:165(print_socket_options) [2012/09/07 07:06:51.001549, 5] printing/printing.c:1667(start_background_queue) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 start_background_queue: background LPQ thread started SO_BROADCAST = 0 TCP_NODELAY = 0 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 16384 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 [2012/09/07 07:06:51.001724, 10] printing/print_cups.c:89(cups_connect) SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 connecting to cups server localhost:631 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:06:51.001774, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 [2012/09/07 07:06:51.001796, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) SO_REUSEADDR = 1 SO_BROADCAST = 0 Locking key 70050000FFFFFFFF TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 [2012/09/07 07:06:51.001847, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) IPTOS_THROUGHPUT = 0 Allocated locked data 0x0xb8504110 SO_SNDBUF = 16384 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:06:51.001918, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) [2012/09/07 07:06:51.001942, 10] lib/util_sock.c:680(open_socket_in) Unlocking key 70050000FFFFFFFF bind succeeded on port 139 [2012/09/07 07:06:51.001967, 5] lib/util_sock.c:165(print_socket_options) Socket options: [2012/09/07 07:06:51.001971, 5] printing/printing.c:1703(start_background_queue) SO_KEEPALIVE = 1 start_background_queue: background LPQ thread waiting for messages SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 0 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 16384 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:06:51.002114, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 16384 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:06:51.002268, 2] lib/util_sock.c:667(open_socket_in) bind failed on port 445 socket_addr = fe80::227:eff:fe12:cb02%eth0. Error = Cannot assign requested address [2012/09/07 07:06:51.002325, 0] smbd/server.c:575(smbd_open_one_socket) smbd_open_once_socket: open_socket_in: Cannot assign requested address [2012/09/07 07:06:51.002352, 2] lib/util_sock.c:667(open_socket_in) bind failed on port 139 socket_addr = fe80::227:eff:fe12:cb02%eth0. Error = Cannot assign requested address [2012/09/07 07:06:51.002390, 0] smbd/server.c:575(smbd_open_one_socket) smbd_open_once_socket: open_socket_in: Cannot assign requested address [2012/09/07 07:06:51.002424, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 6E050000FFFFFFFF [2012/09/07 07:06:51.002448, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb8504110 [2012/09/07 07:06:51.002478, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 6E050000FFFFFFFF [2012/09/07 07:06:51.002517, 10] smbd/process.c:920(event_add_idle) event_add_idle: idle_evt(parent_housekeeping) 0xb8506648 [2012/09/07 07:06:51.002540, 5] lib/messages.c:300(messaging_register) Overriding messaging pointer for type 1 - private_data=(nil) [2012/09/07 07:06:51.002583, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (2->1) [2012/09/07 07:06:51.002606, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (1->0) [2012/09/07 07:06:51.002632, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \winreg [2012/09/07 07:06:51.002666, 2] smbd/server.c:839(smbd_parent_loop) waiting for connections [2012/09/07 07:06:51.003209, 0] printing/print_cups.c:110(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused [2012/09/07 07:06:51.003292, 10] printing/print_cups.c:130(send_pcap_blob) successfully sent blob of len 12 [2012/09/07 07:06:51.003300, 5] printing/print_cups.c:471(cups_async_callback) cups_async_callback: callback received for printer data. fd = 25 [2012/09/07 07:06:51.003343, 10] printing/print_cups.c:155(recv_pcap_blob) successfully recvd blob of len 12 [2012/09/07 07:06:51.003381, 0] printing/print_cups.c:487(cups_async_callback) failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL [2012/09/07 07:06:51.003491, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 6F050000FFFFFFFF [2012/09/07 07:06:51.003522, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84fe940 [2012/09/07 07:06:51.003543, 1] lib/serverid.c:197(serverid_deregister) Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND [2012/09/07 07:06:51.003564, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 6F050000FFFFFFFF [2012/09/07 07:06:51.003586, 1] smbd/server.c:309(remove_child_pid) Could not remove pid 1391 from serverid.tdb [2012/09/07 07:06:51.003606, 1] smbd/server.c:323(remove_child_pid) Could not find child 1391 -- ignoring [2012/09/07 07:07:51.016924, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb8506648 [2012/09/07 07:07:51.017038, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:07:51.017073, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:07:51.017096, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled [2012/09/07 07:08:19.500764, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 71100000FFFFFFFF [2012/09/07 07:08:19.500879, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f8028 [2012/09/07 07:08:19.500933, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 71100000FFFFFFFF [2012/09/07 07:08:19.500997, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:08:19.501249, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:08:19.971953, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 71100000FFFFFFFF [2012/09/07 07:08:19.972007, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f80b8 [2012/09/07 07:08:19.972039, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 71100000FFFFFFFF [2012/09/07 07:08:28.935318, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 76100000FFFFFFFF [2012/09/07 07:08:28.936015, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f8028 [2012/09/07 07:08:28.936075, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 76100000FFFFFFFF [2012/09/07 07:08:28.936129, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:08:28.936292, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:08:29.079655, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 76100000FFFFFFFF [2012/09/07 07:08:29.079706, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f6f10 [2012/09/07 07:08:29.079733, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 76100000FFFFFFFF [2012/09/07 07:08:34.768523, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 77100000FFFFFFFF [2012/09/07 07:08:34.768667, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f8028 [2012/09/07 07:08:34.768716, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 77100000FFFFFFFF [2012/09/07 07:08:34.768769, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:08:34.768993, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:08:51.028067, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb84faa60 [2012/09/07 07:08:51.028210, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:08:51.028271, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:08:51.028319, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled [2012/09/07 07:09:51.063588, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb84faa60 [2012/09/07 07:09:51.063731, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:09:51.063798, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:09:51.063848, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled [2012/09/07 07:10:51.064186, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb84faa60 [2012/09/07 07:10:51.064316, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:10:51.064370, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:10:51.064411, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled [2012/09/07 07:11:28.694218, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key B1100000FFFFFFFF [2012/09/07 07:11:28.694515, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f8028 [2012/09/07 07:11:28.694616, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key B1100000FFFFFFFF [2012/09/07 07:11:28.694706, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:11:28.695102, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:11:28.763284, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key B1100000FFFFFFFF [2012/09/07 07:11:28.763419, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f56b0 [2012/09/07 07:11:28.763488, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key B1100000FFFFFFFF [2012/09/07 07:11:51.078911, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb84fa7c8 [2012/09/07 07:11:51.079049, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:11:51.079101, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:11:51.079140, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled [2012/09/07 07:12:51.108436, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb84faa60 [2012/09/07 07:12:51.108580, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:12:51.108631, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:12:51.108672, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled [2012/09/07 07:13:51.128165, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb84fa7c8 [2012/09/07 07:13:51.128301, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:13:51.128353, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:13:51.128394, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled [2012/09/07 07:14:28.761398, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key E8100000FFFFFFFF [2012/09/07 07:14:28.761562, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb84f8028 [2012/09/07 07:14:28.761629, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key E8100000FFFFFFFF [2012/09/07 07:14:28.761705, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:14:28.762026, 5] lib/util_sock.c:165(print_socket_options) Socket options: SO_KEEPALIVE = 1 SO_REUSEADDR = 1 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 21480 SO_RCVBUF = 87380 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 [2012/09/07 07:14:28.836266, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key E8100000FFFFFFFF [2012/09/07 07:14:28.836382, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb85010e0 [2012/09/07 07:14:28.836453, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key E8100000FFFFFFFF [2012/09/07 07:14:51.129962, 10] lib/events.c:221(run_events_poll) Running timed event "smbd_idle_event_handler" 0xb84faa60 [2012/09/07 07:14:51.130116, 10] smbd/process.c:863(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) called [2012/09/07 07:14:51.130176, 5] smbd/server.c:624(smbd_parent_housekeeping) parent housekeeping [2012/09/07 07:14:51.130227, 10] smbd/process.c:874(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(parent_housekeeping) (nil) rescheduled