@ashishnegi
Created October 30, 2017 13:29
Procmon logs when dotnet runs as network service
```
"CreateFile","D:\Users\testadm\dotnet\dotnet.exe","ACCESS DENIED","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a"
"QueryOpen","D:\Users\testadm\dotnet\host\fxr","ACCESS DENIED",""
```
Full Process Monitor log here:
```
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:05:34.9220360 PM","dotnet.exe","1084","Process Start","","SUCCESS","Parent PID: 2376, Command line: ""D:\Users\testadm\dotnet\dotnet.exe"" --version , Current directory: D:\Windows\system32\, Environment:
; ALLUSERSPROFILE=D:\ProgramData
; APPDATA=D:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
; CommonProgramFiles=D:\Program Files\Common Files
; CommonProgramFiles(x86)=D:\Program Files (x86)\Common Files
; CommonProgramW6432=D:\Program Files\Common Files
; ComSpec=D:\Windows\system32\cmd.exe
; Coverage=D:\ProgramData\Coverage
; FP_NO_HOST_CHECK=NO
; LOCALAPPDATA=D:\Windows\ServiceProfiles\NetworkService\AppData\Local
; NUMBER_OF_PROCESSORS=2
; OS=Windows_NT
; Path=D:\Windows\system32;D:\Windows;D:\Windows\System32\Wbem;D:\Windows\System32\WindowsPowerShell\v1.0\;;E:\base\x64;E:\base\x86;;D:\Packages\GuestAgent\GuestAgent\LegacyRuntime\x64;D:\Packages\GuestAgent\GuestAgent\LegacyRuntime\x86;D:\Program Files\Windows Fabric\bin\Fabric\Fabric.Code;D:\Program Files\Microsoft Service Fabric\bin\Fabric\Fabric.Code;D:\Program Files (x86)\Magellan Toolset 5.2\
; PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
; PROCESSOR_ARCHITECTURE=AMD64
; PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 45 Stepping 7, GenuineIntel
; PROCESSOR_LEVEL=6
; PROCESSOR_REVISION=2d07
; ProgramData=D:\ProgramData
; ProgramFiles=D:\Program Files
; ProgramFiles(x86)=D:\Program Files (x86)
; ProgramW6432=D:\Program Files
; PSModulePath=D:\Windows\system32\WindowsPowerShell\v1.0\Modules\;d:\Program Files\Microsoft Security Client\MpProvider\
; PUBLIC=D:\Users\Public
; SystemDrive=D:
; SystemRoot=D:\Windows
; TEMP=D:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
; TE_PATH=C:\MCRoot\TAEF
; TMP=D:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
; USERDOMAIN=WORKGROUP
; USERNAME=RD00155DE6396A$
; USERPROFILE=D:\Windows\ServiceProfiles\NetworkService
; windir=D:\Windows
; WinFabric_BuildDestinationCache=C:\MCRoot\BinCache\bins
; WinFabric_UtilityPath=C:\MCRoot\Utility
; _NTTREE=C:\MCRoot\BinCache\bins
; _NT_SYMBOL_PATH=symsrv*symsrv.dll*\\symbols\symbols"
"1:05:34.9220420 PM","dotnet.exe","1084","Thread Create","","SUCCESS","Thread ID: 1952"
"1:05:34.9231300 PM","dotnet.exe","1084","Load Image","D:\Users\testadm\dotnet\dotnet.exe","SUCCESS","Image Base: 0x7ff75ca90000, Image Size: 0x27000"
"1:05:34.9231707 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ffa50d10000, Image Size: 0x1ad000"
"1:05:34.9236773 PM","dotnet.exe","1084","CreateFile","D:\Users\testadm\dotnet\dotnet.exe","ACCESS DENIED","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a"
"1:05:34.9238774 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9239107 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32","SUCCESS","Information: Attribute"
"1:05:34.9241522 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ffa50bd0000, Image Size: 0x13e000"
"1:05:34.9244483 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\KernelBase.dll","SUCCESS","Image Base: 0x7ffa4dff0000, Image Size: 0x115000"
"1:05:34.9262819 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\conhost.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9263418 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\conhost.exe","SUCCESS","Information: Attribute"
"1:05:34.9263646 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\conhost.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9263963 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\conhost.exe","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9264288 PM","dotnet.exe","1084","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Conhost.exe","NAME NOT FOUND","Desired Access: Query Value, Enumerate Sub Keys"
"1:05:34.9264702 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\conhost.exe","SUCCESS","Information: Label"
"1:05:34.9266243 PM","dotnet.exe","1084","QueryNameInformationFile","D:\Windows\System32\conhost.exe","SUCCESS","Name: \Windows\System32\conhost.exe"
"1:05:34.9267887 PM","dotnet.exe","1084","Process Create","D:\Windows\system32\conhost.exe","SUCCESS","PID: 1880, Command line: \??\D:\Windows\system32\conhost.exe 0xffffffff"
"1:05:34.9268234 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\conhost.exe","SUCCESS",""
"1:05:34.9569280 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","REPARSE","Desired Access: Query Value, Set Value"
"1:05:34.9569494 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","NAME NOT FOUND","Desired Access: Query Value, Set Value"
"1:05:34.9569665 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DLL","REPARSE","Desired Access: Read"
"1:05:34.9569803 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DLL","NAME NOT FOUND","Desired Access: Read"
"1:05:34.9569945 PM","dotnet.exe","1084","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
"1:05:34.9570144 PM","dotnet.exe","1084","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled","NAME NOT FOUND","Length: 80"
"1:05:34.9570263 PM","dotnet.exe","1084","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers","SUCCESS",""
"1:05:34.9570540 PM","dotnet.exe","1084","RegOpenKey","HKU\S-1-5-20\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","NAME NOT FOUND","Desired Access: Query Value"
"1:05:34.9571036 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","REPARSE","Desired Access: Query Value"
"1:05:34.9571184 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Query Value"
"1:05:34.9572106 PM","dotnet.exe","1084","RegQueryValue","HKLM\System\CurrentControlSet\Control\SESSION MANAGER\SafeDllSearchMode","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"1:05:34.9573913 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-runtime-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9574922 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 16,384, EndOfFile: 16,224, FileAttributes: A"
"1:05:34.9575968 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9576347 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9576513 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9577046 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9577913 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa3f940000, Image Size: 0x4000"
"1:05:34.9578145 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll","SUCCESS",""
"1:05:34.9579219 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-math-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9580073 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 24,576, EndOfFile: 20,832, FileAttributes: A"
"1:05:34.9581015 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9581361 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9581506 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9581913 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9582772 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa3ee20000, Image Size: 0x5000"
"1:05:34.9582985 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll","SUCCESS",""
"1:05:34.9584004 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-heap-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9584834 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 16,384, EndOfFile: 12,640, FileAttributes: A"
"1:05:34.9586131 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9586486 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9586627 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9587017 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9587812 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa3bc50000, Image Size: 0x3000"
"1:05:34.9588022 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll","SUCCESS",""
"1:05:34.9589040 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-convert-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9589847 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 16,384, EndOfFile: 15,712, FileAttributes: A"
"1:05:34.9590684 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9591017 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9591304 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9591690 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9592540 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa3aa20000, Image Size: 0x4000"
"1:05:34.9592757 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll","SUCCESS",""
"1:05:34.9593742 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-stdio-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9595131 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 20,480, EndOfFile: 17,760, FileAttributes: A"
"1:05:34.9596310 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9596658 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9596803 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9597190 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9597752 PM","dotnet.exe","1084","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Control\Session Manager","REPARSE","Desired Access: Query Value, Enumerate Sub Keys"
"1:05:34.9597942 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Query Value, Enumerate Sub Keys"
"1:05:34.9598144 PM","dotnet.exe","1084","RegQueryValue","HKLM\System\CurrentControlSet\Control\SESSION MANAGER\ResourcePolicies","NAME NOT FOUND","Length: 24"
"1:05:34.9598273 PM","dotnet.exe","1084","RegCloseKey","HKLM\System\CurrentControlSet\Control\SESSION MANAGER","SUCCESS",""
"1:05:34.9599059 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa3a290000, Image Size: 0x4000"
"1:05:34.9599275 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll","SUCCESS",""
"1:05:34.9600322 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-string-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9601163 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 20,480, EndOfFile: 17,760, FileAttributes: A"
"1:05:34.9602068 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9602402 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9602550 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9602951 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9603729 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa3a240000, Image Size: 0x4000"
"1:05:34.9603939 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll","SUCCESS",""
"1:05:34.9605492 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-locale-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9606291 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 12,288, EndOfFile: 12,128, FileAttributes: A"
"1:05:34.9607112 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9607438 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9607576 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9608177 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9608960 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa39b90000, Image Size: 0x3000"
"1:05:34.9609177 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll","SUCCESS",""
"1:05:34.9610297 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\api-ms-win-crt-multibyte-l1-1-0.dll","NAME NOT FOUND",""
"1:05:34.9611295 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:05 AM, AllocationSize: 20,480, EndOfFile: 19,808, FileAttributes: A"
"1:05:34.9612177 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9612537 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll","SUCCESS","Information: Attribute"
"1:05:34.9612681 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9613571 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9614414 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll","SUCCESS","Image Base: 0x7ffa32ec0000, Image Size: 0x5000"
"1:05:34.9614636 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll","SUCCESS",""
"1:05:34.9616679 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\ucrtbase.DLL","NAME NOT FOUND",""
"1:05:34.9617963 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\ucrtbase.dll","SUCCESS","CreationTime: 9/10/2017 2:37:09 AM, LastAccessTime: 9/10/2017 2:37:09 AM, LastWriteTime: 9/10/2017 2:37:09 AM, ChangeTime: 9/10/2017 5:47:51 AM, AllocationSize: 995,328, EndOfFile: 994,760, FileAttributes: A"
"1:05:34.9618799 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9619342 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Information: Attribute"
"1:05:34.9619488 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\ucrtbase.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9621406 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\ucrtbase.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9622124 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\ucrtbase.dll","SUCCESS","Image Base: 0x7ffa30220000, Image Size: 0xf4000"
"1:05:34.9622379 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\ucrtbase.dll","SUCCESS",""
"1:05:34.9627745 PM","dotnet.exe","1084","ReadFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Offset: 958,976, Length: 13,824, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"1:05:34.9628917 PM","dotnet.exe","1084","ReadFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Offset: 942,592, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"1:05:34.9629904 PM","dotnet.exe","1084","ReadFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Offset: 930,304, Length: 12,288, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"1:05:34.9631229 PM","dotnet.exe","1084","ReadFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Offset: 824,832, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"1:05:34.9635432 PM","dotnet.exe","1084","ReadFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Offset: 808,448, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"1:05:34.9640620 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions","REPARSE","Desired Access: Read"
"1:05:34.9640902 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions","SUCCESS","Desired Access: Read"
"1:05:34.9641173 PM","dotnet.exe","1084","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions\(Default)","SUCCESS","Type: REG_SZ, Length: 18, Data: 0006020E"
"1:05:34.9643970 PM","dotnet.exe","1084","QueryNameInformationFile","D:\Users\testadm\dotnet\dotnet.exe","SUCCESS","Name: \Users\testadm\dotnet\dotnet.exe"
"1:05:34.9645823 PM","dotnet.exe","1084","QueryOpen","D:\Users\testadm\dotnet\host\fxr","ACCESS DENIED",""
"1:05:34.9649782 PM","dotnet.exe","1084","ReadFile","D:\Windows\System32\ucrtbase.dll","SUCCESS","Offset: 845,312, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"1:05:34.9654873 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\kernel.appcore.dll","SUCCESS","CreationTime: 9/10/2017 2:34:00 AM, LastAccessTime: 9/10/2017 2:34:00 AM, LastWriteTime: 9/10/2017 2:34:00 AM, ChangeTime: 9/10/2017 5:47:28 AM, AllocationSize: 36,864, EndOfFile: 33,064, FileAttributes: A"
"1:05:34.9655896 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\kernel.appcore.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9656218 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\kernel.appcore.dll","SUCCESS","Information: Attribute"
"1:05:34.9656371 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\kernel.appcore.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9656584 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\kernel.appcore.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9657397 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\kernel.appcore.dll","SUCCESS","Image Base: 0x7ffa4cb20000, Image Size: 0xb000"
"1:05:34.9657600 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\kernel.appcore.dll","SUCCESS",""
"1:05:34.9659049 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\msvcrt.dll","SUCCESS","Image Base: 0x7ffa50550000, Image Size: 0xaa000"
"1:05:34.9659842 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\rpcrt4.dll","SUCCESS","Image Base: 0x7ffa4e3f0000, Image Size: 0x140000"
"1:05:34.9662965 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\sspicli.dll","SUCCESS","Image Base: 0x7ffa4df10000, Image Size: 0x2e000"
"1:05:34.9665557 PM","dotnet.exe","1084","QueryOpen","D:\Windows\System32\sechost.dll","SUCCESS","CreationTime: 9/10/2017 2:34:44 AM, LastAccessTime: 9/10/2017 2:34:44 AM, LastWriteTime: 9/10/2017 2:34:44 AM, ChangeTime: 9/10/2017 7:26:05 PM, AllocationSize: 364,544, EndOfFile: 360,480, FileAttributes: A"
"1:05:34.9666434 PM","dotnet.exe","1084","CreateFile","D:\Windows\System32\sechost.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:05:34.9666882 PM","dotnet.exe","1084","QuerySecurityFile","D:\Windows\System32\sechost.dll","SUCCESS","Information: Attribute"
"1:05:34.9667042 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\sechost.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"1:05:34.9667244 PM","dotnet.exe","1084","CreateFileMapping","D:\Windows\System32\sechost.dll","SUCCESS","SyncType: SyncTypeOther"
"1:05:34.9668455 PM","dotnet.exe","1084","Load Image","D:\Windows\System32\sechost.dll","SUCCESS","Image Base: 0x7ffa501c0000, Image Size: 0x59000"
"1:05:34.9668697 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32\sechost.dll","SUCCESS",""
"1:05:34.9673617 PM","dotnet.exe","1084","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Control\Session Manager","REPARSE","Desired Access: Query Value, Enumerate Sub Keys"
"1:05:34.9673845 PM","dotnet.exe","1084","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Query Value, Enumerate Sub Keys"
"1:05:34.9674044 PM","dotnet.exe","1084","RegQueryValue","HKLM\System\CurrentControlSet\Control\SESSION MANAGER\ResourcePolicies","NAME NOT FOUND","Length: 24"
"1:05:34.9674192 PM","dotnet.exe","1084","RegCloseKey","HKLM\System\CurrentControlSet\Control\SESSION MANAGER","SUCCESS",""
"1:05:34.9675625 PM","dotnet.exe","1084","Thread Exit","","SUCCESS","Thread ID: 1952, User Time: 0.0000000, Kernel Time: 0.0000000"
"1:05:34.9679858 PM","dotnet.exe","1084","Process Exit","","SUCCESS","Exit Status: -2147450749, User Time: 0.0000000 seconds, Kernel Time: 0.0000000 seconds, Private Bytes: 524,288, Peak Private Bytes: 524,288, Working Set: 2,588,672, Peak Working Set: 2,588,672"
"1:05:34.9680107 PM","dotnet.exe","1084","CloseFile","D:\Windows\System32","SUCCESS",""
"1:05:34.9680811 PM","dotnet.exe","1084","RegCloseKey","HKLM\System\CurrentControlSet\Control\SESSION MANAGER","SUCCESS",""
"1:05:34.9680881 PM","dotnet.exe","1084","RegCloseKey","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions","SUCCESS",""
```