@epcnt19
Last active April 2, 2018 07:10
DRAKVUF v0.5-a642efc
Socketmon plugin requires the Rekall profile for tcpip.sys!
poolmon,0,0xed1b85e0,notepad.exe,1,usbp,unknown_pool_type,140
poolmon,0,0xed1b85e0,notepad.exe,1,ExTm,unknown_pool_type,144
poolmon,0,0xed1b85e0,notepad.exe,1,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x2,,,OUT,PVOID,SystemInformation,0x3c7fc18,,,IN,ULONG,SystemInformationLength,0x158,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,1,0xed1b81e0,svchost.exe,0,NtCreateFile,\??\PhysicalDrive0
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x3c7fa24,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3c7fa58,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3c7fa30,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x60,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Nb22,unknown_pool_type,40
objmon,1,0xed1b81e0,svchost.exe,0,File
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b81e0,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b81e0,svchost.exe,0,ScLF,unknown_pool_type,32,classpnp.sys,File Object Extension
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x870,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3c7fa84,,,IN,ULONG,IoControlCode,0x70224,,,IN,PVOID,InputBuffer,0x3c7fb08,,,IN,ULONG,InputBufferLength,0x8,,,OUT,PVOID,OutputBuffer,0x3c7fb10,,,IN,ULONG,OutputBufferLength,0x58,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,1,0xed1b81e0,svchost.exe,0,Io ,unknown_pool_type,92,nt!io,general IO allocations
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x870,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x4f,,,OUT,PVOID,SystemInformation,0x3c7fd34,,,IN,ULONG,SystemInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xc40,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3c7fd34,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x6f9be620,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x1fc,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0xd1fc84,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x190,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x10,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x879f7ec,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x879f6f8,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x2f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x16,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x879f730,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x2f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x15,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x2f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x12,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f584,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x2f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x13,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f584,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x2f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x11,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f584,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x2f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x10,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x2f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x14,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x3f0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0xbc2a418,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x33d9a4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbc2a418,,,INOUT,PULONG,BufferLength,0x879f030,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x33d9a4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xb1f624,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b8540,explorer.exe,1,AlEB,PagedPool,8
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xb1f628,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb12500,,,INOUT,PULONG,BufferLength,0xedfc18,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xedfc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x62c,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xb1f4e0,,,IN,ULONG,IoControlCode,0x12c008,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0xeb9410,,,IN,ULONG,OutputBufferLength,0x808,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfb8c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,1,0xed1b8320,svchost.exe,0,Io ,unknown_pool_type,2060,nt!io,general IO allocations
poolmon,1,0xed1b8320,svchost.exe,0,NDUI,PagedPool,40
poolmon,1,0xed1b8320,svchost.exe,0,NDUN,PagedPool,20
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtTraceEvent,4,IN,HANDLE,TraceHandle,0x638,,,IN,ULONG,Flags,0x300,,,IN,ULONG,FieldSize,0x70,,,IN,PVOID,Fields,0xb1f388,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfcb8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x634,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xb1f48c,,,IN,ULONG,IoControlCode,0x1403a4,,,IN,PVOID,InputBuffer,0xb1f514,,,IN,ULONG,InputBufferLength,0x8,,,OUT,PVOID,OutputBuffer,0x20671a8,,,IN,ULONG,OutputBufferLength,0x800,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb71838,,
poolmon,1,0xed1b8320,svchost.exe,0,Io ,unknown_pool_type,2052,nt!io,general IO allocations
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x24,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x37b4828,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x840,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x12bbc00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x12a38f4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0xb1ed40,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x12a38f4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x310f410,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,AlEB,PagedPool,28
filetracer,0,0xed1b8340,MsMpEng.exe,0,NtOpenFile,\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x310f468,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x310f43c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x310f430,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x214040,,
objmon,0,0xed1b8340,MsMpEng.exe,0,File
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x3d8,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x76d6438,,,INOUT,PULONG,BufferLength,0x432f510,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x432f524,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8340,MsMpEng.exe,0,IoNm,PagedPool,248,nt!io,Io parsing names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x28,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x432f484,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,80,nt!fsrtl,File System Run Time
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,32,nt!fsrtl,File System Run Time
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x28,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x432f5b0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,36,nt!fsrtl,File System Run Time
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,36,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x28,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x40ad8a0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x52c,\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x6ed34f58,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x6ed34f58,,,IN,ULONG,IoControlCode,0x90240,,,IN,PVOID,InputBuffer,0x310f688,,,IN,ULONG,InputBufferLength,0xc,,,OUT,PVOID,OutputBuffer,0x6ed34f40,,,IN,ULONG,OutputBufferLength,0x18,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,36,nt!fsrtl,File System Run Time
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x52c,\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x310f63c,,,IN,ULONG,IoControlCode,0x902eb,,,IN,PVOID,InputBuffer,0x310f6e0,,,IN,ULONG,InputBufferLength,0x8,,,OUT,PVOID,OutputBuffer,0x670100,,,IN,ULONG,OutputBufferLength,0x400,,
syscall,1 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtQueryFullAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x463f088,,,OUT,PFILE_NETWORK_OPEN_INFORMATION,FileInformation,0x463f0b8,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,FMfn,PagedPool,356,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,1,0xed1b8520,ngentask.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
objmon,1,0xed1b8520,ngentask.exe,0,File
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x52c,,
poolmon,1,0xed1b8520,ngentask.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b8520,ngentask.exe,0,NtFA,unknown_pool_type,232,ntfs.sys,AttrSup.c
poolmon,0,0xed1b8340,MsMpEng.exe,0,CcBc,unknown_pool_type,136,nt!cc,Cache Manager Bcb from pool
syscall,1 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtDelayExecution,2,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,DelayInterval,0x463f0c4,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Ntf0,PagedPool,32,ntfs.sys,general pool allocation
poolmon,0,0xed1b8340,MsMpEng.exe,0,MmRl,unknown_pool_type,4,nt!mm,temporary readlists for file prefetch
poolmon,0,0xed1b8340,MsMpEng.exe,0,MmRl,unknown_pool_type,56,nt!mm,temporary readlists for file prefetch
poolmon,0,0xed1b8340,MsMpEng.exe,0,NtFv,unknown_pool_type,96,ntfs.sys,ViewSup.c
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x310f410,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,0,0xed1b8340,MsMpEng.exe,0,NtOpenFile,\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x310f468,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x310f43c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x310f430,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x214040,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x27c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xf4e808,,,IN,ULONG,TimerSetInformationLength,0x20,,
objmon,0,0xed1b8340,MsMpEng.exe,0,File
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x50,,,OUT,PVOID,SystemInformation,0x11f1540,,,IN,ULONG,SystemInformationLength,0x58,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x4f,,,OUT,PVOID,SystemInformation,0xf4e7e4,,,IN,ULONG,SystemInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,IoNm,PagedPool,248,nt!io,Io parsing names
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x27c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xf4e808,,,IN,ULONG,TimerSetInformationLength,0x20,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,80,nt!fsrtl,File System Run Time
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,32,nt!fsrtl,File System Run Time
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x4f,,,OUT,PVOID,SystemInformation,0xf4e80c,,,IN,ULONG,SystemInformationLength,0x14,,,OUT,PULONG,ReturnLength,0xf4e828,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,36,nt!fsrtl,File System Run Time
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,36,nt!io,general IO allocations
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x77,,,OUT,PVOID,SystemInformation,0xa7ac46e8,,,IN,ULONG,SystemInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x52c,\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x6ed34f58,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x6ed34f58,,,IN,ULONG,IoControlCode,0x90240,,,IN,PVOID,InputBuffer,0x310f688,,,IN,ULONG,InputBufferLength,0xc,,,OUT,PVOID,OutputBuffer,0x6ed34f40,,,IN,ULONG,OutputBufferLength,0x18,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,0,0xed1b8340,MsMpEng.exe,0,FSro,unknown_pool_type,36,nt!fsrtl,File System Run Time
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x52c,\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x310f63c,,,IN,ULONG,IoControlCode,0x902eb,,,IN,PVOID,InputBuffer,0x310f6e0,,,IN,ULONG,InputBufferLength,0x8,,,OUT,PVOID,OutputBuffer,0x670910,,,IN,ULONG,OutputBufferLength,0x400,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x27c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xf4e808,,,IN,ULONG,TimerSetInformationLength,0x20,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,FMfn,PagedPool,356,fltmgr.sys,NAME_CACHE_NODE structure
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x52c,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0xb,,,IN,HANDLE,Handles[],0xf4e900,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,CcBc,unknown_pool_type,136,nt!cc,Cache Manager Bcb from pool
poolmon,0,0xed1b8340,MsMpEng.exe,0,Ntf0,PagedPool,32,ntfs.sys,general pool allocation
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x10,,,OUT,PVOID,ThreadInformation,0x13bf740,,,IN,ULONG,ThreadInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,MmRl,unknown_pool_type,4,nt!mm,temporary readlists for file prefetch
poolmon,0,0xed1b8340,MsMpEng.exe,0,MmRl,unknown_pool_type,56,nt!mm,temporary readlists for file prefetch
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x144,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,NtFv,unknown_pool_type,96,ntfs.sys,ViewSup.c
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x150,,
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x144,,
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xc,,,OUT,PVOID,ThreadInformation,0x13bf84c,,,IN,ULONG,ThreadInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x808,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x310f680,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x310f574,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x13bf620,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x808,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtTerminateThread,2,IN,HANDLE,ThreadHandle,0x0,,,IN,NTSTATUS,ExitStatus,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x534,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x310f680,,
syscall,1 0xed1b83e0,taskhostex.exe,0,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x91a4cb44,,,INOUT,PSIZE_T,RegionSize,0x91a4cb48,,,IN,ULONG,FreeType,0x8000,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x310f574,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x534,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x720,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x310f680,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x310f52c,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x310f52c,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x720,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x720,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x310f680,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x720,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x490,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x310f680,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x490,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x30,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x671e28,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8460,taskhost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x3d9f8b0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8060,csrss.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x9c,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x194fd90,,,INOUT,PULONG,BufferLength,0x194fe80,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x194feac,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,NtFL,unknown_pool_type,4248,ntfs.sys,LogSup.c
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,NtFL,unknown_pool_type,2530,ntfs.sys,LogSup.c
poolmon,0,0x1a5000,System,-1,Lfs ,PagedPool,224,<unknown>,Lfs allocations
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,Ntf9,unknown_pool_type,16384,ntfs.sys,Large Temporary Buffer
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x2f0f9f0,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f9cc,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,44,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,48
poolmon,0,0x1a5000,System,-1,Ntf9,unknown_pool_type,4096,ntfs.sys,Large Temporary Buffer
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,ScC7,unknown_pool_type,18,classpnp.sys,Sense info buffer
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x3,,,OUT,PVOID,ProcessInformation,0x95f8d4,,,IN,ULONG,ProcessInformationLength,0x30,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,Ntf9,unknown_pool_type,4096,ntfs.sys,Large Temporary Buffer
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x2f0f9ec,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f9cc,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Key
poolmon,0,0xed1b84e0,dwm.exe,1,Key ,PagedPool,84
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x3d4,,,IN,PUNICODE_STRING,ValueName,0x2f0f994,CEIPEnable,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x2f0f99c,,,IN,ULONG,Length,0x14,,,OUT,PULONG,ResultLength,0x2f0f990,,
poolmon,0,0xed1b84e0,dwm.exe,1,CMvn,unknown_pool_type,24
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x2f0f8f0,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f8cc,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x2f0f8ec,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f8cc,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Key
poolmon,0,0xed1b84e0,dwm.exe,1,Key ,PagedPool,84
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x34c,,,IN,PUNICODE_STRING,ValueName,0x2f0f894,StudyId,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x2f0f89c,,,IN,ULONG,Length,0x14,,,OUT,PULONG,ResultLength,0x2f0f890,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,CMvn,unknown_pool_type,18
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x34c,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x2f0f970,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f948,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x2f0f970,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f948,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x2f0f970,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f948,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Key
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Key ,PagedPool,84
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x34c,,,IN,PUNICODE_STRING,ValueName,0x2f0f8d4,SampledOut,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x2f0f8dc,,,IN,ULONG,Length,0x14,,,OUT,PULONG,ResultLength,0x2f0f8d0,,
poolmon,0,0xed1b84e0,dwm.exe,1,CMvn,unknown_pool_type,24
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x34c,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3d4,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x2f0f800,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x2f0f7d0,,,IN,PCLIENT_ID,ClientId,0x2f0f7e8,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usti,unknown_pool_type,668,win32k!AllocateW32Thread,THREADINFO
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,unknown_pool_type,140,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,Usty,unknown_pool_type,34,win32k!NtUserResolveDesktopForWOW,TEXT2
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x81562eb0,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputLength,0x0,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x2f0f98c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x77a600,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,0,0xed1b84e0,dwm.exe,1,Uspi,unknown_pool_type,64,win32k!MapDesktop,PROCESSINFO
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtTraceEvent,4,IN,HANDLE,TraceHandle,0x7c,,,IN,ULONG,Flags,0x300,,,IN,ULONG,FieldSize,0x70,,,IN,PVOID,Fields,0x2f0f938,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,UHUB,unknown_pool_type,44,<unknown>,Universal Serial Bus Hub
poolmon,0,0xed1b84e0,dwm.exe,1,usbp,unknown_pool_type,48
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x34c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x2f0f994,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x77a600,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateThreadEx,11,OUT,PHANDLE,ThreadHandle,0x2f0f850,,,IN,ACCESS_MASK,DesiredAccess,0x1fffff,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,StartRoutine,0x8474e3,,,IN,PVOID,Argument,0x77a668,,,IN,ULONG,CreateFlags,0x1,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,StackSize,0x0,,,IN,SIZE_T,MaximumStackSize,0x0,,,IN,PPS_ATTRIBUTE_LIST,AttributeList,0x2f0f860,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Thre
poolmon,0,0xed1b84e0,dwm.exe,1,Thre,unknown_pool_type,1144,nt!ps,Thread objects
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x29,,,IN,PVOID,ProcessInformation,0x9c698484,,,IN,ULONG,ProcessInformationLength,0x1c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c69849c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c69830c,,,IN,ULONG,AllocationType,0x2000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c6984d0,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c6984ac,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c6984d0,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c6984a8,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x104,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vadl,unknown_pool_type,72,nt!mm,Mm virtual address descriptors (long)
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b84e0,dwm.exe,1,SeSd,PagedPool,128,nt!se,Security Descriptor
poolmon,0,0xed1b84e0,dwm.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,0,0xed1b84e0,dwm.exe,1,SeSd,PagedPool,132,nt!se,Security Descriptor
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtResumeThread,2,IN,HANDLE,ThreadHandle,0x3a0,,,OUT,PULONG,PreviousSuspendCount,0x2f0f9d8,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x2f0f9f4,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,80,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,24,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,80,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,36,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,NtFL,unknown_pool_type,1432,ntfs.sys,LogSup.c
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtTestAlert
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtContinue,2,IN,PCONTEXT,ContextRecord,0x3aef9bc,,,IN,BOOLEAN,TestAlert,0x1,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usti,unknown_pool_type,668,win32k!AllocateW32Thread,THREADINFO
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,unknown_pool_type,140,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,Usty,unknown_pool_type,34,win32k!NtUserResolveDesktopForWOW,TEXT2
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x80fc2158,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputLength,0x0,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x2ac,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2ac,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x76cbb0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x3aefb88,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Ustx,unknown_pool_type,16,win32k!NtUserDrawCaptionTemp,TEXT
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef4cc,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef498,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x3aeec68,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3aeeb60,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,0,0xed1b84e0,dwm.exe,1,NtQueryAttributesFile,\??\C:\Windows\system32\dwmapi.dll
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3aee9c8,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x3aee9e0,,
poolmon,0,0xed1b84e0,dwm.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,File
poolmon,0,0xed1b84e0,dwm.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,0,0xed1b84e0,dwm.exe,1,NtOpenFile,\??\C:\Windows\system32\dwmapi.dll
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x3aeec44,,,IN,ACCESS_MASK,DesiredAccess,0x100021,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3aeebe0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3aeebd4,,,IN,ULONG,ShareAccess,0x5,,,IN,ULONG,OpenOptions,0x60,,
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,File
poolmon,0,0xed1b84e0,dwm.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b84e0,dwm.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MPst,PagedPool,32
poolmon,0,0xed1b84e0,dwm.exe,1,FMfn,PagedPool,216,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,0,0xed1b84e0,dwm.exe,1,FMfn,PagedPool,216,fltmgr.sys,NAME_CACHE_NODE structure
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MPCp,PagedPool,102
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateSection,7,OUT,PHANDLE,SectionHandle,0x3aeec68,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PLARGE_INTEGER,MaximumSize,0x0,,,IN,ULONG,SectionPageProtection,0x10,,,IN,ULONG,AllocationAttributes,0x1000000,,,IN,HANDLE,FileHandle,0x2ac,\Windows\System32\dwmapi.dll,
objmon,0,0xed1b84e0,dwm.exe,1,Sect
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd82c,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Sect,PagedPool,80,<unknown>,Section objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0x3ac,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x3aeec94,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x3aeec24,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x800000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x4,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84a0,mscorsvw.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x2dd838,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateData
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQuerySection,5,IN,HANDLE,SectionHandle,0x3ac,,,IN,SECTION_INFORMATION_CLASS,SectionInformationClass,0x2,,,OUT,PVOID,SectionInformation,0x3aeec0c,,,IN,SIZE_T,SectionInformationLength,0x4,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3ac,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateData
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2ac,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x50,,,OUT,PVOID,SystemInformation,0x2bef8f8,,,IN,ULONG,SystemInformationLength,0x58,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x3aeef8c,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x0,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa64,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x2bef93c,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x3aeef90,,,INOUT,PSIZE_T,RegionSize,0x3aeef94,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x4,,,OUT,PULONG,OldProtect,0x262f8dc,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x4a0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x262f8c8,,,INOUT,PSIZE_T,RegionSize,0x262f8cc,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x2,,,OUT,PULONG,OldProtect,0x3aeee64,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtApphelpCacheControl,2,IN,APPHELPCOMMAND,type,0x9,,,IN,PVOID,buf,0x3aeeef8,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x15,,,IN,HANDLE,Handles[],0x2f9108,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Ahca,PagedPool,22
poolmon,1,0x1a5000,System,-1,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtTraceControl,6,IN,ULONG,FunctionCode,0xf,,,IN,PVOID,InBuffer,0x3aeeda0,,,IN,ULONG,InBufferLen,0xa0,,,OUT,PVOID,OutBuffer,0x3aeeda0,,,IN,ULONG,OutBufferLen,0xa0,,,OUT,PULONG,ReturnLength,0x3aeed94,,
poolmon,0,0xed1b84e0,dwm.exe,1,EtwP,unknown_pool_type,164,nt!etw,Etw Pool
objmon,0,0xed1b84e0,dwm.exe,1,EtwR
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1d0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3a8fa7c,,
poolmon,0,0xed1b84e0,dwm.exe,1,EtwR,unknown_pool_type,88,nt!etw,Etw Registration
poolmon,0,0xed1b84e0,dwm.exe,1,SeSd,PagedPool,128,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x3d8,,,IN,ULONG,Flags,0x410000,,,IN,PPORT_MESSAGE,SendMessage,0x76d7540,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,SeSd,PagedPool,104,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x3a8fa7c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtTraceControl,6,IN,ULONG,FunctionCode,0xf,,,IN,PVOID,InBuffer,0x3aeeda0,,,IN,ULONG,InBufferLen,0xa0,,,OUT,PVOID,OutBuffer,0x3aeeda0,,,IN,ULONG,OutBufferLen,0xa0,,,OUT,PULONG,ReturnLength,0x3aeed94,,
poolmon,0,0xed1b84e0,dwm.exe,1,EtwP,unknown_pool_type,164,nt!etw,Etw Pool
filetracer,1,0x1a5000,System,-1,ZwOpenFile,\Device\NetWareRedirector
objmon,0,0xed1b84e0,dwm.exe,1,EtwR
filetracer,1,0x1a5000,System,-1,NtOpenFile,\Device\NetWareRedirector
syscall,1 0x1a5000,System,-1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x91ab6b88,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x91ab6b98,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x91ab6b90,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
poolmon,0,0xed1b84e0,dwm.exe,1,EtwR,unknown_pool_type,88,nt!etw,Etw Registration
poolmon,0,0xed1b84e0,dwm.exe,1,SeSd,PagedPool,128,nt!se,Security Descriptor
filetracer,1,0x1a5000,System,-1,ZwOpenFile,\Device\NamedPipe
filetracer,1,0x1a5000,System,-1,NtOpenFile,\Device\NamedPipe
syscall,1 0x1a5000,System,-1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x91ab6b88,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x91ab6b98,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x91ab6b90,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
poolmon,0,0xed1b84e0,dwm.exe,1,SeSd,PagedPool,104,nt!se,Security Descriptor
objmon,1,0x1a5000,System,-1,File
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef4e4,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0x1a5000,System,-1,File,unknown_pool_type,160,<unknown>,File objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef468,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usml,unknown_pool_type,32,win32k!MsgLookupTableAlloc,MESSAGE FILTER TABLE
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usml,unknown_pool_type,64,win32k!MsgLookupTableAlloc,MESSAGE FILTER TABLE
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usml,unknown_pool_type,64,win32k!MsgLookupTableAlloc,MESSAGE FILTER TABLE
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0x847d20,,,IN,ULONG,Length,0x1c,,,OUT,PRTL_ATOM,Atom,0x3aef880,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x14c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3aef7d8,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtTraceEvent,4,IN,HANDLE,TraceHandle,0xb8,,,IN,ULONG,Flags,0x300,,,IN,ULONG,FieldSize,0x70,,,IN,PVOID,Fields,0x3aef770,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usty,unknown_pool_type,552,win32k!NtUserResolveDesktopForWOW,TEXT2
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x1a,,,OUT,PVOID,ProcessInformation,0x3aef7ac,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtConnectPort,8,OUT,PHANDLE,PortHandle,0x7bfb98,,,IN,PUNICODE_STRING,PortName,0x3aef6f4,\Sessions\1\Windows\DwmApiPort,,IN,PSECURITY_QUALITY_OF_SERVICE,SecurityQos,0x3aef700,,,INOUT,PPORT_VIEW,ClientView,0x0,,,INOUT,PREMOTE_PORT_VIEW,ServerView,0x0,,,OUT,PULONG,MaxMessageLength,0x0,,,INOUT,PVOID,ConnectionInformation,0x0,,,INOUT,PULONG,ConnectionInformationLength,0x3aef6fc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSecureConnectPort,9,OUT,PHANDLE,PortHandle,0x7bfb98,,,IN,PUNICODE_STRING,PortName,0x3aef6f4,\Sessions\1\Windows\DwmApiPort,,IN,PSECURITY_QUALITY_OF_SERVICE,SecurityQos,0x3aef700,,,INOUT,PPORT_VIEW,ClientView,0x0,,,IN,PSID,RequiredServerSid,0x0,,,INOUT,PREMOTE_PORT_VIEW,ServerView,0x0,,,OUT,PULONG,MaxMessageLength,0x0,,,INOUT,PVOID,ConnectionInformation,0x0,,,INOUT,PULONG,ConnectionInformationLength,0x3aef6fc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
objmon,0,0xed1b84e0,dwm.exe,1,ALPC
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0xed1b84e0,dwm.exe,1,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
poolmon,0,0xed1b84e0,dwm.exe,1,AlCI,PagedPool,64,nt!alpc,ALPC communication info
syscall,1 0x1a5000,System,-1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x80000a2c,,
poolmon,0,0xed1b84e0,dwm.exe,1,AlMs,PagedPool,168,nt!alpc,ALPC message
filetracer,1,0x1a5000,System,-1,ZwOpenFile,\Device\Mailslot
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
filetracer,1,0x1a5000,System,-1,NtOpenFile,\Device\Mailslot
syscall,1 0x1a5000,System,-1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x91ab6b88,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x91ab6b98,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x91ab6b90,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
objmon,1,0x1a5000,System,-1,File
poolmon,1,0x1a5000,System,-1,File,unknown_pool_type,160,<unknown>,File objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAcceptConnectPort,6,OUT,PHANDLE,PortHandle,0x229a780,,,IN,PVOID,PortContext,0x229a780,,,IN,PPORT_MESSAGE,ConnectionRequest,0x41ef558,,,IN,BOOLEAN,AcceptConnection,0x1,,,INOUT,PPORT_VIEW,ServerView,0x0,,,OUT,PREMOTE_PORT_VIEW,ClientView,0x229a784,,
objmon,0,0xed1b84e0,dwm.exe,1,ALPC
poolmon,0,0xed1b84e0,dwm.exe,1,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCompleteConnectPort,1,IN,HANDLE,PortHandle,0x378,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtRequestWaitReplyPort,3,IN,HANDLE,PortHandle,0x360,,,IN,PPORT_MESSAGE,RequestMessage,0x6ef528,,,OUT,PPORT_MESSAGE,ReplyMessage,0x6ef528,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0x1a5000,System,-1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x80000a2c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0x1a5000,System,-1,Nb23,unknown_pool_type,41
poolmon,1,0x1a5000,System,-1,Nb14,unknown_pool_type,41
poolmon,1,0x1a5000,System,-1,Strg,PagedPool,82,<unknown>,Dynamic Translated strings
filetracer,1,0x1a5000,System,-1,ZwCreateFile,\SystemRoot\System32\drivers\etc\lmhosts
filetracer,1,0x1a5000,System,-1,NtCreateFile,\SystemRoot\System32\drivers\etc\lmhosts
syscall,1 0x1a5000,System,-1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x91ab6b34,,,IN,ACCESS_MASK,DesiredAccess,0x100001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x91ab6afc,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x91ab6b14,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x80,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x20,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,1,0x1a5000,System,-1,File
poolmon,1,0x1a5000,System,-1,File,unknown_pool_type,160,<unknown>,File objects
poolmon,1,0x1a5000,System,-1,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,1,0x1a5000,System,-1,NtFA,unknown_pool_type,160,ntfs.sys,AttrSup.c
poolmon,0,0xed1b8540,explorer.exe,1,Usty,unknown_pool_type,552,win32k!NtUserResolveDesktopForWOW,TEXT2
poolmon,0,0xed1b8540,explorer.exe,1,Usty,unknown_pool_type,552,win32k!NtUserResolveDesktopForWOW,TEXT2
poolmon,0,0xed1b8540,explorer.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
poolmon,1,0x1a5000,System,-1,UHUB,unknown_pool_type,24,<unknown>,Universal Serial Bus Hub
poolmon,1,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,1,0x1a5000,System,-1,UHUB,unknown_pool_type,80,<unknown>,Universal Serial Bus Hub
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,28
poolmon,1,0x1a5000,System,-1,UHUB,unknown_pool_type,24,<unknown>,Universal Serial Bus Hub
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9b29dbc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9b29dbfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0x1a5000,System,-1,UHUB,unknown_pool_type,24,<unknown>,Universal Serial Bus Hub
poolmon,0,0xed1b8540,explorer.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,1,0x1a5000,System,-1,ExTm,unknown_pool_type,144
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
poolmon,0,0x1a5000,System,-1,NtFf,unknown_pool_type,48,ntfs.sys,FsCtrl.c
poolmon,0,0x1a5000,System,-1,ScC9,unknown_pool_type,72
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyPort,2,IN,HANDLE,PortHandle,0xe4,,,IN,PPORT_MESSAGE,ReplyMessage,0x41ef558,,
poolmon,0,0x1a5000,System,-1,IdeP,unknown_pool_type,512,<unknown>,atapi IDE
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtRequestWaitReplyPort,3,IN,HANDLE,PortHandle,0x360,,,IN,PPORT_MESSAGE,RequestMessage,0x6eee20,,,OUT,PPORT_MESSAGE,ReplyMessage,0x6eee20,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0x1a5000,System,-1,IdeP,unknown_pool_type,18,<unknown>,atapi IDE
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyPort,2,IN,HANDLE,PortHandle,0xe4,,,IN,PPORT_MESSAGE,ReplyMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,1,0xed1b8540,explorer.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,1400
poolmon,0,0xed1b84e0,dwm.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x440,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1b7f7b4,,
poolmon,0,0xed1b84e0,dwm.exe,1,Uscu,unknown_pool_type,100,win32k!_CreateEmptyCursorObject,CURSOR
poolmon,0,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,1400
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x490,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1b7f740,,,IN,ULONG,IoControlCode,0x1208b,,,IN,PVOID,InputBuffer,0x5ac,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1b7f76c,,,IN,ULONG,OutputBufferLength,0x38,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x490,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1b7f65c,,,IN,ULONG,IoControlCode,0x12033,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1b7f6c8,,,IN,ULONG,OutputBufferLength,0x8,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x50,,,OUT,PVOID,SystemInformation,0x328fbf8,,,IN,ULONG,SystemInformationLength,0x58,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x490,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1b7f708,,,IN,ULONG,IoControlCode,0x120cf,,,IN,PVOID,InputBuffer,0x1b7f6e4,,,IN,ULONG,InputBufferLength,0x24,,,OUT,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputBufferLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,4472
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Uscu,unknown_pool_type,100,win32k!_CreateEmptyCursorObject,CURSOR
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,4472
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8b8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef884,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gh1?,unknown_pool_type,88
poolmon,0,0xed1b84e0,dwm.exe,1,DwmL,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,0,0xed1b84e0,dwm.exe,1,Gh1B,unknown_pool_type,200
poolmon,0,0xed1b84e0,dwm.exe,1,AlMs,PagedPool,416,nt!alpc,ALPC message
poolmon,0,0xed1b84e0,dwm.exe,1,Dcdd,unknown_pool_type,760,cdd.dll,Canonical display driver
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,PagedPool,96,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x470,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,PagedPool,96,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,unknown_pool_type,40,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xc72a58,,
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,PagedPool,88,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,PagedPool,32,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x0,,,OUT,PVOID,SystemInformation,0x328fc50,,,IN,ULONG,SystemInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,unknown_pool_type,48,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x50,,,OUT,PVOID,SystemInformation,0x328fb48,,,IN,ULONG,SystemInformationLength,0x58,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,WPAL,PagedPool,176
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x7b,,,OUT,PVOID,SystemInformation,0x328fb38,,,IN,ULONG,SystemInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,WPAO,PagedPool,16
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x50,,,OUT,PVOID,SystemInformation,0x328fba0,,,IN,ULONG,SystemInformationLength,0x58,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,PagedPool,8,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,PagedPool,336,dxgkrnl.sys,Video memory manager
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x328fb08,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,unknown_pool_type,56,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,PagedPool,48,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,unknown_pool_type,20,dxgkrnl.sys,Video memory manager
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xc0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x118ef90,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x118c6e4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x118ef90,,,INOUT,PULONG,BufferLength,0xfbf210,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x118c6e4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8580,dllhost.exe,1,AlMs,PagedPool,416,nt!alpc,ALPC message
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb14710,,,INOUT,PULONG,BufferLength,0xedfc18,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xedfc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,unknown_pool_type,16,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b8480,dwm.exe,1,MmCa,unknown_pool_type,128,nt!mm,Mm control areas for mapped files
poolmon,0,0xed1b8480,dwm.exe,1,MSeg,PagedPool,48
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b8480,dwm.exe,1,MmSt,unknown_pool_type,3160,nt!mm,Mm section object prototype ptes
objmon,0,0xed1b8480,dwm.exe,1,Sect
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0xed1b8480,dwm.exe,1,Sect,PagedPool,80,<unknown>,Section objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,PagedPool,24,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,unknown_pool_type,84,dxgkrnl.sys,Video memory manager
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,PagedPool,72,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b8480,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,PagedPool,48,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,DxgK,PagedPool,96,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0xed1b84e0,dwm.exe,1,Dcdd,unknown_pool_type,32,cdd.dll,Canonical display driver
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gsem,unknown_pool_type,72,<unknown>,Gdi Semaphores
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,W32l,unknown_pool_type,72
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Urdr,unknown_pool_type,32,win32k!SetRedirectionBitmap,REDIRECT
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ReTa,unknown_pool_type,56,<unknown>,Resource Extended Table
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,0,0xed1b84e0,dwm.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,1,0x1a5000,System,-1,UHUB,unknown_pool_type,24,<unknown>,Universal Serial Bus Hub
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0x1a5000,System,-1,UHUB,unknown_pool_type,44,<unknown>,Universal Serial Bus Hub
poolmon,0,0xed1b84e0,dwm.exe,1,Ussw,unknown_pool_type,28,win32k!_BeginDeferWindowPos,SWP
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,48
poolmon,0,0xed1b84e0,dwm.exe,1,Ussw,unknown_pool_type,128,win32k!_BeginDeferWindowPos,SWP
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8b8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,80,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,44,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,48
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,24,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8d0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef034,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,1400
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,80,<unknown>,Universal Serial Bus Hub
poolmon,1,0xed1b84e0,dwm.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,1,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
poolmon,1,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8d0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Gh17,unknown_pool_type,272
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef5dc,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gh14,unknown_pool_type,12704
poolmon,0,0xed1b84e0,dwm.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,0,0xed1b84e0,dwm.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,10456
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8d0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,GTmp,unknown_pool_type,412
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,0,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Geto,unknown_pool_type,4096
poolmon,0,0xed1b84e0,dwm.exe,1,Uswl,unknown_pool_type,148,win32k!BuildHwndList,WINDOWLIST
poolmon,1,0x1a5000,System,-1,usbp,unknown_pool_type,28
poolmon,1,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
poolmon,1,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8d0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x91f66c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x91f668,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8d0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtRequestWaitReplyPort,3,IN,HANDLE,PortHandle,0x360,,,IN,PPORT_MESSAGE,RequestMessage,0x6eef88,,,OUT,PPORT_MESSAGE,ReplyMessage,0x6eef88,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x89dfbac,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x89dfa60,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89dfa60,,,INOUT,PULONG,BufferLength,0x89df9e4,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df9e8,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f4,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x89df904,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x89df900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
objmon,0,0xed1b8540,explorer.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0xbb6dfd0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xbb56628,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gh17,unknown_pool_type,272
poolmon,0,0xed1b8540,explorer.exe,1,AlHd,PagedPool,56
poolmon,1,0xed1b84e0,dwm.exe,1,Gh14,unknown_pool_type,12704
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89df748,,,INOUT,PULONG,BufferLength,0x89df73c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760db8,,,IN,PLARGE_INTEGER,Timeout,0x89df740,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa10,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df90c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x89df88c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df83c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b8540,explorer.exe,1,Usty,unknown_pool_type,552,win32k!NtUserResolveDesktopForWOW,TEXT2
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0x1a5000,System,-1,HidU,unknown_pool_type,80
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0x1a5000,System,-1,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
poolmon,1,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,10456
poolmon,1,0xed1b84e0,dwm.exe,1,GTmp,unknown_pool_type,412
poolmon,1,0xed1b84e0,dwm.exe,1,Geto,unknown_pool_type,4096
poolmon,1,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
poolmon,1,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gh17,unknown_pool_type,272
poolmon,1,0xed1b84e0,dwm.exe,1,Gh14,unknown_pool_type,12704
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95eb54,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95eb50,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,10456
poolmon,1,0xed1b84e0,dwm.exe,1,GTmp,unknown_pool_type,412
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95d6e4,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95d6e0,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b84e0,dwm.exe,1,Geto,unknown_pool_type,4096
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
poolmon,1,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x160,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyPort,2,IN,HANDLE,PortHandle,0xe4,,,IN,PPORT_MESSAGE,ReplyMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x160,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Uswl,unknown_pool_type,752,win32k!BuildHwndList,WINDOWLIST
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef8b8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x34c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3aefb88,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x34c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3aefb88,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x4299600,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,48,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,96,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,48,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,56,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,96,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3bc,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,unknown_pool_type,40,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,unknown_pool_type,48,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3bc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x340,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,WPAO,PagedPool,16
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x3e4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ViMm,PagedPool,24,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b84e0,dwm.exe,1,ViMm,unknown_pool_type,84,dxgkrnl.sys,Video memory manager
poolmon,1,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
poolmon,0,0xed1b84e0,dwm.exe,1,ViMm,PagedPool,72,dxgkrnl.sys,Video memory manager
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
filetracer,1,0xed1b84e0,dwm.exe,1,NtCreateFile,\??\C:\Windows\system32\en-US\USER32.dll.mui
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x3aeeba8,,,IN,ACCESS_MASK,DesiredAccess,0x80100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3aeebe0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3aeebc8,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x5,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x0,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,1,0xed1b84e0,dwm.exe,1,File
poolmon,1,0xed1b84e0,dwm.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b84e0,dwm.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95e360,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95e364,,,IN,ULONG,AllocationType,0x2000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b84e0,dwm.exe,1,FMfn,PagedPool,236,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,0,0xed1b84e0,dwm.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,1,0xed1b84e0,dwm.exe,1,FMfn,PagedPool,236,fltmgr.sys,NAME_CACHE_NODE structure
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95e3a8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95e3dc,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b84e0,dwm.exe,1,MPCp,PagedPool,122
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateSection,7,OUT,PHANDLE,SectionHandle,0x3aeebac,,,IN,ACCESS_MASK,DesiredAccess,0xf0005,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PLARGE_INTEGER,MaximumSize,0x0,,,IN,ULONG,SectionPageProtection,0x2,,,IN,ULONG,AllocationAttributes,0x8000000,,,IN,HANDLE,FileHandle,0x3bc,\Windows\System32\en-US\user32.dll.mui,
objmon,1,0xed1b84e0,dwm.exe,1,Sect
poolmon,1,0xed1b84e0,dwm.exe,1,Sect,PagedPool,80,<unknown>,Section objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95eb54,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95eb50,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0xe0,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x3aeebb0,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x3aeebc0,,,INOUT,PSIZE_T,ViewSize,0x3aeebb4,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x0,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x2,,
poolmon,1,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xe0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x160,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x2090000,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x3aeeb30,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x2090000,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x3aef450,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x3aeeee4,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3aeed70,,
objmon,1,0xed1b84e0,dwm.exe,1,Key
poolmon,1,0xed1b84e0,dwm.exe,1,Key ,PagedPool,84
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xe0,,,IN,PUNICODE_STRING,ValueName,0x3aeed58,Disable,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x3aeed64,,,IN,ULONG,Length,0x13,,,OUT,PULONG,ResultLength,0x3aeed60,,
poolmon,1,0xed1b84e0,dwm.exe,1,CMvn,unknown_pool_type,18
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xe0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x3aef2e0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aef23c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x34c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3aefb88,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,20216
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb30,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,GTmp,unknown_pool_type,788
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x3aefb88,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,Ttfd,unknown_pool_type,120,<unknown>,TrueType Font driver
poolmon,0,0xed1b8480,dwm.exe,1,Ttfd,unknown_pool_type,192,<unknown>,TrueType Font driver
poolmon,0,0xed1b8480,dwm.exe,1,Ttfd,unknown_pool_type,120,<unknown>,TrueType Font driver
poolmon,0,0xed1b84e0,dwm.exe,1,Geto,unknown_pool_type,8192
poolmon,0,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x340,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3e4,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
poolmon,0,0x1a5000,System,-1,HidU,unknown_pool_type,96
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
poolmon,0,0x1a5000,System,-1,HidU,unknown_pool_type,96
poolmon,0,0x1a5000,System,-1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,32
poolmon,0,0x1a5000,System,-1,usbp,unknown_pool_type,28
poolmon,0,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,HidU,unknown_pool_type,96
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,UHUB,unknown_pool_type,20,<unknown>,Universal Serial Bus Hub
poolmon,0,0xed1b8540,explorer.exe,1,usbp,unknown_pool_type,32
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b8540,explorer.exe,1,usbp,unknown_pool_type,32
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b8540,explorer.exe,1,usbp,unknown_pool_type,28
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtSetTimer,7,IN,HANDLE,TimerHandle,0x800004ac,,,IN,PLARGE_INTEGER,DueTime,0x9c77a8a8,,,IN,PTIMER_APC_ROUTINE,TimerApcRoutine,0x0,,,IN,PVOID,TimerContext,0x0,,,IN,BOOLEAN,WakeTimer,0x0,,,IN,LONG,Period,0x0,,,OUT,PBOOLEAN,PreviousState,0x0,,
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtReadFile,9,IN,HANDLE,FileHandle,0x80000478,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x966b4823,,,IN,PVOID,ApcContext,0x80fad9c8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x80fad9f8,,,OUT,PVOID,Buffer,0x80fada50,,,IN,ULONG,Length,0xf0,,,IN,PLARGE_INTEGER,ByteOffset,0x9692f010,,,IN,PULONG,Key,0x0,,
poolmon,1,0xed1b8480,csrss.exe,1,Io ,unknown_pool_type,244,nt!io,general IO allocations
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x202f55c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x202f558,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x4299600,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x364,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x364,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x2b4,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x294,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95d6e4,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95d6e0,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x160,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Strg,PagedPool,10,<unknown>,Dynamic Translated strings
poolmon,1,0xed1b8540,explorer.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCancelTimer,2,IN,HANDLE,TimerHandle,0x800004ac,,,OUT,PBOOLEAN,CurrentState,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9b29dbc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9b29dbfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
poolmon,0,0xed1b85e0,notepad.exe,1,Strg,PagedPool,16,<unknown>,Dynamic Translated strings
poolmon,1,0xed1b8540,explorer.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,1,0xed1b8540,explorer.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b85e0,notepad.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtRemoveIoCompletionEx,6,IN,HANDLE,IoCompletionHandle,0x8000047c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,IoCompletionInformation,0xa7a90ba8,,,IN,ULONG,Count,0x1,,,OUT,PULONG,NumEntriesRemoved,0xa7a90ba4,,,IN,PLARGE_INTEGER,Timeout,0x0,,,IN,BOOLEAN,Alertable,0x1,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2b4,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x294,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95dfa4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,0,0xed1b8480,dwm.exe,1,ViMm,PagedPool,20,dxgkrnl.sys,Video memory manager
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b8480,dwm.exe,1,Mmdl,unknown_pool_type,1608,nt!mm,Mm Mdls for flushes
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x3aefb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b84e0,dwm.exe,1,Gh1B,unknown_pool_type,200
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gh17,unknown_pool_type,272
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gh14,unknown_pool_type,12704
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,20216
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x4299600,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b84e0,dwm.exe,1,GTmp,unknown_pool_type,788
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
poolmon,1,0xed1b84e0,dwm.exe,1,Geto,unknown_pool_type,8192
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x294,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x294,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x2b4,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2b4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x394,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x3c4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
poolmon,1,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,1,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
poolmon,1,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x394,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x14c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3aefb58,,
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x3aefb88,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x3aefb38,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18fb30,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18ec24,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18f3dc,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18fb30,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa10,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df90c,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x89df88c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df83c,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
poolmon,1,0xed1b8540,explorer.exe,1,Geto,unknown_pool_type,796
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
poolmon,1,0xed1b8540,explorer.exe,1,Ustm,unknown_pool_type,72,win32k!InternalSetTimer,TIMER
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9b29daa8,,,INOUT,PSIZE_T,RegionSize,0x9b29daa0,,,IN,ULONG,FreeType,0x8000,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b8540,explorer.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x429a500,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3cc,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x37c,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x33c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9b29dbc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9b29dbfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
poolmon,0,0xed1b8540,explorer.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,0,0xed1b8540,explorer.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b8540,explorer.exe,1,Geto,unknown_pool_type,796
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9b29daa8,,,INOUT,PSIZE_T,RegionSize,0x9b29daa0,,,IN,ULONG,FreeType,0x8000,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,1,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x37c,,
poolmon,1,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x33c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f99c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f99c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f99c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f664,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f968,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Uswl,unknown_pool_type,148,win32k!BuildHwndList,WINDOWLIST
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18fb30,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18ec24,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,1400
poolmon,0,0xed1b84e0,dwm.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18f3dc,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfb8c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x18fb30,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b84e0,dwm.exe,1,Gh17,unknown_pool_type,272
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19ec8c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gh14,unknown_pool_type,12704
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f628,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Gh15,unknown_pool_type,10456
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f628,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,GTmp,unknown_pool_type,412
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b84e0,dwm.exe,1,Geto,unknown_pool_type,4096
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b84e0,dwm.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,0,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,376
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
poolmon,0,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x2,,,IN,ULONG,HandleAttributes,0x200,,,OUT,PHANDLE,TokenHandle,0x1d6f098,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtDuplicateToken,6,IN,HANDLE,ExistingTokenHandle,0xa08,,,IN,ACCESS_MASK,DesiredAccess,0x4,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1d6f080,,,IN,BOOLEAN,EffectiveOnly,0x0,,,IN,TOKEN_TYPE,TokenType,0x2,,,OUT,PHANDLE,NewTokenHandle,0x1d6f09c,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,SeAt,PagedPool,24
poolmon,0,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
poolmon,1,0xed1b8540,explorer.exe,1,SeTl,unknown_pool_type,56
poolmon,0,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,436
objmon,1,0xed1b8540,explorer.exe,1,Toke
poolmon,1,0xed1b8540,explorer.exe,1,Toke,PagedPool,1196,nt!se,Token objects
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,SeTd,PagedPool,120,nt!se,Security Token dynamic part
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,SeSd,PagedPool,216,nt!se,Security Descriptor
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,SeSd,PagedPool,196,nt!se,Security Descriptor
poolmon,0,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b8540,explorer.exe,1,ObSc,PagedPool,212,nt!ob,Object security descriptor cache block
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,SeAc,PagedPool,116,nt!se,Security ACL
poolmon,0,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,148
poolmon,1,0xed1b8540,explorer.exe,1,SeSd,PagedPool,220,nt!se,Security Descriptor
poolmon,0,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,676
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x1d6f09c,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa0c,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x160,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x160,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x160,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,28,dxgkrnl.sys,Vista display driver support
poolmon,0,0xed1b84e0,dwm.exe,1,ViMm,unknown_pool_type,8,dxgkrnl.sys,Video memory manager
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,436
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x429a500,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x33c,,,OUT,PLONG,PreviousState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x33c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b84e0,dwm.exe,1,ViMm,unknown_pool_type,32,dxgkrnl.sys,Video memory manager
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x37c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x3e8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAdjustPrivilegesToken,6,IN,HANDLE,TokenHandle,0xa08,,,IN,BOOLEAN,DisableAllPrivileges,0x0,,,IN,PTOKEN_PRIVILEGES,NewState,0x1d6f124,,,IN,ULONG,BufferLength,0x1c,,,OUT,PTOKEN_PRIVILEGES,PreviousState,0x1d6f100,,,OUT,PULONG,ReturnLength,0x1d6f0f4,,
poolmon,1,0xed1b8540,explorer.exe,1,SeLu,PagedPool,24,nt!se,Security LUID and Attributes array
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtPowerInformation,5,IN,POWER_INFORMATION_LEVEL,InformationLevel,0x10,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1d6f354,,,IN,ULONG,OutputBufferLength,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x1d6f0d4,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa08,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,496
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f9b4,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f9b4,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x37c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3e8,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,1,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,1,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b85e0,notepad.exe,1,Ussw,unknown_pool_type,28,win32k!_BeginDeferWindowPos,SWP
poolmon,1,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b85e0,notepad.exe,1,Ussw,unknown_pool_type,128,win32k!_BeginDeferWindowPos,SWP
poolmon,1,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,1,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f55c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19eda4,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Uswl,unknown_pool_type,752,win32k!BuildHwndList,WINDOWLIST
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f99c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Usny,unknown_pool_type,40,win32k!CreateNotify,NOTIFY
poolmon,1,0xed1b84e0,dwm.exe,1,Gh14,unknown_pool_type,392
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95ed5c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95ed58,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95ed5c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x95ed58,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
poolmon,0,0xed1b85e0,notepad.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,0,0xed1b85e0,notepad.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x4299d00,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x33c,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x33c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3cc,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x3c4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
poolmon,1,0xed1b85e0,notepad.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
poolmon,1,0xed1b85e0,notepad.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3cc,,
poolmon,1,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,1,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,1,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b84e0,dwm.exe,1,Gh14,unknown_pool_type,360
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,0,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x4299d00,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x394,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x394,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x2b4,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x294,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19ec8c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f628,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f628,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x328,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfcb8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2b4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x294,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,376
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,436
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb71838,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8580,dllhost.exe,1,Usti,unknown_pool_type,668,win32k!AllocateW32Thread,THREADINFO
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b8580,dllhost.exe,1,DxgK,unknown_pool_type,140,dxgkrnl.sys,Vista display driver support
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,148
poolmon,0,0xed1b8580,dllhost.exe,1,Usty,unknown_pool_type,34,win32k!NtUserResolveDesktopForWOW,TEXT2
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,676
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x86205a58,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8580,dllhost.exe,1,Even
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b8580,dllhost.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x6fc,\Endpoint,,IN,HANDLE,Event,0x8f4,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1134f7d4,,,IN,ULONG,IoControlCode,0x12023,,,IN,PVOID,InputBuffer,0x1134f79c,,,IN,ULONG,InputBufferLength,0x38,,,OUT,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputBufferLength,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
poolmon,0,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,436
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8240,svchost.exe,0,NDIS,unknown_pool_type,48
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1134f85c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x120000,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f5c0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
objmon,1,0xed1b8240,svchost.exe,0,Even
poolmon,0,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
poolmon,1,0xed1b8240,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,0,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,496
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x354,,,IN,HANDLE,Event,0x874,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1134f8d0,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0x1134f90c,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0x1134f90c,,,IN,ULONG,OutputBufferLength,0x3c,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f9b4,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8240,svchost.exe,0,NSpg,unknown_pool_type,5204,nsi.dll,NSI Proxy Generic Buffers
poolmon,0,0xed1b85e0,notepad.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,0,0xed1b85e0,notepad.exe,1,Usqm,unknown_pool_type,96,win32k!InitQEntryLookaside,QMSG
poolmon,1,0xed1b8240,svchost.exe,0,NSIr,unknown_pool_type,16,nsi.dll,NSI Generic Buffers
poolmon,1,0xed1b8240,svchost.exe,0,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f99c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8240,svchost.exe,0,Wl2g,unknown_pool_type,140
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f99c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8240,svchost.exe,0,NDre,unknown_pool_type,92
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f99c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x874,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f9ac,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1134f85c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x120000,,
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19ea04,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
objmon,1,0xed1b8240,svchost.exe,0,Even
poolmon,1,0xed1b8240,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f3a0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x354,,,IN,HANDLE,Event,0x874,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1134f8d0,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0x1134f90c,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0x1134f90c,,,IN,ULONG,OutputBufferLength,0x3c,,
poolmon,1,0xed1b8240,svchost.exe,0,NSpg,unknown_pool_type,5204,nsi.dll,NSI Proxy Generic Buffers
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8240,svchost.exe,0,NSIr,unknown_pool_type,16,nsi.dll,NSI Generic Buffers
syscall,0 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f3a0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8240,svchost.exe,0,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8240,svchost.exe,0,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b8240,svchost.exe,0,NDre,unknown_pool_type,92
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x874,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x95ee2c,,,INOUT,PSIZE_T,RegionSize,0x95ee58,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f338,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,376
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x374,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x374,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x429a500,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x394,,,OUT,PLONG,PreviousState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x394,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3c4,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x3cc,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1134f82c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x120000,,
objmon,0,0xed1b8240,svchost.exe,0,Even
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f338,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b8240,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x354,,,IN,HANDLE,Event,0x874,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1134f89c,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0x1134f8d8,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0x1134f8d8,,,IN,ULONG,OutputBufferLength,0x3c,,
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,436
poolmon,0,0xed1b8240,svchost.exe,0,NSpg,unknown_pool_type,5124,nsi.dll,NSI Proxy Generic Buffers
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8240,svchost.exe,0,NSIr,unknown_pool_type,1116,nsi.dll,NSI Generic Buffers
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x874,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1134f82c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x120000,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
objmon,0,0xed1b8240,svchost.exe,0,Even
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8240,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x354,,,IN,HANDLE,Event,0x874,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1134f89c,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0x1134f8d8,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0x1134f8d8,,,IN,ULONG,OutputBufferLength,0x3c,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f338,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,148
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
poolmon,0,0xed1b8240,svchost.exe,0,NSpg,unknown_pool_type,5844,nsi.dll,NSI Proxy Generic Buffers
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,1,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c4,,
poolmon,1,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
poolmon,0,0xed1b8240,svchost.exe,0,NSIr,unknown_pool_type,984,nsi.dll,NSI Generic Buffers
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x874,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1134f78c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x120000,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
objmon,0,0xed1b8240,svchost.exe,0,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,0,0xed1b8240,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x374,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x354,,,IN,HANDLE,Event,0x874,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1134f800,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0x1134f83c,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0x1134f83c,,,IN,ULONG,OutputBufferLength,0x3c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x374,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b8240,svchost.exe,0,NSpg,unknown_pool_type,4692,nsi.dll,NSI Proxy Generic Buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x4299600,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x394,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x394,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b8240,svchost.exe,0,NSIr,unknown_pool_type,8,nsi.dll,NSI Generic Buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3cc,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x3c4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x874,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtAlpcDeletePortSection,3,IN,HANDLE,PortHandle,0x3f8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,SectionHandle,0x10,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x1134fa04,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x1134fa08,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x5a06c0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c4,,
poolmon,1,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,1,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x30,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x30,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xd2ec98,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x4e0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1a7fbb4,,,IN,ULONG,IoControlCode,0x1202f,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1a7fbe4,,,IN,ULONG,OutputBufferLength,0x10,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xc8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1a7f838,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x4e0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1a7fbb4,,,IN,ULONG,IoControlCode,0x1202f,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1a7fbe4,,,IN,ULONG,OutputBufferLength,0x10,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xc8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1a7f838,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x4e0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1a7fbb4,,,IN,ULONG,IoControlCode,0x1202f,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1a7fbe4,,,IN,ULONG,OutputBufferLength,0x10,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x4ec,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xc8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1a7f838,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1149f28,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1a7fdc0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1a7fdc0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x578,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x17d8,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x490e008,,,INOUT,PULONG,BufferLength,0x1bfd88,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x4aa2610,,,IN,PLARGE_INTEGER,Timeout,0x1bfda0,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b8040,services.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x193f7bc,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8040,services.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x2c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x5cfbcc,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x193f7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8040,services.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xcc,,
syscall,1 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xca5bb8,,
syscall,0 0xed1b8040,services.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x2c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x5cfbd0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b8040,services.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x2c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x67bc20,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x49cd9b4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0xf09000,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x28,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x3a0f614,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
objmon,0,0xed1b82a0,SearchIndexer.,0,Even
poolmon,0,0xed1b82a0,SearchIndexer.,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x28,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x3a0f618,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x6a0,,,IN,HANDLE,Event,0x308,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x49cdac4,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x49cdac4,,,IN,ULONG,IoControlCode,0x900f4,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x49cdb88,,,IN,ULONG,OutputBufferLength,0x40,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x28,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x11f5060,,
poolmon,0,0xed1b82a0,SearchIndexer.,0,Io ,unknown_pool_type,68,nt!io,general IO allocations
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x308,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x6a0,,,IN,HANDLE,Event,0x5f4,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x39a107c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x39a107c,,,IN,ULONG,IoControlCode,0x900bb,,,IN,PVOID,InputBuffer,0x49cdbc8,,,IN,ULONG,InputBufferLength,0x30,,,OUT,PVOID,OutputBuffer,0x49ceed0,,,IN,ULONG,OutputBufferLength,0x1008,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82a0,SearchIndexer.,0,Ntf0,PagedPool,32,ntfs.sys,general pool allocation
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82a0,SearchIndexer.,0,MmRl,unknown_pool_type,4,nt!mm,temporary readlists for file prefetch
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82a0,SearchIndexer.,0,MmRl,unknown_pool_type,56,nt!mm,temporary readlists for file prefetch
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f160,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f160,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x5f4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cd9a8,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,676
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1569c8,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x5d8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cd678,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x5d8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cd3e4,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cbe3c,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cbe3c,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f338,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x4fc,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,436
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x5d8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cd678,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x5d8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cd3e4,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cbe3c,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f338,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x49cbe3c,,
poolmon,1,0xed1b85e0,notepad.exe,1,GTmp,unknown_pool_type,104
poolmon,1,0xed1b85e0,notepad.exe,1,Geto,unknown_pool_type,496
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x4fc,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f72c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3dc,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3dc,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f72c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f984,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x6a0,,,IN,HANDLE,Event,0x5f4,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x39a107c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x39a107c,,,IN,ULONG,IoControlCode,0x900bb,,,IN,PVOID,InputBuffer,0x49cdb58,,,IN,ULONG,InputBufferLength,0x30,,,OUT,PVOID,OutputBuffer,0x39a10a8,,,IN,ULONG,OutputBufferLength,0x8,,
poolmon,0,0xed1b82a0,SearchIndexer.,0,NtFv,unknown_pool_type,96,ntfs.sys,ViewSup.c
poolmon,1,0xed1b85e0,notepad.exe,1,Gh14,unknown_pool_type,360
poolmon,1,0xed1b85e0,notepad.exe,1,Gh14,unknown_pool_type,360
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x384,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x392c970,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gh14,unknown_pool_type,360
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x440,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x18ff6ec,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x5b8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x18ff678,,,IN,ULONG,IoControlCode,0x1208b,,,IN,PVOID,InputBuffer,0x5ac,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x18ff6a4,,,IN,ULONG,OutputBufferLength,0x38,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x5b8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x18ff594,,,IN,ULONG,IoControlCode,0x12033,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x18ff600,,,IN,ULONG,OutputBufferLength,0x8,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x5b8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x18ff640,,,IN,ULONG,IoControlCode,0x120cf,,,IN,PVOID,InputBuffer,0x18ff61c,,,IN,ULONG,InputBufferLength,0x24,,,OUT,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputBufferLength,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x470,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xca66c8,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x178,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0xf9fb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x178,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0xf9fa3c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gh15,unknown_pool_type,30636
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gh15,unknown_pool_type,50084
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x320fe20,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1d6f29c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,Even
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x480,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x24,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x879f730,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x879f6ac,,,IN,ACCESS_MASK,DesiredAccess,0x100003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
objmon,0,0xed1b8540,explorer.exe,1,Even
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa1c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xa1c,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x879f6f0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x879f6a0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x879f72c,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0x879f5fc,,,IN,ULONG,Length,0x50,,,OUT,PRTL_ATOM,Atom,0x879f390,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x879d498,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x879d498,,
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x879d498,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x879d498,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x879d498,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x879d498,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x879d498,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x879d498,,
poolmon,1,0xed1b85e0,notepad.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b85e0,notepad.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1140,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x879e5e8,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f760,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x1170,,,IN,PUNICODE_STRING,ValueName,0x879d46c,{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\abgrcnq.rkr,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x879d3ac,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x879d388,,
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f760,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,CMvn,unknown_pool_type,104
poolmon,1,0xed1b85e0,notepad.exe,1,Usty,unknown_pool_type,552,win32k!NtUserResolveDesktopForWOW,TEXT2
poolmon,1,0xed1b85e0,notepad.exe,1,Ustm,unknown_pool_type,72,win32k!InternalSetTimer,TIMER
syscall,1 0xed1b85e0,notepad.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x19f984,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetValueKey,6,IN,HANDLE,KeyHandle,0x1170,,,IN,PUNICODE_STRING,ValueName,0x879d4cc,{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\abgrcnq.rkr,,IN,ULONG,TitleIndex,0x0,,,IN,ULONG,Type,0x3,,,IN,PVOID,Data,0x879e5d0,,,IN,ULONG,DataSize,0x48,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x320fe20,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,CmVn,unknown_pool_type,180,nt!cm,captured value name
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputLength,0x0,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,CMNb,PagedPool,344,nt!cm,notification block pool tag
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1d4,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x180,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af450,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetValueKey,6,IN,HANDLE,KeyHandle,0x1170,,,IN,PUNICODE_STRING,ValueName,0x879d4e4,HRZR_PGYFRFFVBA,,IN,ULONG,TitleIndex,0x0,,,IN,ULONG,Type,0x3,,,IN,PVOID,Data,0xbc271e8,,,IN,ULONG,DataSize,0x64c,,
poolmon,0,0xed1b8540,explorer.exe,1,CmVn,unknown_pool_type,1648,nt!cm,captured value name
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af450,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,0,0xed1b8540,explorer.exe,1,CMNb,PagedPool,344,nt!cm,notification block pool tag
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x1140,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x3f0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0xbc2a418,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x33d9a4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbc2a418,,,INOUT,PULONG,BufferLength,0x879ee58,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x33d9a4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,0,0xed1b8540,explorer.exe,1,AlEB,PagedPool,40
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb14710,,,INOUT,PULONG,BufferLength,0xedfc18,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xedfc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfb8c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x68,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedf214,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x68,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedf214,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x68,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedf214,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x68,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedf214,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x68,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedf214,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x68,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedf214,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfcb8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb71838,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,0,0xed1b8120,svchost.exe,0,AlEB,PagedPool,52
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f180,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f1bc,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f160,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f1c8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f1c8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x879f5b0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xa18,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa18,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x879f6f0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x879f6a0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xa,,,IN,PVOID,ThreadInformation,0x12af434,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1bc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1a4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1a8,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1ac,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1b0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1b4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1b8,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1c0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x19c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1a0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x198,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x17c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x184,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x188,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x18c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x190,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x194,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSection,2,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x758f0000,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSectionEx
poolmon,0,0xed1b84e0,dwm.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b84e0,dwm.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSection,2,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x74f80000,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSectionEx
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b8580,dllhost.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSection,2,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x76aa0000,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSectionEx
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b8580,dllhost.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSection,2,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x70ed0000,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSectionEx
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b8580,dllhost.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x12af720,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x12af720,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x429ac00,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3c4,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3cc,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x33c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x12af720,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xc0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x118ef90,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x117e9dc,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x118ef90,,,INOUT,PULONG,BufferLength,0x12af1d0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x117e9dc,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb16920,,,INOUT,PULONG,BufferLength,0xedfc18,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xedfc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfb8c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfcb8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb71838,,
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x30,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x1e8fc54,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x634,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x11c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x30,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x1e8fc58,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtCreateTimer,4,OUT,PHANDLE,TimerHandle,0x12af7cc,,,IN,ACCESS_MASK,DesiredAccess,0x100002,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,TIMER_TYPE,TimerType,0x1,,
objmon,1,0xed1b8580,dllhost.exe,1,Time
poolmon,1,0xed1b8580,dllhost.exe,1,Time,unknown_pool_type,224,nt!ke,Timer objects
syscall,0 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x30,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xd8abc8,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x194,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0x12af7c8,,,IN,ULONG,TimerSetInformationLength,0x20,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x12af818,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3cc,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x33c,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x332fc14,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x332fbcc,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x332fbcc,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x394,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x4ec,,
syscall,0 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xe4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbd77b0,,,INOUT,PULONG,BufferLength,0x4ef9a0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x4ef9b4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x332fb54,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x1208000,,
objmon,1,0xed1b8180,svchost.exe,0,Even
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x478,\Endpoint,,IN,HANDLE,Event,0x4e0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1a7fbb4,,,IN,ULONG,IoControlCode,0x1202f,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1a7fbe4,,,IN,ULONG,OutputBufferLength,0x10,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcQueryInformation,5,IN,HANDLE,PortHandle,0x1bc,,,IN,ALPC_PORT_INFORMATION_CLASS,PortInformationClass,0x0,,,OUT,PVOID,PortInformation,0x4ef90c,,,IN,ULONG,Length,0xc,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1bc,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xc8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1a7f838,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x2c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x4ef8dc,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1a7fdc0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x2c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x4efa40,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x19c,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x2c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x67f958,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x394fe98,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x18c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x5,,,OUT,PVOID,SystemInformation,0x118aea0,,,IN,ULONG,SystemInformationLength,0xe000,,,OUT,PULONG,ReturnLength,0x394fcdc,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x21ef904,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x1a8,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1d8,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a4fb00,,,IN,ULONG,IoControlCode,0x224013,,,IN,PVOID,InputBuffer,0x3a4fb1c,,,IN,ULONG,InputBufferLength,0x4,,,OUT,PVOID,OutputBuffer,0x119f9f8,,,IN,ULONG,OutputBufferLength,0x1f8,,
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3d8,,
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtCreateTimer,4,OUT,PHANDLE,TimerHandle,0x1169be4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,TIMER_TYPE,TimerType,0x1,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x394fea8,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
objmon,1,0xed1b8400,SearchProtocol,0,Time
poolmon,1,0xed1b8400,SearchProtocol,0,Time,unknown_pool_type,224,nt!ke,Timer objects
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x3d8,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0x1169bf0,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x5,,,IN,HANDLE,Handles[],0x1169bd0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1d8,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394fc70,,,IN,ULONG,IoControlCode,0x224013,,,IN,PVOID,InputBuffer,0x394fc8c,,,IN,ULONG,InputBufferLength,0x4,,,OUT,PVOID,OutputBuffer,0x11857b0,,,IN,ULONG,OutputBufferLength,0x1b8,,
poolmon,1,0xed1b8400,SearchProtocol,0,ObWm,unknown_pool_type,120
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1d8,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394fc70,,,IN,ULONG,IoControlCode,0x224013,,,IN,PVOID,InputBuffer,0x394fc8c,,,IN,ULONG,InputBufferLength,0x4,,,OUT,PVOID,OutputBuffer,0x1185a20,,,IN,ULONG,OutputBufferLength,0x78,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x320fe20,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x7b,,,OUT,PVOID,SystemInformation,0x394fcb4,,,IN,ULONG,SystemInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x1,,,OUT,PVOID,ProcessInformation,0x394fc68,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x11c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x3,,,OUT,PVOID,ProcessInformation,0x394fc88,,,IN,ULONG,ProcessInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x11c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f944,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f914,,,IN,PCLIENT_ID,ClientId,0x394f92c,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xc0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x118ef90,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x117e9dc,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x118ef90,,,INOUT,PULONG,BufferLength,0xfbefe8,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x117e9dc,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8580,dllhost.exe,1,AlEB,PagedPool,8
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x510,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x394f908,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb13608,,,INOUT,PULONG,BufferLength,0xedfc18,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xedfc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f4e8,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f4b8,,,IN,PCLIENT_ID,ClientId,0x394f4d0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x510,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x394f4ac,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfb8c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x510,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x1a,,,OUT,PVOID,ProcessInformation,0x394f518,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfcb8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f4d8,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f4a8,,,IN,PCLIENT_ID,ClientId,0x394f4c0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x510,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x394f49c,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb71838,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x510,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x2b,,,OUT,PVOID,ProcessInformation,0x11d9d18,,,IN,ULONG,ProcessInformationLength,0x808,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoDn,PagedPool,200
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,512,nt!io,general IO allocations
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x7c,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7c,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,ZwOpenFile,\Device\MountPointManager
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x100,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\Device\MountPointManager
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9d6695b0,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9d6695c0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d6695b8,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x120,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x194,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x120,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xc,,,OUT,PVOID,ThreadInformation,0x12af90c,,,IN,ULONG,ThreadInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x160,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x15c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,512,nt!io,general IO allocations
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtTerminateThread,2,IN,HANDLE,ThreadHandle,0x0,,,IN,NTSTATUS,ExitStatus,0x0,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,ZwOpenFile,\Device\HarddiskVolume2
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\Device\HarddiskVolume2
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9d6694c8,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9d6694d8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d6694d0,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2c0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x146fb10,,,INOUT,PULONG,BufferLength,0x146fc00,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x146fc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtDelayExecution,2,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,DelayInterval,0xfbf574,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtYieldExecution
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,4
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,4,nt!io,general IO allocations
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,50
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,50,nt!io,general IO allocations
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x484,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1149f28,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,48
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,4
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x69c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x112e3e00,,,INOUT,PULONG,BufferLength,0x1134f968,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x1134f97c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,D2d ,PagedPool,16
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,512,nt!io,general IO allocations
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtAlpcQueryInformation,5,IN,HANDLE,PortHandle,0x98c,,,IN,ALPC_PORT_INFORMATION_CLASS,PortInformationClass,0x0,,,OUT,PVOID,PortInformation,0x1134f8d4,,,IN,ULONG,Length,0xc,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x98c,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,ZwOpenFile,\Device\HarddiskVolume2
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\Device\HarddiskVolume2
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9d6694c8,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9d6694d8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d6694d0,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x5a06c0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x398fa54,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x5,,,OUT,PVOID,SystemInformation,0x77cad50,,,IN,ULONG,SystemInformationLength,0xe000,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,4
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,4,nt!io,general IO allocations
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,50
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,50,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,48
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,4
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x394ee6c,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394f0d0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f0f0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f0c0,,,IN,PCLIENT_ID,ClientId,0x394f0d8,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f110,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f110,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x500,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f12c,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f128,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394f0a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f0b0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b84e0,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x500,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
poolmon,0,0xed1b85e0,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x520,\Users\windows\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f180,,,OUT,PVOID,FileInformation,0x394f188,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394f0bc,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f0dc,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f0ac,,,IN,PCLIENT_ID,ClientId,0x394f0c4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f0fc,,
poolmon,0,0xed1b8580,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f0fc,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x510,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f118,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f114,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394f08c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f098,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformationEx,6,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x6b,,,IN,PVOID,QueryInformation,0x398fa1c,,,IN,ULONG,QueryInformationLength,0x4,,,OUT,PVOID,SystemInformation,0x0,,,IN,ULONG,SystemInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x398fa34,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformationEx,6,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x6b,,,IN,PVOID,QueryInformation,0x398fa1c,,,IN,ULONG,QueryInformationLength,0x4,,,OUT,PVOID,SystemInformation,0x777d1a0,,,IN,ULONG,SystemInformationLength,0x4c,,,OUT,PULONG,ReturnLength,0x398fa34,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformationEx,6,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x6c,,,IN,PVOID,QueryInformation,0x398fa44,,,IN,ULONG,QueryInformationLength,0x2,,,OUT,PVOID,SystemInformation,0xe69ed0,,,IN,ULONG,SystemInformationLength,0x100,,,OUT,PULONG,ReturnLength,0x398fa64,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x17,,,OUT,PVOID,ThreadInformation,0x398fa54,,,IN,ULONG,ThreadInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1d8,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x398fa18,,,IN,ULONG,IoControlCode,0x224013,,,IN,PVOID,InputBuffer,0x398fa34,,,IN,ULONG,InputBufferLength,0x4,,,OUT,PVOID,OutputBuffer,0x1186a88,,,IN,ULONG,OutputBufferLength,0x138,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x500,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
filetracer,1,0xed1b82c0,Taskmgr.exe,1,NtQueryAttributesFile,\??\c:\users\windows\desktop\test.exe
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394eb80,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x394eb98,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,File
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
filetracer,1,0xed1b82c0,Taskmgr.exe,1,NtQueryAttributesFile,\??\c:\users\windows\desktop\test.exe
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e678,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x394e690,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
objmon,1,0xed1b82c0,Taskmgr.exe,1,File
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
filetracer,1,0xed1b82c0,Taskmgr.exe,1,NtQueryAttributesFile,\??\c:\users\windows\desktop\test.exe
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e508,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x394e520,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,File
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
filetracer,1,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\c:\users\windows\desktop\test.exe
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394e70c,,,IN,ACCESS_MASK,DesiredAccess,0x80100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e740,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394e718,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x5,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x20060,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,File
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,222,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,1,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,222,fltmgr.sys,NAME_CACHE_NODE structure
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MPCp,PagedPool,108
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateSection,7,OUT,PHANDLE,SectionHandle,0x394e838,,,IN,ACCESS_MASK,DesiredAccess,0x5,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PLARGE_INTEGER,MaximumSize,0x0,,,IN,ULONG,SectionPageProtection,0x2,,,IN,ULONG,AllocationAttributes,0x11000000,,,IN,HANDLE,FileHandle,0x500,\Users\windows\Desktop\test.exe,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Sect
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Sect,PagedPool,80,<unknown>,Section objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0x518,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x394e848,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x394e834,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x0,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x2,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x500,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,64,<unknown>,Gdi temporary allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,64,<unknown>,Gdi temporary allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,88,<unknown>,Gdi Xlate
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gsth,unknown_pool_type,416
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,GTmp,unknown_pool_type,232
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,88,<unknown>,Gdi Xlate
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Uscu,unknown_pool_type,100,win32k!_CreateEmptyCursorObject,CURSOR
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtUnmapViewOfSection,2,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x4710000,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtUnmapViewOfSectionEx
syscall,1 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
syscall,1 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669bc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9d669bfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x30,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xd8abc8,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669bc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9d669bfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1149f28,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x0,,,OUT,PVOID,SystemInformation,0x3a4f9e4,,,IN,ULONG,SystemInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,88,<unknown>,Gdi Xlate
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x4f,,,OUT,PVOID,SystemInformation,0x3a4f9cc,,,IN,ULONG,SystemInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x3a4f98c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x4f,,,OUT,PVOID,SystemInformation,0x3a4f9cc,,,IN,ULONG,SystemInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x3a4f98c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x2,,,OUT,PVOID,SystemInformation,0x3a4fa10,,,IN,ULONG,SystemInformationLength,0x158,,,OUT,PULONG,ReturnLength,0x3a4f9e0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669bc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9d669bfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x7b,,,OUT,PVOID,SystemInformation,0x3a4f8ec,,,IN,ULONG,SystemInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x1,,,OUT,PVOID,ProcessInformation,0x3a4f8a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x3,,,OUT,PVOID,ProcessInformation,0x3a4f8c0,,,IN,ULONG,ProcessInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,88,<unknown>,Gdi Xlate
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x3a4f20c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669aa8,,,INOUT,PSIZE_T,RegionSize,0x9d669aa0,,,IN,ULONG,FreeType,0x8000,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Even
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x258,,,IN,HANDLE,Event,0x500,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a4f2b4,,,IN,ULONG,IoControlCode,0x12000f,,,IN,PVOID,InputBuffer,0x3a4f27c,,,IN,ULONG,InputBufferLength,0x38,,,OUT,PVOID,OutputBuffer,0x3a4f27c,,,IN,ULONG,OutputBufferLength,0x38,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NSpg,unknown_pool_type,88,nsi.dll,NSI Proxy Generic Buffers
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x500,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x3a4f20c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Even
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669aa8,,,INOUT,PSIZE_T,RegionSize,0x9d669aa0,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x258,,,IN,HANDLE,Event,0x500,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a4f2b4,,,IN,ULONG,IoControlCode,0x12000f,,,IN,PVOID,InputBuffer,0x3a4f27c,,,IN,ULONG,InputBufferLength,0x38,,,OUT,PVOID,OutputBuffer,0x3a4f27c,,,IN,ULONG,OutputBufferLength,0x38,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NSpg,unknown_pool_type,1996,nsi.dll,NSI Proxy Generic Buffers
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394f154,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394f094,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f0b4,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f084,,,IN,PCLIENT_ID,ClientId,0x394f09c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f0d4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f0d4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x304,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0f0,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f0ec,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394f064,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f070,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394f094,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f0b4,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f084,,,IN,PCLIENT_ID,ClientId,0x394f09c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f0d4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f0d4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0f0,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f0ec,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394f064,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f070,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\??\C:\Users\windows\AppData\Local\Microsoft\Windows\Explorer
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x394f17c,,,IN,ACCESS_MASK,DesiredAccess,0x100000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f14c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f164,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x800021,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x304,\Users\windows\AppData\Local\Microsoft\Windows\Explorer,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f164,,,OUT,PVOID,FsInformation,0x394f180,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x3,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x304,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x518,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtTraceEvent,4,IN,HANDLE,TraceHandle,0x164,,,IN,ULONG,Flags,0x300,,,IN,ULONG,FieldSize,0x70,,,IN,PVOID,Fields,0x1d6e898,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x1d6f220,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x1d6f218,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b8540,explorer.exe,1,Ustm,unknown_pool_type,72,win32k!InternalSetTimer,TIMER
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x320fe20,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0xde2e3c,,,IN,ULONG,Length,0x22,,,OUT,PRTL_ATOM,Atom,0x1d6f340,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1d6f2a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
objmon,0,0xed1b8540,explorer.exe,1,Even
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x1608,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x24,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0x1d6f2c4,,,IN,ULONG,Length,0x50,,,OUT,PRTL_ATOM,Atom,0x1d6f058,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0xde2e3c,,,IN,ULONG,Length,0x22,,,OUT,PRTL_ATOM,Atom,0x1d6f330,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x1d6f0d0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x1d6f0d0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x2,,,IN,ULONG,HandleAttributes,0x200,,,OUT,PHANDLE,TokenHandle,0x1d6f078,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtDuplicateToken,6,IN,HANDLE,ExistingTokenHandle,0x9b8,,,IN,ACCESS_MASK,DesiredAccess,0x4,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1d6f060,,,IN,BOOLEAN,EffectiveOnly,0x0,,,IN,TOKEN_TYPE,TokenType,0x2,,,OUT,PHANDLE,NewTokenHandle,0x1d6f07c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
poolmon,0,0xed1b8540,explorer.exe,1,SeAt,PagedPool,24
poolmon,0,0xed1b8540,explorer.exe,1,SeTl,unknown_pool_type,56
objmon,0,0xed1b8540,explorer.exe,1,Toke
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,Toke,PagedPool,1196,nt!se,Token objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,SeTd,PagedPool,120,nt!se,Security Token dynamic part
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,216,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
poolmon,0,0xed1b8540,explorer.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,28,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,196,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,0,0xed1b8540,explorer.exe,1,ObSc,PagedPool,212,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,0,0xed1b8540,explorer.exe,1,SeAc,PagedPool,116,nt!se,Security ACL
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x510,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,220,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x1d6f07c,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x840,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x9b8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x1d6f0d0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x1d6f0d0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAdjustPrivilegesToken,6,IN,HANDLE,TokenHandle,0x9b8,,,IN,BOOLEAN,DisableAllPrivileges,0x0,,,IN,PTOKEN_PRIVILEGES,NewState,0x1d6f104,,,IN,ULONG,BufferLength,0x1c,,,OUT,PTOKEN_PRIVILEGES,PreviousState,0x1d6f0e0,,,OUT,PULONG,ReturnLength,0x1d6f0d4,,
poolmon,0,0xed1b8540,explorer.exe,1,SeLu,PagedPool,24,nt!se,Security LUID and Attributes array
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtPowerInformation,5,IN,POWER_INFORMATION_LEVEL,InformationLevel,0x10,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1d6f334,,,IN,ULONG,OutputBufferLength,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x1d6f0b4,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x9b8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f2c8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x2,,,IN,ULONG,HandleAttributes,0x200,,,OUT,PHANDLE,TokenHandle,0x1d6f098,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtDuplicateToken,6,IN,HANDLE,ExistingTokenHandle,0x9b8,,,IN,ACCESS_MASK,DesiredAccess,0x4,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1d6f080,,,IN,BOOLEAN,EffectiveOnly,0x0,,,IN,TOKEN_TYPE,TokenType,0x2,,,OUT,PHANDLE,NewTokenHandle,0x1d6f09c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,SeAt,PagedPool,24
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,0,0xed1b8540,explorer.exe,1,SeTl,unknown_pool_type,56
objmon,0,0xed1b8540,explorer.exe,1,Toke
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
poolmon,0,0xed1b8540,explorer.exe,1,Toke,PagedPool,1196,nt!se,Token objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x9f6f650,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x9f6f610,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x9f6f5c0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x518,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x9f6f64c,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x9f6f380,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6f350,,,IN,PCLIENT_ID,ClientId,0x9f6f368,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x840,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x2b,,,OUT,PVOID,ProcessInformation,0xbc968c0,,,IN,ULONG,ProcessInformationLength,0x210,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,IoDn,PagedPool,200
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,512,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
filetracer,0,0xed1b8540,explorer.exe,1,ZwOpenFile,\Device\MountPointManager
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
filetracer,0,0xed1b8540,explorer.exe,1,NtOpenFile,\Device\MountPointManager
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9212b5b0,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9212b5c0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9212b5b8,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
objmon,0,0xed1b8540,explorer.exe,1,File
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x89df8a0,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa10,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df90c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x89df88c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df83c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,512,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
filetracer,0,0xed1b8540,explorer.exe,1,ZwOpenFile,\Device\HarddiskVolume2
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
filetracer,0,0xed1b8540,explorer.exe,1,NtOpenFile,\Device\HarddiskVolume2
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9212b4c8,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9212b4d8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9212b4d0,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
objmon,0,0xed1b8540,explorer.exe,1,File
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,4
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,4,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,50
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,50,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,48
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,4
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,0,0xed1b8540,explorer.exe,1,D2d ,PagedPool,16
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,512,nt!io,general IO allocations
filetracer,0,0xed1b8540,explorer.exe,1,ZwOpenFile,\Device\HarddiskVolume2
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
filetracer,0,0xed1b8540,explorer.exe,1,NtOpenFile,\Device\HarddiskVolume2
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9212b4c8,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9212b4d8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9212b4d0,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
objmon,0,0xed1b8540,explorer.exe,1,File
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,4
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,4,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,50
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,50,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,48
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8540,explorer.exe,1,MntA,PagedPool,4
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x840,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x9f6ef2c,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,OUT,PVOID,ProcessInformation,0x9f6f2d0,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,IN,PVOID,ProcessInformation,0x9f6f2e0,,,IN,ULONG,ProcessInformationLength,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
filetracer,0,0xed1b8540,explorer.exe,1,NtQueryAttributesFile,\??\C:\Windows\System32\notepad.exe
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6f290,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x9f6f2b0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,0,0xed1b8540,explorer.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
objmon,0,0xed1b8540,explorer.exe,1,File
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
filetracer,0,0xed1b8540,explorer.exe,1,NtOpenFile,\??\C:\
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9f6f000,,,IN,ACCESS_MASK,DesiredAccess,0x100001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6f038,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6f030,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x4021,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,File
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8540,explorer.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryDirectoryFile,11,IN,HANDLE,FileHandle,0x840,\,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6f030,,,OUT,PVOID,FileInformation,0x9f6f050,,,IN,ULONG,Length,0x268,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x3,,,IN,BOOLEAN,ReturnSingleEntry,0x1,,,IN,PUNICODE_STRING,FileName,0x9f6f004,Windows,,IN,BOOLEAN,RestartScan,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,26,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
poolmon,0,0xed1b8540,explorer.exe,1,NtFd,unknown_pool_type,80,ntfs.sys,DirCtrl.c
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x510,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
poolmon,0,0xed1b8540,explorer.exe,1,NtFI,unknown_pool_type,112,ntfs.sys,IndexSup.c
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x840,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,SeTd,PagedPool,120,nt!se,Security Token dynamic part
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,216,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b8540,explorer.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,196,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b8540,explorer.exe,1,ObSc,PagedPool,212,nt!ob,Object security descriptor cache block
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,SeAc,PagedPool,116,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8540,explorer.exe,1,SeSd,PagedPool,220,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x1d6f09c,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x97c,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x9b8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x28,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x1d6f0f0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAdjustPrivilegesToken,6,IN,HANDLE,TokenHandle,0x9b8,,,IN,BOOLEAN,DisableAllPrivileges,0x0,,,IN,PTOKEN_PRIVILEGES,NewState,0x1d6f124,,,IN,ULONG,BufferLength,0x1c,,,OUT,PTOKEN_PRIVILEGES,PreviousState,0x1d6f100,,,OUT,PULONG,ReturnLength,0x1d6f0f4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,SeLu,PagedPool,24,nt!se,Security LUID and Attributes array
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtPowerInformation,5,IN,POWER_INFORMATION_LEVEL,InformationLevel,0x10,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1d6f354,,,IN,ULONG,OutputBufferLength,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x1d6f0d4,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x9b8,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1d6f29c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,Even
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReleaseSemaphore,3,IN,HANDLE,SemaphoreHandle,0x480,,,IN,LONG,ReleaseCount,0x1,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa1c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xa1c,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x879f72c,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0x879f5fc,,,IN,ULONG,Length,0x50,,,OUT,PRTL_ATOM,Atom,0x879f390,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x518,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x879eff4,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879efc4,,,IN,PCLIENT_ID,ClientId,0x879efdc,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x97c,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x32,,,OUT,PVOID,ProcessInformation,0xbc98078,,,IN,ULONG,ProcessInformationLength,0x210,,,OUT,PULONG,ReturnLength,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x879efe4,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879efb4,,,IN,PCLIENT_ID,ClientId,0x879efcc,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
filetracer,0,0xed1b8540,explorer.exe,1,NtOpenFile,\??\C:\Users\windows\Desktop
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x879ef80,,,IN,ACCESS_MASK,DesiredAccess,0x20000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879ef3c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x879ef64,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x200000,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
objmon,0,0xed1b8540,explorer.exe,1,File
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b8540,explorer.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0xbc0,,,IN,SECURITY_INFORMATION,SecurityInformation,0x10,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x0,,,IN,ULONG,Length,0x0,,,OUT,PULONG,LengthNeeded,0x879efa8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xbc0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
filetracer,0,0xed1b8540,explorer.exe,1,NtOpenFile,\??\C:\Users\windows\Desktop
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x879ef80,,,IN,ACCESS_MASK,DesiredAccess,0x20000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879ef3c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x879ef64,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x200000,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
objmon,0,0xed1b8540,explorer.exe,1,File
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0xbc0,,,IN,SECURITY_INFORMATION,SecurityInformation,0x10,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0xb82e7a8,,,IN,ULONG,Length,0x14,,,OUT,PULONG,LengthNeeded,0x879efa8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xbc0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x97c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x206,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x879e318,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x879e310,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,0,0xed1b8540,explorer.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x879e618,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879e0a0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x879e618,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879e0a0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,Key
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0xed1b8540,explorer.exe,1,Key ,PagedPool,84
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x97e,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x879e1f0,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x879e1d8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b8540,explorer.exe,1,CMNb,PagedPool,138,nt!cm,notification block pool tag
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x879dc98,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x879dc88,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x88f52a4,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879dd50,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x320fe20,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9d8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fd5c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x320fe6c,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,1,0xed1b8540,explorer.exe,1,Usmo,unknown_pool_type,16
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0x6c177d08,,,IN,ULONG,Length,0x3e,,,OUT,PRTL_ATOM,Atom,0x320f5c8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x510,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x320f348,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x320f324,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x320f344,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x320f324,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
objmon,1,0xed1b8540,explorer.exe,1,Key
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b8540,explorer.exe,1,Key ,PagedPool,84
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xa08,,,IN,PUNICODE_STRING,ValueName,0x320f2ec,CEIPEnable,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x320f2f4,,,IN,ULONG,Length,0x14,,,OUT,PULONG,ResultLength,0x320f2e8,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8540,explorer.exe,1,CMvn,unknown_pool_type,24
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x320f248,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x320f224,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x320f244,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x320f224,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
objmon,1,0xed1b8540,explorer.exe,1,Key
poolmon,1,0xed1b8540,explorer.exe,1,Key ,PagedPool,84
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xa0c,,,IN,PUNICODE_STRING,ValueName,0x320f1ec,StudyId,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x320f1f4,,,IN,ULONG,Length,0x14,,,OUT,PULONG,ResultLength,0x320f1e8,,
poolmon,1,0xed1b8540,explorer.exe,1,CMvn,unknown_pool_type,18
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa0c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x320f2c8,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x320f2a0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x320f2c8,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x320f2a0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x320f2c8,,,IN,ACCESS_MASK,DesiredAccess,0x20119,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x320f2a0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
objmon,1,0xed1b8540,explorer.exe,1,Key
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0xed1b8540,explorer.exe,1,Key ,PagedPool,84
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xa0c,,,IN,PUNICODE_STRING,ValueName,0x320f22c,SampledOut,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x320f234,,,IN,ULONG,Length,0x14,,,OUT,PULONG,ResultLength,0x320f228,,
poolmon,1,0xed1b8540,explorer.exe,1,CMvn,unknown_pool_type,24
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa0c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa08,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x320fe20,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9ec,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1d6f8a0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f8a0,,,INOUT,PULONG,BufferLength,0x1d6f824,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f828,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x5d12f38,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x100,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x510,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtCreateThreadEx,11,OUT,PHANDLE,ThreadHandle,0xa1f730,,,IN,ACCESS_MASK,DesiredAccess,0x1fffff,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,StartRoutine,0x73f5a3d4,,,IN,PVOID,Argument,0x0,,,IN,ULONG,CreateFlags,0x1,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,StackSize,0x8000,,,IN,SIZE_T,MaximumStackSize,0x0,,,IN,PPS_ATTRIBUTE_LIST,AttributeList,0xa1f740,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b8120,svchost.exe,0,Thre
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b8120,svchost.exe,0,Thre,unknown_pool_type,1144,nt!ps,Thread objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x29,,,IN,PVOID,ProcessInformation,0x92147484,,,IN,ULONG,ProcessInformationLength,0x1c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9214749c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9214730c,,,IN,ULONG,AllocationType,0x2000,,,IN,ULONG,Protect,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b8120,svchost.exe,0,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x921474d0,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x921474ac,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x921474d0,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x921474a8,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x104,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8120,svchost.exe,0,Vadl,unknown_pool_type,72,nt!mm,Mm virtual address descriptors (long)
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8120,svchost.exe,0,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8120,svchost.exe,0,SeSd,PagedPool,204,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b8120,svchost.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8120,svchost.exe,0,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,1,0xed1b8120,svchost.exe,0,SeSd,PagedPool,216,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtResumeThread,2,IN,HANDLE,ThreadHandle,0x748,,,OUT,PULONG,PreviousSuspendCount,0xa1f6ec,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x748,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x100,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0xf8f42c,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xf8f3b4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
objmon,1,0xed1b8260,svchost.exe,0,Key
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b8260,svchost.exe,0,Key ,PagedPool,84
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0xf8f498,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xf8f374,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7bc,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1b4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xf8f1ac,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
filetracer,1,0xed1b8260,svchost.exe,0,NtCreateFile,\Device\Afd\Endpoint
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0xf8f094,,,IN,ACCESS_MASK,DesiredAccess,0xc0140000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xf8f04c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f06c,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x3,,,IN,ULONG,CreateOptions,0x0,,,IN,PVOID,EaBuffer,0xf8f0cc,,,IN,ULONG,EaLength,0x39,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,1,0xed1b8260,svchost.exe,0,IoEa,unknown_pool_type,61,nt!io,Io extended attributes
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
objmon,1,0xed1b8260,svchost.exe,0,File
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b8260,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b8260,svchost.exe,0,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8260,svchost.exe,0,SeSd,PagedPool,776,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b8260,svchost.exe,0,SeSd,PagedPool,760,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,1,0xed1b8260,svchost.exe,0,ObSc,PagedPool,776,nt!ob,Object security descriptor cache block
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
poolmon,1,0xed1b8260,svchost.exe,0,Se ,PagedPool,56
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x80000a2c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x16,,,OUT,PVOID,TokenInformation,0x87231570,,,IN,ULONG,TokenInformationLength,0x800,,,OUT,PULONG,ReturnLength,0xaa2e35c8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x7bc,\Endpoint,,IN,HANDLE,Event,0xaa8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f058,,,IN,ULONG,IoControlCode,0x12047,,,IN,PVOID,InputBuffer,0xf8f060,,,IN,ULONG,InputBufferLength,0xc4,,,OUT,PVOID,OutputBuffer,0xf8f100,,,IN,ULONG,OutputBufferLength,0x1c,,
poolmon,1,0xed1b8260,svchost.exe,0,AfdX,unknown_pool_type,200,afd.sys,Afd context buffer
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1b4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xf8f0fc,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x7bc,\Endpoint,,IN,HANDLE,Event,0xaa8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f1d4,,,IN,ULONG,IoControlCode,0x120bf,,,IN,PVOID,InputBuffer,0xf8f1bc,,,IN,ULONG,InputBufferLength,0x18,,,OUT,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputBufferLength,0x0,,
poolmon,1,0xed1b8260,svchost.exe,0,AfdL,unknown_pool_type,60,afd.sys,Afd local address buffer
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x37df7f4,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7ec,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x37df7f8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x33de9e8,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
poolmon,1,0x1a5000,System,-1,CcWk,unknown_pool_type,40,nt!cc,Kernel Cache Manager lookaside list
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
poolmon,1,0x1a5000,System,-1,CcWq,unknown_pool_type,20,nt!cc,Cache Manager Work Queue Item
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x36ffbdc,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x510,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x36ffb9c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x36ffb4c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x0,,,OUT,PVOID,ThreadInformation,0x36ffbd8,,,IN,ULONG,ThreadInformationLength,0x1c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
filetracer,1,0xed1b8540,explorer.exe,1,NtCreateFile,\??\C:\Users\windows\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x36ff934,,,IN,ACCESS_MASK,DesiredAccess,0x100001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x36ff8f0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x36ff918,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x80,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x2,,,IN,ULONG,CreateOptions,0x204021,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
objmon,1,0xed1b8540,explorer.exe,1,File
poolmon,1,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b8540,explorer.exe,1,IoNm,PagedPool,248,nt!io,Io parsing names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b8540,explorer.exe,1,PsIn,unknown_pool_type,98
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b8540,explorer.exe,1,NtFC,unknown_pool_type,248,ntfs.sys,Create.c
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,OUT,PVOID,ProcessInformation,0x36ff908,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,IN,PVOID,ProcessInformation,0x36ff918,,,IN,ULONG,ProcessInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
filetracer,1,0xed1b8540,explorer.exe,1,NtQueryAttributesFile,\??\C:\Users\windows\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x36ff8c8,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x36ff8e8,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8540,explorer.exe,1,IoNm,PagedPool,248,nt!io,Io parsing names
objmon,1,0xed1b8540,explorer.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,OUT,PVOID,ProcessInformation,0x36ff908,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,IN,PVOID,ProcessInformation,0x36ff918,,,IN,ULONG,ProcessInformationLength,0x4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x2cc,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedfc2c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x2d8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedfbc8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0xedf9bc,,,IN,ACCESS_MASK,DesiredAccess,0x101000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xedf98c,,,IN,PCLIENT_ID,ClientId,0xedf9a4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x830,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x1b,,,OUT,PVOID,ProcessInformation,0x632e68,,,IN,ULONG,ProcessInformationLength,0x210,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x830,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenSymbolicLinkObject,3,OUT,PHANDLE,LinkHandle,0xedf978,,,IN,ACCESS_MASK,DesiredAccess,0x80000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xedf944,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenSymbolicLinkObject,3,OUT,PHANDLE,LinkHandle,0xedf978,,,IN,ACCESS_MASK,DesiredAccess,0x80000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xedf944,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenSymbolicLinkObject,3,OUT,PHANDLE,LinkHandle,0xedf978,,,IN,ACCESS_MASK,DesiredAccess,0x80000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xedf944,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQuerySymbolicLinkObject,3,IN,HANDLE,LinkHandle,0x830,,,INOUT,PUNICODE_STRING,LinkTarget,0xedf964,,,OUT,PULONG,ReturnedLength,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x830,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
filetracer,1,0xed1b8340,MsMpEng.exe,0,NtCreateFile,\??\C:\Users\windows\Desktop\test.exe
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0xedfa04,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xedfa38,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa10,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x424020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
objmon,1,0xed1b8340,MsMpEng.exe,0,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b8340,MsMpEng.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FsInformation,0xedfa3c,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FileInformation,0xedfa54,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FsInformation,0xedfa3c,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FileInformation,0xedfa54,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FsInformation,0xedf8f8,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FileInformation,0xedf910,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FsInformation,0xedf8f8,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FileInformation,0xedf910,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf544,,,IN,ULONG,IoControlCode,0x900eb,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0xedf620,,,IN,ULONG,OutputBufferLength,0x140,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef98,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x830,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
filetracer,0,0xed1b8340,MsMpEng.exe,0,NtCreateFile,\??\C:\Users\windows\Desktop\test.exe
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0xedfa04,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xedfa38,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa10,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x424020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f044,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,ObNm,PagedPool,248,nt!ob,object names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f044,,
objmon,0,0xed1b8340,MsMpEng.exe,0,File
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f078,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f070,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FsInformation,0xedfa3c,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FileInformation,0xedfa54,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FsInformation,0xedfa3c,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa00,,,OUT,PVOID,FileInformation,0xedfa54,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FsInformation,0xedf8f8,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FileInformation,0xedf910,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FsInformation,0xedf8f8,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf8bc,,,OUT,PVOID,FileInformation,0xedf910,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedf544,,,IN,ULONG,IoControlCode,0x900eb,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0xedf620,,,IN,ULONG,OutputBufferLength,0x140,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x830,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
filetracer,0,0xed1b8340,MsMpEng.exe,0,NtCreateFile,\??\C:\Users\windows\Desktop\test.exe
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0xedfa1c,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xedfa50,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa28,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x424020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc0,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b8340,MsMpEng.exe,0,File
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe0,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb0,,,IN,PCLIENT_ID,ClientId,0x394efc8,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8340,MsMpEng.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f040,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtFsControlFile,10,IN,HANDLE,FileHandle,0x830,\Users\windows\Desktop\test.exe,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xedfa7c,,,IN,ULONG,IoControlCode,0x902eb,,,IN,PVOID,InputBuffer,0xedfafc,,,IN,ULONG,InputBufferLength,0x4,,,OUT,PVOID,OutputBuffer,0xedfb04,,,IN,ULONG,OutputBufferLength,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x518,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0c8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f074,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x830,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef94,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x2f8,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedfb98,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x2f8,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x2cc,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0xedfc2c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0xedfcd0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f97c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x608ab00,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1d6f744,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x1d6f700,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
objmon,0,0xed1b8540,explorer.exe,1,Even
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0xbb6dc10,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xbb568b0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b8540,explorer.exe,1,AlHd,PagedPool,56
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f588,,,INOUT,PULONG,BufferLength,0x1d6f57c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760b50,,,IN,PLARGE_INTEGER,Timeout,0x1d6f580,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xbc0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f74c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1d6f6cc,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f67c,,
objmon,0,0xed1b8340,MsMpEng.exe,0,Even
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x520,\Users\windows\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394ef9c,,,OUT,PVOID,FileInformation,0x394efa4,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f944,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x6f689f00,,
objmon,0,0xed1b8340,MsMpEng.exe,0,Even
poolmon,0,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394ef6c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394eeac,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0xb6f854,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,0,0xed1b8340,MsMpEng.exe,0,Muta
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394eecc,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394ee9c,,,IN,PCLIENT_ID,ClientId,0x394eeb4,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Muta,unknown_pool_type,72,<unknown>,Mutant objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394eeec,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394eeec,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f854,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f339000,,
objmon,0,0xed1b8340,MsMpEng.exe,0,Even
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394ef08,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394ef04,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ee7c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394ee88,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,BOOLEAN,OpenAsSelf,0x0,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0xb6f7b0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0xa,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0xb6f7c8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtDuplicateToken,6,IN,HANDLE,ExistingTokenHandle,0x718,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xb6f7e0,,,IN,BOOLEAN,EffectiveOnly,0x0,,,IN,TOKEN_TYPE,TokenType,0x2,,,OUT,PHANDLE,NewTokenHandle,0xb6f7b0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeAt,PagedPool,24
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeTl,unknown_pool_type,56
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
objmon,0,0xed1b8340,MsMpEng.exe,0,Toke
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,0,0xed1b8340,MsMpEng.exe,0,Toke,PagedPool,1112,nt!se,Token objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeTd,PagedPool,112,nt!se,Security Token dynamic part
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,160,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,172,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,ObSc,PagedPool,188,nt!ob,Object security descriptor cache block
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,112,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,184,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x718,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAccessCheck,8,IN,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x65bfe8,,,IN,HANDLE,ClientToken,0x664,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,PGENERIC_MAPPING,GenericMapping,0xb6f804,,,OUT,PPRIVILEGE_SET,PrivilegeSet,0xb6f814,,,INOUT,PULONG,PrivilegeSetLength,0xb6f7d8,,,OUT,PACCESS_MASK,GrantedAccess,0xb6f7cc,,,OUT,PNTSTATUS,AccessStatus,0xb6f7d0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,SeSc,PagedPool,96,nt!se,Captured Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x664,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x2000c,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0xb6f794,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x2000c,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0xb6f794,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394eeac,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x2000c,,,OUT,PHANDLE,TokenHandle,0xb6f798,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394eecc,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394ee9c,,,IN,PCLIENT_ID,ClientId,0x394eeb4,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x2000c,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0xb6f798,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394eeec,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394eeec,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x664,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x5f2bb08,,,IN,ULONG,TokenInformationLength,0x40,,,OUT,PULONG,ReturnLength,0xb6f7b4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394ef08,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394ef04,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1b4,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xb6f4bc,,,IN,ULONG,IoControlCode,0x390402,,,IN,PVOID,InputBuffer,0xb6f558,,,IN,ULONG,InputBufferLength,0x28,,,OUT,PVOID,OutputBuffer,0xb6f4dc,,,IN,ULONG,OutputBufferLength,0x8,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ee7c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394ee88,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,44,nt!io,general IO allocations
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0xed1b8340,MsMpEng.exe,0,Cngb,unknown_pool_type,148,ksecdd.sys,CNG kmode crypto pool tag
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x9c678854,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9c6787dc,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b8340,MsMpEng.exe,0,CMNb,PagedPool,84,nt!cm,notification block pool tag
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
objmon,0,0xed1b8340,MsMpEng.exe,0,Key
poolmon,0,0xed1b8340,MsMpEng.exe,0,Key ,PagedPool,84
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
poolmon,0,0xed1b8340,MsMpEng.exe,0,Cngb,unknown_pool_type,156,ksecdd.sys,CNG kmode crypto pool tag
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x9c67884c,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9c6787bc,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,CMNb,PagedPool,84,nt!cm,notification block pool tag
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,0,0xed1b85c0,test.exe,1,PsIn,unknown_pool_type,118
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b85c0,test.exe,1,CcPF,unknown_pool_type,144,nt!ccpf,Prefetcher file name
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x534,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x418,\Users\windows\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f12c,,,OUT,PVOID,FileInformation,0x394f134,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
filetracer,0,0xed1b85c0,test.exe,1,NtOpenFile,\SystemRoot\Prefetch\TEST.EXE-01FCBB36.pf
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9d7f9a20,,,IN,ACCESS_MASK,DesiredAccess,0x80100000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9d7f99f4,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d7f9a0c,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x20,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394efc8,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b85c0,test.exe,1,ObNm,PagedPool,248,nt!ob,object names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394efe8,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efb8,,,IN,PCLIENT_ID,ClientId,0x394efd0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f008,,
objmon,0,0xed1b85c0,test.exe,1,File
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f008,,
poolmon,0,0xed1b85c0,test.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b85c0,test.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x518,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f024,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f020,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394ef9c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efa8,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,0,0xed1b85c0,test.exe,1,NtFA,unknown_pool_type,212,ntfs.sys,AttrSup.c
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0xed1b85c0,test.exe,1,CcPT,unknown_pool_type,368,nt!ccpf,Prefetcher trace
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,0,0xed1b85c0,test.exe,1,CcPB,unknown_pool_type,32768,nt!ccpf,Prefetcher trace buffer
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x13fca4,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fcd0,,,INOUT,PSIZE_T,RegionSize,0x13fcd4,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x4,,,OUT,PULONG,OldProtect,0x13fce4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fcd0,,,INOUT,PSIZE_T,RegionSize,0x13fcd4,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x4,,,OUT,PULONG,OldProtect,0x13fce4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x13fb30,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fb2c,,,INOUT,PSIZE_T,RegionSize,0x13fb30,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x2,,,OUT,PULONG,OldProtect,0x13fb28,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x13fb1c,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x771c6f90,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x13fabc,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x0,,,OUT,PVOID,SystemInformation,0x13faf0,,,IN,ULONG,SystemInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x0,,,OUT,PVOID,SystemInformation,0x13fad8,,,IN,ULONG,SystemInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fa78,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x13fa6c,,,IN,ULONG,AllocationType,0x2000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,0,0xed1b85c0,test.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fa78,,,INOUT,PSIZE_T,RegionSize,0x13fa7c,,,IN,ULONG,FreeType,0x8000,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fa88,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x13fa90,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x37,,,OUT,PVOID,SystemInformation,0x13fa30,,,IN,ULONG,SystemInformationLength,0x108,,,OUT,PULONG,ReturnLength,0x13fa2c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x520,\Users\windows\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f09c,,,OUT,PVOID,FileInformation,0x394f0a4,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f90c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x13f938,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fb34,,,INOUT,PSIZE_T,RegionSize,0x13fb30,,,IN,ULONG,FreeType,0x8000,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x418,\Users\windows\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f0ac,,,OUT,PVOID,FileInformation,0x394f0b4,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenDirectoryObject,3,OUT,PHANDLE,DirectoryHandle,0x771c82e0,,,IN,ACCESS_MASK,DesiredAccess,0x3,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13fbb4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x418,\Users\windows\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f0ac,,,OUT,PVOID,FileInformation,0x394f0b4,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSymbolicLinkObject,3,OUT,PHANDLE,LinkHandle,0x13fbf0,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13fbb4,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySymbolicLinkObject,3,IN,HANDLE,LinkHandle,0x8,,,INOUT,PUNICODE_STRING,LinkTarget,0x771c82e8,,,OUT,PULONG,ReturnedLength,0x13fbb0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x8,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x394f0e8,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x770d0000,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x13fa94,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394f028,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f048,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f018,,,IN,PCLIENT_ID,ClientId,0x394f030,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x13fabc,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f068,,
filetracer,0,0xed1b85c0,test.exe,1,NtOpenFile,\??\C:\Windows\system32\
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x13fae8,,,IN,ACCESS_MASK,DesiredAccess,0x100020,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13fb08,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x13faf8,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,OpenOptions,0x21,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f068,,
objmon,0,0xed1b85c0,test.exe,1,File
poolmon,0,0xed1b85c0,test.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x2e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f084,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f080,,
poolmon,0,0xed1b85c0,test.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394effc,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f008,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x8,\Windows\System32,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x13faf8,,,OUT,PVOID,FsInformation,0x13fb00,,,IN,ULONG,Length,0x8,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x13f7d0,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f6c8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0xc,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f7fc,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x13f78c,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x800000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,0,0xed1b85c0,test.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySection,5,IN,HANDLE,SectionHandle,0xc,,,IN,SECTION_INFORMATION_CLASS,SectionInformationClass,0x2,,,OUT,PVOID,SectionInformation,0x13f774,,,IN,SIZE_T,SectionInformationLength,0x4,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x13f864,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f868,,,INOUT,PSIZE_T,RegionSize,0x13f86c,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x4,,,OUT,PULONG,OldProtect,0x6119c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x13f478,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f370,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0xc,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f4a4,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x13f434,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x800000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b85c0,test.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySection,5,IN,HANDLE,SectionHandle,0xc,,,IN,SECTION_INFORMATION_CLASS,SectionInformationClass,0x2,,,OUT,PVOID,SectionInformation,0x13f41c,,,IN,SIZE_T,SectionInformationLength,0x4,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x13f864,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f868,,,INOUT,PSIZE_T,RegionSize,0x13f86c,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x4,,,OUT,PULONG,OldProtect,0x611bfc,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x611be8,,,INOUT,PSIZE_T,RegionSize,0x611bec,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x2,,,OUT,PULONG,OldProtect,0x13f73c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394f044,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f064,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f034,,,IN,PCLIENT_ID,ClientId,0x394f04c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f084,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x6119b0,,,INOUT,PSIZE_T,RegionSize,0x6119b4,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x2,,,OUT,PULONG,OldProtect,0x13f73c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f084,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtApphelpCacheControl,2,IN,APPHELPCOMMAND,type,0x9,,,IN,PVOID,buf,0x13f7c0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f0a0,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f09c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394f014,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f020,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0xed1b85c0,test.exe,1,Ahca,PagedPool,30
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtApphelpCacheControl,2,IN,APPHELPCOMMAND,type,0x9,,,IN,PVOID,buf,0x13f7d0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
poolmon,0,0xed1b85c0,test.exe,1,Ahca,PagedPool,26
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x32,,,OUT,PVOID,SystemInformation,0x13f584,,,IN,ULONG,SystemInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x13f4e0,,,IN,ACCESS_MASK,DesiredAccess,0x4,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f47c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtCreateSection,7,OUT,PHANDLE,SectionHandle,0x13f4d4,,,IN,ACCESS_MASK,DesiredAccess,0xf001f,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PLARGE_INTEGER,MaximumSize,0x13f4c0,,,IN,ULONG,SectionPageProtection,0x4,,,IN,ULONG,AllocationAttributes,0x8000000,,,IN,HANDLE,FileHandle,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b85c0,test.exe,1,MmCa,unknown_pool_type,128,nt!mm,Mm control areas for mapped files
poolmon,0,0xed1b85c0,test.exe,1,MSeg,PagedPool,48
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b85c0,test.exe,1,MmSt,unknown_pool_type,128,nt!mm,Mm section object prototype ptes
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
objmon,0,0xed1b85c0,test.exe,1,Sect
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b85c0,test.exe,1,Sect,PagedPool,80,<unknown>,Section objects
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtConnectPort,8,OUT,PHANDLE,PortHandle,0x771c8a6c,,,IN,PUNICODE_STRING,PortName,0x771c8a50,\Sessions\1\Windows\ApiPort,,IN,PSECURITY_QUALITY_OF_SERVICE,SecurityQos,0x13f530,,,INOUT,PPORT_VIEW,ClientView,0x13f4a0,,,INOUT,PREMOTE_PORT_VIEW,ServerView,0x13f494,,,OUT,PULONG,MaxMessageLength,0x13f478,,,INOUT,PVOID,ConnectionInformation,0x13f514,,,INOUT,PULONG,ConnectionInformationLength,0x13f4b8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtSecureConnectPort,9,OUT,PHANDLE,PortHandle,0x771c8a6c,,,IN,PUNICODE_STRING,PortName,0x771c8a50,\Sessions\1\Windows\ApiPort,,IN,PSECURITY_QUALITY_OF_SERVICE,SecurityQos,0x13f530,,,INOUT,PPORT_VIEW,ClientView,0x13f4a0,,,IN,PSID,RequiredServerSid,0x0,,,INOUT,PREMOTE_PORT_VIEW,ServerView,0x13f494,,,OUT,PULONG,MaxMessageLength,0x13f478,,,INOUT,PVOID,ConnectionInformation,0x13f514,,,INOUT,PULONG,ConnectionInformationLength,0x13f4b8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x638,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x684,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x530,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x684,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x52c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x634,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x0,,,OUT,PVOID,ProcessInformation,0x394eff4,,,IN,ULONG,ProcessInformationLength,0x18,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x394f014,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efe4,,,IN,PCLIENT_ID,ClientId,0x394effc,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x634,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394f034,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394f034,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x684,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x518,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394f050,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394f04c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x394efc4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394efd0,,,IN,BOOLEAN,InitialOwner,0x0,,
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x684,,,OUT,PLONG,PreviousState,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,100,nt!se,Captured Security Descriptor
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x634,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x223f9e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,190,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,88,<unknown>,Mutant objects
syscall,0 0xed1b82e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x638,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x227f7cc,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,212,nt!ob,object names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,174,nt!ob,object names
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x10,,,OUT,PVOID,ThreadInformation,0x453f954,,,IN,ULONG,ThreadInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x2c4,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2d4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xc,,,OUT,PVOID,ThreadInformation,0x453fa5c,,,IN,ULONG,ThreadInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x453f830,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtTerminateThread,2,IN,HANDLE,ThreadHandle,0x0,,,IN,NTSTATUS,ExitStatus,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b8060,csrss.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x9c,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x78f8d0,,,INOUT,PULONG,BufferLength,0x78f9c0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x78f9ec,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e169b44,,,INOUT,PSIZE_T,RegionSize,0x9e169b48,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,108,nt!se,Security Descriptor
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObSc,PagedPool,124,nt!ob,Object security descriptor cache block
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x518,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2e4,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0x1c0f8c4,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1c0f814,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x15f0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x520,\Users\windows\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f0c8,,,OUT,PVOID,FileInformation,0x394f0d0,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1fd0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x52c,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xc,,,OUT,PVOID,ThreadInformation,0x1c0f8f4,,,IN,ULONG,ThreadInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x534,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0xf9fb18,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669aa8,,,INOUT,PSIZE_T,RegionSize,0x9d669aa0,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x178,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,88,<unknown>,Gdi Xlate
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0xf9fa3c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669bc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9d669bfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x135874c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,88,<unknown>,Gdi Xlate
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x1490,,,OUT,PLONG,PreviousCount,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669aa8,,,INOUT,PSIZE_T,RegionSize,0x9d669aa0,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669bc8,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9d669bfc,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x6eb0b068,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0xd24,,,OUT,PLONG,PreviousCount,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Uscu,unknown_pool_type,100,win32k!_CreateEmptyCursorObject,CURSOR
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,40,<unknown>,Gdi temporary allocations
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtTerminateThread,2,IN,HANDLE,ThreadHandle,0x0,,,IN,NTSTATUS,ExitStatus,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,0 0xed1b8060,csrss.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x9c,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x62fc5c,,,INOUT,PULONG,BufferLength,0x62fd4c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x62fd78,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0xaa3d0b44,,,INOUT,PSIZE_T,RegionSize,0xaa3d0b48,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xac,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Gh15,unknown_pool_type,1400
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9d669aa8,,,INOUT,PSIZE_T,RegionSize,0x9d669aa0,,,IN,ULONG,FreeType,0x8000,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x4928a80,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x31f874,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x4928a80,,,INOUT,PULONG,BufferLength,0xfefa8,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x31f874,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x394ee8c,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb12500,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,OUT,PVOID,ProcessInformation,0x394f4b8,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,IN,PVOID,ProcessInformation,0x394f4c8,,,IN,ULONG,ProcessInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
filetracer,1,0xed1b82c0,Taskmgr.exe,1,NtQueryAttributesFile,\??\C:\Users\windows\Desktop\test.exe
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f030,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x394f048,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
objmon,1,0xed1b82c0,Taskmgr.exe,1,File
poolmon,1,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xac,,,OUT,PLONG,PreviousState,0x0,,
filetracer,1,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\C:\Users\windows\Desktop\test.exe
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394f234,,,IN,ACCESS_MASK,DesiredAccess,0x80100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394f268,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394f240,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x5,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x20060,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x5e8,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xff560,,,IN,ULONG,TimerSetInformationLength,0x20,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,File
poolmon,1,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8200,svchost.exe,0,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x2,,,OUT,PVOID,SystemInformation,0x3c7fc18,,,IN,ULONG,SystemInformationLength,0x158,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0x1a5000,System,-1,IoUs,unknown_pool_type,16,nt!io,I/O SubSystem completion Context Allocation
filetracer,1,0xed1b81e0,svchost.exe,0,NtCreateFile,\??\PhysicalDrive0
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x3c7fa24,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3c7fa58,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3c7fa30,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x60,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
poolmon,1,0xed1b81e0,svchost.exe,0,ObNm,PagedPool,248,nt!ob,object names
objmon,1,0xed1b81e0,svchost.exe,0,File
poolmon,1,0xed1b81e0,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b81e0,svchost.exe,0,ScLF,unknown_pool_type,32,classpnp.sys,File Object Extension
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x870,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3c7fa84,,,IN,ULONG,IoControlCode,0x70224,,,IN,PVOID,InputBuffer,0x3c7fb08,,,IN,ULONG,InputBufferLength,0x8,,,OUT,PVOID,OutputBuffer,0x3c7fb10,,,IN,ULONG,OutputBufferLength,0x58,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,1,0xed1b81e0,svchost.exe,0,Io ,unknown_pool_type,92,nt!io,general IO allocations
poolmon,0,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,222,fltmgr.sys,NAME_CACHE_NODE structure
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x870,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,222,fltmgr.sys,NAME_CACHE_NODE structure
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x4f,,,OUT,PVOID,SystemInformation,0x3c7fd34,,,IN,ULONG,SystemInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MPCp,PagedPool,108
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateSection,7,OUT,PHANDLE,SectionHandle,0x394f360,,,IN,ACCESS_MASK,DesiredAccess,0x5,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PLARGE_INTEGER,MaximumSize,0x0,,,IN,ULONG,SectionPageProtection,0x2,,,IN,ULONG,AllocationAttributes,0x11000000,,,IN,HANDLE,FileHandle,0x510,\Users\windows\Desktop\test.exe,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xc40,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3c7fd34,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Sect
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Sect,PagedPool,80,<unknown>,Section objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0x304,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x394f370,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x394f35c,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x0,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x2,,
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0xff5b0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
syscall,1 0xed1b8140,ngen.exe,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x158,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8140,ngen.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x154,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1b4a208,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x1125fac,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1b4a208,,,INOUT,PULONG,BufferLength,0x1b3f358,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x1125fac,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,OUT,PVOID,ProcessInformation,0x394f4b8,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb16920,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,IN,PVOID,ProcessInformation,0x394f4c8,,,IN,ULONG,ProcessInformationLength,0x4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryDefaultLocale,2,IN,BOOLEAN,UserProfile,0x1,,,OUT,PLCID,DefaultLocaleId,0x394f044,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryDefaultLocale,2,IN,BOOLEAN,UserProfile,0x0,,,OUT,PLCID,DefaultLocaleId,0x394f054,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtUnmapViewOfSection,2,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x4710000,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtUnmapViewOfSectionEx
syscall,1 0xed1b8140,ngen.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x158,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x394e904,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8140,ngen.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x1c0,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0x1b3fc78,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtQueryFullAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x463f088,,,OUT,PFILE_NETWORK_OPEN_INFORMATION,FileInformation,0x463f0b8,,
poolmon,0,0xed1b8520,ngentask.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
objmon,0,0xed1b8520,ngentask.exe,0,File
poolmon,0,0xed1b8520,ngentask.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8520,ngentask.exe,0,NtFA,unknown_pool_type,232,ntfs.sys,AttrSup.c
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b8520,ngentask.exe,0,ntoskrnl.exe,NtDelayExecution,2,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,DelayInterval,0x463f0c4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x394e38c,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x394e2f4,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\??\C:
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x394e514,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e4f0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394e4e8,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,OpenOptions,0x10,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x510,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394e490,,,IN,ULONG,IoControlCode,0x4d0008,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x394e520,,,IN,ULONG,OutputBufferLength,0x208,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,524,nt!io,general IO allocations
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8140,ngen.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0x1b3fcc8,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\MountPointManager
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394e404,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e438,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394e410,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x80,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x20060,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8440,dasHost.exe,0,ntoskrnl.exe,NtDelayExecution,2,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,DelayInterval,0x1c8fa48,,
syscall,1 0xed1b8380,wmpnetwk.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1b5fe28,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x510,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394e490,,,IN,ULONG,IoControlCode,0x6d0008,,,IN,PVOID,InputBuffer,0x40fc338,,,IN,ULONG,InputBufferLength,0x46,,,OUT,PVOID,OutputBuffer,0x40c2448,,,IN,ULONG,OutputBufferLength,0x20,,
syscall,1 0xed1b8380,wmpnetwk.exe,0,ntoskrnl.exe,NtDelayExecution,2,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,DelayInterval,0x1b5fdd8,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,74,nt!io,general IO allocations
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,48
filetracer,0,0xed1b82c0,Taskmgr.exe,1,ZwOpenFile,\Device\HarddiskVolume2
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWaitForAlertByThreadId
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\Device\HarddiskVolume2
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9d669968,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9d669978,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d669970,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3f4,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtCreateTimer,4,OUT,PHANDLE,TimerHandle,0x12bf8b4,,,IN,ACCESS_MASK,DesiredAccess,0x100002,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,TIMER_TYPE,TimerType,0x1,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
objmon,1,0xed1b8400,SearchProtocol,0,Time
poolmon,1,0xed1b8400,SearchProtocol,0,Time,unknown_pool_type,224,nt!ke,Timer objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,4
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,4,nt!io,general IO allocations
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x3f4,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0x12bf8ac,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,1 0xed1b8400,SearchProtocol,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x12bf8fc,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,50
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,50,nt!io,general IO allocations
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,48
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xac,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x510,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394e490,,,IN,ULONG,IoControlCode,0x6d0008,,,IN,PVOID,InputBuffer,0x40fc338,,,IN,ULONG,InputBufferLength,0x46,,,OUT,PVOID,OutputBuffer,0x40bacb0,,,IN,ULONG,OutputBufferLength,0xee,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x31d39a8,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x9bf0cc,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x31d39a8,,,INOUT,PULONG,BufferLength,0x201f2f8,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x9bf0cc,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,242,nt!io,general IO allocations
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,48
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb13608,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,ZwOpenFile,\Device\HarddiskVolume2
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\Device\HarddiskVolume2
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9d669968,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9d669978,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d669970,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x800004f8,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,4
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,4,nt!io,general IO allocations
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,50
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xac,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,50,nt!io,general IO allocations
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x830,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0x201f804,,,IN,ULONG,TimerSetInformationLength,0x20,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MntA,PagedPool,48
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0x201f854,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394e4fc,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e3d8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMci,PagedPool,20
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x54c,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x348,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1424630,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x587cdc,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1424630,,,INOUT,PULONG,BufferLength,0xd6f508,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x587cdc,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
poolmon,1,0xed1b8100,svchost.exe,0,AlSe,PagedPool,104,nt!alpc,ALPC client security
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb16920,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394e734,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e5fc,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x54c,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x65c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xd6f9f4,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0xd6fa44,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x304,,,IN,PUNICODE_STRING,ValueName,0x394e690,Data,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394e5d0,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394e5ac,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,12
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtAlpcDeleteSecurityContext,3,IN,HANDLE,PortHandle,0x4e0,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,ContextHandle,0x11,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x130,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x12c,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x396c1f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xeda2dc,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x396c1f0,,,INOUT,PULONG,BufferLength,0x644f3b8,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xeda2dc,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x304,,,IN,PUNICODE_STRING,ValueName,0x394e690,Data,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x11a6590,,,IN,ULONG,Length,0x562,,,OUT,PULONG,ResultLength,0x394e5ac,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb13608,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,12
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateData
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394e4fc,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e3d8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Key
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x374,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateData
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x374,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x50,,,OUT,PVOID,SystemInformation,0x2bef8f8,,,IN,ULONG,SystemInformationLength,0x58,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x429ac00,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3e8,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3e8,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa64,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x2bef93c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x37c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x3c0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394e734,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e5fc,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Key
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtDelayExecution,2,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,DelayInterval,0x20ef8d8,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x130,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x88c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0x644f898,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x514,,,IN,PUNICODE_STRING,ValueName,0x394e690,Generation,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394e5d0,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394e5ac,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,24
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtDelayExecution,2,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,DelayInterval,0x29bf9c8,,
syscall,0 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0x644f8e8,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xac,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1afbf0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xef1b4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1afbf0,,,INOUT,PULONG,BufferLength,0xf0f448,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xef1b4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb14710,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x394e718,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x394e718,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x514,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x11d9d18,,,IN,ULONG,TokenInformationLength,0x800,,,OUT,PULONG,ReturnLength,0x394e6f8,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x28,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x394e7dc,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x3a0ed10,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3a0ec08,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394e594,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e470,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0x510,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x3a0ed3c,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x3a0eccc,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x800000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
objmon,1,0xed1b82c0,Taskmgr.exe,1,Key
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySection,5,IN,HANDLE,SectionHandle,0x510,,,IN,SECTION_INFORMATION_CLASS,SectionInformationClass,0x2,,,OUT,PVOID,SectionInformation,0x3a0ecb4,,,IN,SIZE_T,SectionInformationLength,0x4,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x510,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x3a0f034,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394e7cc,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394e694,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x3a0f038,,,INOUT,PSIZE_T,RegionSize,0x3a0f03c,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x4,,,OUT,PULONG,OldProtect,0x767e294,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x767e280,,,INOUT,PSIZE_T,RegionSize,0x767e284,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x2,,,OUT,PULONG,OldProtect,0x3a0ef0c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x514,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtApphelpCacheControl,2,IN,APPHELPCOMMAND,type,0x9,,,IN,PVOID,buf,0x3a0efa0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Ahca,PagedPool,26
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x304,,,IN,PUNICODE_STRING,ValueName,0x394e728,Generation,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394e668,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394e644,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtTraceControl,6,IN,ULONG,FunctionCode,0xf,,,IN,PVOID,InBuffer,0x3a0ede0,,,IN,ULONG,InBufferLen,0xa0,,,OUT,PVOID,OutBuffer,0x3a0ede0,,,IN,ULONG,OutBufferLen,0xa0,,,OUT,PULONG,ReturnLength,0x3a0edd4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,24
poolmon,0,0xed1b82c0,Taskmgr.exe,1,EtwP,unknown_pool_type,164,nt!etw,Etw Pool
objmon,0,0xed1b82c0,Taskmgr.exe,1,EtwR
poolmon,0,0xed1b82c0,Taskmgr.exe,1,EtwR,unknown_pool_type,88,nt!etw,Etw Registration
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtTraceControl,6,IN,ULONG,FunctionCode,0xf,,,IN,PVOID,InBuffer,0x3a0ee08,,,IN,ULONG,InBufferLen,0xa0,,,OUT,PVOID,OutBuffer,0x3a0ee08,,,IN,ULONG,OutBufferLen,0xa0,,,OUT,PULONG,ReturnLength,0x3a0edfc,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,EtwP,unknown_pool_type,164,nt!etw,Etw Pool
objmon,0,0xed1b82c0,Taskmgr.exe,1,EtwR
poolmon,0,0xed1b82c0,Taskmgr.exe,1,EtwR,unknown_pool_type,88,nt!etw,Etw Registration
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d454,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d324,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,144,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3d6cb40,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x3a0ed68,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x37c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c0,,
poolmon,1,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,1,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d454,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d324,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\C:\
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394d64c,,,IN,ACCESS_MASK,DesiredAccess,0x100081,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d680,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394d658,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x24020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3a0ec2c,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3a0eab4,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,248,nt!ob,object names
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
objmon,1,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394d6fc,,,OUT,PVOID,FileInformation,0x394d748,,,IN,ULONG,Length,0x74,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x37,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,120,nt!io,general IO allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryDirectoryFile,11,IN,HANDLE,FileHandle,0x4e4,\,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394daa8,,,OUT,PVOID,FileInformation,0x394dd58,,,IN,ULONG,Length,0x278,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x25,,,IN,BOOLEAN,ReturnSingleEntry,0x7f8bb001,,,IN,PUNICODE_STRING,FileName,0x394d740,Users,,IN,BOOLEAN,RestartScan,0x1,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x304,,,IN,PUNICODE_STRING,ValueName,0x3a0ec08,SourcePath,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x3a0ec34,,,IN,ULONG,Length,0x10,,,OUT,PULONG,ResultLength,0x3a0ec04,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,22,nt!io,general IO allocations
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,24
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFd,unknown_pool_type,76,ntfs.sys,DirCtrl.c
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFI,unknown_pool_type,112,ntfs.sys,IndexSup.c
syscall,0 0xed1b8460,taskhost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x3d9f8b0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\C:\Users\desktop.ini
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394c184,,,IN,ACCESS_MASK,DesiredAccess,0x80100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394c1b8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394c190,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x20064,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3a0eb38,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3a0ea04,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,196,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,0,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,196,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MPCp,PagedPool,82
objmon,1,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\Users\desktop.ini,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394c220,,,OUT,PVOID,FileInformation,0x394c228,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReadFile,9,IN,HANDLE,FileHandle,0x4e4,\Users\desktop.ini,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394c21c,,,OUT,PVOID,Buffer,0x7771c88,,,IN,ULONG,Length,0xb0,,,IN,PLARGE_INTEGER,ByteOffset,0x0,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x304,,,IN,PUNICODE_STRING,ValueName,0x3a0eac8,DevicePath,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x3a0ea08,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x3a0e9e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\Users\desktop.ini,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394c234,,,OUT,PVOID,FileInformation,0x394c280,,,IN,ULONG,Length,0x28,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,24
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtTraceEvent,4,IN,HANDLE,TraceHandle,0xd0,,,IN,ULONG,Flags,0x300,,,IN,ULONG,FieldSize,0x70,,,IN,PVOID,Fields,0x394c1f0,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\C:\Users
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394c804,,,IN,ACCESS_MASK,DesiredAccess,0x100081,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394c838,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394c810,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x24020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x304,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\Users,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394c8b4,,,OUT,PVOID,FileInformation,0x394c900,,,IN,ULONG,Length,0x74,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x37,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,120,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x3a0eb5c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7519e500,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Even
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryDirectoryFile,11,IN,HANDLE,FileHandle,0x4e4,\Users,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394cc60,,,OUT,PVOID,FileInformation,0x394cf10,,,IN,ULONG,Length,0x278,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x25,,,IN,BOOLEAN,ReturnSingleEntry,0x7f8bb001,,,IN,PUNICODE_STRING,FileName,0x394c8f8,windows,,IN,BOOLEAN,RestartScan,0x1,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,26,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x3a0eb64,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,BOOLEAN,InitialOwner,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFd,unknown_pool_type,80,ntfs.sys,DirCtrl.c
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFI,unknown_pool_type,112,ntfs.sys,IndexSup.c
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,72,<unknown>,Mutant objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x3a0eb5c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7519e500,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\C:\Users\windows
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394b9bc,,,IN,ACCESS_MASK,DesiredAccess,0x100081,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394b9f0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394b9c8,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x24020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Even
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x3a0eb64,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Muta
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\Users\windows,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394ba6c,,,OUT,PVOID,FileInformation,0x394bab8,,,IN,ULONG,Length,0x74,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x37,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Muta,unknown_pool_type,72,<unknown>,Mutant objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,120,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x0,,,OUT,PVOID,SystemInformation,0x3a0eb88,,,IN,ULONG,SystemInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryDirectoryFile,11,IN,HANDLE,FileHandle,0x4e4,\Users\windows,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394be18,,,OUT,PVOID,FileInformation,0x394c0c8,,,IN,ULONG,Length,0x278,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x25,,,IN,BOOLEAN,ReturnSingleEntry,0x7f8bb001,,,IN,PUNICODE_STRING,FileName,0x394bab0,Desktop,,IN,BOOLEAN,RestartScan,0x1,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x1,,,OUT,PVOID,SystemInformation,0x3a0ebb4,,,IN,ULONG,SystemInformationLength,0xc,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,26,nt!io,general IO allocations
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x25,,,OUT,PVOID,ProcessInformation,0x3a0eb30,,,IN,ULONG,ProcessInformationLength,0x30,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFd,unknown_pool_type,80,ntfs.sys,DirCtrl.c
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,BOOLEAN,OpenAsSelf,0x0,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x3a0ee40,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0xa,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x3a0ee58,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFI,unknown_pool_type,112,ntfs.sys,IndexSup.c
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDuplicateToken,6,IN,HANDLE,ExistingTokenHandle,0x568,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3a0ee70,,,IN,BOOLEAN,EffectiveOnly,0x0,,,IN,TOKEN_TYPE,TokenType,0x2,,,OUT,PHANDLE,NewTokenHandle,0x3a0ee40,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAt,PagedPool,24
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\C:\Users\windows\Desktop\desktop.ini
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394a4dc,,,IN,ACCESS_MASK,DesiredAccess,0x80100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394a510,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394a4e8,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x20064,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeTl,unknown_pool_type,56
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
objmon,1,0xed1b82c0,Taskmgr.exe,1,Toke
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Toke,PagedPool,1196,nt!se,Token objects
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeTd,PagedPool,108,nt!se,Security Token dynamic part
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,180,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,228,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b82c0,Taskmgr.exe,1,FMfn,PagedPool,228,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,1,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,0,0xed1b82c0,Taskmgr.exe,1,MPCp,PagedPool,114
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xac,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\Users\windows\Desktop\desktop.ini,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394a574,,,OUT,PVOID,FileInformation,0x394a57c,,,IN,ULONG,Length,0x18,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x5,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x168,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xf0f978,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtReadFile,9,IN,HANDLE,FileHandle,0x4e4,\Users\windows\Desktop\desktop.ini,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394a570,,,OUT,PVOID,Buffer,0x11a4098,,,IN,ULONG,Length,0x11c,,,IN,PLARGE_INTEGER,ByteOffset,0x0,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0xf0f9c8,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\Users\windows\Desktop\desktop.ini,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394a588,,,OUT,PVOID,FileInformation,0x394a5d4,,,IN,ULONG,Length,0x28,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x7b,,,OUT,PVOID,SystemInformation,0x1d9ecfc,,,IN,ULONG,SystemInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x1,,,OUT,PVOID,ProcessInformation,0x1d9ecb0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtTraceEvent,4,IN,HANDLE,TraceHandle,0xd0,,,IN,ULONG,Flags,0x300,,,IN,ULONG,FieldSize,0x70,,,IN,PVOID,Fields,0x394a4c0,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x3,,,OUT,PVOID,ProcessInformation,0x1d9ecd0,,,IN,ULONG,ProcessInformationLength,0x2c,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,0,0xed1b82c0,Taskmgr.exe,1,NtCreateFile,\??\C:\Users\windows\Desktop
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x394ab74,,,IN,ACCESS_MASK,DesiredAccess,0x100081,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394aba8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394ab80,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x24020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d9e334,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,File
poolmon,0,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d9e334,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d9e334,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x4e4,\Users\windows\Desktop,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394ac24,,,OUT,PVOID,FileInformation,0x394ac70,,,IN,ULONG,Length,0x74,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x37,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d9e334,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,120,nt!io,general IO allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryDirectoryFile,11,IN,HANDLE,FileHandle,0x4e4,\Users\windows\Desktop,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x394afd0,,,OUT,PVOID,FileInformation,0x394b280,,,IN,ULONG,Length,0x278,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x25,,,IN,BOOLEAN,ReturnSingleEntry,0x7f8bb001,,,IN,PUNICODE_STRING,FileName,0x394ac68,test.exe,,IN,BOOLEAN,RestartScan,0x1,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xec,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d9e334,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFd,unknown_pool_type,82,ntfs.sys,DirCtrl.c
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x218,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,NtFI,unknown_pool_type,120,ntfs.sys,IndexSup.c
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x300,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0x1d9edac,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,1 0xed1b82a0,SearchIndexer.,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1d9edfc,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d9ed94,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x230,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8380,wmpnetwk.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8380,wmpnetwk.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8380,wmpnetwk.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x3c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x127f924,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x175ed94,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175ed94,,
syscall,0 0xed1b8380,wmpnetwk.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x3c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x127f928,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1d,,,OUT,PVOID,TokenInformation,0x175edac,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x175ed90,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7d0,,
syscall,0 0xed1b8380,wmpnetwk.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x3c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x992350,,
filetracer,1,0xed1b8320,svchost.exe,0,NtOpenDirectoryObject,\RPC Control
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenDirectoryObject,3,OUT,PHANDLE,DirectoryHandle,0x175f254,,,IN,ACCESS_MASK,DesiredAccess,0x20001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x175f21c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0x7d0,,,IN,SECURITY_INFORMATION,SecurityInformation,0x17,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x0,,,IN,ULONG,Length,0x0,,,OUT,PULONG,LengthNeeded,0x175f250,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0x7d0,,,IN,SECURITY_INFORMATION,SecurityInformation,0x17,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x1279490,,,IN,ULONG,Length,0xe8,,,OUT,PULONG,LengthNeeded,0x175f250,,
syscall,0 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175f258,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175f258,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x175f258,,
syscall,0 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175f258,,
syscall,0 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0xa,,,OUT,PVOID,TokenInformation,0x175f0a8,,,IN,ULONG,TokenInformationLength,0x38,,,OUT,PULONG,ReturnLength,0x175f004,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ef28,,
syscall,0 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xdefd2c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x1fce98,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175ef28,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ef24,,
syscall,0 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x674,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x124bd80,,,IN,ULONG,TokenInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x175ef24,,
syscall,1 0xed1b80e0,lsass.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x48c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12cf948,,,INOUT,PULONG,BufferLength,0xdaf648,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xdaf65c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ef20,,
syscall,1 0xed1b80e0,lsass.exe,0,ntoskrnl.exe,NtAlpcQueryInformation,5,IN,HANDLE,PortHandle,0x958,,,IN,ALPC_PORT_INFORMATION_CLASS,PortInformationClass,0x0,,,OUT,PVOID,PortInformation,0xdaf5b4,,,IN,ULONG,Length,0xc,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b80e0,lsass.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x958,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x1fcec8,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175ef20,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ef1c,,
syscall,1 0xed1b80e0,lsass.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x78,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb45a10,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x12a8448,,,IN,ULONG,TokenInformationLength,0x144,,,OUT,PULONG,ReturnLength,0x175ef1c,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffc,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175eeb0,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175ee60,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175ee68,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175ee5c,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0xa,,,OUT,PVOID,TokenInformation,0x175ee18,,,IN,ULONG,TokenInformationLength,0x38,,,OUT,PULONG,ReturnLength,0x175ed74,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xdefd30,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ec98,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x1fcf58,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175ec98,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x52f0a0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ec94,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x124ba00,,,IN,ULONG,TokenInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x175ec94,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ec90,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x1fcee0,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175ec90,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ec8c,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x12a7428,,,IN,ULONG,TokenInformationLength,0x144,,,OUT,PULONG,ReturnLength,0x175ec8c,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffc,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175ec20,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175ebd0,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x654,\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x23ce738,,,IN,ULONG,Length,0x200,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175ebd8,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175ebcc,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7d0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x81c,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x654,\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x23cf3f0,,,IN,ULONG,Length,0x480,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x175ec6c,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175ec6c,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x81c,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1d,,,OUT,PVOID,TokenInformation,0x175ec84,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x175ec68,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x494,\Windows\System32\winevt\Logs\Microsoft-Windows-HomeGroup Provider Service%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x237d330,,,IN,ULONG,Length,0x200,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x81c,,
filetracer,0,0xed1b8320,svchost.exe,0,NtOpenDirectoryObject,\RPC Control
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenDirectoryObject,3,OUT,PHANDLE,DirectoryHandle,0x175f12c,,,IN,ACCESS_MASK,DesiredAccess,0x20001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x175f0f4,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x494,\Windows\System32\winevt\Logs\Microsoft-Windows-HomeGroup Provider Service%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x2380e68,,,IN,ULONG,Length,0x390,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0x81c,,,IN,SECURITY_INFORMATION,SecurityInformation,0x17,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x0,,,IN,ULONG,Length,0x0,,,OUT,PULONG,LengthNeeded,0x175f128,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0x81c,,,IN,SECURITY_INFORMATION,SecurityInformation,0x17,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x1279490,,,IN,ULONG,Length,0xe8,,,OUT,PULONG,LengthNeeded,0x175f128,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175f130,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175f130,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x9ac,\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x3045050,,,IN,ULONG,Length,0x200,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x175f130,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175f130,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x9ac,\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x304c7e8,,,IN,ULONG,Length,0x558,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0xa,,,OUT,PVOID,TokenInformation,0x175ef80,,,IN,ULONG,TokenInformationLength,0x38,,,OUT,PULONG,ReturnLength,0x175eedc,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ee00,,
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x788,\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x3087d30,,,IN,ULONG,Length,0x200,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x788,\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x308a408,,,IN,ULONG,Length,0x780,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCancelWaitCompletionPacket
syscall,0 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x798,\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x1ca00a8,,,IN,ULONG,Length,0x200,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x798,\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x1ca3700,,,IN,ULONG,Length,0xaa0,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1e4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x330f698,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x328,\Windows\System32\winevt\Logs\Security.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x2244940,,,IN,ULONG,Length,0x200,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x30,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x671c50,,
syscall,0 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x328,\Windows\System32\winevt\Logs\Security.evtx,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x188faa4,,,IN,PVOID,Buffer,0x224d978,,,IN,ULONG,Length,0x2800,,,IN,PLARGE_INTEGER,ByteOffset,0x188faac,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x23e6008,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x21c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x33b240,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f4,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f430,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xfc,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f430,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xfc,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89df748,,,INOUT,PULONG,BufferLength,0x89df73c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760db8,,,IN,PLARGE_INTEGER,Timeout,0x89df740,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89df748,,,INOUT,PULONG,BufferLength,0x89df73c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760db8,,,IN,PLARGE_INTEGER,Timeout,0x89df740,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa10,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x89dfa70,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89dfa70,,,INOUT,PULONG,BufferLength,0x89df9fc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89dfa00,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xfc,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f588,,,INOUT,PULONG,BufferLength,0x1d6f57c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760db8,,,IN,PLARGE_INTEGER,Timeout,0x1d6f580,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xfc,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f588,,,INOUT,PULONG,BufferLength,0x1d6f57c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760db8,,,IN,PLARGE_INTEGER,Timeout,0x1d6f580,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xbc0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f4,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1d6f8b0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f8b0,,,INOUT,PULONG,BufferLength,0x1d6f83c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f840,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x89dfbac,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x89dfbac,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x89dfa60,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89dfa60,,,INOUT,PULONG,BufferLength,0x89df9e4,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df9e8,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9ec,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9ec,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f4,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1d6f8a0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f8a0,,,INOUT,PULONG,BufferLength,0x1d6f824,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f828,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x89df904,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x89df900,,
syscall,0 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
objmon,1,0xed1b8540,explorer.exe,1,Even
syscall,0 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x2f9168,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xbb56a18,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x1d6f744,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x1d6f700,,
poolmon,1,0xed1b8540,explorer.exe,1,AlHd,PagedPool,56
objmon,0,0xed1b8540,explorer.exe,1,Even
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89df748,,,INOUT,PULONG,BufferLength,0x89df73c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xbbb2b80,,,IN,PLARGE_INTEGER,Timeout,0x89df740,,
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0xbb6d730,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xbb56a60,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xa08,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df90c,,
poolmon,0,0xed1b8540,explorer.exe,1,AlHd,PagedPool,56
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f588,,,INOUT,PULONG,BufferLength,0x1d6f57c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760b50,,,IN,PLARGE_INTEGER,Timeout,0x1d6f580,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x89df88c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89df83c,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xbc0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f74c,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f4,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1d6f6cc,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f67c,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xfc,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xfc,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89df748,,,INOUT,PULONG,BufferLength,0x89df73c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xbbb2790,,,IN,PLARGE_INTEGER,Timeout,0x89df740,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89df748,,,INOUT,PULONG,BufferLength,0x89df73c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xbbb2790,,,IN,PLARGE_INTEGER,Timeout,0x89df740,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa08,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x81c,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x89dfa70,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x89dfa70,,,INOUT,PULONG,BufferLength,0x89df9fc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x89dfa00,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xfc,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xfc,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f588,,,INOUT,PULONG,BufferLength,0x1d6f57c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760b50,,,IN,PLARGE_INTEGER,Timeout,0x1d6f580,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f588,,,INOUT,PULONG,BufferLength,0x1d6f57c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xb760b50,,,IN,PLARGE_INTEGER,Timeout,0x1d6f580,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f4,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xbc0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa14,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1d6f8b0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1d6f8b0,,,INOUT,PULONG,BufferLength,0x1d6f83c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1d6f840,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x89dfbac,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x89dfca8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x1dee7f0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0xe01338,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x89dfc5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f9ec,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f838,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xe5f420,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,Usty,unknown_pool_type,552,win32k!NtUserResolveDesktopForWOW,TEXT2
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1162e0,,
poolmon,0,0xed1b8540,explorer.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e189f08,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9e189f3c,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1162e0,,
poolmon,0,0xed1b8540,explorer.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,0,0xed1b8540,explorer.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,0,0xed1b8540,explorer.exe,1,Usty,unknown_pool_type,552,win32k!NtUserResolveDesktopForWOW,TEXT2
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x3e4,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0xb6fcb0,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x5a0168,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x114ece8,,
poolmon,0,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryObject,5,IN,HANDLE,Handle,0x14cc,,,IN,OBJECT_INFORMATION_CLASS,ObjectInformationClass,0x1,,,OUT,PVOID,ObjectInformation,0x5dfa020,,,IN,ULONG,ObjectInformationLength,0x210,,,OUT,PULONG,ReturnLength,0x1ff494,,
poolmon,1,0xed1b8200,svchost.exe,0,Io ,PagedPool,528,nt!io,general IO allocations
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x14cc,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1ff480,,,OUT,PVOID,FileInformation,0x5df99a8,,,IN,ULONG,Length,0x210,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x9,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,532,nt!io,general IO allocations
poolmon,0,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
filetracer,1,0xed1b8200,svchost.exe,0,NtCreateFile,\??\MountPointManager
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x1ff394,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1ff3c8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1ff3a0,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x80,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x60,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,1,0xed1b8200,svchost.exe,0,File
poolmon,1,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x17bc,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1ff420,,,IN,ULONG,IoControlCode,0x6d0030,,,IN,PVOID,InputBuffer,0x4a2c838,,,IN,ULONG,InputBufferLength,0x32,,,OUT,PVOID,OutputBuffer,0x5df9bd8,,,IN,ULONG,OutputBufferLength,0x210,,
poolmon,1,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,532,nt!io,general IO allocations
poolmon,0,0xed1b8540,explorer.exe,1,Geto,unknown_pool_type,796
filetracer,1,0xed1b8200,svchost.exe,0,ZwOpenFile,\Device\HarddiskVolume2
filetracer,1,0xed1b8200,svchost.exe,0,NtOpenFile,\Device\HarddiskVolume2
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x921e8998,,,IN,ACCESS_MASK,DesiredAccess,0x80,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x921e89a8,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x921e89a0,,,IN,ULONG,ShareAccess,0x0,,,IN,ULONG,OpenOptions,0x40,,
poolmon,0,0xed1b8540,explorer.exe,1,Geto,unknown_pool_type,796
objmon,1,0xed1b8200,svchost.exe,0,File
poolmon,1,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x80000564,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e189de8,,,INOUT,PSIZE_T,RegionSize,0x9e189de0,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b8200,svchost.exe,0,MntA,PagedPool,4
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fafc,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,4,nt!io,general IO allocations
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8200,svchost.exe,0,MntA,PagedPool,50
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e189de8,,,INOUT,PSIZE_T,RegionSize,0x9e189de0,,,IN,ULONG,FreeType,0x8000,,
poolmon,1,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,50,nt!io,general IO allocations
poolmon,0,0xed1b8540,explorer.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e189f08,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9e189f3c,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b8200,svchost.exe,0,MntA,PagedPool,48
poolmon,0,0xed1b8540,explorer.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,1,0xed1b8200,svchost.exe,0,MntA,PagedPool,4
poolmon,0,0xed1b8540,explorer.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x17bc,,
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x14cc,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1ff480,,,OUT,PVOID,FileInformation,0x5df9df8,,,IN,ULONG,Length,0x210,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x30,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,532,nt!io,general IO allocations
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,NtFs,unknown_pool_type,56,ntfs.sys,StrucSup.c
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,NtFs,unknown_pool_type,120,ntfs.sys,StrucSup.c
poolmon,0,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x1ff084,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,1,0xed1b8200,svchost.exe,0,NtQueryAttributesFile,\??\C:\Users\windows\Desktop\test.exe
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1ff470,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x1ff490,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
objmon,1,0xed1b8200,svchost.exe,0,File
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
filetracer,1,0xed1b8200,svchost.exe,0,NtQueryAttributesFile,\??\C:\Users\windows\Desktop\AppxManifest.xml
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1ff1ac,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x1ff1cc,,
poolmon,1,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
objmon,1,0xed1b8200,svchost.exe,0,File
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8200,svchost.exe,0,NtFA,unknown_pool_type,196,ntfs.sys,AttrSup.c
poolmon,0,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
filetracer,1,0xed1b8200,svchost.exe,0,NtQueryAttributesFile,\??\C:\Users\windows\AppxManifest.xml
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1ff1ac,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x1ff1cc,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
poolmon,0,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fafc,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,1,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
objmon,1,0xed1b8200,svchost.exe,0,File
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x1d6f9c4,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x1d6f9bc,,
poolmon,1,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtRequestWaitReplyPort,3,IN,HANDLE,PortHandle,0x8fc,,,IN,PPORT_MESSAGE,RequestMessage,0xb7974e0,,,OUT,PPORT_MESSAGE,ReplyMessage,0xb7974e0,,
poolmon,1,0xed1b8200,svchost.exe,0,NtFA,unknown_pool_type,196,ntfs.sys,AttrSup.c
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePort,4,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,
filetracer,1,0xed1b8200,svchost.exe,0,NtQueryAttributesFile,\??\C:\Users\AppxManifest.xml
syscall,1 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1ff1ac,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x1ff1cc,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyWaitReceivePortEx,5,IN,HANDLE,PortHandle,0xe4,,,OUT,PVOID,*PortContext,0x91fb0c,,,IN,PPORT_MESSAGE,ReplyMessage,0x0,,,OUT,PPORT_MESSAGE,ReceiveMessage,0x41ef558,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8200,svchost.exe,0,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReplyPort,2,IN,HANDLE,PortHandle,0xe4,,,IN,PPORT_MESSAGE,ReplyMessage,0x41ef558,,
objmon,1,0xed1b8200,svchost.exe,0,File
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x244,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x91f968,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x91f900,,
poolmon,1,0xed1b8540,explorer.exe,1,Ustm,unknown_pool_type,72,win32k!InternalSetTimer,TIMER
poolmon,0,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b8180,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
poolmon,0,0xed1b8200,svchost.exe,0,NtFA,unknown_pool_type,196,ntfs.sys,AttrSup.c
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x6,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x332fb40,,
filetracer,0,0xed1b8200,svchost.exe,0,NtQueryAttributesFile,\??\C:\AppxManifest.xml
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryAttributesFile,2,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1ff1ac,,,OUT,PFILE_BASIC_INFORMATION,FileInformation,0x1ff1cc,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0x6,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x332fb40,,
poolmon,0,0xed1b8200,svchost.exe,0,IoNm,PagedPool,56,nt!io,Io parsing names
objmon,0,0xed1b8200,svchost.exe,0,File
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x332fafc,,,IN,ULONG,ThreadInformationLength,0x4,,
poolmon,0,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtDuplicateToken,6,IN,HANDLE,ExistingTokenHandle,0x694,,,IN,ACCESS_MASK,DesiredAccess,0x4,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,BOOLEAN,EffectiveOnly,0x0,,,IN,TOKEN_TYPE,TokenType,0x2,,,OUT,PHANDLE,NewTokenHandle,0x1167508,,
poolmon,0,0xed1b8200,svchost.exe,0,NtFA,unknown_pool_type,196,ntfs.sys,AttrSup.c
poolmon,1,0xed1b8180,svchost.exe,0,SeAt,PagedPool,24
filetracer,0,0xed1b8200,svchost.exe,0,NtCreateFile,\??\C:\Users\windows\Desktop\test.exe
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x1ff134,,,IN,ACCESS_MASK,DesiredAccess,0x80100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1ff168,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1ff140,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x1,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x64,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
poolmon,1,0xed1b8180,svchost.exe,0,SeTl,unknown_pool_type,56
objmon,0,0xed1b8200,svchost.exe,0,File
objmon,1,0xed1b8180,svchost.exe,0,Toke
poolmon,0,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b8180,svchost.exe,0,Toke,PagedPool,1496,nt!se,Token objects
poolmon,0,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,1,0xed1b8180,svchost.exe,0,SeTd,PagedPool,508,nt!se,Security Token dynamic part
poolmon,0,0xed1b8200,svchost.exe,0,FMfn,PagedPool,222,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,1,0xed1b8180,svchost.exe,0,SeSd,PagedPool,292,nt!se,Security Descriptor
poolmon,0,0xed1b8200,svchost.exe,0,FMfn,PagedPool,222,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,1,0xed1b8180,svchost.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,0,0xed1b8200,svchost.exe,0,MPCp,PagedPool,108
poolmon,1,0xed1b8180,svchost.exe,0,SeSd,PagedPool,28,nt!se,Security Descriptor
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x1fd0,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1ff138,,,OUT,PVOID,FsInformation,0x1ff174,,,IN,ULONG,Length,0x18,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x1,,
poolmon,0,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,28,nt!io,general IO allocations
poolmon,1,0xed1b8180,svchost.exe,0,SeSd,PagedPool,304,nt!se,Security Descriptor
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryInformationFile,5,IN,HANDLE,FileHandle,0x1fd0,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1ff138,,,OUT,PVOID,FileInformation,0x1ff18c,,,IN,ULONG,Length,0x68,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x12,,
poolmon,1,0xed1b8180,svchost.exe,0,ObSc,PagedPool,320,nt!ob,Object security descriptor cache block
poolmon,0,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,108,nt!io,general IO allocations
poolmon,1,0xed1b8180,svchost.exe,0,SeAc,PagedPool,232,nt!se,Security ACL
poolmon,1,0xed1b8180,svchost.exe,0,SeSd,PagedPool,304,nt!se,Security Descriptor
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1fd0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtCreateWaitCompletionPacket
objmon,1,0xed1b8180,svchost.exe,0,Wait
filetracer,0,0xed1b8200,svchost.exe,0,NtOpenFile,\??\C:\Users\windows\Desktop\test.exe
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x1fe8f0,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1fe90c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1fe924,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,OpenOptions,0x60,,
poolmon,1,0xed1b8180,svchost.exe,0,Wait,unknown_pool_type,96,<unknown>,NtWaitForMultipleObjects
objmon,0,0xed1b8200,svchost.exe,0,File
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
poolmon,0,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
poolmon,0,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x332faf8,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtOpenSymbolicLinkObject,3,OUT,PHANDLE,LinkHandle,0x1fe2ac,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1fe288,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x694,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1fd0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x332f7ec,,
filetracer,0,0xed1b8200,svchost.exe,0,NtOpenFile,\??\C:\Users\windows\Desktop\test.exe
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x1fe8f0,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1fe90c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1fe924,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,OpenOptions,0x20,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x332f7ec,,
objmon,0,0xed1b8200,svchost.exe,0,File
poolmon,0,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x694,,
poolmon,0,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x332f7ec,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x332f7ec,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtQueryVolumeInformationFile,5,IN,HANDLE,FileHandle,0x1fd0,\Users\windows\Desktop\test.exe,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1fe924,,,OUT,PVOID,FsInformation,0x1fe92c,,,IN,ULONG,Length,0x8,,,IN,FS_INFORMATION_CLASS,FsInformationClass,0x4,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1fd0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x332f7dc,,,IN,ULONG,ThreadInformationLength,0x4,,
filetracer,0,0xed1b8200,svchost.exe,0,NtOpenFile,\??\C:\Users\windows\Desktop\test.exe
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x1feb50,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1feb30,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1feb28,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,OpenOptions,0x10,,
objmon,0,0xed1b8200,svchost.exe,0,File
poolmon,0,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1b0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x332f75c,,
poolmon,0,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x332f57c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x332f600,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1fd0,\Users\windows\Desktop\test.exe,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1fead0,,,IN,ULONG,IoControlCode,0x4d0008,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x1feb60,,,IN,ULONG,OutputBufferLength,0x208,,
objmon,1,0xed1b8180,svchost.exe,0,Even
poolmon,0,0xed1b8200,svchost.exe,0,Io ,unknown_pool_type,524,nt!io,general IO allocations
poolmon,1,0xed1b8180,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1fd0,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x19c,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x1208ac8,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x1168534,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1208ac8,,,INOUT,PULONG,BufferLength,0x332f040,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x1168534,,,IN,PLARGE_INTEGER,Timeout,0x0,,
filetracer,0,0xed1b8200,svchost.exe,0,NtCreateFile,\??\C:\Users\windows\Desktop\test.exe\
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x1fec64,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1fec98,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1fec70,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x80,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x204020,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
poolmon,1,0xed1b8180,svchost.exe,0,AlEB,PagedPool,32
objmon,0,0xed1b8200,svchost.exe,0,File
poolmon,0,0xed1b8200,svchost.exe,0,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xec,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x3245c30,,,INOUT,PULONG,BufferLength,0x105f9d8,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x105f9ec,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8200,svchost.exe,0,IoNm,PagedPool,120,nt!io,Io parsing names
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x105f94c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
filetracer,0,0xed1b8200,svchost.exe,0,NtOpenFile,\??\C:\Users\windows\Desktop
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x1fe8f0,,,IN,ACCESS_MASK,DesiredAccess,0x100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x1fe90c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x1fe924,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,OpenOptions,0x60,,
syscall,1 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtPowerInformation,5,IN,POWER_INFORMATION_LEVEL,InformationLevel,0x2b,,,IN,PVOID,InputBuffer,0x11f0320,,,IN,ULONG,InputBufferLength,0x1c,,,OUT,PVOID,OutputBuffer,0x105de9c,,,IN,ULONG,OutputBufferLength,0x4,,
poolmon,1,0xed1b8180,svchost.exe,0,Mem ,PagedPool,28
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
poolmon,1,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6fae8,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x1d6f9c4,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x1d6f9bc,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x1d6f5e0,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x1d6f5d8,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f830,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x374,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x374,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x429ac00,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3c0,,,OUT,PLONG,PreviousState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e189de8,,,INOUT,PSIZE_T,RegionSize,0x9e189de0,,,IN,ULONG,FreeType,0x8000,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x37c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x270,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,Gtmp,unknown_pool_type,56,<unknown>,Gdi temporary allocations
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e189f08,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9e189f3c,,,IN,ULONG,AllocationType,0x3000,,,IN,ULONG,Protect,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
poolmon,1,0xed1b8540,explorer.exe,1,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,1,0xed1b8540,explorer.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8180,svchost.exe,0,PRCx,unknown_pool_type,20
poolmon,0,0xed1b8180,svchost.exe,0,PAVl,PagedPool,24
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
objmon,0,0xed1b8180,svchost.exe,0,Powe
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,Powe,unknown_pool_type,132
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,Umpo,PagedPool,56
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x80000284,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0xaa21e600,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtPowerInformation,5,IN,POWER_INFORMATION_LEVEL,InformationLevel,0x2c,,,IN,PVOID,InputBuffer,0x105de90,,,IN,ULONG,InputBufferLength,0x10,,,OUT,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputBufferLength,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,Mem ,PagedPool,16
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x86,,,OUT,PVOID,SystemInformation,0x105df94,,,IN,ULONG,SystemInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,484
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,24
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,304
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,160
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,8
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,296
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,284
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,24
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,160
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,8
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,68
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,4
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,52
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,64
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,72
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,72
poolmon,0,0xed1b8180,svchost.exe,0,SLS ,PagedPool,252
poolmon,1,0xed1b8540,explorer.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtPowerInformation,5,IN,POWER_INFORMATION_LEVEL,InformationLevel,0x2c,,,IN,PVOID,InputBuffer,0x105de90,,,IN,ULONG,InputBufferLength,0x10,,,OUT,PVOID,OutputBuffer,0x0,,,IN,ULONG,OutputBufferLength,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,Gxlt,unknown_pool_type,80,<unknown>,Gdi Xlate
poolmon,0,0xed1b8180,svchost.exe,0,Mem ,PagedPool,16
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x6ac,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCallbackReturn,3,IN,PVOID,OutputBuffer,0x1d6f988,,,IN,ULONG,OutputLength,0xc,,,IN,NTSTATUS,Status,0x0,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x80000284,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0xaa21e8d0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x1d6f9c0,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x1d6f9b8,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtAlpcImpersonateClientOfPort,3,IN,HANDLE,PortHandle,0x254,,,IN,PPORT_MESSAGE,PortMessage,0x3245c30,,,RESERVED,PVOID,Reserved,0x0,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0xaa31ab44,,,INOUT,PSIZE_T,RegionSize,0xaa31ab48,,,IN,ULONG,FreeType,0x8000,,
syscall,0 0xed1b8180,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x105ed64,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8180,svchost.exe,0,Even
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc4,,
syscall,1 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xc0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x118ef90,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x117e9dc,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x118ef90,,,INOUT,PULONG,BufferLength,0xfbf038,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x117e9dc,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,1,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x37c,,
poolmon,1,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x270,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,1,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb12500,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x558,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x6ec,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x4299600,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3c0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
objmon,1,0xed1b84e0,dwm.exe,1,Even
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c0,,
poolmon,1,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x374,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x374,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcDeleteSecurityContext,3,IN,HANDLE,PortHandle,0x738,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,ContextHandle,0x10,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3e8,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x33c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x728,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3e8,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x33c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef7c0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb70f00,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtUnmapViewOfSectionEx
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x94,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x9a,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b8580,dllhost.exe,1,ntoskrnl.exe,NtTerminateProcess,2,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,NTSTATUS,ExitStatus,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x2b8,,
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x271f698,,,INOUT,PULONG,BufferLength,0x271f788,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x271f7b4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0x1a5000,System,-1,ntoskrnl.exe,NtWriteFile,9,IN,HANDLE,FileHandle,0x80000750,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9204fb18,,,IN,PVOID,Buffer,0x86cc8000,,,IN,ULONG,Length,0x8000,,,IN,PLARGE_INTEGER,ByteOffset,0x86fd65d0,,,IN,PULONG,Key,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x500,,
filetracer,1,0xed1b82c0,Taskmgr.exe,1,NtOpenFile,\Device\{C09DA506-78CE-41DB-B9B1-2B0D8E6674D7}
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x3a4f7bc,,,IN,ACCESS_MASK,DesiredAccess,0x12019f,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x3a4f79c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a4f7b4,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x20,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,ObNm,PagedPool,248,nt!ob,object names
objmon,1,0xed1b82c0,Taskmgr.exe,1,File
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDoc,unknown_pool_type,16
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x500,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a4f754,,,IN,ULONG,IoControlCode,0x17003e,,,IN,PVOID,InputBuffer,0xe62fa0,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0x3a4f7e4,,,IN,ULONG,OutputBufferLength,0x2d0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,64,nt!io,general IO allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDam,unknown_pool_type,60,ndis.sys,NdisAllocateMemory
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDam,unknown_pool_type,720,ndis.sys,NdisAllocateMemory
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x27c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xf4e808,,,IN,ULONG,TimerSetInformationLength,0x20,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x50,,,OUT,PVOID,SystemInformation,0x11f1598,,,IN,ULONG,SystemInformationLength,0x58,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x27c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xf4e794,,,IN,ULONG,TimerSetInformationLength,0x20,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x27c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xf4e808,,,IN,ULONG,TimerSetInformationLength,0x20,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b81e0,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0xb,,,IN,HANDLE,Handles[],0xf4e900,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,152,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Pccr,unknown_pool_type,140,pacer.sys,PACER Filter Clone Requests
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Wl2g,unknown_pool_type,140
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDrq,unknown_pool_type,56,ndis.sys,NDIS_TAG_Q_REQ
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,NDre,unknown_pool_type,92
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x500,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x28c,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a4faac,,,IN,ULONG,IoControlCode,0x70020,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x11ae240,,,IN,ULONG,OutputBufferLength,0x58,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Io ,unknown_pool_type,92,nt!io,general IO allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x3a4fbb4,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x19c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x18c,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x1a8,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1d8,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a4fb00,,,IN,ULONG,IoControlCode,0x224013,,,IN,PVOID,InputBuffer,0x3a4fb1c,,,IN,ULONG,InputBufferLength,0x4,,,OUT,PVOID,OutputBuffer,0x119eff0,,,IN,ULONG,OutputBufferLength,0x1f8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x21ef904,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
filetracer,1,0xed1b8540,explorer.exe,1,NtOpenFile,\??\C:\Windows\
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9f6f000,,,IN,ACCESS_MASK,DesiredAccess,0x100001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6f038,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6f030,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x4021,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
objmon,1,0xed1b8540,explorer.exe,1,File
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b8540,explorer.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0x524,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x398fa1c,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryDirectoryFile,11,IN,HANDLE,FileHandle,0x840,\Windows,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6f030,,,OUT,PVOID,FileInformation,0x9f6f050,,,IN,ULONG,Length,0x268,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x3,,,IN,BOOLEAN,ReturnSingleEntry,0x1,,,IN,PUNICODE_STRING,FileName,0x9f6f004,System32,,IN,BOOLEAN,RestartScan,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x4e4,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x17,,,OUT,PVOID,TokenInformation,0x398fa18,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x398fa0c,,
poolmon,1,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,28,nt!io,general IO allocations
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
poolmon,1,0xed1b8540,explorer.exe,1,NtFd,unknown_pool_type,82,ntfs.sys,DirCtrl.c
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x524,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x398f9dc,,,IN,ACCESS_MASK,DesiredAccess,0x1400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x398f9ac,,,IN,PCLIENT_ID,ClientId,0x398f9c4,,
poolmon,1,0xed1b8540,explorer.exe,1,NtFI,unknown_pool_type,120,ntfs.sys,IndexSup.c
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x4,,,OUT,PVOID,ProcessInformation,0x398f9a0,,,IN,ULONG,ProcessInformationLength,0x20,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x840,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x524,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x12,,,OUT,PVOID,ProcessInformation,0x398f9ec,,,IN,ULONG,ProcessInformationLength,0x2,,,OUT,PULONG,ReturnLength,0x0,,
filetracer,1,0xed1b8540,explorer.exe,1,NtOpenFile,\??\C:\Windows\System32\
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9f6f000,,,IN,ACCESS_MASK,DesiredAccess,0x100001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6f038,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6f030,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x4021,,
objmon,1,0xed1b8540,explorer.exe,1,File
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
objmon,1,0xed1b8540,explorer.exe,1,File
poolmon,1,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtEnumerateKey,6,IN,HANDLE,KeyHandle,0x97e,,,IN,ULONG,Index,0x0,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x1,,,OUT,PVOID,KeyInformation,0x88f53f8,,,IN,ULONG,Length,0x120,,,OUT,PULONG,ResultLength,0x88f53ec,,
poolmon,1,0xed1b8540,explorer.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryDirectoryFile,11,IN,HANDLE,FileHandle,0x840,\Windows\System32,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6f030,,,OUT,PVOID,FileInformation,0x9f6f050,,,IN,ULONG,Length,0x268,,,IN,FILE_INFORMATION_CLASS,FileInformationClass,0x3,,,IN,BOOLEAN,ReturnSingleEntry,0x1,,,IN,PUNICODE_STRING,FileName,0x9f6f004,notepad.exe,,IN,BOOLEAN,RestartScan,0x0,,
poolmon,1,0xed1b8540,explorer.exe,1,Io ,unknown_pool_type,34,nt!io,general IO allocations
poolmon,1,0xed1b8540,explorer.exe,1,NtFd,unknown_pool_type,88,ntfs.sys,DirCtrl.c
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x206,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x879e0b0,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x879e0a8,,
poolmon,1,0xed1b8540,explorer.exe,1,NtFI,unknown_pool_type,544,ntfs.sys,IndexSup.c
poolmon,1,0xed1b8540,explorer.exe,1,NtFI,unknown_pool_type,128,ntfs.sys,IndexSup.c
poolmon,0,0xed1b8540,explorer.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x840,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,OUT,PVOID,ProcessInformation,0x9f6f2d0,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x879e3a0,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879de38,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0xc,,,IN,PVOID,ProcessInformation,0x9f6f2e0,,,IN,ULONG,ProcessInformationLength,0x4,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFindAtom,3,IN,PWSTR,AtomName,0x9f6f504,,,IN,ULONG,Length,0x50,,,OUT,PRTL_ATOM,Atom,0x9f6f298,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x879e3a0,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879de38,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x9f6eefc,,,IN,ACCESS_MASK,DesiredAccess,0x1000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6eecc,,,IN,PCLIENT_ID,ClientId,0x9f6eee4,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0x840,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x32,,,OUT,PVOID,ProcessInformation,0xbc97160,,,IN,ULONG,ProcessInformationLength,0x210,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,Key
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenProcess,4,OUT,PHANDLE,ProcessHandle,0x9f6eeec,,,IN,ACCESS_MASK,DesiredAccess,0x400,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6eebc,,,IN,PCLIENT_ID,ClientId,0x9f6eed4,,
poolmon,0,0xed1b8540,explorer.exe,1,Key ,PagedPool,84
filetracer,1,0xed1b8540,explorer.exe,1,NtOpenFile,\??\C:\Users\windows\Desktop
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9f6ee88,,,IN,ACCESS_MASK,DesiredAccess,0x20000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6ee44,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6ee6c,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x200000,,
objmon,1,0xed1b8540,explorer.exe,1,File
poolmon,1,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
poolmon,1,0xed1b8540,explorer.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0xbc2,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x879e060,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x879e054,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0xa0c,,,IN,SECURITY_INFORMATION,SecurityInformation,0x10,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x0,,,IN,ULONG,Length,0x0,,,OUT,PULONG,LengthNeeded,0x9f6eeb0,,
poolmon,0,0xed1b8540,explorer.exe,1,CMNb,PagedPool,216,nt!cm,notification block pool tag
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa0c,,
filetracer,1,0xed1b8540,explorer.exe,1,NtOpenFile,\??\C:\Users\windows\Desktop
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenFile,6,OUT,PHANDLE,FileHandle,0x9f6ee88,,,IN,ACCESS_MASK,DesiredAccess,0x20000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6ee44,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9f6ee6c,,,IN,ULONG,ShareAccess,0x7,,,IN,ULONG,OpenOptions,0x200000,,
objmon,1,0xed1b8540,explorer.exe,1,File
poolmon,1,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x879dd28,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x879dd18,,
poolmon,1,0xed1b8540,explorer.exe,1,IoNm,PagedPool,56,nt!io,Io parsing names
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x879e238,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879dde0,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b8540,explorer.exe,1,ObNm,PagedPool,280,nt!ob,object names
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQuerySecurityObject,5,IN,HANDLE,Handle,0xa0c,,,IN,SECURITY_INFORMATION,SecurityInformation,0x10,,,OUT,PSECURITY_DESCRIPTOR,SecurityDescriptor,0xb78d430,,,IN,ULONG,Length,0x14,,,OUT,PULONG,LengthNeeded,0x9f6eeb0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa0c,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x840,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xbc2,,,IN,PUNICODE_STRING,ValueName,0x879e308,DriveMask,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x879e248,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x879e224,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x206,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x9f6e220,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x9f6e218,,
poolmon,0,0xed1b8540,explorer.exe,1,CMvn,unknown_pool_type,22
poolmon,1,0xed1b8540,explorer.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xbc2,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x9f6e520,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6dfa8,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x17,,,OUT,PVOID,ProcessInformation,0x879df7c,,,IN,ULONG,ProcessInformationLength,0x24,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x9f6e520,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6dfa8,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtEnumerateKey,6,IN,HANDLE,KeyHandle,0x97e,,,IN,ULONG,Index,0x1,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x1,,,OUT,PVOID,KeyInformation,0x88f53f8,,,IN,ULONG,Length,0x120,,,OUT,PULONG,ResultLength,0x88f53ec,,
objmon,1,0xed1b8540,explorer.exe,1,Key
poolmon,1,0xed1b8540,explorer.exe,1,Key ,PagedPool,84
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x97e,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x842,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x9f6e0f8,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x9f6e0e0,,
poolmon,1,0xed1b8540,explorer.exe,1,CMNb,PagedPool,138,nt!cm,notification block pool tag
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x9f6dba0,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x9f6db90,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x88f52a4,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6dc58,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x879d8c4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,Even
poolmon,0,0xed1b8540,explorer.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0x879df54,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,Muta
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtEnumerateKey,6,IN,HANDLE,KeyHandle,0x842,,,IN,ULONG,Index,0x0,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x1,,,OUT,PVOID,KeyInformation,0x88f53f8,,,IN,ULONG,Length,0x120,,,OUT,PULONG,ResultLength,0x88f53ec,,
poolmon,0,0xed1b8540,explorer.exe,1,Muta,unknown_pool_type,72,<unknown>,Mutant objects
filetracer,0,0xed1b8540,explorer.exe,1,NtCreateFile,\??\C:\Users\windows\Desktop\notepad.lnk
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x879de34,,,IN,ACCESS_MASK,DesiredAccess,0x80100080,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x879de68,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x879de40,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x0,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x60,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,0,0xed1b8540,explorer.exe,1,File
poolmon,0,0xed1b8540,explorer.exe,1,File,unknown_pool_type,176,<unknown>,File objects
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x206,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x9f6dfb8,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x9f6dfb0,,
poolmon,0,0xed1b8540,explorer.exe,1,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,0,0xed1b8540,explorer.exe,1,FMfn,PagedPool,228,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,1,0xed1b8540,explorer.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
poolmon,0,0xed1b8540,explorer.exe,1,FMfn,PagedPool,228,fltmgr.sys,NAME_CACHE_NODE structure
poolmon,0,0xed1b8540,explorer.exe,1,MPCp,PagedPool,114
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x9f6e2a8,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6dd40,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xbc0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xbc0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x879dcf4,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0xbc0,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtReadFile,9,IN,HANDLE,FileHandle,0xa08,\Users\windows\Desktop\notepad.lnk,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x879dd04,,,OUT,PVOID,Buffer,0x2e537f4,,,IN,ULONG,Length,0x1000,,,IN,PLARGE_INTEGER,ByteOffset,0x0,,,IN,PULONG,Key,0x0,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x9f6e2a8,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9f6dd40,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x1c8fd24,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb71838,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x1c8fd28,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtTestAlert
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtContinue,2,IN,PCONTEXT,ContextRecord,0x13ffc5c,,,IN,BOOLEAN,TestAlert,0x1,,
syscall,0 0xed1b8200,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x5d13110,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x13ffe3c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,1,0xed1b8120,svchost.exe,0,Even
poolmon,1,0xed1b8120,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x33ddb28,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x728,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtQueryInformationThread,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0xc,,,OUT,PVOID,ThreadInformation,0x13ffebc,,,IN,ULONG,ThreadInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtTerminateThread,2,IN,HANDLE,ThreadHandle,0x0,,,IN,NTSTATUS,ExitStatus,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetTimer2
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9e1b1b44,,,INOUT,PSIZE_T,RegionSize,0x9e1b1b48,,,IN,ULONG,FreeType,0x8000,,
syscall,0 0xed1b8060,csrss.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x9c,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x194fd90,,,INOUT,PULONG,BufferLength,0x194fe80,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x194feac,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x7bc,\Endpoint,,IN,HANDLE,Event,0xaa8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f090,,,IN,ULONG,IoControlCode,0x12047,,,IN,PVOID,InputBuffer,0xf8f098,,,IN,ULONG,InputBufferLength,0xc4,,,OUT,PVOID,OutputBuffer,0xf8f138,,,IN,ULONG,OutputBufferLength,0x1c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x1c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x62c,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xb1f4e0,,,IN,ULONG,IoControlCode,0x12c008,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0xeb9410,,,IN,ULONG,OutputBufferLength,0x808,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x7bc,\Endpoint,,IN,HANDLE,Event,0xaa8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f14c,,,IN,ULONG,IoControlCode,0x120b3,,,IN,PVOID,InputBuffer,0xf8f180,,,IN,ULONG,InputBufferLength,0x2,,,OUT,PVOID,OutputBuffer,0x33db060,,,IN,ULONG,OutputBufferLength,0x200,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x62c,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xb1f4e0,,,IN,ULONG,IoControlCode,0x12c008,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0xeb9410,,,IN,ULONG,OutputBufferLength,0x808,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x7bc,\Endpoint,,IN,HANDLE,Event,0xaa8,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f1e8,,,IN,ULONG,IoControlCode,0x120bf,,,IN,PVOID,InputBuffer,0xf8f0f4,,,IN,ULONG,InputBufferLength,0x18,,,OUT,PVOID,OutputBuffer,0x33dae58,,,IN,ULONG,OutputBufferLength,0x4c,,
poolmon,1,0xed1b8320,svchost.exe,0,Io ,unknown_pool_type,2060,nt!io,general IO allocations
poolmon,0,0xed1b8260,svchost.exe,0,AfdL,unknown_pool_type,60,afd.sys,Afd local address buffer
poolmon,1,0xed1b8320,svchost.exe,0,NDUI,PagedPool,40
poolmon,0,0xed1b8260,svchost.exe,0,Ipas,unknown_pool_type,56
poolmon,1,0xed1b8320,svchost.exe,0,NDUA,PagedPool,36
poolmon,0,0xed1b8260,svchost.exe,0,Ipas,unknown_pool_type,16
poolmon,0,0xed1b8260,svchost.exe,0,Ipas,unknown_pool_type,56
poolmon,1,0xed1b8320,svchost.exe,0,NDUA,PagedPool,12
poolmon,0,0xed1b8260,svchost.exe,0,Ipas,unknown_pool_type,24
poolmon,1,0xed1b8320,svchost.exe,0,NDUI,PagedPool,40
poolmon,0,0xed1b8260,svchost.exe,0,Ipas,unknown_pool_type,96
poolmon,1,0xed1b8320,svchost.exe,0,NDUN,PagedPool,20
poolmon,0,0xed1b8260,svchost.exe,0,Ipas,unknown_pool_type,120
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtTraceEvent,4,IN,HANDLE,TraceHandle,0x638,,,IN,ULONG,Flags,0x300,,,IN,ULONG,FieldSize,0x70,,,IN,PVOID,Fields,0xb1f388,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtQuerySystemTime,1,OUT,PLARGE_INTEGER,SystemTime,0xf8f0c0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x634,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xb1f48c,,,IN,ULONG,IoControlCode,0x1403a4,,,IN,PVOID,InputBuffer,0xb1f514,,,IN,ULONG,InputBufferLength,0x8,,,OUT,PVOID,OutputBuffer,0x20681b8,,,IN,ULONG,OutputBufferLength,0x800,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xaa8,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0xf8f0b8,,
poolmon,1,0xed1b8320,svchost.exe,0,Io ,unknown_pool_type,2052,nt!io,general IO allocations
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7bc,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x840,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x12bbc00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x12a38f4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0xb1ed40,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x12a38f4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,AlEB,PagedPool,236
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xf8efcc,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x3d8,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x76d9750,,,INOUT,PULONG,BufferLength,0x432f510,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x432f524,,,IN,PLARGE_INTEGER,Timeout,0x0,,
objmon,0,0xed1b8260,svchost.exe,0,Even
poolmon,0,0xed1b8260,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x28,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x432f484,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x260,,,IN,HANDLE,Event,0x7bc,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f070,,,IN,ULONG,IoControlCode,0x12000f,,,IN,PVOID,InputBuffer,0xf8f038,,,IN,ULONG,InputBufferLength,0x38,,,OUT,PVOID,OutputBuffer,0xf8f038,,,IN,ULONG,OutputBufferLength,0x38,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x28,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x432f5b0,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x28,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x40ad8a0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1d0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x3a8fa7c,,
poolmon,1,0xed1b8260,svchost.exe,0,NSpg,unknown_pool_type,88,nsi.dll,NSI Proxy Generic Buffers
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x3d8,,,IN,ULONG,Flags,0x410000,,,IN,PPORT_MESSAGE,SendMessage,0x76d7540,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x3a8fa7c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7bc,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xf8efb4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x120000,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
objmon,0,0xed1b8260,svchost.exe,0,Even
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f160,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,0,0xed1b8260,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0xb1f160,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x260,,,IN,HANDLE,Event,0x7bc,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f024,,,IN,ULONG,IoControlCode,0x120013,,,IN,PVOID,InputBuffer,0xf8f05c,,,IN,ULONG,InputBufferLength,0x28,,,OUT,PVOID,OutputBuffer,0xf8f05c,,,IN,ULONG,OutputBufferLength,0x28,,
poolmon,0,0xed1b8260,svchost.exe,0,NSpg,unknown_pool_type,72,nsi.dll,NSI Proxy Generic Buffers
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1569c8,,
poolmon,0,0xed1b8260,svchost.exe,0,NDcm,unknown_pool_type,24
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x2f8,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0xa0f5f0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xa0f604,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7bc,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcQueryInformation,5,IN,HANDLE,PortHandle,0x69c,,,IN,ALPC_PORT_INFORMATION_CLASS,PortInformationClass,0x0,,,OUT,PVOID,PortInformation,0xa0f55c,,,IN,ULONG,Length,0xc,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x69c,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xf8efa4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8260,svchost.exe,0,Even
poolmon,0,0xed1b8260,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xa0f52c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x260,,,IN,HANDLE,Event,0x7bc,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f05c,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0xf8f018,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0xf8f018,,,IN,ULONG,OutputBufferLength,0x3c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xa0f690,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b8260,svchost.exe,0,NSpg,unknown_pool_type,88,nsi.dll,NSI Proxy Generic Buffers
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7bc,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xf82928,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xf8efa4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8260,svchost.exe,0,Even
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtFreeVirtualMemory,4,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0xa7b8caa8,,,INOUT,PSIZE_T,RegionSize,0xa7b8caa0,,,IN,ULONG,FreeType,0x8000,,
poolmon,0,0xed1b8260,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x260,,,IN,HANDLE,Event,0x7bc,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f054,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0xf8f018,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0xf8f018,,,IN,ULONG,OutputBufferLength,0x3c,,
poolmon,0,0xed1b8260,svchost.exe,0,NSpg,unknown_pool_type,11172,nsi.dll,NSI Proxy Generic Buffers
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7bc,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xf8efa4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8260,svchost.exe,0,Even
poolmon,0,0xed1b8260,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xa00,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x260,,,IN,HANDLE,Event,0x7bc,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f05c,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0xf8f018,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0xf8f018,,,IN,ULONG,OutputBufferLength,0x3c,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xa00,,
poolmon,0,0xed1b8260,svchost.exe,0,NSpg,unknown_pool_type,88,nsi.dll,NSI Proxy Generic Buffers
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7bc,,
syscall,1 0xed1b8540,explorer.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x3,,,IN,HANDLE,Handles[],0x36ffb9c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x36ffb4c,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xf8efa4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x1,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b8260,svchost.exe,0,Even
poolmon,0,0xed1b8260,svchost.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xac,,
syscall,0 0xed1b8260,svchost.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x260,,,IN,HANDLE,Event,0x7bc,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xf8f054,,,IN,ULONG,IoControlCode,0x12001b,,,IN,PVOID,InputBuffer,0xf8f018,,,IN,ULONG,InputBufferLength,0x3c,,,OUT,PVOID,OutputBuffer,0xf8f018,,,IN,ULONG,OutputBufferLength,0x3c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x12bbc00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x10efa4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0xc5f108,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x10efa4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8260,svchost.exe,0,NSpg,unknown_pool_type,1176,nsi.dll,NSI Proxy Generic Buffers
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb14710,,,INOUT,PULONG,BufferLength,0xedfc18,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xedfc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b8260,svchost.exe,0,Ipng,unknown_pool_type,8
poolmon,0,0xed1b8260,svchost.exe,0,NSIr,unknown_pool_type,552,nsi.dll,NSI Generic Buffers
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfb8c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfcb8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xb71838,,
objmon,0,0xed1b8340,MsMpEng.exe,0,Key
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xac,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Key ,PagedPool,84
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetTimerEx,4,IN,HANDLE,TimerHandle,0x31c,,,IN,TIMER_SET_INFORMATION_CLASS,TimerSetInformationClass,0x0,,,INOUT,PVOID,TimerSetInformation,0xc5f5f4,,,IN,ULONG,TimerSetInformationLength,0x20,,
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x80000a2c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x1,,,IN,HANDLE,Handles[],0xc5f644,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b85c0,test.exe,1,ObNm,PagedPool,248,nt!ob,object names
objmon,1,0xed1b85c0,test.exe,1,ALPC
poolmon,1,0xed1b85c0,test.exe,1,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
poolmon,1,0xed1b85c0,test.exe,1,AlCI,PagedPool,64,nt!alpc,ALPC communication info
poolmon,1,0xed1b85c0,test.exe,1,AlMs,PagedPool,168,nt!alpc,ALPC message
poolmon,1,0xed1b85c0,test.exe,1,AlSc,PagedPool,64,nt!alpc,ALPC section
poolmon,1,0xed1b85c0,test.exe,1,AlRe,PagedPool,72,nt!alpc,ALPC section region
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x1b4,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0xb6f4bc,,,IN,ULONG,IoControlCode,0x390402,,,IN,PVOID,InputBuffer,0xb6f558,,,IN,ULONG,InputBufferLength,0x28,,,OUT,PVOID,OutputBuffer,0x66dc30,,,IN,ULONG,OutputBufferLength,0x130,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Io ,unknown_pool_type,44,nt!io,general IO allocations
poolmon,1,0xed1b85c0,test.exe,1,AlVi,PagedPool,76,nt!alpc,ALPC view
poolmon,1,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b8340,MsMpEng.exe,0,Cngb,unknown_pool_type,148,ksecdd.sys,CNG kmode crypto pool tag
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x9c678854,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9c6787dc,,
poolmon,1,0xed1b8480,csrss.exe,1,AlVi,PagedPool,76,nt!alpc,ALPC view
poolmon,1,0xed1b8480,csrss.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtAlpcAcceptConnectPort,9,OUT,PHANDLE,PortHandle,0x15bfa7c,,,IN,HANDLE,ConnectionPortHandle,0xa8,,,IN,ULONG,Flags,0x0,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PALPC_PORT_ATTRIBUTES,PortAttributes,0x0,,,IN,PVOID,PortContext,0xd20a18,,,IN,PPORT_MESSAGE,ConnectionRequest,0x15bfa98,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ConnectionMessageAttributes,0x0,,,IN,BOOLEAN,AcceptConnection,0x15bfb01,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,CMNb,PagedPool,84,nt!cm,notification block pool tag
objmon,1,0xed1b8480,csrss.exe,1,ALPC
poolmon,1,0xed1b8480,csrss.exe,1,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
syscall,1 0xed1b8480,csrss.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x10000,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x15bfa98,,,INOUT,PULONG,BufferLength,0x15bfb88,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x15bfbb4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x10,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x30,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0xc,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f4dc,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x13f4d8,,,IN,SECTION_INHERIT,InheritDisposition,0x2,,,IN,ULONG,AllocationType,0x500000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x2,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x280,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x9d830c,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d830c,,,IN,ULONG,IoControlCode,0x8401f,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x5fc4de8,,,IN,ULONG,OutputBufferLength,0x90b,,
poolmon,0,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x248,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x6714f0,,
poolmon,0,0xed1b85c0,test.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
objmon,1,0xed1b8340,MsMpEng.exe,0,Key
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x13f574,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,Key ,PagedPool,84
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x13f580,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f35c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x13f388,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x80000564,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtInitializeNlsFiles,3,OUT,PVOID,*BaseAddress,0x13f570,,,OUT,PLCID,DefaultLocaleId,0x74cafc64,,,OUT,PLARGE_INTEGER,DefaultCasingTableSize,0x13f568,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryDefaultLocale,2,IN,BOOLEAN,UserProfile,0x0,,,OUT,PLCID,DefaultLocaleId,0x9d7f9bd8,,
poolmon,0,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,0,0xed1b85c0,test.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x24,,,OUT,PVOID,ProcessInformation,0x13f544,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,Cngb,unknown_pool_type,156,ksecdd.sys,CNG kmode crypto pool tag
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x1a,,,OUT,PVOID,ProcessInformation,0x13f568,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x9c67884c,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9c6787bc,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x13f5b0,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f58c,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,CMNb,PagedPool,84,nt!cm,notification block pool tag
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x280,,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x9d84cc,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x9d84cc,,,IN,ULONG,IoControlCode,0x8401f,,,IN,PVOID,InputBuffer,0x0,,,IN,ULONG,InputBufferLength,0x0,,,OUT,PVOID,OutputBuffer,0x9deff0,,,IN,ULONG,OutputBufferLength,0x400,,
poolmon,0,0xed1b85c0,test.exe,1,CMNb,PagedPool,84,nt!cm,notification block pool tag
objmon,1,0xed1b8340,MsMpEng.exe,0,Key
poolmon,1,0xed1b8340,MsMpEng.exe,0,Key ,PagedPool,84
objmon,0,0xed1b85c0,test.exe,1,Key
poolmon,0,0xed1b85c0,test.exe,1,Key ,PagedPool,84
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x80000564,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xc,,,IN,PUNICODE_STRING,ValueName,0x13f5a4,TSAppCompat,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x612178,,,IN,ULONG,Length,0x224,,,OUT,PULONG,ResultLength,0x13f5ac,,
poolmon,0,0xed1b85c0,test.exe,1,CMvn,unknown_pool_type,26
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f76c,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xb6f778,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x53423100,,
objmon,1,0xed1b8340,MsMpEng.exe,0,Even
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xc,,,IN,PUNICODE_STRING,ValueName,0x13f5a4,TSUserEnabled,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x612178,,,IN,ULONG,Length,0x224,,,OUT,PULONG,ResultLength,0x13f5ac,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSc,PagedPool,60,nt!se,Captured Security Descriptor
poolmon,0,0xed1b85c0,test.exe,1,CMvn,unknown_pool_type,30
poolmon,1,0xed1b8340,MsMpEng.exe,0,ObNm,PagedPool,104,nt!ob,object names
poolmon,1,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,72,<unknown>,Event objects
poolmon,1,0xed1b8340,MsMpEng.exe,0,ObNm,PagedPool,126,nt!ob,object names
poolmon,1,0xed1b8340,MsMpEng.exe,0,ObNm,PagedPool,88,nt!ob,object names
poolmon,1,0xed1b8340,MsMpEng.exe,0,ObDi,PagedPool,12,nt!ob,object directory
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,160,nt!se,Security Descriptor
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,160,nt!se,Security Descriptor
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x13f928,,,IN,ACCESS_MASK,DesiredAccess,0x3,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x770d21e8,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,144,nt!se,Security Descriptor
poolmon,0,0xed1b85c0,test.exe,1,CMNb,PagedPool,84,nt!cm,notification block pool tag
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,72,nt!se,Security Descriptor
poolmon,1,0xed1b8340,MsMpEng.exe,0,ObSc,PagedPool,88,nt!ob,Object security descriptor cache block
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x664,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateMutant,4,OUT,PHANDLE,MutantHandle,0xb6f7c4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,BOOLEAN,InitialOwner,0x0,,
objmon,1,0xed1b8340,MsMpEng.exe,0,Muta
poolmon,1,0xed1b8340,MsMpEng.exe,0,Muta,unknown_pool_type,72,<unknown>,Mutant objects
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f7e4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f339000,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x13f918,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x771c44e8,,
objmon,1,0xed1b8340,MsMpEng.exe,0,Even
poolmon,1,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f7e4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f339000,,
poolmon,0,0xed1b85c0,test.exe,1,CMNb,PagedPool,84,nt!cm,notification block pool tag
objmon,1,0xed1b8340,MsMpEng.exe,0,Even
poolmon,1,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f7e4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f339000,,
objmon,1,0xed1b8340,MsMpEng.exe,0,Even
poolmon,1,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0xb6f7e4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f339000,,
objmon,1,0xed1b8340,MsMpEng.exe,0,Even
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x13f90c,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x770d21c8,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x22c,,,OUT,PLONG,PreviousState,0x0,,
objmon,0,0xed1b85c0,test.exe,1,Key
poolmon,0,0xed1b85c0,test.exe,1,Key ,PagedPool,84
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0xb6f8f8,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x210,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateThreadEx,11,OUT,PHANDLE,ThreadHandle,0x9c678b18,,,IN,ACCESS_MASK,DesiredAccess,0x1fffff,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x9c678af4,,,IN,HANDLE,ProcessHandle,0x800007e8,,,IN,PVOID,StartRoutine,0x77105900,,,IN,PVOID,Argument,0x608290,,,IN,ULONG,CreateFlags,0x1,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,StackSize,0x6000,,,IN,SIZE_T,MaximumStackSize,0x40000,,,IN,PPS_ATTRIBUTE_LIST,AttributeList,0x9c678b1c,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0xc,,,IN,PUNICODE_STRING,ValueName,0x770d21b8,TransparentEnabled,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x13f988,,,IN,ULONG,Length,0x50,,,OUT,PULONG,ResultLength,0x13f914,,
objmon,1,0xed1b8340,MsMpEng.exe,0,Thre
poolmon,0,0xed1b85c0,test.exe,1,CMvn,unknown_pool_type,40
poolmon,1,0xed1b8340,MsMpEng.exe,0,Thre,unknown_pool_type,1144,nt!ps,Thread objects
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x29,,,IN,PVOID,ProcessInformation,0x9c6782b4,,,IN,ULONG,ProcessInformationLength,0x1c,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c6782cc,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c67813c,,,IN,ULONG,AllocationType,0x2000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c678300,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c6782dc,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c678300,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c6782d8,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x104,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x13f898,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x13f888,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,Vadl,unknown_pool_type,72,nt!mm,Mm virtual address descriptors (long)
poolmon,1,0xed1b8340,MsMpEng.exe,0,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x13f90c,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f938,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,160,nt!se,Security Descriptor
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,172,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQueryInformationProcess,5,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x22,,,OUT,PVOID,ProcessInformation,0x13fc60,,,IN,ULONG,ProcessInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtProtectVirtualMemory,5,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13fa58,,,INOUT,PSIZE_T,RegionSize,0x13fa5c,,,IN,WIN32_PROTECTION_MASK,NewProtectWin32,0x4,,,OUT,PULONG,OldProtect,0x611634,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtResumeThread,2,IN,HANDLE,ThreadHandle,0x80000564,,,OUT,PULONG,PreviousSuspendCount,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtReleaseMutant,2,IN,HANDLE,MutantHandle,0x588,,,OUT,PLONG,PreviousCount,0x0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x13f668,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f560,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtOpenEvent,3,OUT,PHANDLE,EventHandle,0xb6f8e4,,,IN,ACCESS_MASK,DesiredAccess,0x100000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0xb6f8f0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0xc,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f694,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x13f624,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x800000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x4,,
poolmon,0,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtCreateThreadEx,11,OUT,PHANDLE,ThreadHandle,0xb6f778,,,IN,ACCESS_MASK,DesiredAccess,0x1fffff,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,StartRoutine,0x75420ca7,,,IN,PVOID,Argument,0x51d5938,,,IN,ULONG,CreateFlags,0x1,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,StackSize,0x0,,,IN,SIZE_T,MaximumStackSize,0x0,,,IN,PPS_ATTRIBUTE_LIST,AttributeList,0xb6f788,,
poolmon,0,0xed1b85c0,test.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
objmon,1,0xed1b8340,MsMpEng.exe,0,Thre
poolmon,1,0xed1b8340,MsMpEng.exe,0,Thre,unknown_pool_type,1144,nt!ps,Thread objects
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySection,5,IN,HANDLE,SectionHandle,0xc,,,IN,SECTION_INFORMATION_CLASS,SectionInformationClass,0x2,,,OUT,PVOID,SectionInformation,0x13f60c,,,IN,SIZE_T,SectionInformationLength,0x4,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtSetInformationProcess,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PROCESSINFOCLASS,ProcessInformationClass,0x29,,,IN,PVOID,ProcessInformation,0x9c678484,,,IN,ULONG,ProcessInformationLength,0x1c,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x13f668,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f560,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0xc,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f694,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x13f624,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x800000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x4,,
poolmon,0,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c67849c,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c67830c,,,IN,ULONG,AllocationType,0x2000,,,IN,ULONG,Protect,0x4,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,VadS,unknown_pool_type,40,nt!mm,Mm virtual address descriptors (short)
poolmon,0,0xed1b85c0,test.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c6784d0,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c6784ac,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySection,5,IN,HANDLE,SectionHandle,0xc,,,IN,SECTION_INFORMATION_CLASS,SectionInformationClass,0x2,,,OUT,PVOID,SectionInformation,0x13f60c,,,IN,SIZE_T,SectionInformationLength,0x4,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x9c6784d0,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x9c6784a8,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x104,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,Vadl,unknown_pool_type,72,nt!mm,Mm virtual address descriptors (long)
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x13f668,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f560,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtMapViewOfSection,10,IN,HANDLE,SectionHandle,0xc,,,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x13f694,,,IN,ULONG_PTR,ZeroBits,0x0,,,IN,SIZE_T,CommitSize,0x0,,,INOUT,PLARGE_INTEGER,SectionOffset,0x0,,,INOUT,PSIZE_T,ViewSize,0x13f624,,,IN,SECTION_INHERIT,InheritDisposition,0x1,,,IN,ULONG,AllocationType,0x800000,,,IN,WIN32_PROTECTION_MASK,Win32Protect,0x4,,
poolmon,0,0xed1b85c0,test.exe,1,Vad ,unknown_pool_type,72,nt!mm,Mm virtual address descriptors
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,160,nt!se,Security Descriptor
poolmon,0,0xed1b85c0,test.exe,1,MmSe,unknown_pool_type,24,nt!mm,Mm secured VAD allocation
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,28,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtQuerySection,5,IN,HANDLE,SectionHandle,0xc,,,IN,SECTION_INFORMATION_CLASS,SectionInformationClass,0x2,,,OUT,PVOID,SectionInformation,0x13f60c,,,IN,SIZE_T,SectionInformationLength,0x4,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8340,MsMpEng.exe,0,SeSd,PagedPool,172,nt!se,Security Descriptor
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0xc,,
syscall,1 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtResumeThread,2,IN,HANDLE,ThreadHandle,0x5b0,,,OUT,PULONG,PreviousSuspendCount,0xb6f734,,
syscall,0 0xed1b85c0,test.exe,1,ntoskrnl.exe,NtOpenSection,3,OUT,PHANDLE,SectionHandle,0x13f668,,,IN,ACCESS_MASK,DesiredAccess,0xf,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x13f560,,
poolmon,0,0xed1b8340,MsMpEng.exe,0,Nb22,unknown_pool_type,40
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
poolmon,1,0x1a5000,System,-1,Nb23,unknown_pool_type,41
poolmon,1,0x1a5000,System,-1,Nb14,unknown_pool_type,41
poolmon,1,0x1a5000,System,-1,Strg,PagedPool,82,<unknown>,Dynamic Translated strings
syscall,0 0xed1b8240,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0x1144fd94,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x1144fd24,,
filetracer,1,0x1a5000,System,-1,ZwCreateFile,\SystemRoot\System32\drivers\etc\lmhosts
filetracer,1,0x1a5000,System,-1,NtCreateFile,\SystemRoot\System32\drivers\etc\lmhosts
syscall,1 0x1a5000,System,-1,ntoskrnl.exe,NtCreateFile,11,OUT,PHANDLE,FileHandle,0x920e7b34,,,IN,ACCESS_MASK,DesiredAccess,0x100001,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x920e7afc,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x920e7b14,,,IN,PLARGE_INTEGER,AllocationSize,0x0,,,IN,ULONG,FileAttributes,0x80,,,IN,ULONG,ShareAccess,0x3,,,IN,ULONG,CreateDisposition,0x1,,,IN,ULONG,CreateOptions,0x20,,,IN,PVOID,EaBuffer,0x0,,,IN,ULONG,EaLength,0x0,,
objmon,1,0x1a5000,System,-1,File
syscall,0 0xed1b8340,MsMpEng.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x248,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x62b478,,
poolmon,1,0x1a5000,System,-1,File,unknown_pool_type,160,<unknown>,File objects
poolmon,1,0x1a5000,System,-1,IoNm,PagedPool,120,nt!io,Io parsing names
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSd,PagedPool,172,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x568,,
poolmon,1,0x1a5000,System,-1,NtFA,unknown_pool_type,160,ntfs.sys,AttrSup.c
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtAccessCheck,8,IN,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x40fc108,,,IN,HANDLE,ClientToken,0x4e4,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,PGENERIC_MAPPING,GenericMapping,0x3a0ee94,,,OUT,PPRIVILEGE_SET,PrivilegeSet,0x3a0eea4,,,INOUT,PULONG,PrivilegeSetLength,0x3a0ee68,,,OUT,PACCESS_MASK,GrantedAccess,0x3a0ee5c,,,OUT,PNTSTATUS,AccessStatus,0x3a0ee60,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,SeSc,PagedPool,96,nt!se,Captured Security Descriptor
syscall,1 0xed1b8220,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x1a12d58,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x1fcf40,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175ee00,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x230,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175edfc,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x124bc20,,,IN,ULONG,TokenInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x175edfc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d454,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d32c,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175edf8,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x1fcfb8,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175edf8,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175edf4,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x12a7d90,,,IN,ULONG,TokenInformationLength,0x144,,,OUT,PULONG,ReturnLength,0x175edf4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffc,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175ed88,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175ed38,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175ed40,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175ed34,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0xa,,,OUT,PVOID,TokenInformation,0x175ecf0,,,IN,ULONG,TokenInformationLength,0x38,,,OUT,PULONG,ReturnLength,0x175ec4c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x4e4,,,IN,PUNICODE_STRING,ValueName,0x394d3b8,.exe,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394d2f8,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394d2d4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175eb70,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,12
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x4,,,OUT,PVOID,TokenInformation,0x1fcfe8,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175eb70,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175eb6c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x19,,,OUT,PVOID,TokenInformation,0x124bb40,,,IN,ULONG,TokenInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x175eb6c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175eb68,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x5,,,OUT,PVOID,TokenInformation,0x1fce08,,,IN,ULONG,TokenInformationLength,0x10,,,OUT,PULONG,ReturnLength,0x175eb68,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175eb64,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x6,,,OUT,PVOID,TokenInformation,0x12a7ee8,,,IN,ULONG,TokenInformationLength,0x144,,,OUT,PULONG,ReturnLength,0x175eb64,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffc,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175eaf8,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175eaa8,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x29,,,OUT,PVOID,TokenInformation,0x175eab0,,,IN,ULONG,TokenInformationLength,0x48,,,OUT,PULONG,ReturnLength,0x175eaa4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x296,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d168,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d160,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x0,,,IN,ULONG,TokenInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175ee00,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x124ba80,,,IN,ULONG,TokenInformationLength,0x14,,,OUT,PULONG,ReturnLength,0x175ee00,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x81c,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7d0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175ef1c,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175ef1c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d454,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394cef0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175eeb4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175eeb4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175efac,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175efac,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d454,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394cef0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x175efb4,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcCreateSecurityContext,3,IN,HANDLE,PortHandle,0xa8,,,RESERVED,ULONG,Flags,0x0,,,INOUT,PALPC_SECURITY_ATTR,SecurityAttribute,0x1264910,,
poolmon,1,0xed1b8320,svchost.exe,0,AlSe,PagedPool,104,nt!alpc,ALPC client security
poolmon,1,0xed1b8320,svchost.exe,0,SeAt,PagedPool,24
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,1,0xed1b8320,svchost.exe,0,SeTl,unknown_pool_type,56
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
objmon,1,0xed1b8320,svchost.exe,0,Toke
poolmon,1,0xed1b8320,svchost.exe,0,Toke,PagedPool,1640,nt!se,Token objects
poolmon,1,0xed1b8320,svchost.exe,0,SeTd,PagedPool,332,nt!se,Security Token dynamic part
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x4e6,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d110,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x394d104,,
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,380,nt!se,Security Descriptor
poolmon,1,0xed1b8320,svchost.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,28,nt!se,Security Descriptor
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,86,nt!cm,notification block pool tag
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,392,nt!se,Security Descriptor
poolmon,1,0xed1b8320,svchost.exe,0,ObSc,PagedPool,408,nt!ob,Object security descriptor cache block
poolmon,1,0xed1b8320,svchost.exe,0,SeAc,PagedPool,312,nt!se,Security ACL
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,384,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394cdd8,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394cdc8,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d2e8,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394ce90,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x175ef94,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x12bbc00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x15d0b4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0x175eb28,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x15d0b4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb12500,,,INOUT,PULONG,BufferLength,0xedfc18,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xedfc2c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x4e6,,,IN,PUNICODE_STRING,ValueName,0x394d3b8,Content Type,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394d2f8,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394d2d4,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xedfb8c,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,28
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAccessCheck,8,IN,PSECURITY_DESCRIPTOR,SecurityDescriptor,0xafebb8,,,IN,HANDLE,ClientToken,0x2d4,,,IN,ACCESS_MASK,DesiredAccess,0x20000,,,IN,PGENERIC_MAPPING,GenericMapping,0xedf418,,,OUT,PPRIVILEGE_SET,PrivilegeSet,0xedf710,,,INOUT,PULONG,PrivilegeSetLength,0xedf3e0,,,OUT,PACCESS_MASK,GrantedAccess,0xedf410,,,OUT,PNTSTATUS,AccessStatus,0xedf32c,,
poolmon,1,0xed1b8120,svchost.exe,0,SeSc,PagedPool,144,nt!se,Captured Security Descriptor
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x410000,,,IN,PPORT_MESSAGE,SendMessage,0xb14710,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8120,svchost.exe,0,AlEB,PagedPool,260
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x4e6,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175e9e4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xc,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175e9e4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x175e9ec,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcCreateSecurityContext,3,IN,HANDLE,PortHandle,0xa8,,,RESERVED,ULONG,Flags,0x0,,,INOUT,PALPC_SECURITY_ATTR,SecurityAttribute,0x175ea34,,
poolmon,1,0xed1b8320,svchost.exe,0,AlSe,PagedPool,104,nt!alpc,ALPC client security
poolmon,1,0xed1b8320,svchost.exe,0,SeAt,PagedPool,24
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeTl,unknown_pool_type,56
objmon,1,0xed1b8320,svchost.exe,0,Toke
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,Toke,PagedPool,1640,nt!se,Token objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeTd,PagedPool,332,nt!se,Security Token dynamic part
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,380,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeAc,PagedPool,200,nt!se,Security ACL
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,28,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,392,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,ObSc,PagedPool,408,nt!ob,Object security descriptor cache block
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeAc,PagedPool,312,nt!se,Security ACL
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,SeSd,PagedPool,384,nt!se,Security Descriptor
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtSetInformationThread,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,THREADINFOCLASS,ThreadInformationClass,0x5,,,IN,PVOID,ThreadInformation,0x175e9cc,,,IN,ULONG,ThreadInformationLength,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175e8fc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175e8fc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadToken,4,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,OUT,PHANDLE,TokenHandle,0x175e894,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenThreadTokenEx,5,IN,HANDLE,ThreadHandle,0xfffffffe,,,IN,ACCESS_MASK,DesiredAccess,0xe,,,IN,BOOLEAN,OpenAsSelf,0x1,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175e894,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa8,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x12bbc00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x15d0b4,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0x175eb28,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x15d0b4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xb0cfd8,,,INOUT,PULONG,BufferLength,0xfef720,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xfef734,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x80000788,,,OUT,PLONG,PreviousState,0xa7a5e21c,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xfef694,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0xa7a5ea68,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x1,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf0,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x144,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x12c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,PVOID,BaseAddress,0x3cd4080,,,IN,MEMORY_INFORMATION_CLASS,MemoryInformationClass,0x3,,,OUT,PVOID,MemoryInformation,0x394d378,,,IN,SIZE_T,MemoryInformationLength,0x14,,,OUT,PSIZE_T,ReturnLength,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0xf4,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x95f9cc,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b8120,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xa4,,,IN,ULONG,Flags,0x410000,,,IN,PPORT_MESSAGE,SendMessage,0xb13608,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,1,0xed1b8120,svchost.exe,0,AlEB,PagedPool,64
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dad8,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d9b0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeleteSecurityContext,3,IN,HANDLE,PortHandle,0xa8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,ContextHandle,0x26,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x175eca4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x175eca4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x7d0,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1d,,,OUT,PVOID,TokenInformation,0x175ecbc,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x175eca0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x7d0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dad8,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d9b0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcConnectPortEx
poolmon,1,0xed1b8320,svchost.exe,0,SeSc,PagedPool,92,nt!se,Captured Security Descriptor
objmon,1,0xed1b8320,svchost.exe,0,ALPC
poolmon,1,0xed1b8320,svchost.exe,0,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
poolmon,1,0xed1b8320,svchost.exe,0,AlCI,PagedPool,64,nt!alpc,ALPC communication info
poolmon,1,0xed1b8320,svchost.exe,0,AlMs,PagedPool,168,nt!alpc,ALPC message
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x296,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d9a0,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d998,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x40c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1420210,,,INOUT,PULONG,BufferLength,0xa7fa08,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xa7fa1c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtAlpcAcceptConnectPort,9,OUT,PHANDLE,PortHandle,0x588574,,,IN,HANDLE,ConnectionPortHandle,0x40c,,,IN,ULONG,Flags,0x0,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PALPC_PORT_ATTRIBUTES,PortAttributes,0xa7f998,,,IN,PVOID,PortContext,0x588558,,,IN,PPORT_MESSAGE,ConnectionRequest,0x1420210,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ConnectionMessageAttributes,0xa7fa1c,,,IN,BOOLEAN,AcceptConnection,0x1,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
objmon,1,0xed1b8100,svchost.exe,0,ALPC
poolmon,1,0xed1b8100,svchost.exe,0,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x7d0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x12bbc00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x1293abc,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0x175f1c4,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x1293abc,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3819a9c,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d728,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x40c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1422420,,,INOUT,PULONG,BufferLength,0xcef650,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xcef664,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3819a9c,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d728,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xcef5b8,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x40c,,,IN,ULONG,Flags,0x410000,,,IN,PPORT_MESSAGE,SendMessage,0x1422420,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x7d0,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0x12bbc00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x15c2ec,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x12bbc00,,,INOUT,PULONG,BufferLength,0x175ee60,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x15c2ec,,,IN,PLARGE_INTEGER,Timeout,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x40c,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1424630,,,INOUT,PULONG,BufferLength,0xdaf5d0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xdaf5e4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x4e6,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d850,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x394d844,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xdaf544,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x1c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xdaf670,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,86,nt!cm,notification block pool tag
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x58bbc0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d518,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d508,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcDeleteSecurityContext,3,IN,HANDLE,PortHandle,0xa8,,,RESERVED,ULONG,Flags,0x0,,,IN,ALPC_HANDLE,ContextHandle,0x25,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394da24,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d5d0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x8a4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x94,,,OUT,PVOID,SystemInformation,0x12d7660,,,IN,ULONG,SystemInformationLength,0x16000,,,OUT,PULONG,ReturnLength,0x175f458,,
poolmon,1,0xed1b8320,svchost.exe,0,RtPb,unknown_pool_type,136
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x4e6,,,IN,PUNICODE_STRING,ValueName,0x394daf4,,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394da34,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394da10,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x296,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d928,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d920,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAllocateVirtualMemory,6,IN,HANDLE,ProcessHandle,0xffffffff,,,INOUT,PVOID,*BaseAddress,0x175f234,,,IN,ULONG_PTR,ZeroBits,0x0,,,INOUT,PSIZE_T,RegionSize,0x175f230,,,IN,ULONG,AllocationType,0x1000,,,IN,ULONG,Protect,0x4,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateData
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x8000005c,,,IN,PUNICODE_STRING,ValueName,0xbbdc3adc,0F950324A3BC0835,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x0,,,IN,ULONG,Length,0x0,,,OUT,PULONG,ResultLength,0xbbdc3ad4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc18,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d6b0,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,Wnf ,PagedPool,120
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x8000005c,,,IN,PUNICODE_STRING,ValueName,0xbbdc3adc,0F950324A3BC0835,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0xb4894bec,,,IN,ULONG,Length,0x6c,,,OUT,PULONG,ResultLength,0xbbdc3ad4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc18,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d6b0,,,IN,ULONG,OpenOptions,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x8000005c,,,IN,PUNICODE_STRING,ValueName,0xbbdc3b14,0F950324A3BC0835,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x0,,,IN,ULONG,Length,0x0,,,OUT,PULONG,ResultLength,0xbbdc3b0c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56a,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d910,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d908,,
poolmon,1,0xed1b8320,svchost.exe,0,Wnf ,PagedPool,120
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x8000005c,,,IN,PUNICODE_STRING,ValueName,0xbbdc3b14,0F950324A3BC0835,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0xb4894bec,,,IN,ULONG,Length,0x6c,,,OUT,PULONG,ResultLength,0xbbdc3b0c,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d5e0,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d5d0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dbf8,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d698,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateData
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dbf8,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d698,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x8000005c,,,IN,PUNICODE_STRING,ValueName,0xbbdc3adc,0F950324A3BC0835,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x0,,,IN,ULONG,Length,0x0,,,OUT,PULONG,ResultLength,0xbbdc3ad4,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56a,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d980,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d978,,
poolmon,1,0xed1b8320,svchost.exe,0,Wnf ,PagedPool,120
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x8000005c,,,IN,PUNICODE_STRING,ValueName,0xbbdc3adc,0F950324A3BC0835,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0xb4894bec,,,IN,ULONG,Length,0x6c,,,OUT,PULONG,ResultLength,0xbbdc3ad4,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d650,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d640,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3819bd4,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d708,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3819bd4,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d708,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
objmon,1,0xed1b82c0,Taskmgr.exe,1,Key
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95e9a4,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x374,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x374,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x429a500,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x3c0,,,OUT,PLONG,PreviousState,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x3c0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtCreateEvent,5,OUT,PHANDLE,EventHandle,0x95eb34,,,IN,ACCESS_MASK,DesiredAccess,0x1f0003,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,EVENT_TYPE,EventType,0x0,,,IN,BOOLEAN,InitialState,0x7f29d000,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
objmon,0,0xed1b84e0,dwm.exe,1,Even
poolmon,0,0xed1b84e0,dwm.exe,1,Even,unknown_pool_type,56,<unknown>,Event objects
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x160,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x16c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95ee10,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95ee08,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x270,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f984,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f97c,,
syscall,1 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x37c,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x56a,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0xf0,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa24,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa1c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x502,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d940,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d938,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformationEx,6,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x6b,,,IN,PVOID,QueryInformation,0x175f2bc,,,IN,ULONG,QueryInformationLength,0x4,,,OUT,PVOID,SystemInformation,0x0,,,IN,ULONG,SystemInformationLength,0x0,,,OUT,PULONG,ReturnLength,0x175f2d4,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformationEx,6,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x6b,,,IN,PVOID,QueryInformation,0x175f2bc,,,IN,ULONG,QueryInformationLength,0x4,,,OUT,PVOID,SystemInformation,0x1267f38,,,IN,ULONG,SystemInformationLength,0x4c,,,OUT,PULONG,ReturnLength,0x175f2d4,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformationEx,6,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x6c,,,IN,PVOID,QueryInformation,0x175f2e4,,,IN,ULONG,QueryInformationLength,0x2,,,OUT,PVOID,SystemInformation,0x175f308,,,IN,ULONG,SystemInformationLength,0x100,,,OUT,PULONG,ReturnLength,0x175f304,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d610,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d600,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d6c8,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f150,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f160,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtQuerySystemInformation,4,IN,SYSTEM_INFORMATION_CLASS,SystemInformationClass,0x66,,,OUT,PVOID,SystemInformation,0x175f160,,,IN,ULONG,SystemInformationLength,0x1b0,,,OUT,PULONG,ReturnLength,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d6c8,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x1c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0xf85d78,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9f8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9f0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x180,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x270,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x37c,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtSetEvent,2,IN,HANDLE,EventHandle,0x160,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForWorkViaWorkerFactory,2,IN,HANDLE,WorkerFactoryHandle,0x16c,,,OUT,PFILE_IO_COMPLETION_INFORMATION,MiniPacket,0x722600,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95fa18,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95fa10,,
poolmon,0,0xed1b84e0,dwm.exe,1,DxgK,PagedPool,8,dxgkrnl.sys,Vista display driver support
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf4,,
poolmon,0,0xed1b84e0,dwm.exe,1,DCcf,unknown_pool_type,112
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000788,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0x80000e44,,
poolmon,1,0xed1b80e0,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
poolmon,0,0xed1b84e0,dwm.exe,1,XSav,unknown_pool_type,895
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtQueryPerformanceCounter,2,OUT,PLARGE_INTEGER,PerformanceCounter,0x95f9e8,,,OUT,PLARGE_INTEGER,PerformanceFrequency,0x95f9e0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtPulseEvent,2,IN,HANDLE,EventHandle,0x250,,,OUT,PLONG,PreviousState,0x0,,
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtClearEvent,1,IN,HANDLE,EventHandle,0xf0,,
poolmon,1,0xed1b80c0,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b84e0,dwm.exe,1,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x4,,,IN,HANDLE,Handles[],0x95fa5c,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b84e0,dwm.exe,1,ObWm,unknown_pool_type,96
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x296,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d7c8,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d7c0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,146,nt!cm,notification block pool tag
poolmon,1,0xed1b8500,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3819b8c,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d550,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x3819b8c,,,IN,ACCESS_MASK,DesiredAccess,0x20019,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d550,,,IN,ULONG,OpenOptions,0x0,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56e,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394d940,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394d938,,
poolmon,1,0xed1b8540,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,132,nt!cm,notification block pool tag
poolmon,1,0xed1b8580,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d610,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d600,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d6c8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0xed1b8340,System,-1,MmAc,unknown_pool_type,4096,nt!mm,Mm access log buffers
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d6c8,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d6c8,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x502,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da50,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x394da44,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x84,\CMApi,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a0f1e0,,,IN,ULONG,IoControlCode,0x470807,,,IN,PVOID,InputBuffer,0x3a0f264,,,IN,ULONG,InputBufferLength,0x24,,,OUT,PVOID,OutputBuffer,0x3a0f288,,,IN,ULONG,OutputBufferLength,0x14,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d718,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d708,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7d0,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x502,,,IN,PUNICODE_STRING,ValueName,0x394dcf8,DocObject,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394dc38,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394dc14,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,22
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x502,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da70,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394da68,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
poolmon,0,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d740,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d730,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PNPR,PagedPool,512
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56e,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da50,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x394da44,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x85e6797c,,,IN,ACCESS_MASK,DesiredAccess,0xf003f,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x85e67850,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,132,nt!cm,notification block pool tag
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d718,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d708,,
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7d0,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,1024,nt!pnp,PNPMGR generic
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x85e67768,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x85e676d0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x56e,,,IN,PUNICODE_STRING,ValueName,0x394dcf8,DocObject,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394dc38,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394dc14,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,22
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Pp ,PagedPool,8192
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpZ,PagedPool,12
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56e,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da70,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394da68,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtPlugPlayControl,3,IN,PLUGPLAY_CONTROL_CLASS,PnPControlClass,0x17,,,INOUT,PVOID,PnPControlData,0x85e67698,,,IN,ULONG,PnPControlDataLength,0x10,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Ppsu,PagedPool,228,nt!pnp,plug
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,200,nt!pnp,PNPMGR generic
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,132,nt!cm,notification block pool tag
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,512,nt!pnp,PNPMGR generic
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtPlugPlayControl,3,IN,PLUGPLAY_CONTROL_CLASS,PnPControlClass,0x17,,,INOUT,PVOID,PnPControlData,0x85e67698,,,IN,ULONG,PnPControlDataLength,0x10,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Ppsu,PagedPool,228,nt!pnp,plug
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d740,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d730,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,200,nt!pnp,PNPMGR generic
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,512,nt!pnp,PNPMGR generic
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtPlugPlayControl,3,IN,PLUGPLAY_CONTROL_CLASS,PnPControlClass,0x17,,,INOUT,PVOID,PnPControlData,0x85e67698,,,IN,ULONG,PnPControlDataLength,0x10,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Ppsu,PagedPool,238,nt!pnp,plug
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,200,nt!pnp,PNPMGR generic
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,512,nt!pnp,PNPMGR generic
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x80000a2c,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x502,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da50,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x394da44,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtDeviceIoControlFile,10,IN,HANDLE,FileHandle,0x84,\CMApi,,IN,HANDLE,Event,0x0,,,IN,PIO_APC_ROUTINE,ApcRoutine,0x0,,,IN,PVOID,ApcContext,0x0,,,OUT,PIO_STATUS_BLOCK,IoStatusBlock,0x3a0f1d8,,,IN,ULONG,IoControlCode,0x470807,,,IN,PVOID,InputBuffer,0x3a0f264,,,IN,ULONG,InputBufferLength,0x24,,,OUT,PVOID,OutputBuffer,0x77b8040,,,IN,ULONG,OutputBufferLength,0x2cc,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d718,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d708,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7d0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x502,,,IN,PUNICODE_STRING,ValueName,0x394dcf8,BrowseInPlace,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394dc38,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394dc14,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,30
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x502,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da70,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394da68,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d740,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d730,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PNPR,PagedPool,512
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56e,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da50,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x394da44,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x85e6797c,,,IN,ACCESS_MASK,DesiredAccess,0xf003f,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x85e67850,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,132,nt!cm,notification block pool tag
objmon,0,0xed1b82c0,Taskmgr.exe,1,Key
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d718,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d708,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Key ,PagedPool,84
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dc28,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7d0,,,IN,ULONG,OpenOptions,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,1024,nt!pnp,PNPMGR generic
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKey,3,OUT,PHANDLE,KeyHandle,0x85e67768,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x85e676d0,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x56e,,,IN,PUNICODE_STRING,ValueName,0x394dcf8,BrowseInPlace,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394dc38,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394dc14,,
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,30
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Pp ,PagedPool,8192
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpZ,PagedPool,12
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtPlugPlayControl,3,IN,PLUGPLAY_CONTROL_CLASS,PnPControlClass,0x17,,,INOUT,PVOID,PnPControlData,0x85e67698,,,IN,ULONG,PnPControlDataLength,0x10,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56e,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394da70,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394da68,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Ppsu,PagedPool,228,nt!pnp,plug
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,200,nt!pnp,PNPMGR generic
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,512,nt!pnp,PNPMGR generic
poolmon,1,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,132,nt!cm,notification block pool tag
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtPlugPlayControl,3,IN,PLUGPLAY_CONTROL_CLASS,PnPControlClass,0x17,,,INOUT,PVOID,PnPControlData,0x85e67698,,,IN,ULONG,PnPControlDataLength,0x10,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,Ppsu,PagedPool,228,nt!pnp,plug
poolmon,0,0xed1b82c0,Taskmgr.exe,1,PnpG,PagedPool,200,nt!pnp,PNPMGR generic
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394d740,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394d730,,
syscall,1 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0x1a5000,System,-1,MmWe,unknown_pool_type,168,nt!mm,Work entries for writing out modified filesystem pages.
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x5d8,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0xef5b00,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394dd58,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394d7f8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0xed1b8320,svchost.exe,0,AlEB,PagedPool,64
syscall,1 0xed1b8320,svchost.exe,0,ntoskrnl.exe,NtWaitForMultipleObjects,5,IN,ULONG,Count,0x2,,,IN,HANDLE,Handles[],0xd5f550,,,IN,WAIT_TYPE,WaitType,0x1,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b81c0,taskhostex.exe,1,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x270,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x1dee7f0,,,INOUT,PULONG,BufferLength,0x1dee7cc,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xe01338,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x4e6,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394c538,,,IN,ULONG,Length,0x188,,,OUT,PULONG,ResultLength,0x394c52c,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtReleaseWorkerFactoryWorker,1,IN,HANDLE,WorkerFactoryHandle,0x3e4,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,86,nt!cm,notification block pool tag
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateData
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394c200,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394c1f0,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtQueryWnfStateNameInformation
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394c710,,,IN,ACCESS_MASK,DesiredAccess,0x2000000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394c2b8,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8100,svchost.exe,0,ntoskrnl.exe,NtUpdateWnfStateData
poolmon,1,0xed1b8100,svchost.exe,0,Wnf ,unknown_pool_type,88
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAssociateWaitCompletionPacket
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryValueKey,6,IN,HANDLE,KeyHandle,0x4e6,,,IN,PUNICODE_STRING,ValueName,0x394c7e0,Content Type,,IN,KEY_VALUE_INFORMATION_CLASS,KeyValueInformationClass,0x2,,,OUT,PVOID,KeyValueInformation,0x394c720,,,IN,ULONG,Length,0x90,,,OUT,PULONG,ResultLength,0x394c6fc,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtGetCompleteWnfStateSubscription
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMvn,unknown_pool_type,28
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtQuerySystemTime,1,OUT,PLARGE_INTEGER,SystemTime,0x4ef9ac,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtOpenEvent,3,OUT,PHANDLE,EventHandle,0x4ef724,,,IN,ACCESS_MASK,DesiredAccess,0x100000,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x4ef730,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtWaitForSingleObject,3,IN,HANDLE,Handle,0x1bc,,,IN,BOOLEAN,Alertable,0x0,,,IN,PLARGE_INTEGER,Timeout,0x4ef714,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x502,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394ce48,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394ce40,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1bc,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtOpenProcessToken,3,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,OUT,PHANDLE,TokenHandle,0x4eec14,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,92,nt!cm,notification block pool tag
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtOpenProcessTokenEx,4,IN,HANDLE,ProcessHandle,0xffffffff,,,IN,ACCESS_MASK,DesiredAccess,0x8,,,IN,ULONG,HandleAttributes,0x0,,,OUT,PHANDLE,TokenHandle,0x4eec14,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0x1bc,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1d,,,OUT,PVOID,TokenInformation,0x4eec2c,,,IN,ULONG,TokenInformationLength,0x4,,,OUT,PULONG,ReturnLength,0x4eec10,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtClose,1,IN,HANDLE,Handle,0x1bc,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcConnectPort,11,OUT,PHANDLE,PortHandle,0x6dcd2c,,,IN,PUNICODE_STRING,PortName,0x4ef0c8,\RPC Control\ntsvcs,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x4ef0d0,,,IN,PALPC_PORT_ATTRIBUTES,PortAttributes,0x4ef108,,,IN,ULONG,Flags,0x20000,,,IN,PSID,RequiredServerSid,0x6b7ac0,,,INOUT,PPORT_MESSAGE,ConnectionMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,OutMessageAttributes,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,InMessageAttributes,0x4ef134,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394cb18,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394cb08,,
poolmon,1,0xed1b8040,services.exe,0,SeSi,PagedPool,12,nt!se,Security SID
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d13c,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394cbd0,,,IN,ULONG,OpenOptions,0x0,,
objmon,1,0xed1b8040,services.exe,0,ALPC
poolmon,1,0xed1b8040,services.exe,0,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
poolmon,1,0xed1b8040,services.exe,0,AlCI,PagedPool,64,nt!alpc,ALPC communication info
poolmon,1,0xed1b8040,services.exe,0,AlMs,PagedPool,168,nt!alpc,ALPC message
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d13c,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394cbd0,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xe4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbd77b0,,,INOUT,PULONG,BufferLength,0x5cfb30,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x5cfb44,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcAcceptConnectPort,9,OUT,PHANDLE,PortHandle,0x6c52cc,,,IN,HANDLE,ConnectionPortHandle,0xe4,,,IN,ULONG,Flags,0x0,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x0,,,IN,PALPC_PORT_ATTRIBUTES,PortAttributes,0x5cfac0,,,IN,PVOID,PortContext,0x6c52b0,,,IN,PPORT_MESSAGE,ConnectionRequest,0xbd77b0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ConnectionMessageAttributes,0x5cfb44,,,IN,BOOLEAN,AcceptConnection,0x1,,
objmon,1,0xed1b8040,services.exe,0,ALPC
poolmon,1,0xed1b8040,services.exe,0,ALPC,unknown_pool_type,316,nt!alpc,ALPC port objects
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryKey,5,IN,HANDLE,KeyHandle,0x56e,,,IN,KEY_INFORMATION_CLASS,KeyInformationClass,0x3,,,OUT,PVOID,KeyInformation,0x394ce70,,,IN,ULONG,Length,0x180,,,OUT,PULONG,ResultLength,0x394ce68,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x1bc,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0xbd55a0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x6a911c,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbd55a0,,,INOUT,PULONG,BufferLength,0x4ef16c,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x6a911c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xe4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbdccd8,,,INOUT,PULONG,BufferLength,0x71faf8,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x71fb0c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
poolmon,0,0xed1b82c0,Taskmgr.exe,1,CMNb,PagedPool,132,nt!cm,notification block pool tag
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x2c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0x71fa60,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xe4,,,IN,ULONG,Flags,0x410000,,,IN,PPORT_MESSAGE,SendMessage,0xbdccd8,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0x0,,,INOUT,PULONG,BufferLength,0x0,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x0,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0x1bc,,,IN,ULONG,Flags,0x20000,,,IN,PPORT_MESSAGE,SendMessage,0xbd55a0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x6a911c,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbd55a0,,,INOUT,PULONG,BufferLength,0x4ef218,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0x6a911c,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtQueryInformationToken,5,IN,HANDLE,TokenHandle,0xfffffffa,,,IN,TOKEN_INFORMATION_CLASS,TokenInformationClass,0x1,,,OUT,PVOID,TokenInformation,0x394cb40,,,IN,ULONG,TokenInformationLength,0x50,,,OUT,PULONG,ReturnLength,0x394cb30,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcSendWaitReceivePort,8,IN,HANDLE,PortHandle,0xe4,,,IN,ULONG,Flags,0x0,,,IN,PPORT_MESSAGE,SendMessage,0x0,,,IN,PALPC_MESSAGE_ATTRIBUTES,SendMessageAttributes,0x0,,,INOUT,PPORT_MESSAGE,ReceiveMessage,0xbe3308,,,INOUT,PULONG,BufferLength,0xa8fc90,,,INOUT,PALPC_MESSAGE_ATTRIBUTES,ReceiveMessageAttributes,0xa8fca4,,,IN,PLARGE_INTEGER,Timeout,0x0,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d168,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394cbf8,,,IN,ULONG,OpenOptions,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtSetInformationWorkerFactory,4,IN,HANDLE,WorkerFactoryHandle,0x2c,,,IN,WORKERFACTORYINFOCLASS,WorkerFactoryInformationClass,0x9,,,IN,PVOID,WorkerFactoryInformation,0xa8fc04,,,IN,ULONG,WorkerFactoryInformationLength,0x4,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAlpcImpersonateClientOfPort,3,IN,HANDLE,PortHandle,0x280,,,IN,PPORT_MESSAGE,PortMessage,0xbe3308,,,RESERVED,PVOID,Reserved,0x0,,
syscall,1 0xed1b8040,services.exe,0,ntoskrnl.exe,NtAccessCheckAndAuditAlarm,11,IN,PUNICODE_STRING,SubsystemName,0xa8f320,SC Manager,,IN,PVOID,HandleId,0x68c6e0,,,IN,PUNICODE_STRING,ObjectTypeName,0xa8f328,SC_MANAGER OBJECT,,IN,PUNICODE_STRING,ObjectName,0xa8f318,ServicesActive,,IN,PSECURITY_DESCRIPTOR,SecurityDescriptor,0x5e8790,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,PGENERIC_MAPPING,GenericMapping,0x2813b8,,,IN,BOOLEAN,ObjectCreation,0x0,,,OUT,PACCESS_MASK,GrantedAccess,0x68c6e8,,,OUT,PNTSTATUS,AccessStatus,0xa8f2fc,,,OUT,PBOOLEAN,GenerateOnClose,0xa8f307,,
syscall,0 0xed1b82c0,Taskmgr.exe,1,ntoskrnl.exe,NtOpenKeyEx,4,OUT,PHANDLE,KeyHandle,0x394d168,,,IN,ACCESS_MASK,DesiredAccess,0x1,,,IN,POBJECT_ATTRIBUTES,ObjectAttributes,0x394cbf8,,,IN,ULONG,OpenOptions,0x0,,
poolmon,1,0xed1b8040,services.exe,0,SeSc,PagedPool,228,nt!se,Captured Security Descriptor
poolmon,1,0xed1b8040,services.exe,0,SeUs