Skip to content

Instantly share code, notes, and snippets.

@fed-franz

fed-franz/Windows 8.1 x86

Created February 15, 2015 11:36
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save fed-franz/9208bb7585535f46b531 to your computer and use it in GitHub Desktop.
Save fed-franz/9208bb7585535f46b531 to your computer and use it in GitHub Desktop.
Download ZIP
Volatility Windows Memory Dump Analysis
Raw
Windows 8.1 x86
# imageinfo
$ ./vol.py --profile=Win8SP1x86 -f win8.1-x86_booted-imagecopy.raw imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...
Suggested Profile(s) : Win8SP1x86, Win8SP0x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/media/Data/Tesi/memdumps/vbox/win8/win8.1-x86_booted-imagecopy.raw)
PAE type : PAE
DTB : 0x1a5000L
KDBG : 0x81600a00
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x8162a000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2015-02-12 14:58:27 UTC+0000
Image local date and time : 2015-02-12 15:58:27 +0100
# kdbgscan
$ ./vol.py --profile=Win8SP1x86 -f win8.1-x86_booted-imagecopy.raw kdbgscan
Volatility Foundation Volatility Framework 2.4
**************************************************
Instantiating KDBG using: Kernel AS Win8SP1x86 (6.3.9600 32bit)
Offset (V) : 0x81600a00
Offset (P) : 0x2600a00
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win8SP1x86
Version64 : 0x81600d60 (Major: 15, Minor: 9600)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab) : 9600.16384.x86fre.winblue_rtm.13
PsActiveProcessHead : 0x8160fc58 (32 processes)
PsLoadedModuleList : 0x81618218 (134 modules)
KernelBase : 0x8141e000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 3
KPCR : 0x8162a000 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win8SP1x86 (6.3.9600 32bit)
Offset (V) : 0x81600a00
Offset (P) : 0x2600a00
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win8SP0x86
Version64 : 0x81600d60 (Major: 15, Minor: 9600)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab) : 9600.16384.x86fre.winblue_rtm.13
PsActiveProcessHead : 0x8160fc58 (32 processes)
PsLoadedModuleList : 0x81618218 (134 modules)
KernelBase : 0x8141e000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 3
KPCR : 0x8162a000 (CPU 0)
# kpcrscan
$ ./vol.py --profile=Win8SP1x86 -f win8.1-x86_booted-imagecopy.raw kpcrscan
Volatility Foundation Volatility Framework 2.4
**************************************************
Offset (V) : 0x8162a000
Offset (P) : 0x262a000
KdVersionBlock : 0x81600d60
IDT : 0x80adf400
GDT : 0x80adf000
CurrentThread : 0x81639100 TID 0 (Idle:0)
IdleThread : 0x81639100 TID 0 (Idle:0)
Details : CPU 0 (GenuineIntel @ 2388 MHz)
CR3/DTB : 0x1a5000
# idt
$ ./vol.py --profile=Win8SP1x86 -f /media/Data/Tesi//memdumps/vbox/win8/win8.1-x86_booted-imagecopy.raw idt
Volatility Foundation Volatility Framework 2.4
CPU Index Selector Value Module Section
------ ------ ---------- ---------- -------------------- ------------
0 0 0x8 0x81530cbc ntoskrnl.exe .text
0 1 0x8 0x81530e6c ntoskrnl.exe .text
0 2 0x58 0x00000000 UNKNOWN
0 3 0x8 0x81531370 ntoskrnl.exe .text
0 4 0x8 0x81531538 ntoskrnl.exe .text
0 5 0x8 0x815316e0 ntoskrnl.exe .text
0 6 0x8 0x81531894 ntoskrnl.exe .text
0 7 0x8 0x81531f94 ntoskrnl.exe .text
0 8 0x50 0x00000000 UNKNOWN
0 9 0x8 0x815321a0 ntoskrnl.exe .text
0 A 0x8 0x815322fc ntoskrnl.exe .text
0 B 0x8 0x81532470 ntoskrnl.exe .text
0 C 0x8 0x81532730 ntoskrnl.exe .text
0 D 0x8 0x81532a8c ntoskrnl.exe .text
0 E 0x8 0x815331f4 ntoskrnl.exe .text
0 F 0x8 0x815334a8 ntoskrnl.exe .text
0 10 0x8 0x81533600 ntoskrnl.exe .text
0 11 0x8 0x81533850 ntoskrnl.exe .text
0 12 0xa0 0x00000000 UNKNOWN
0 13 0x8 0x815339f8 ntoskrnl.exe .text
0 14 0x8 0x815334a8 ntoskrnl.exe .text
0 15 0x8 0x815334a8 ntoskrnl.exe .text
0 16 0x8 0x815334a8 ntoskrnl.exe .text
0 17 0x8 0x815334a8 ntoskrnl.exe .text
0 18 0x8 0x815334a8 ntoskrnl.exe .text
0 19 0x8 0x815334a8 ntoskrnl.exe .text
0 1A 0x8 0x815334a8 ntoskrnl.exe .text
0 1B 0x8 0x815334a8 ntoskrnl.exe .text
0 1C 0x8 0x815334a8 ntoskrnl.exe .text
0 1D 0x8 0x815334a8 ntoskrnl.exe .text
0 1E 0x8 0x815334a8 ntoskrnl.exe .text
0 1F 0x8 0x819e4c5c hal.dll .text
0 20 0x8 0x00000000 UNKNOWN
0 21 0x8 0x00000000 UNKNOWN
0 22 0x8 0x00000000 UNKNOWN
0 23 0x8 0x00000000 UNKNOWN
0 24 0x8 0x00000000 UNKNOWN
0 25 0x8 0x00000000 UNKNOWN
0 26 0x8 0x00000000 UNKNOWN
0 27 0x8 0x00000000 UNKNOWN
0 28 0x8 0x00000000 UNKNOWN
0 29 0x8 0x815300f4 ntoskrnl.exe .text
0 2A 0x8 0x815302aa ntoskrnl.exe .text
0 2B 0x8 0x81530460 ntoskrnl.exe .text
0 2C 0x8 0x815305a8 ntoskrnl.exe .text
0 2D 0x8 0x81531210 ntoskrnl.exe .text
0 2E 0x8 0x8152fbee ntoskrnl.exe .text
0 2F 0x8 0x815334a8 ntoskrnl.exe .text
0 30 0x8 0x8152f0e0 ntoskrnl.exe .text
0 31 0x8 0x8152f0ec ntoskrnl.exe .text
0 32 0x8 0x8152f0f8 ntoskrnl.exe .text
0 33 0x8 0x8152f104 ntoskrnl.exe .text
0 34 0x8 0x8152f110 ntoskrnl.exe .text
0 35 0x8 0x8152f11c ntoskrnl.exe .text
0 36 0x8 0x8152f128 ntoskrnl.exe .text
0 37 0x8 0x819e4c5c hal.dll .text
0 38 0x8 0x8152f140 ntoskrnl.exe .text
0 39 0x8 0x8152f14c ntoskrnl.exe .text
0 3A 0x8 0x8152f158 ntoskrnl.exe .text
0 3B 0x8 0x8152f164 ntoskrnl.exe .text
0 3C 0x8 0x8152f170 ntoskrnl.exe .text
0 3D 0x8 0x8152f17c ntoskrnl.exe .text
0 3E 0x8 0x8152f188 ntoskrnl.exe .text
0 3F 0x8 0x8152f194 ntoskrnl.exe .text
0 40 0x8 0x8152f1a0 ntoskrnl.exe .text
0 41 0x8 0x8152f1ac ntoskrnl.exe .text
0 42 0x8 0x8152f1b8 ntoskrnl.exe .text
0 43 0x8 0x8152f1c4 ntoskrnl.exe .text
0 44 0x8 0x8152f1d0 ntoskrnl.exe .text
0 45 0x8 0x8152f1dc ntoskrnl.exe .text
0 46 0x8 0x8152f1e8 ntoskrnl.exe .text
0 47 0x8 0x8152f1f4 ntoskrnl.exe .text
0 48 0x8 0x8152f200 ntoskrnl.exe .text
0 49 0x8 0x8152f20c ntoskrnl.exe .text
0 4A 0x8 0x8152f218 ntoskrnl.exe .text
0 4B 0x8 0x8152f224 ntoskrnl.exe .text
0 4C 0x8 0x8152f230 ntoskrnl.exe .text
0 4D 0x8 0x8152f23c ntoskrnl.exe .text
0 4E 0x8 0x8152f248 ntoskrnl.exe .text
0 4F 0x8 0x8152f254 ntoskrnl.exe .text
0 50 0x8 0x8152f260 ntoskrnl.exe .text
0 51 0x8 0x8152f26c ntoskrnl.exe .text
0 52 0x8 0x8152f278 ntoskrnl.exe .text
0 53 0x8 0x8152f284 ntoskrnl.exe .text
0 54 0x8 0x8152f290 ntoskrnl.exe .text
0 55 0x8 0x8152f29c ntoskrnl.exe .text
0 56 0x8 0x8152f2a8 ntoskrnl.exe .text
0 57 0x8 0x8152f2b4 ntoskrnl.exe .text
0 58 0x8 0x8152f2c0 ntoskrnl.exe .text
0 59 0x8 0x8152f2cc ntoskrnl.exe .text
0 5A 0x8 0x8152f2d8 ntoskrnl.exe .text
0 5B 0x8 0x8152f2e4 ntoskrnl.exe .text
0 5C 0x8 0x8152f2f0 ntoskrnl.exe .text
0 5D 0x8 0x8152f2fc ntoskrnl.exe .text
0 5E 0x8 0x8152f308 ntoskrnl.exe .text
0 5F 0x8 0x8152f314 ntoskrnl.exe .text
0 60 0x8 0x8152f320 ntoskrnl.exe .text
0 61 0x8 0x8152f32c ntoskrnl.exe .text
0 62 0x8 0x8152f338 ntoskrnl.exe .text
0 63 0x8 0x8152f344 ntoskrnl.exe .text
0 64 0x8 0x8152f350 ntoskrnl.exe .text
0 65 0x8 0x8152f35c ntoskrnl.exe .text
0 66 0x8 0x8152f368 ntoskrnl.exe .text
0 67 0x8 0x8152f374 ntoskrnl.exe .text
0 68 0x8 0x8152f380 ntoskrnl.exe .text
0 69 0x8 0x8152f38c ntoskrnl.exe .text
0 6A 0x8 0x8152f398 ntoskrnl.exe .text
0 6B 0x8 0x8152f3a4 ntoskrnl.exe .text
0 6C 0x8 0x8152f3b0 ntoskrnl.exe .text
0 6D 0x8 0x8152f3bc ntoskrnl.exe .text
0 6E 0x8 0x8152f3c8 ntoskrnl.exe .text
0 6F 0x8 0x8152f3d4 ntoskrnl.exe .text
0 70 0x8 0x8152f3e0 ntoskrnl.exe .text
0 71 0x8 0x8152f3ec ntoskrnl.exe .text
0 72 0x8 0x8152f3f8 ntoskrnl.exe .text
0 73 0x8 0x8152f404 ntoskrnl.exe .text
0 74 0x8 0x8152f410 ntoskrnl.exe .text
0 75 0x8 0x8152f41c ntoskrnl.exe .text
0 76 0x8 0x8152f428 ntoskrnl.exe .text
0 77 0x8 0x8152f434 ntoskrnl.exe .text
0 78 0x8 0x8152f440 ntoskrnl.exe .text
0 79 0x8 0x8152f44c ntoskrnl.exe .text
0 7A 0x8 0x8152f458 ntoskrnl.exe .text
0 7B 0x8 0x8152f464 ntoskrnl.exe .text
0 7C 0x8 0x8152f470 ntoskrnl.exe .text
0 7D 0x8 0x8152f47c ntoskrnl.exe .text
0 7E 0x8 0x8152f488 ntoskrnl.exe .text
0 7F 0x8 0x8152f494 ntoskrnl.exe .text
0 80 0x8 0x8152f4a0 ntoskrnl.exe .text
0 81 0x8 0x8152f4ac ntoskrnl.exe .text
0 82 0x8 0x8152f4b8 ntoskrnl.exe .text
0 83 0x8 0x8152f4c4 ntoskrnl.exe .text
0 84 0x8 0x8152f4d0 ntoskrnl.exe .text
0 85 0x8 0x8152f4dc ntoskrnl.exe .text
0 86 0x8 0x8152f4e8 ntoskrnl.exe .text
0 87 0x8 0x8152f4f4 ntoskrnl.exe .text
0 88 0x8 0x8152f500 ntoskrnl.exe .text
0 89 0x8 0x8152f50c ntoskrnl.exe .text
0 8A 0x8 0x8152f518 ntoskrnl.exe .text
0 8B 0x8 0x8152f524 ntoskrnl.exe .text
0 8C 0x8 0x8152f530 ntoskrnl.exe .text
0 8D 0x8 0x8152f53c ntoskrnl.exe .text
0 8E 0x8 0x8152f548 ntoskrnl.exe .text
0 8F 0x8 0x8152f554 ntoskrnl.exe .text
0 90 0x8 0x8152f560 ntoskrnl.exe .text
0 91 0x8 0x8152f56c ntoskrnl.exe .text
0 92 0x8 0x8152f578 ntoskrnl.exe .text
0 93 0x8 0x8152f584 ntoskrnl.exe .text
0 94 0x8 0x8152f590 ntoskrnl.exe .text
0 95 0x8 0x8152f59c ntoskrnl.exe .text
0 96 0x8 0x8152f5a8 ntoskrnl.exe .text
0 97 0x8 0x8152f5b4 ntoskrnl.exe .text
0 98 0x8 0x8152f5c0 ntoskrnl.exe .text
0 99 0x8 0x8152f5cc ntoskrnl.exe .text
0 9A 0x8 0x8152f5d8 ntoskrnl.exe .text
0 9B 0x8 0x8152f5e4 ntoskrnl.exe .text
0 9C 0x8 0x8152f5f0 ntoskrnl.exe .text
0 9D 0x8 0x8152f5fc ntoskrnl.exe .text
0 9E 0x8 0x8152f608 ntoskrnl.exe .text
0 9F 0x8 0x8152f614 ntoskrnl.exe .text
0 A0 0x8 0x8152f620 ntoskrnl.exe .text
0 A1 0x8 0x8152f62c ntoskrnl.exe .text
0 A2 0x8 0x8152f638 ntoskrnl.exe .text
0 A3 0x8 0x8152f644 ntoskrnl.exe .text
0 A4 0x8 0x8152f650 ntoskrnl.exe .text
0 A5 0x8 0x8152f65c ntoskrnl.exe .text
0 A6 0x8 0x8152f668 ntoskrnl.exe .text
0 A7 0x8 0x8152f674 ntoskrnl.exe .text
0 A8 0x8 0x8152f680 ntoskrnl.exe .text
0 A9 0x8 0x8152f68c ntoskrnl.exe .text
0 AA 0x8 0x8152f698 ntoskrnl.exe .text
0 AB 0x8 0x8152f6a4 ntoskrnl.exe .text
0 AC 0x8 0x8152f6b0 ntoskrnl.exe .text
0 AD 0x8 0x8152f6bc ntoskrnl.exe .text
0 AE 0x8 0x8152f6c8 ntoskrnl.exe .text
0 AF 0x8 0x8152f6d4 ntoskrnl.exe .text
0 B0 0x8 0x8152f6e0 ntoskrnl.exe .text
0 B1 0x8 0x8152f6ec ntoskrnl.exe .text
0 B2 0x8 0x8152f6f8 ntoskrnl.exe .text
0 B3 0x8 0x8152f704 ntoskrnl.exe .text
0 B4 0x8 0x8152f710 ntoskrnl.exe .text
0 B5 0x8 0x8152f71c ntoskrnl.exe .text
0 B6 0x8 0x8152f728 ntoskrnl.exe .text
0 B7 0x8 0x8152f734 ntoskrnl.exe .text
0 B8 0x8 0x8152f740 ntoskrnl.exe .text
0 B9 0x8 0x8152f74c ntoskrnl.exe .text
0 BA 0x8 0x8152f758 ntoskrnl.exe .text
0 BB 0x8 0x8152f764 ntoskrnl.exe .text
0 BC 0x8 0x8152f770 ntoskrnl.exe .text
0 BD 0x8 0x8152f77c ntoskrnl.exe .text
0 BE 0x8 0x8152f788 ntoskrnl.exe .text
0 BF 0x8 0x8152f794 ntoskrnl.exe .text
0 C0 0x8 0x819e4d08 hal.dll .text
0 C1 0x8 0x8152f7ac ntoskrnl.exe .text
0 C2 0x8 0x8152f7b8 ntoskrnl.exe .text
0 C3 0x8 0x8152f7c4 ntoskrnl.exe .text
0 C4 0x8 0x8152f7d0 ntoskrnl.exe .text
0 C5 0x8 0x8152f7dc ntoskrnl.exe .text
0 C6 0x8 0x8152f7e8 ntoskrnl.exe .text
0 C7 0x8 0x8152f7f4 ntoskrnl.exe .text
0 C8 0x8 0x8152f800 ntoskrnl.exe .text
0 C9 0x8 0x8152f80c ntoskrnl.exe .text
0 CA 0x8 0x8152f818 ntoskrnl.exe .text
0 CB 0x8 0x8152f824 ntoskrnl.exe .text
0 CC 0x8 0x8152f830 ntoskrnl.exe .text
0 CD 0x8 0x8152f83c ntoskrnl.exe .text
0 CE 0x8 0x8152f848 ntoskrnl.exe .text
0 CF 0x8 0x8152f854 ntoskrnl.exe .text
0 D0 0x8 0x8152f860 ntoskrnl.exe .text
0 D1 0x8 0x819e5a08 hal.dll .text
0 D2 0x8 0x819e5ce4 hal.dll .text
0 D3 0x8 0x8152f884 ntoskrnl.exe .text
0 D4 0x8 0x8152f890 ntoskrnl.exe .text
0 D5 0x8 0x8152f89c ntoskrnl.exe .text
0 D6 0x8 0x8152f8a8 ntoskrnl.exe .text
0 D7 0x8 0x8152f8b4 ntoskrnl.exe .text
0 D8 0x8 0x8152f8c0 ntoskrnl.exe .text
0 D9 0x8 0x8152f8cc ntoskrnl.exe .text
0 DA 0x8 0x8152f8d8 ntoskrnl.exe .text
0 DB 0x8 0x8152f8e4 ntoskrnl.exe .text
0 DC 0x8 0x8152f8f0 ntoskrnl.exe .text
0 DD 0x8 0x8152f8fc ntoskrnl.exe .text
0 DE 0x8 0x8152f908 ntoskrnl.exe .text
0 DF 0x8 0x819e52b8 hal.dll .text
0 E0 0x8 0x8152f920 ntoskrnl.exe .text
0 E1 0x8 0x819e5518 hal.dll .text
0 E2 0x8 0x819e4fe0 hal.dll .text
0 E3 0x8 0x8152f944 ntoskrnl.exe .text
0 E4 0x8 0x8152f950 ntoskrnl.exe .text
0 E5 0x8 0x8152f95c ntoskrnl.exe .text
0 E6 0x8 0x8152f968 ntoskrnl.exe .text
0 E7 0x8 0x8152f974 ntoskrnl.exe .text
0 E8 0x8 0x8152f980 ntoskrnl.exe .text
0 E9 0x8 0x8152f98c ntoskrnl.exe .text
0 EA 0x8 0x8152f998 ntoskrnl.exe .text
0 EB 0x8 0x8152f9a4 ntoskrnl.exe .text
0 EC 0x8 0x8152f9b0 ntoskrnl.exe .text
0 ED 0x8 0x8152f9bc ntoskrnl.exe .text
0 EE 0x8 0x8152f9c8 ntoskrnl.exe .text
0 EF 0x8 0x8152f9d4 ntoskrnl.exe .text
0 F0 0x8 0x8152f9e0 ntoskrnl.exe .text
0 F1 0x8 0x8152f9ec ntoskrnl.exe .text
0 F2 0x8 0x8152f9f8 ntoskrnl.exe .text
0 F3 0x8 0x8152fa04 ntoskrnl.exe .text
0 F4 0x8 0x8152fa10 ntoskrnl.exe .text
0 F5 0x8 0x8152fa1c ntoskrnl.exe .text
0 F6 0x8 0x8152fa28 ntoskrnl.exe .text
0 F7 0x8 0x8152fa34 ntoskrnl.exe .text
0 F8 0x8 0x8152fa40 ntoskrnl.exe .text
0 F9 0x8 0x8152fa4c ntoskrnl.exe .text
0 FA 0x8 0x8152fa58 ntoskrnl.exe .text
0 FB 0x8 0x8152fa64 ntoskrnl.exe .text
0 FC 0x8 0x8152fa70 ntoskrnl.exe .text
0 FD 0x8 0x819e629c hal.dll .text
0 FE 0x8 0x819e6580 hal.dll .text
0 FF 0x8 0x8152fa94 ntoskrnl.exe .text
# gdt
$ ./vol.py --profile=Win8SP1x86 -f /media/Data/Tesi//memdumps/vbox/win8/win8.1-x86_booted-imagecopy.raw gdt
Volatility Foundation Volatility Framework 2.4
CPU Sel Base Limit Type DPL Gr Pr
------ ---------- ---------- ---------- -------------- ------ ---- ----
0 0x0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x8 0x00000000 0xffffffff Code RE Ac 0 Pg P
0 0x10 0x00000000 0xffffffff Data RW Ac 0 Pg P
0 0x18 0x00000000 0xffffffff Code RE Ac 3 Pg P
0 0x20 0x00000000 0xffffffff Data RW Ac 3 Pg P
0 0x28 0x81224000 0x000020ab TSS32 Busy 0 By P
0 0x30 0x8162a000 0x00004628 Data RW Ac 0 By P
0 0x38 0x00000000 0x00000fff Data RW Ac 3 By P
0 0x40 0x00000400 0x0000ffff Data RW 3 By P
0 0x48 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x50 0x81600000 0x00000068 TSS32 Avl 0 By P
0 0x58 0x81600068 0x00000068 TSS32 Avl 0 By P
0 0x60 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x68 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x70 0x80adf000 0x000003ff Data RW 0 By P
0 0x78 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x80 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x88 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x90 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x98 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xa0 0x8379b240 0x00000068 TSS32 Avl 0 By P
0 0xa8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xb0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xb8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xc0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xc8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xd0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xd8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xe0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xe8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xf0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0xf8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x100 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x108 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x110 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x118 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x120 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x128 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x130 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x138 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x140 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x148 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x150 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x158 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x160 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x168 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x170 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x178 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x180 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x188 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x190 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x198 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1a0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1a8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1b0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1b8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1c0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1c8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1d0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1d8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1e0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1e8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1f0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x1f8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x200 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x208 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x210 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x218 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x220 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x228 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x230 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x238 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x240 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x248 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x250 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x258 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x260 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x268 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x270 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x278 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x280 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x288 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x290 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x298 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2a0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2a8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2b0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2b8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2c0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2c8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2d0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2d8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2e0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2e8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2f0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x2f8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x300 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x308 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x310 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x318 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x320 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x328 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x330 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x338 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x340 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x348 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x350 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x358 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x360 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x368 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x370 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x378 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x380 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x388 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x390 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x398 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3a0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3a8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3b0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3b8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3c0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3c8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3d0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3d8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3e0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3e8 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3f0 0x00000000 0x00000000 <Reserved> 0 By Np
0 0x3f8 0x00000000 0x00000000 <Reserved> 0 By Np
# envars
$ ./vol.py --profile=Win8SP1x86 -f win8.1-x86_booted-imagecopy.raw envars
Volatility Foundation Volatility Framework 2.4
Pid Process Block Variable Value
-------- -------------------- ---------- ------------------------------ -----
228 smss.exe 0x005705c8 Path C:\Windows\System32
228 smss.exe 0x005705c8 SystemDrive C:
228 smss.exe 0x005705c8 SystemRoot C:\Windows
312 csrss.exe 0x00fe05c8 ComSpec C:\Windows\system32\cmd.exe
312 csrss.exe 0x00fe05c8 FP_NO_HOST_CHECK NO
312 csrss.exe 0x00fe05c8 NUMBER_OF_PROCESSORS 1
312 csrss.exe 0x00fe05c8 OS Windows_NT
312 csrss.exe 0x00fe05c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
312 csrss.exe 0x00fe05c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
312 csrss.exe 0x00fe05c8 PROCESSOR_ARCHITECTURE x86
312 csrss.exe 0x00fe05c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
312 csrss.exe 0x00fe05c8 PROCESSOR_LEVEL 6
312 csrss.exe 0x00fe05c8 PROCESSOR_REVISION 3c03
312 csrss.exe 0x00fe05c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
312 csrss.exe 0x00fe05c8 SystemDrive C:
312 csrss.exe 0x00fe05c8 SystemRoot C:\Windows
312 csrss.exe 0x00fe05c8 TEMP C:\Windows\TEMP
312 csrss.exe 0x00fe05c8 TMP C:\Windows\TEMP
312 csrss.exe 0x00fe05c8 USERNAME SYSTEM
312 csrss.exe 0x00fe05c8 windir C:\Windows
364 wininit.exe 0x003288e0 ALLUSERSPROFILE C:\ProgramData
364 wininit.exe 0x003288e0 CommonProgramFiles C:\Program Files\Common Files
364 wininit.exe 0x003288e0 COMPUTERNAME WIN-PC
364 wininit.exe 0x003288e0 ComSpec C:\Windows\system32\cmd.exe
364 wininit.exe 0x003288e0 FP_NO_HOST_CHECK NO
364 wininit.exe 0x003288e0 NUMBER_OF_PROCESSORS 1
364 wininit.exe 0x003288e0 OS Windows_NT
364 wininit.exe 0x003288e0 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
364 wininit.exe 0x003288e0 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
364 wininit.exe 0x003288e0 PROCESSOR_ARCHITECTURE x86
364 wininit.exe 0x003288e0 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
364 wininit.exe 0x003288e0 PROCESSOR_LEVEL 6
364 wininit.exe 0x003288e0 PROCESSOR_REVISION 3c03
364 wininit.exe 0x003288e0 ProgramData C:\ProgramData
364 wininit.exe 0x003288e0 ProgramFiles C:\Program Files
364 wininit.exe 0x003288e0 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
364 wininit.exe 0x003288e0 PUBLIC C:\Users\Public
364 wininit.exe 0x003288e0 SystemDrive C:
364 wininit.exe 0x003288e0 SystemRoot C:\Windows
364 wininit.exe 0x003288e0 TEMP C:\Windows\TEMP
364 wininit.exe 0x003288e0 TMP C:\Windows\TEMP
364 wininit.exe 0x003288e0 USERNAME SYSTEM
364 wininit.exe 0x003288e0 USERPROFILE C:\Windows\system32\config\systemprofile
364 wininit.exe 0x003288e0 windir C:\Windows
372 csrss.exe 0x010105c8 ComSpec C:\Windows\system32\cmd.exe
372 csrss.exe 0x010105c8 FP_NO_HOST_CHECK NO
372 csrss.exe 0x010105c8 NUMBER_OF_PROCESSORS 1
372 csrss.exe 0x010105c8 OS Windows_NT
372 csrss.exe 0x010105c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
372 csrss.exe 0x010105c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
372 csrss.exe 0x010105c8 PROCESSOR_ARCHITECTURE x86
372 csrss.exe 0x010105c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
372 csrss.exe 0x010105c8 PROCESSOR_LEVEL 6
372 csrss.exe 0x010105c8 PROCESSOR_REVISION 3c03
372 csrss.exe 0x010105c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
372 csrss.exe 0x010105c8 SystemDrive C:
372 csrss.exe 0x010105c8 SystemRoot C:\Windows
372 csrss.exe 0x010105c8 TEMP C:\Windows\TEMP
372 csrss.exe 0x010105c8 TMP C:\Windows\TEMP
372 csrss.exe 0x010105c8 USERNAME SYSTEM
372 csrss.exe 0x010105c8 windir C:\Windows
400 winlogon.exe 0x009a7e68 ALLUSERSPROFILE C:\ProgramData
400 winlogon.exe 0x009a7e68 CommonProgramFiles C:\Program Files\Common Files
400 winlogon.exe 0x009a7e68 COMPUTERNAME WIN-PC
400 winlogon.exe 0x009a7e68 ComSpec C:\Windows\system32\cmd.exe
400 winlogon.exe 0x009a7e68 FP_NO_HOST_CHECK NO
400 winlogon.exe 0x009a7e68 NUMBER_OF_PROCESSORS 1
400 winlogon.exe 0x009a7e68 OS Windows_NT
400 winlogon.exe 0x009a7e68 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
400 winlogon.exe 0x009a7e68 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
400 winlogon.exe 0x009a7e68 PROCESSOR_ARCHITECTURE x86
400 winlogon.exe 0x009a7e68 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
400 winlogon.exe 0x009a7e68 PROCESSOR_LEVEL 6
400 winlogon.exe 0x009a7e68 PROCESSOR_REVISION 3c03
400 winlogon.exe 0x009a7e68 ProgramData C:\ProgramData
400 winlogon.exe 0x009a7e68 ProgramFiles C:\Program Files
400 winlogon.exe 0x009a7e68 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
400 winlogon.exe 0x009a7e68 PUBLIC C:\Users\Public
400 winlogon.exe 0x009a7e68 SystemDrive C:
400 winlogon.exe 0x009a7e68 SystemRoot C:\Windows
400 winlogon.exe 0x009a7e68 TEMP C:\Windows\TEMP
400 winlogon.exe 0x009a7e68 TMP C:\Windows\TEMP
400 winlogon.exe 0x009a7e68 USERNAME SYSTEM
400 winlogon.exe 0x009a7e68 USERPROFILE C:\Windows\system32\config\systemprofile
400 winlogon.exe 0x009a7e68 windir C:\Windows
456 services.exe 0x011505c8 ALLUSERSPROFILE C:\ProgramData
456 services.exe 0x011505c8 CommonProgramFiles C:\Program Files\Common Files
456 services.exe 0x011505c8 COMPUTERNAME WIN-PC
456 services.exe 0x011505c8 ComSpec C:\Windows\system32\cmd.exe
456 services.exe 0x011505c8 FP_NO_HOST_CHECK NO
456 services.exe 0x011505c8 NUMBER_OF_PROCESSORS 1
456 services.exe 0x011505c8 OS Windows_NT
456 services.exe 0x011505c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
456 services.exe 0x011505c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
456 services.exe 0x011505c8 PROCESSOR_ARCHITECTURE x86
456 services.exe 0x011505c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
456 services.exe 0x011505c8 PROCESSOR_LEVEL 6
456 services.exe 0x011505c8 PROCESSOR_REVISION 3c03
456 services.exe 0x011505c8 ProgramData C:\ProgramData
456 services.exe 0x011505c8 ProgramFiles C:\Program Files
456 services.exe 0x011505c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
456 services.exe 0x011505c8 PUBLIC C:\Users\Public
456 services.exe 0x011505c8 SystemDrive C:
456 services.exe 0x011505c8 SystemRoot C:\Windows
456 services.exe 0x011505c8 TEMP C:\Windows\TEMP
456 services.exe 0x011505c8 TMP C:\Windows\TEMP
456 services.exe 0x011505c8 USERNAME SYSTEM
456 services.exe 0x011505c8 USERPROFILE C:\Windows\system32\config\systemprofile
456 services.exe 0x011505c8 windir C:\Windows
464 lsass.exe 0x00d105c8 ALLUSERSPROFILE C:\ProgramData
464 lsass.exe 0x00d105c8 CommonProgramFiles C:\Program Files\Common Files
464 lsass.exe 0x00d105c8 COMPUTERNAME WIN-PC
464 lsass.exe 0x00d105c8 ComSpec C:\Windows\system32\cmd.exe
464 lsass.exe 0x00d105c8 FP_NO_HOST_CHECK NO
464 lsass.exe 0x00d105c8 NUMBER_OF_PROCESSORS 1
464 lsass.exe 0x00d105c8 OS Windows_NT
464 lsass.exe 0x00d105c8 Path C:\Windows\System32
464 lsass.exe 0x00d105c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
464 lsass.exe 0x00d105c8 PROCESSOR_ARCHITECTURE x86
464 lsass.exe 0x00d105c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
464 lsass.exe 0x00d105c8 PROCESSOR_LEVEL 6
464 lsass.exe 0x00d105c8 PROCESSOR_REVISION 3c03
464 lsass.exe 0x00d105c8 ProgramData C:\ProgramData
464 lsass.exe 0x00d105c8 ProgramFiles C:\Program Files
464 lsass.exe 0x00d105c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
464 lsass.exe 0x00d105c8 PUBLIC C:\Users\Public
464 lsass.exe 0x00d105c8 SystemDrive C:
464 lsass.exe 0x00d105c8 SystemRoot C:\Windows
464 lsass.exe 0x00d105c8 TEMP C:\Windows\TEMP
464 lsass.exe 0x00d105c8 TMP C:\Windows\TEMP
464 lsass.exe 0x00d105c8 USERNAME SYSTEM
464 lsass.exe 0x00d105c8 USERPROFILE C:\Windows\system32\config\systemprofile
464 lsass.exe 0x00d105c8 windir C:\Windows
532 svchost.exe 0x006905c8 ALLUSERSPROFILE C:\ProgramData
532 svchost.exe 0x006905c8 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
532 svchost.exe 0x006905c8 CommonProgramFiles C:\Program Files\Common Files
532 svchost.exe 0x006905c8 COMPUTERNAME WIN-PC
532 svchost.exe 0x006905c8 ComSpec C:\Windows\system32\cmd.exe
532 svchost.exe 0x006905c8 FP_NO_HOST_CHECK NO
532 svchost.exe 0x006905c8 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
532 svchost.exe 0x006905c8 NUMBER_OF_PROCESSORS 1
532 svchost.exe 0x006905c8 OS Windows_NT
532 svchost.exe 0x006905c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
532 svchost.exe 0x006905c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
532 svchost.exe 0x006905c8 PROCESSOR_ARCHITECTURE x86
532 svchost.exe 0x006905c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
532 svchost.exe 0x006905c8 PROCESSOR_LEVEL 6
532 svchost.exe 0x006905c8 PROCESSOR_REVISION 3c03
532 svchost.exe 0x006905c8 ProgramData C:\ProgramData
532 svchost.exe 0x006905c8 ProgramFiles C:\Program Files
532 svchost.exe 0x006905c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
532 svchost.exe 0x006905c8 PUBLIC C:\Users\Public
532 svchost.exe 0x006905c8 SystemDrive C:
532 svchost.exe 0x006905c8 SystemRoot C:\Windows
532 svchost.exe 0x006905c8 TEMP C:\Windows\TEMP
532 svchost.exe 0x006905c8 TMP C:\Windows\TEMP
532 svchost.exe 0x006905c8 USERDOMAIN WORKGROUP
532 svchost.exe 0x006905c8 USERNAME WIN-PC$
532 svchost.exe 0x006905c8 USERPROFILE C:\Windows\system32\config\systemprofile
532 svchost.exe 0x006905c8 windir C:\Windows
560 svchost.exe 0x002d05c8 ALLUSERSPROFILE C:\ProgramData
560 svchost.exe 0x002d05c8 APPDATA C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
560 svchost.exe 0x002d05c8 CommonProgramFiles C:\Program Files\Common Files
560 svchost.exe 0x002d05c8 COMPUTERNAME WIN-PC
560 svchost.exe 0x002d05c8 ComSpec C:\Windows\system32\cmd.exe
560 svchost.exe 0x002d05c8 FP_NO_HOST_CHECK NO
560 svchost.exe 0x002d05c8 LOCALAPPDATA C:\Windows\ServiceProfiles\NetworkService\AppData\Local
560 svchost.exe 0x002d05c8 NUMBER_OF_PROCESSORS 1
560 svchost.exe 0x002d05c8 OS Windows_NT
560 svchost.exe 0x002d05c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
560 svchost.exe 0x002d05c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
560 svchost.exe 0x002d05c8 PROCESSOR_ARCHITECTURE x86
560 svchost.exe 0x002d05c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
560 svchost.exe 0x002d05c8 PROCESSOR_LEVEL 6
560 svchost.exe 0x002d05c8 PROCESSOR_REVISION 3c03
560 svchost.exe 0x002d05c8 ProgramData C:\ProgramData
560 svchost.exe 0x002d05c8 ProgramFiles C:\Program Files
560 svchost.exe 0x002d05c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
560 svchost.exe 0x002d05c8 PUBLIC C:\Users\Public
560 svchost.exe 0x002d05c8 SystemDrive C:
560 svchost.exe 0x002d05c8 SystemRoot C:\Windows
560 svchost.exe 0x002d05c8 TEMP C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
560 svchost.exe 0x002d05c8 TMP C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
560 svchost.exe 0x002d05c8 USERDOMAIN WORKGROUP
560 svchost.exe 0x002d05c8 USERNAME WIN-PC$
560 svchost.exe 0x002d05c8 USERPROFILE C:\Windows\ServiceProfiles\NetworkService
560 svchost.exe 0x002d05c8 windir C:\Windows
652 dwm.exe 0x00c005c8 ALLUSERSPROFILE C:\ProgramData
652 dwm.exe 0x00c005c8 CommonProgramFiles C:\Program Files\Common Files
652 dwm.exe 0x00c005c8 COMPUTERNAME WIN-PC
652 dwm.exe 0x00c005c8 ComSpec C:\Windows\system32\cmd.exe
652 dwm.exe 0x00c005c8 FP_NO_HOST_CHECK NO
652 dwm.exe 0x00c005c8 NUMBER_OF_PROCESSORS 1
652 dwm.exe 0x00c005c8 OS Windows_NT
652 dwm.exe 0x00c005c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
652 dwm.exe 0x00c005c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
652 dwm.exe 0x00c005c8 PROCESSOR_ARCHITECTURE x86
652 dwm.exe 0x00c005c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
652 dwm.exe 0x00c005c8 PROCESSOR_LEVEL 6
652 dwm.exe 0x00c005c8 PROCESSOR_REVISION 3c03
652 dwm.exe 0x00c005c8 ProgramData C:\ProgramData
652 dwm.exe 0x00c005c8 ProgramFiles C:\Program Files
652 dwm.exe 0x00c005c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
652 dwm.exe 0x00c005c8 PUBLIC C:\Users\Public
652 dwm.exe 0x00c005c8 SystemDrive C:
652 dwm.exe 0x00c005c8 SystemRoot C:\Windows
652 dwm.exe 0x00c005c8 TEMP C:\Windows\TEMP
652 dwm.exe 0x00c005c8 TMP C:\Windows\TEMP
652 dwm.exe 0x00c005c8 USERNAME SYSTEM
652 dwm.exe 0x00c005c8 USERPROFILE C:\Windows\system32\config\systemprofile
652 dwm.exe 0x00c005c8 windir C:\Windows
748 svchost.exe 0x006405c8 ALLUSERSPROFILE C:\ProgramData
748 svchost.exe 0x006405c8 APPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
748 svchost.exe 0x006405c8 CommonProgramFiles C:\Program Files\Common Files
748 svchost.exe 0x006405c8 COMPUTERNAME WIN-PC
748 svchost.exe 0x006405c8 ComSpec C:\Windows\system32\cmd.exe
748 svchost.exe 0x006405c8 FP_NO_HOST_CHECK NO
748 svchost.exe 0x006405c8 LOCALAPPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Local
748 svchost.exe 0x006405c8 NUMBER_OF_PROCESSORS 1
748 svchost.exe 0x006405c8 OS Windows_NT
748 svchost.exe 0x006405c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
748 svchost.exe 0x006405c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
748 svchost.exe 0x006405c8 PROCESSOR_ARCHITECTURE x86
748 svchost.exe 0x006405c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
748 svchost.exe 0x006405c8 PROCESSOR_LEVEL 6
748 svchost.exe 0x006405c8 PROCESSOR_REVISION 3c03
748 svchost.exe 0x006405c8 ProgramData C:\ProgramData
748 svchost.exe 0x006405c8 ProgramFiles C:\Program Files
748 svchost.exe 0x006405c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
748 svchost.exe 0x006405c8 PUBLIC C:\Users\Public
748 svchost.exe 0x006405c8 SystemDrive C:
748 svchost.exe 0x006405c8 SystemRoot C:\Windows
748 svchost.exe 0x006405c8 TEMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
748 svchost.exe 0x006405c8 TMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
748 svchost.exe 0x006405c8 USERDOMAIN NT AUTHORITY
748 svchost.exe 0x006405c8 USERNAME LOCAL SERVICE
748 svchost.exe 0x006405c8 USERPROFILE C:\Windows\ServiceProfiles\LocalService
748 svchost.exe 0x006405c8 windir C:\Windows
776 svchost.exe 0x003105c8 ALLUSERSPROFILE C:\ProgramData
776 svchost.exe 0x003105c8 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
776 svchost.exe 0x003105c8 CommonProgramFiles C:\Program Files\Common Files
776 svchost.exe 0x003105c8 COMPUTERNAME WIN-PC
776 svchost.exe 0x003105c8 ComSpec C:\Windows\system32\cmd.exe
776 svchost.exe 0x003105c8 FP_NO_HOST_CHECK NO
776 svchost.exe 0x003105c8 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
776 svchost.exe 0x003105c8 NUMBER_OF_PROCESSORS 1
776 svchost.exe 0x003105c8 OS Windows_NT
776 svchost.exe 0x003105c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
776 svchost.exe 0x003105c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
776 svchost.exe 0x003105c8 PROCESSOR_ARCHITECTURE x86
776 svchost.exe 0x003105c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
776 svchost.exe 0x003105c8 PROCESSOR_LEVEL 6
776 svchost.exe 0x003105c8 PROCESSOR_REVISION 3c03
776 svchost.exe 0x003105c8 ProgramData C:\ProgramData
776 svchost.exe 0x003105c8 ProgramFiles C:\Program Files
776 svchost.exe 0x003105c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
776 svchost.exe 0x003105c8 PUBLIC C:\Users\Public
776 svchost.exe 0x003105c8 SystemDrive C:
776 svchost.exe 0x003105c8 SystemRoot C:\Windows
776 svchost.exe 0x003105c8 TEMP C:\Windows\TEMP
776 svchost.exe 0x003105c8 TMP C:\Windows\TEMP
776 svchost.exe 0x003105c8 USERDOMAIN WORKGROUP
776 svchost.exe 0x003105c8 USERNAME WIN-PC$
776 svchost.exe 0x003105c8 USERPROFILE C:\Windows\system32\config\systemprofile
776 svchost.exe 0x003105c8 windir C:\Windows
820 svchost.exe 0x007905c8 ALLUSERSPROFILE C:\ProgramData
820 svchost.exe 0x007905c8 APPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
820 svchost.exe 0x007905c8 CommonProgramFiles C:\Program Files\Common Files
820 svchost.exe 0x007905c8 COMPUTERNAME WIN-PC
820 svchost.exe 0x007905c8 ComSpec C:\Windows\system32\cmd.exe
820 svchost.exe 0x007905c8 FP_NO_HOST_CHECK NO
820 svchost.exe 0x007905c8 LOCALAPPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Local
820 svchost.exe 0x007905c8 NUMBER_OF_PROCESSORS 1
820 svchost.exe 0x007905c8 OS Windows_NT
820 svchost.exe 0x007905c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
820 svchost.exe 0x007905c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
820 svchost.exe 0x007905c8 PROCESSOR_ARCHITECTURE x86
820 svchost.exe 0x007905c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
820 svchost.exe 0x007905c8 PROCESSOR_LEVEL 6
820 svchost.exe 0x007905c8 PROCESSOR_REVISION 3c03
820 svchost.exe 0x007905c8 ProgramData C:\ProgramData
820 svchost.exe 0x007905c8 ProgramFiles C:\Program Files
820 svchost.exe 0x007905c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
820 svchost.exe 0x007905c8 PUBLIC C:\Users\Public
820 svchost.exe 0x007905c8 SystemDrive C:
820 svchost.exe 0x007905c8 SystemRoot C:\Windows
820 svchost.exe 0x007905c8 TEMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
820 svchost.exe 0x007905c8 TMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
820 svchost.exe 0x007905c8 USERDOMAIN NT AUTHORITY
820 svchost.exe 0x007905c8 USERNAME LOCAL SERVICE
820 svchost.exe 0x007905c8 USERPROFILE C:\Windows\ServiceProfiles\LocalService
820 svchost.exe 0x007905c8 windir C:\Windows
876 svchost.exe 0x00f105c8 ALLUSERSPROFILE C:\ProgramData
876 svchost.exe 0x00f105c8 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
876 svchost.exe 0x00f105c8 CommonProgramFiles C:\Program Files\Common Files
876 svchost.exe 0x00f105c8 COMPUTERNAME WIN-PC
876 svchost.exe 0x00f105c8 ComSpec C:\Windows\system32\cmd.exe
876 svchost.exe 0x00f105c8 FP_NO_HOST_CHECK NO
876 svchost.exe 0x00f105c8 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
876 svchost.exe 0x00f105c8 NUMBER_OF_PROCESSORS 1
876 svchost.exe 0x00f105c8 OS Windows_NT
876 svchost.exe 0x00f105c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
876 svchost.exe 0x00f105c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
876 svchost.exe 0x00f105c8 PROCESSOR_ARCHITECTURE x86
876 svchost.exe 0x00f105c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
876 svchost.exe 0x00f105c8 PROCESSOR_LEVEL 6
876 svchost.exe 0x00f105c8 PROCESSOR_REVISION 3c03
876 svchost.exe 0x00f105c8 ProgramData C:\ProgramData
876 svchost.exe 0x00f105c8 ProgramFiles C:\Program Files
876 svchost.exe 0x00f105c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
876 svchost.exe 0x00f105c8 PUBLIC C:\Users\Public
876 svchost.exe 0x00f105c8 SystemDrive C:
876 svchost.exe 0x00f105c8 SystemRoot C:\Windows
876 svchost.exe 0x00f105c8 TEMP C:\Windows\TEMP
876 svchost.exe 0x00f105c8 TMP C:\Windows\TEMP
876 svchost.exe 0x00f105c8 USERDOMAIN WORKGROUP
876 svchost.exe 0x00f105c8 USERNAME WIN-PC$
876 svchost.exe 0x00f105c8 USERPROFILE C:\Windows\system32\config\systemprofile
876 svchost.exe 0x00f105c8 windir C:\Windows
980 svchost.exe 0x00fa05c8 ALLUSERSPROFILE C:\ProgramData
980 svchost.exe 0x00fa05c8 APPDATA C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
980 svchost.exe 0x00fa05c8 CommonProgramFiles C:\Program Files\Common Files
980 svchost.exe 0x00fa05c8 COMPUTERNAME WIN-PC
980 svchost.exe 0x00fa05c8 ComSpec C:\Windows\system32\cmd.exe
980 svchost.exe 0x00fa05c8 FP_NO_HOST_CHECK NO
980 svchost.exe 0x00fa05c8 LOCALAPPDATA C:\Windows\ServiceProfiles\NetworkService\AppData\Local
980 svchost.exe 0x00fa05c8 NUMBER_OF_PROCESSORS 1
980 svchost.exe 0x00fa05c8 OS Windows_NT
980 svchost.exe 0x00fa05c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
980 svchost.exe 0x00fa05c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
980 svchost.exe 0x00fa05c8 PROCESSOR_ARCHITECTURE x86
980 svchost.exe 0x00fa05c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
980 svchost.exe 0x00fa05c8 PROCESSOR_LEVEL 6
980 svchost.exe 0x00fa05c8 PROCESSOR_REVISION 3c03
980 svchost.exe 0x00fa05c8 ProgramData C:\ProgramData
980 svchost.exe 0x00fa05c8 ProgramFiles C:\Program Files
980 svchost.exe 0x00fa05c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
980 svchost.exe 0x00fa05c8 PUBLIC C:\Users\Public
980 svchost.exe 0x00fa05c8 SystemDrive C:
980 svchost.exe 0x00fa05c8 SystemRoot C:\Windows
980 svchost.exe 0x00fa05c8 TEMP C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
980 svchost.exe 0x00fa05c8 TMP C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
980 svchost.exe 0x00fa05c8 USERDOMAIN WORKGROUP
980 svchost.exe 0x00fa05c8 USERNAME WIN-PC$
980 svchost.exe 0x00fa05c8 USERPROFILE C:\Windows\ServiceProfiles\NetworkService
980 svchost.exe 0x00fa05c8 windir C:\Windows
1156 explorer.exe 0x006305c8 ALLUSERSPROFILE C:\ProgramData
1156 explorer.exe 0x006305c8 APPDATA C:\Users\Win\AppData\Roaming
1156 explorer.exe 0x006305c8 CommonProgramFiles C:\Program Files\Common Files
1156 explorer.exe 0x006305c8 COMPUTERNAME WIN-PC
1156 explorer.exe 0x006305c8 ComSpec C:\Windows\system32\cmd.exe
1156 explorer.exe 0x006305c8 FP_NO_HOST_CHECK NO
1156 explorer.exe 0x006305c8 HOMEDRIVE C:
1156 explorer.exe 0x006305c8 HOMEPATH \Users\Win
1156 explorer.exe 0x006305c8 LOCALAPPDATA C:\Users\Win\AppData\Local
1156 explorer.exe 0x006305c8 LOGONSERVER \\WIN-PC
1156 explorer.exe 0x006305c8 NUMBER_OF_PROCESSORS 1
1156 explorer.exe 0x006305c8 OS Windows_NT
1156 explorer.exe 0x006305c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1156 explorer.exe 0x006305c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1156 explorer.exe 0x006305c8 PROCESSOR_ARCHITECTURE x86
1156 explorer.exe 0x006305c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1156 explorer.exe 0x006305c8 PROCESSOR_LEVEL 6
1156 explorer.exe 0x006305c8 PROCESSOR_REVISION 3c03
1156 explorer.exe 0x006305c8 ProgramData C:\ProgramData
1156 explorer.exe 0x006305c8 ProgramFiles C:\Program Files
1156 explorer.exe 0x006305c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1156 explorer.exe 0x006305c8 PUBLIC C:\Users\Public
1156 explorer.exe 0x006305c8 SESSIONNAME Console
1156 explorer.exe 0x006305c8 SystemDrive C:
1156 explorer.exe 0x006305c8 SystemRoot C:\Windows
1156 explorer.exe 0x006305c8 TEMP C:\Users\Win\AppData\Local\Temp
1156 explorer.exe 0x006305c8 TMP C:\Users\Win\AppData\Local\Temp
1156 explorer.exe 0x006305c8 USERDOMAIN Win-PC
1156 explorer.exe 0x006305c8 USERDOMAIN_ROAMINGPROFILE Win-PC
1156 explorer.exe 0x006305c8 USERNAME Win
1156 explorer.exe 0x006305c8 USERPROFILE C:\Users\Win
1156 explorer.exe 0x006305c8 windir C:\Windows
1212 spoolsv.exe 0x009105c8 ALLUSERSPROFILE C:\ProgramData
1212 spoolsv.exe 0x009105c8 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
1212 spoolsv.exe 0x009105c8 CommonProgramFiles C:\Program Files\Common Files
1212 spoolsv.exe 0x009105c8 COMPUTERNAME WIN-PC
1212 spoolsv.exe 0x009105c8 ComSpec C:\Windows\system32\cmd.exe
1212 spoolsv.exe 0x009105c8 FP_NO_HOST_CHECK NO
1212 spoolsv.exe 0x009105c8 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
1212 spoolsv.exe 0x009105c8 NUMBER_OF_PROCESSORS 1
1212 spoolsv.exe 0x009105c8 OS Windows_NT
1212 spoolsv.exe 0x009105c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1212 spoolsv.exe 0x009105c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1212 spoolsv.exe 0x009105c8 PROCESSOR_ARCHITECTURE x86
1212 spoolsv.exe 0x009105c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1212 spoolsv.exe 0x009105c8 PROCESSOR_LEVEL 6
1212 spoolsv.exe 0x009105c8 PROCESSOR_REVISION 3c03
1212 spoolsv.exe 0x009105c8 ProgramData C:\ProgramData
1212 spoolsv.exe 0x009105c8 ProgramFiles C:\Program Files
1212 spoolsv.exe 0x009105c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1212 spoolsv.exe 0x009105c8 PUBLIC C:\Users\Public
1212 spoolsv.exe 0x009105c8 SystemDrive C:
1212 spoolsv.exe 0x009105c8 SystemRoot C:\Windows
1212 spoolsv.exe 0x009105c8 TEMP C:\Windows\TEMP
1212 spoolsv.exe 0x009105c8 TMP C:\Windows\TEMP
1212 spoolsv.exe 0x009105c8 USERDOMAIN WORKGROUP
1212 spoolsv.exe 0x009105c8 USERNAME WIN-PC$
1212 spoolsv.exe 0x009105c8 USERPROFILE C:\Windows\system32\config\systemprofile
1212 spoolsv.exe 0x009105c8 windir C:\Windows
1256 svchost.exe 0x00ce05c8 ALLUSERSPROFILE C:\ProgramData
1256 svchost.exe 0x00ce05c8 APPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
1256 svchost.exe 0x00ce05c8 CommonProgramFiles C:\Program Files\Common Files
1256 svchost.exe 0x00ce05c8 COMPUTERNAME WIN-PC
1256 svchost.exe 0x00ce05c8 ComSpec C:\Windows\system32\cmd.exe
1256 svchost.exe 0x00ce05c8 FP_NO_HOST_CHECK NO
1256 svchost.exe 0x00ce05c8 LOCALAPPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Local
1256 svchost.exe 0x00ce05c8 NUMBER_OF_PROCESSORS 1
1256 svchost.exe 0x00ce05c8 OS Windows_NT
1256 svchost.exe 0x00ce05c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1256 svchost.exe 0x00ce05c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1256 svchost.exe 0x00ce05c8 PROCESSOR_ARCHITECTURE x86
1256 svchost.exe 0x00ce05c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1256 svchost.exe 0x00ce05c8 PROCESSOR_LEVEL 6
1256 svchost.exe 0x00ce05c8 PROCESSOR_REVISION 3c03
1256 svchost.exe 0x00ce05c8 ProgramData C:\ProgramData
1256 svchost.exe 0x00ce05c8 ProgramFiles C:\Program Files
1256 svchost.exe 0x00ce05c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1256 svchost.exe 0x00ce05c8 PUBLIC C:\Users\Public
1256 svchost.exe 0x00ce05c8 SystemDrive C:
1256 svchost.exe 0x00ce05c8 SystemRoot C:\Windows
1256 svchost.exe 0x00ce05c8 TEMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
1256 svchost.exe 0x00ce05c8 TMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
1256 svchost.exe 0x00ce05c8 USERDOMAIN NT AUTHORITY
1256 svchost.exe 0x00ce05c8 USERNAME LOCAL SERVICE
1256 svchost.exe 0x00ce05c8 USERPROFILE C:\Windows\ServiceProfiles\LocalService
1256 svchost.exe 0x00ce05c8 windir C:\Windows
1392 taskhostex.exe 0x006605c8 ALLUSERSPROFILE C:\ProgramData
1392 taskhostex.exe 0x006605c8 APPDATA C:\Users\Win\AppData\Roaming
1392 taskhostex.exe 0x006605c8 CommonProgramFiles C:\Program Files\Common Files
1392 taskhostex.exe 0x006605c8 COMPUTERNAME WIN-PC
1392 taskhostex.exe 0x006605c8 ComSpec C:\Windows\system32\cmd.exe
1392 taskhostex.exe 0x006605c8 FP_NO_HOST_CHECK NO
1392 taskhostex.exe 0x006605c8 HOMEDRIVE C:
1392 taskhostex.exe 0x006605c8 HOMEPATH \Users\Win
1392 taskhostex.exe 0x006605c8 LOCALAPPDATA C:\Users\Win\AppData\Local
1392 taskhostex.exe 0x006605c8 LOGONSERVER \\WIN-PC
1392 taskhostex.exe 0x006605c8 NUMBER_OF_PROCESSORS 1
1392 taskhostex.exe 0x006605c8 OS Windows_NT
1392 taskhostex.exe 0x006605c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1392 taskhostex.exe 0x006605c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1392 taskhostex.exe 0x006605c8 PROCESSOR_ARCHITECTURE x86
1392 taskhostex.exe 0x006605c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1392 taskhostex.exe 0x006605c8 PROCESSOR_LEVEL 6
1392 taskhostex.exe 0x006605c8 PROCESSOR_REVISION 3c03
1392 taskhostex.exe 0x006605c8 ProgramData C:\ProgramData
1392 taskhostex.exe 0x006605c8 ProgramFiles C:\Program Files
1392 taskhostex.exe 0x006605c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1392 taskhostex.exe 0x006605c8 PUBLIC C:\Users\Public
1392 taskhostex.exe 0x006605c8 SystemDrive C:
1392 taskhostex.exe 0x006605c8 SystemRoot C:\Windows
1392 taskhostex.exe 0x006605c8 TEMP C:\Users\Win\AppData\Local\Temp
1392 taskhostex.exe 0x006605c8 TMP C:\Users\Win\AppData\Local\Temp
1392 taskhostex.exe 0x006605c8 USERDOMAIN Win-PC
1392 taskhostex.exe 0x006605c8 USERDOMAIN_ROAMINGPROFILE Win-PC
1392 taskhostex.exe 0x006605c8 USERNAME Win
1392 taskhostex.exe 0x006605c8 USERPROFILE C:\Users\Win
1392 taskhostex.exe 0x006605c8 windir C:\Windows
1640 dllhost.exe 0x00ce05c8 ALLUSERSPROFILE C:\ProgramData
1640 dllhost.exe 0x00ce05c8 APPDATA C:\Users\Win\AppData\Roaming
1640 dllhost.exe 0x00ce05c8 CommonProgramFiles C:\Program Files\Common Files
1640 dllhost.exe 0x00ce05c8 COMPUTERNAME WIN-PC
1640 dllhost.exe 0x00ce05c8 ComSpec C:\Windows\system32\cmd.exe
1640 dllhost.exe 0x00ce05c8 FP_NO_HOST_CHECK NO
1640 dllhost.exe 0x00ce05c8 HOMEDRIVE C:
1640 dllhost.exe 0x00ce05c8 HOMEPATH \Users\Win
1640 dllhost.exe 0x00ce05c8 LOCALAPPDATA C:\Users\Win\AppData\Local
1640 dllhost.exe 0x00ce05c8 LOGONSERVER \\WIN-PC
1640 dllhost.exe 0x00ce05c8 NUMBER_OF_PROCESSORS 1
1640 dllhost.exe 0x00ce05c8 OS Windows_NT
1640 dllhost.exe 0x00ce05c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1640 dllhost.exe 0x00ce05c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1640 dllhost.exe 0x00ce05c8 PROCESSOR_ARCHITECTURE x86
1640 dllhost.exe 0x00ce05c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1640 dllhost.exe 0x00ce05c8 PROCESSOR_LEVEL 6
1640 dllhost.exe 0x00ce05c8 PROCESSOR_REVISION 3c03
1640 dllhost.exe 0x00ce05c8 ProgramData C:\ProgramData
1640 dllhost.exe 0x00ce05c8 ProgramFiles C:\Program Files
1640 dllhost.exe 0x00ce05c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1640 dllhost.exe 0x00ce05c8 PUBLIC C:\Users\Public
1640 dllhost.exe 0x00ce05c8 SESSIONNAME Console
1640 dllhost.exe 0x00ce05c8 SystemDrive C:
1640 dllhost.exe 0x00ce05c8 SystemRoot C:\Windows
1640 dllhost.exe 0x00ce05c8 TEMP C:\Users\Win\AppData\Local\Temp
1640 dllhost.exe 0x00ce05c8 TMP C:\Users\Win\AppData\Local\Temp
1640 dllhost.exe 0x00ce05c8 USERDOMAIN Win-PC
1640 dllhost.exe 0x00ce05c8 USERDOMAIN_ROAMINGPROFILE Win-PC
1640 dllhost.exe 0x00ce05c8 USERNAME Win
1640 dllhost.exe 0x00ce05c8 USERPROFILE C:\Users\Win
1640 dllhost.exe 0x00ce05c8 windir C:\Windows
1820 MsMpEng.exe 0x006025d0 ALLUSERSPROFILE C:\ProgramData
1820 MsMpEng.exe 0x006025d0 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
1820 MsMpEng.exe 0x006025d0 CommonProgramFiles C:\Program Files\Common Files
1820 MsMpEng.exe 0x006025d0 COMPUTERNAME WIN-PC
1820 MsMpEng.exe 0x006025d0 ComSpec C:\Windows\system32\cmd.exe
1820 MsMpEng.exe 0x006025d0 FP_NO_HOST_CHECK NO
1820 MsMpEng.exe 0x006025d0 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
1820 MsMpEng.exe 0x006025d0 NUMBER_OF_PROCESSORS 1
1820 MsMpEng.exe 0x006025d0 OS Windows_NT
1820 MsMpEng.exe 0x006025d0 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1820 MsMpEng.exe 0x006025d0 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1820 MsMpEng.exe 0x006025d0 PROCESSOR_ARCHITECTURE x86
1820 MsMpEng.exe 0x006025d0 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1820 MsMpEng.exe 0x006025d0 PROCESSOR_LEVEL 6
1820 MsMpEng.exe 0x006025d0 PROCESSOR_REVISION 3c03
1820 MsMpEng.exe 0x006025d0 ProgramData C:\ProgramData
1820 MsMpEng.exe 0x006025d0 ProgramFiles C:\Program Files
1820 MsMpEng.exe 0x006025d0 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1820 MsMpEng.exe 0x006025d0 PUBLIC C:\Users\Public
1820 MsMpEng.exe 0x006025d0 SystemDrive C:
1820 MsMpEng.exe 0x006025d0 SystemRoot C:\Windows
1820 MsMpEng.exe 0x006025d0 TEMP C:\Windows\TEMP
1820 MsMpEng.exe 0x006025d0 TMP C:\Windows\TEMP
1820 MsMpEng.exe 0x006025d0 USERDOMAIN WORKGROUP
1820 MsMpEng.exe 0x006025d0 USERNAME WIN-PC$
1820 MsMpEng.exe 0x006025d0 USERPROFILE C:\Windows\system32\config\systemprofile
1820 MsMpEng.exe 0x006025d0 windir C:\Windows
1996 SearchIndexer. 0x00b34880 ALLUSERSPROFILE C:\ProgramData
1996 SearchIndexer. 0x00b34880 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
1996 SearchIndexer. 0x00b34880 CommonProgramFiles C:\Program Files\Common Files
1996 SearchIndexer. 0x00b34880 COMPUTERNAME WIN-PC
1996 SearchIndexer. 0x00b34880 ComSpec C:\Windows\system32\cmd.exe
1996 SearchIndexer. 0x00b34880 FP_NO_HOST_CHECK NO
1996 SearchIndexer. 0x00b34880 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
1996 SearchIndexer. 0x00b34880 NUMBER_OF_PROCESSORS 1
1996 SearchIndexer. 0x00b34880 OS Windows_NT
1996 SearchIndexer. 0x00b34880 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\system32
1996 SearchIndexer. 0x00b34880 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1996 SearchIndexer. 0x00b34880 PROCESSOR_ARCHITECTURE x86
1996 SearchIndexer. 0x00b34880 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1996 SearchIndexer. 0x00b34880 PROCESSOR_LEVEL 6
1996 SearchIndexer. 0x00b34880 PROCESSOR_REVISION 3c03
1996 SearchIndexer. 0x00b34880 ProgramData C:\ProgramData
1996 SearchIndexer. 0x00b34880 ProgramFiles C:\Program Files
1996 SearchIndexer. 0x00b34880 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1996 SearchIndexer. 0x00b34880 PUBLIC C:\Users\Public
1996 SearchIndexer. 0x00b34880 SystemDrive C:
1996 SearchIndexer. 0x00b34880 SystemRoot C:\Windows
1996 SearchIndexer. 0x00b34880 TEMP C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
1996 SearchIndexer. 0x00b34880 TMP C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
1996 SearchIndexer. 0x00b34880 USERDOMAIN WORKGROUP
1996 SearchIndexer. 0x00b34880 USERNAME WIN-PC$
1996 SearchIndexer. 0x00b34880 USERPROFILE C:\Windows\system32\config\systemprofile
1996 SearchIndexer. 0x00b34880 windir C:\Windows
1248 svchost.exe 0x004405c8 ALLUSERSPROFILE C:\ProgramData
1248 svchost.exe 0x004405c8 APPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
1248 svchost.exe 0x004405c8 CommonProgramFiles C:\Program Files\Common Files
1248 svchost.exe 0x004405c8 COMPUTERNAME WIN-PC
1248 svchost.exe 0x004405c8 ComSpec C:\Windows\system32\cmd.exe
1248 svchost.exe 0x004405c8 FP_NO_HOST_CHECK NO
1248 svchost.exe 0x004405c8 LOCALAPPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Local
1248 svchost.exe 0x004405c8 NUMBER_OF_PROCESSORS 1
1248 svchost.exe 0x004405c8 OS Windows_NT
1248 svchost.exe 0x004405c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1248 svchost.exe 0x004405c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1248 svchost.exe 0x004405c8 PROCESSOR_ARCHITECTURE x86
1248 svchost.exe 0x004405c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1248 svchost.exe 0x004405c8 PROCESSOR_LEVEL 6
1248 svchost.exe 0x004405c8 PROCESSOR_REVISION 3c03
1248 svchost.exe 0x004405c8 ProgramData C:\ProgramData
1248 svchost.exe 0x004405c8 ProgramFiles C:\Program Files
1248 svchost.exe 0x004405c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1248 svchost.exe 0x004405c8 PUBLIC C:\Users\Public
1248 svchost.exe 0x004405c8 SystemDrive C:
1248 svchost.exe 0x004405c8 SystemRoot C:\Windows
1248 svchost.exe 0x004405c8 TEMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
1248 svchost.exe 0x004405c8 TMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
1248 svchost.exe 0x004405c8 USERDOMAIN NT AUTHORITY
1248 svchost.exe 0x004405c8 USERNAME LOCAL SERVICE
1248 svchost.exe 0x004405c8 USERPROFILE C:\Windows\ServiceProfiles\LocalService
1248 svchost.exe 0x004405c8 windir C:\Windows
1080 NisSrv.exe 0x00634140 ALLUSERSPROFILE C:\ProgramData
1080 NisSrv.exe 0x00634140 APPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
1080 NisSrv.exe 0x00634140 CommonProgramFiles C:\Program Files\Common Files
1080 NisSrv.exe 0x00634140 COMPUTERNAME WIN-PC
1080 NisSrv.exe 0x00634140 ComSpec C:\Windows\system32\cmd.exe
1080 NisSrv.exe 0x00634140 FP_NO_HOST_CHECK NO
1080 NisSrv.exe 0x00634140 LOCALAPPDATA C:\Windows\ServiceProfiles\LocalService\AppData\Local
1080 NisSrv.exe 0x00634140 NUMBER_OF_PROCESSORS 1
1080 NisSrv.exe 0x00634140 OS Windows_NT
1080 NisSrv.exe 0x00634140 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
1080 NisSrv.exe 0x00634140 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
1080 NisSrv.exe 0x00634140 PROCESSOR_ARCHITECTURE x86
1080 NisSrv.exe 0x00634140 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
1080 NisSrv.exe 0x00634140 PROCESSOR_LEVEL 6
1080 NisSrv.exe 0x00634140 PROCESSOR_REVISION 3c03
1080 NisSrv.exe 0x00634140 ProgramData C:\ProgramData
1080 NisSrv.exe 0x00634140 ProgramFiles C:\Program Files
1080 NisSrv.exe 0x00634140 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
1080 NisSrv.exe 0x00634140 PUBLIC C:\Users\Public
1080 NisSrv.exe 0x00634140 SystemDrive C:
1080 NisSrv.exe 0x00634140 SystemRoot C:\Windows
1080 NisSrv.exe 0x00634140 TEMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
1080 NisSrv.exe 0x00634140 TMP C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
1080 NisSrv.exe 0x00634140 USERDOMAIN NT AUTHORITY
1080 NisSrv.exe 0x00634140 USERNAME LOCAL SERVICE
1080 NisSrv.exe 0x00634140 USERPROFILE C:\Windows\ServiceProfiles\LocalService
1080 NisSrv.exe 0x00634140 windir C:\Windows
2080 SearchProtocol 0x004105c8 ALLUSERSPROFILE C:\ProgramData
2080 SearchProtocol 0x004105c8 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
2080 SearchProtocol 0x004105c8 CommonProgramFiles C:\Program Files\Common Files
2080 SearchProtocol 0x004105c8 COMPUTERNAME WIN-PC
2080 SearchProtocol 0x004105c8 ComSpec C:\Windows\system32\cmd.exe
2080 SearchProtocol 0x004105c8 FP_NO_HOST_CHECK NO
2080 SearchProtocol 0x004105c8 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
2080 SearchProtocol 0x004105c8 NUMBER_OF_PROCESSORS 1
2080 SearchProtocol 0x004105c8 OS Windows_NT
2080 SearchProtocol 0x004105c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\system32
2080 SearchProtocol 0x004105c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
2080 SearchProtocol 0x004105c8 PROCESSOR_ARCHITECTURE x86
2080 SearchProtocol 0x004105c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
2080 SearchProtocol 0x004105c8 PROCESSOR_LEVEL 6
2080 SearchProtocol 0x004105c8 PROCESSOR_REVISION 3c03
2080 SearchProtocol 0x004105c8 ProgramData C:\ProgramData
2080 SearchProtocol 0x004105c8 ProgramFiles C:\Program Files
2080 SearchProtocol 0x004105c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
2080 SearchProtocol 0x004105c8 PUBLIC C:\Users\Public
2080 SearchProtocol 0x004105c8 SystemDrive C:
2080 SearchProtocol 0x004105c8 SystemRoot C:\Windows
2080 SearchProtocol 0x004105c8 TEMP C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
2080 SearchProtocol 0x004105c8 TMP C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
2080 SearchProtocol 0x004105c8 USERDOMAIN WORKGROUP
2080 SearchProtocol 0x004105c8 USERNAME WIN-PC$
2080 SearchProtocol 0x004105c8 USERPROFILE C:\Windows\system32\config\systemprofile
2080 SearchProtocol 0x004105c8 windir C:\Windows
2104 SearchFilterHo 0x005505c8 ALLUSERSPROFILE C:\ProgramData
2104 SearchFilterHo 0x005505c8 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
2104 SearchFilterHo 0x005505c8 CommonProgramFiles C:\Program Files\Common Files
2104 SearchFilterHo 0x005505c8 COMPUTERNAME WIN-PC
2104 SearchFilterHo 0x005505c8 ComSpec C:\Windows\system32\cmd.exe
2104 SearchFilterHo 0x005505c8 FP_NO_HOST_CHECK NO
2104 SearchFilterHo 0x005505c8 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
2104 SearchFilterHo 0x005505c8 NUMBER_OF_PROCESSORS 1
2104 SearchFilterHo 0x005505c8 OS Windows_NT
2104 SearchFilterHo 0x005505c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\system32
2104 SearchFilterHo 0x005505c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
2104 SearchFilterHo 0x005505c8 PROCESSOR_ARCHITECTURE x86
2104 SearchFilterHo 0x005505c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
2104 SearchFilterHo 0x005505c8 PROCESSOR_LEVEL 6
2104 SearchFilterHo 0x005505c8 PROCESSOR_REVISION 3c03
2104 SearchFilterHo 0x005505c8 ProgramData C:\ProgramData
2104 SearchFilterHo 0x005505c8 ProgramFiles C:\Program Files
2104 SearchFilterHo 0x005505c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
2104 SearchFilterHo 0x005505c8 PUBLIC C:\Users\Public
2104 SearchFilterHo 0x005505c8 SystemDrive C:
2104 SearchFilterHo 0x005505c8 SystemRoot C:\Windows
2104 SearchFilterHo 0x005505c8 TEMP C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
2104 SearchFilterHo 0x005505c8 TMP C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
2104 SearchFilterHo 0x005505c8 USERDOMAIN WORKGROUP
2104 SearchFilterHo 0x005505c8 USERNAME WIN-PC$
2104 SearchFilterHo 0x005505c8 USERPROFILE C:\Windows\system32\config\systemprofile
2104 SearchFilterHo 0x005505c8 windir C:\Windows
2380 WWAHost.exe 0x00e205c8 ALLUSERSPROFILE C:\ProgramData
2380 WWAHost.exe 0x00e205c8 APPDATA C:\Users\Win\AppData\Roaming
2380 WWAHost.exe 0x00e205c8 CommonProgramFiles C:\Program Files\Common Files
2380 WWAHost.exe 0x00e205c8 COMPUTERNAME WIN-PC
2380 WWAHost.exe 0x00e205c8 ComSpec C:\Windows\system32\cmd.exe
2380 WWAHost.exe 0x00e205c8 FP_NO_HOST_CHECK NO
2380 WWAHost.exe 0x00e205c8 HOMEDRIVE C:
2380 WWAHost.exe 0x00e205c8 HOMEPATH \Users\Win
2380 WWAHost.exe 0x00e205c8 LOCALAPPDATA C:\Users\Win\AppData\Local\Packages\winstore_cw5n1h2txyewy\AC
2380 WWAHost.exe 0x00e205c8 LOGONSERVER \\WIN-PC
2380 WWAHost.exe 0x00e205c8 NUMBER_OF_PROCESSORS 1
2380 WWAHost.exe 0x00e205c8 OS Windows_NT
2380 WWAHost.exe 0x00e205c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
2380 WWAHost.exe 0x00e205c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
2380 WWAHost.exe 0x00e205c8 PROCESSOR_ARCHITECTURE x86
2380 WWAHost.exe 0x00e205c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
2380 WWAHost.exe 0x00e205c8 PROCESSOR_LEVEL 6
2380 WWAHost.exe 0x00e205c8 PROCESSOR_REVISION 3c03
2380 WWAHost.exe 0x00e205c8 ProgramData C:\ProgramData
2380 WWAHost.exe 0x00e205c8 ProgramFiles C:\Program Files
2380 WWAHost.exe 0x00e205c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
2380 WWAHost.exe 0x00e205c8 PUBLIC C:\Users\Public
2380 WWAHost.exe 0x00e205c8 SystemDrive C:
2380 WWAHost.exe 0x00e205c8 SystemRoot C:\Windows
2380 WWAHost.exe 0x00e205c8 TEMP C:\Users\Win\AppData\Local\Packages\winstore_cw5n1h2txyewy\AC\Temp
2380 WWAHost.exe 0x00e205c8 TMP C:\Users\Win\AppData\Local\Packages\winstore_cw5n1h2txyewy\AC\Temp
2380 WWAHost.exe 0x00e205c8 USERDOMAIN Win-PC
2380 WWAHost.exe 0x00e205c8 USERDOMAIN_ROAMINGPROFILE Win-PC
2380 WWAHost.exe 0x00e205c8 USERNAME Win
2380 WWAHost.exe 0x00e205c8 USERPROFILE C:\Users\Win
2380 WWAHost.exe 0x00e205c8 windir C:\Windows
2468 RuntimeBroker. 0x00bc05c8 ALLUSERSPROFILE C:\ProgramData
2468 RuntimeBroker. 0x00bc05c8 APPDATA C:\Users\Win\AppData\Roaming
2468 RuntimeBroker. 0x00bc05c8 CommonProgramFiles C:\Program Files\Common Files
2468 RuntimeBroker. 0x00bc05c8 COMPUTERNAME WIN-PC
2468 RuntimeBroker. 0x00bc05c8 ComSpec C:\Windows\system32\cmd.exe
2468 RuntimeBroker. 0x00bc05c8 FP_NO_HOST_CHECK NO
2468 RuntimeBroker. 0x00bc05c8 HOMEDRIVE C:
2468 RuntimeBroker. 0x00bc05c8 HOMEPATH \Users\Win
2468 RuntimeBroker. 0x00bc05c8 LOCALAPPDATA C:\Users\Win\AppData\Local
2468 RuntimeBroker. 0x00bc05c8 LOGONSERVER \\WIN-PC
2468 RuntimeBroker. 0x00bc05c8 NUMBER_OF_PROCESSORS 1
2468 RuntimeBroker. 0x00bc05c8 OS Windows_NT
2468 RuntimeBroker. 0x00bc05c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
2468 RuntimeBroker. 0x00bc05c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
2468 RuntimeBroker. 0x00bc05c8 PROCESSOR_ARCHITECTURE x86
2468 RuntimeBroker. 0x00bc05c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
2468 RuntimeBroker. 0x00bc05c8 PROCESSOR_LEVEL 6
2468 RuntimeBroker. 0x00bc05c8 PROCESSOR_REVISION 3c03
2468 RuntimeBroker. 0x00bc05c8 ProgramData C:\ProgramData
2468 RuntimeBroker. 0x00bc05c8 ProgramFiles C:\Program Files
2468 RuntimeBroker. 0x00bc05c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
2468 RuntimeBroker. 0x00bc05c8 PUBLIC C:\Users\Public
2468 RuntimeBroker. 0x00bc05c8 SystemDrive C:
2468 RuntimeBroker. 0x00bc05c8 SystemRoot C:\Windows
2468 RuntimeBroker. 0x00bc05c8 TEMP C:\Users\Win\AppData\Local\Temp
2468 RuntimeBroker. 0x00bc05c8 TMP C:\Users\Win\AppData\Local\Temp
2468 RuntimeBroker. 0x00bc05c8 USERDOMAIN Win-PC
2468 RuntimeBroker. 0x00bc05c8 USERDOMAIN_ROAMINGPROFILE Win-PC
2468 RuntimeBroker. 0x00bc05c8 USERNAME Win
2468 RuntimeBroker. 0x00bc05c8 USERPROFILE C:\Users\Win
2468 RuntimeBroker. 0x00bc05c8 windir C:\Windows
2516 WSHost.exe 0x00a505c8 ALLUSERSPROFILE C:\ProgramData
2516 WSHost.exe 0x00a505c8 APPDATA C:\Users\Win\AppData\Roaming
2516 WSHost.exe 0x00a505c8 CommonProgramFiles C:\Program Files\Common Files
2516 WSHost.exe 0x00a505c8 COMPUTERNAME WIN-PC
2516 WSHost.exe 0x00a505c8 ComSpec C:\Windows\system32\cmd.exe
2516 WSHost.exe 0x00a505c8 FP_NO_HOST_CHECK NO
2516 WSHost.exe 0x00a505c8 HOMEDRIVE C:
2516 WSHost.exe 0x00a505c8 HOMEPATH \Users\Win
2516 WSHost.exe 0x00a505c8 LOCALAPPDATA C:\Users\Win\AppData\Local
2516 WSHost.exe 0x00a505c8 LOGONSERVER \\WIN-PC
2516 WSHost.exe 0x00a505c8 NUMBER_OF_PROCESSORS 1
2516 WSHost.exe 0x00a505c8 OS Windows_NT
2516 WSHost.exe 0x00a505c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
2516 WSHost.exe 0x00a505c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
2516 WSHost.exe 0x00a505c8 PROCESSOR_ARCHITECTURE x86
2516 WSHost.exe 0x00a505c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
2516 WSHost.exe 0x00a505c8 PROCESSOR_LEVEL 6
2516 WSHost.exe 0x00a505c8 PROCESSOR_REVISION 3c03
2516 WSHost.exe 0x00a505c8 ProgramData C:\ProgramData
2516 WSHost.exe 0x00a505c8 ProgramFiles C:\Program Files
2516 WSHost.exe 0x00a505c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
2516 WSHost.exe 0x00a505c8 PUBLIC C:\Users\Public
2516 WSHost.exe 0x00a505c8 SystemDrive C:
2516 WSHost.exe 0x00a505c8 SystemRoot C:\Windows
2516 WSHost.exe 0x00a505c8 TEMP C:\Users\Win\AppData\Local\Temp
2516 WSHost.exe 0x00a505c8 TMP C:\Users\Win\AppData\Local\Temp
2516 WSHost.exe 0x00a505c8 USERDOMAIN Win-PC
2516 WSHost.exe 0x00a505c8 USERDOMAIN_ROAMINGPROFILE Win-PC
2516 WSHost.exe 0x00a505c8 USERNAME Win
2516 WSHost.exe 0x00a505c8 USERPROFILE C:\Users\Win
2516 WSHost.exe 0x00a505c8 windir C:\Windows
2624 svchost.exe 0x00ab05c8 ALLUSERSPROFILE C:\ProgramData
2624 svchost.exe 0x00ab05c8 APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
2624 svchost.exe 0x00ab05c8 CommonProgramFiles C:\Program Files\Common Files
2624 svchost.exe 0x00ab05c8 COMPUTERNAME WIN-PC
2624 svchost.exe 0x00ab05c8 ComSpec C:\Windows\system32\cmd.exe
2624 svchost.exe 0x00ab05c8 FP_NO_HOST_CHECK NO
2624 svchost.exe 0x00ab05c8 LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
2624 svchost.exe 0x00ab05c8 NUMBER_OF_PROCESSORS 1
2624 svchost.exe 0x00ab05c8 OS Windows_NT
2624 svchost.exe 0x00ab05c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
2624 svchost.exe 0x00ab05c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
2624 svchost.exe 0x00ab05c8 PROCESSOR_ARCHITECTURE x86
2624 svchost.exe 0x00ab05c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
2624 svchost.exe 0x00ab05c8 PROCESSOR_LEVEL 6
2624 svchost.exe 0x00ab05c8 PROCESSOR_REVISION 3c03
2624 svchost.exe 0x00ab05c8 ProgramData C:\ProgramData
2624 svchost.exe 0x00ab05c8 ProgramFiles C:\Program Files
2624 svchost.exe 0x00ab05c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
2624 svchost.exe 0x00ab05c8 PUBLIC C:\Users\Public
2624 svchost.exe 0x00ab05c8 SystemDrive C:
2624 svchost.exe 0x00ab05c8 SystemRoot C:\Windows
2624 svchost.exe 0x00ab05c8 TEMP C:\Windows\TEMP
2624 svchost.exe 0x00ab05c8 TMP C:\Windows\TEMP
2624 svchost.exe 0x00ab05c8 USERDOMAIN WORKGROUP
2624 svchost.exe 0x00ab05c8 USERNAME WIN-PC$
2624 svchost.exe 0x00ab05c8 USERPROFILE C:\Windows\system32\config\systemprofile
2624 svchost.exe 0x00ab05c8 windir C:\Windows
2752 ThumbnailExtra 0x00b305c8 ALLUSERSPROFILE C:\ProgramData
2752 ThumbnailExtra 0x00b305c8 APPDATA C:\Users\Win\AppData\Roaming
2752 ThumbnailExtra 0x00b305c8 CommonProgramFiles C:\Program Files\Common Files
2752 ThumbnailExtra 0x00b305c8 COMPUTERNAME WIN-PC
2752 ThumbnailExtra 0x00b305c8 ComSpec C:\Windows\system32\cmd.exe
2752 ThumbnailExtra 0x00b305c8 FP_NO_HOST_CHECK NO
2752 ThumbnailExtra 0x00b305c8 HOMEDRIVE C:
2752 ThumbnailExtra 0x00b305c8 HOMEPATH \Users\Win
2752 ThumbnailExtra 0x00b305c8 LOCALAPPDATA C:\Users\Win\AppData\Local
2752 ThumbnailExtra 0x00b305c8 LOGONSERVER \\WIN-PC
2752 ThumbnailExtra 0x00b305c8 NUMBER_OF_PROCESSORS 1
2752 ThumbnailExtra 0x00b305c8 OS Windows_NT
2752 ThumbnailExtra 0x00b305c8 Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
2752 ThumbnailExtra 0x00b305c8 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
2752 ThumbnailExtra 0x00b305c8 PROCESSOR_ARCHITECTURE x86
2752 ThumbnailExtra 0x00b305c8 PROCESSOR_IDENTIFIER x86 Family 6 Model 60 Stepping 3, GenuineIntel
2752 ThumbnailExtra 0x00b305c8 PROCESSOR_LEVEL 6
2752 ThumbnailExtra 0x00b305c8 PROCESSOR_REVISION 3c03
2752 ThumbnailExtra 0x00b305c8 ProgramData C:\ProgramData
2752 ThumbnailExtra 0x00b305c8 ProgramFiles C:\Program Files
2752 ThumbnailExtra 0x00b305c8 PSModulePath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
2752 ThumbnailExtra 0x00b305c8 PUBLIC C:\Users\Public
2752 ThumbnailExtra 0x00b305c8 SystemDrive C:
2752 ThumbnailExtra 0x00b305c8 SystemRoot C:\Windows
2752 ThumbnailExtra 0x00b305c8 TEMP C:\Users\Win\AppData\Local\Temp
2752 ThumbnailExtra 0x00b305c8 TMP C:\Users\Win\AppData\Local\Temp
2752 ThumbnailExtra 0x00b305c8 USERDOMAIN Win-PC
2752 ThumbnailExtra 0x00b305c8 USERDOMAIN_ROAMINGPROFILE Win-PC
2752 ThumbnailExtra 0x00b305c8 USERNAME Win
2752 ThumbnailExtra 0x00b305c8 USERPROFILE C:\Users\Win
2752 ThumbnailExtra 0x00b305c8 windir C:\Windows
# ssdt
$ ./vol.py --profile=Win8SP1x86 -f win8.1-x86_booted-imagecopy.raw ssdt
Volatility Foundation Volatility Framework 2.4
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at 8151f57c with 433 entries
Entry 0x0000: 0x8143cfd8 (NtWorkerFactoryWorkerReady) owned by ntoskrnl.exe
Entry 0x0001: 0x8174bd30 (NtAcceptConnectPort) owned by ntoskrnl.exe
Entry 0x0002: 0x814502e0 (NtYieldExecution) owned by ntoskrnl.exe
Entry 0x0003: 0x8173d91a (NtWriteVirtualMemory) owned by ntoskrnl.exe
Entry 0x0004: 0x81862d00 (NtWriteRequestData) owned by ntoskrnl.exe
Entry 0x0005: 0x81747ad6 (NtWriteFileGather) owned by ntoskrnl.exe
Entry 0x0006: 0x816a4a34 (NtWriteFile) owned by ntoskrnl.exe
Entry 0x0007: 0x817a3ca6 (NtWaitLowEventPair) owned by ntoskrnl.exe
Entry 0x0008: 0x817a3ca6 (NtWaitHighEventPair) owned by ntoskrnl.exe
Entry 0x0009: 0x81473b10 (NtWaitForWorkViaWorkerFactory) owned by ntoskrnl.exe
Entry 0x000a: 0x816bf930 (NtWaitForSingleObject) owned by ntoskrnl.exe
Entry 0x000b: 0x8186d3a9 (NtWaitForMultipleObjects32) owned by ntoskrnl.exe
Entry 0x000c: 0x816c27d2 (NtWaitForMultipleObjects) owned by ntoskrnl.exe
Entry 0x000d: 0x81756de2 (NtWaitForKeyedEvent) owned by ntoskrnl.exe
Entry 0x000e: 0x8183ea34 (NtWaitForDebugEvent) owned by ntoskrnl.exe
Entry 0x000f: 0x81735678 (NtWaitForAlertByThreadId) owned by ntoskrnl.exe
Entry 0x0010: 0x8188f607 (NtVdmControl) owned by ntoskrnl.exe
Entry 0x0011: 0x81685a86 (NtUnsubscribeWnfStateChange) owned by ntoskrnl.exe
Entry 0x0012: 0x81686e9a (NtUpdateWnfStateData) owned by ntoskrnl.exe
Entry 0x0013: 0x816dc1ba (NtUnmapViewOfSection) owned by ntoskrnl.exe
Entry 0x0014: 0x816dc1d6 (NtUnmapViewOfSectionEx) owned by ntoskrnl.exe
Entry 0x0015: 0x8145c2ee (NtUnlockVirtualMemory) owned by ntoskrnl.exe
Entry 0x0016: 0x8173d65e (NtUnlockFile) owned by ntoskrnl.exe
Entry 0x0017: 0x8173f75a (NtUnloadKeyEx) owned by ntoskrnl.exe
Entry 0x0018: 0x8177bfc0 (NtUnloadKey2) owned by ntoskrnl.exe
Entry 0x0019: 0x8182ff10 (NtUnloadKey) owned by ntoskrnl.exe
Entry 0x001a: 0x8184b635 (NtUnloadDriver) owned by ntoskrnl.exe
Entry 0x001b: 0x81860832 (NtUmsThreadYield) owned by ntoskrnl.exe
Entry 0x001c: 0x818a417f (NtTranslateFilePath) owned by ntoskrnl.exe
Entry 0x001d: 0x814775b2 (NtTraceEvent) owned by ntoskrnl.exe
Entry 0x001e: 0x816fec00 (NtTraceControl) owned by ntoskrnl.exe
Entry 0x001f: 0x8143beca (NtThawTransactions) owned by ntoskrnl.exe
Entry 0x0020: 0x8158772a (NtThawRegistry) owned by ntoskrnl.exe
Entry 0x0021: 0x81738a6c (NtTestAlert) owned by ntoskrnl.exe
Entry 0x0022: 0x8171404a (NtTerminateThread) owned by ntoskrnl.exe
Entry 0x0023: 0x817138d8 (NtTerminateProcess) owned by ntoskrnl.exe
Entry 0x0024: 0x8166b404 (NtTerminateJobObject) owned by ntoskrnl.exe
Entry 0x0025: 0x818a5c61 (NtSystemDebugControl) owned by ntoskrnl.exe
Entry 0x0026: 0x8175e194 (NtSuspendThread) owned by ntoskrnl.exe
Entry 0x0027: 0x81879a04 (NtSuspendProcess) owned by ntoskrnl.exe
Entry 0x0028: 0x81686450 (NtSubscribeWnfStateChange) owned by ntoskrnl.exe
Entry 0x0029: 0x818a6a43 (NtStopProfile) owned by ntoskrnl.exe
Entry 0x002a: 0x818a6850 (NtStartProfile) owned by ntoskrnl.exe
Entry 0x002b: 0x8143bf96 (NtSinglePhaseReject) owned by ntoskrnl.exe
Entry 0x002c: 0x814f546e (NtSignalAndWaitForSingleObject) owned by ntoskrnl.exe
Entry 0x002d: 0x8143d0d2 (NtShutdownWorkerFactory) owned by ntoskrnl.exe
Entry 0x002e: 0x8189ca18 (NtShutdownSystem) owned by ntoskrnl.exe
Entry 0x002f: 0x8174a1ae (NtSetWnfProcessNotificationEvent) owned by ntoskrnl.exe
Entry 0x0030: 0x8175ea50 (NtSetVolumeInformationFile) owned by ntoskrnl.exe
Entry 0x0031: 0x8167f04a (NtSetValueKey) owned by ntoskrnl.exe
Entry 0x0032: 0x8179ce30 (NtSetUuidSeed) owned by ntoskrnl.exe
Entry 0x0033: 0x8170cc6c (NtSetTimerResolution) owned by ntoskrnl.exe
Entry 0x0034: 0x814d2b38 (NtSetTimerEx) owned by ntoskrnl.exe
Entry 0x0035: 0x814d2a76 (NtSetTimer) owned by ntoskrnl.exe
Entry 0x0036: 0x81716792 (NtSetThreadExecutionState) owned by ntoskrnl.exe
Entry 0x0037: 0x8175f8a6 (NtSetSystemTime) owned by ntoskrnl.exe
Entry 0x0038: 0x8164c40e (NtSetSystemPowerState) owned by ntoskrnl.exe
Entry 0x0039: 0x816f9b42 (NtSetSystemInformation) owned by ntoskrnl.exe
Entry 0x003a: 0x818a3f82 (NtSetSystemEnvironmentValueEx) owned by ntoskrnl.exe
Entry 0x003b: 0x818a3c79 (NtSetSystemEnvironmentValue) owned by ntoskrnl.exe
Entry 0x003c: 0x8173b0c0 (NtSetSecurityObject) owned by ntoskrnl.exe
Entry 0x003d: 0x8184a2a3 (NtSetQuotaInformationFile) owned by ntoskrnl.exe
Entry 0x003e: 0x817a3ca6 (NtSetLowWaitHighEventPair) owned by ntoskrnl.exe
Entry 0x003f: 0x817a3ca6 (NtSetLowEventPair) owned by ntoskrnl.exe
Entry 0x0040: 0x8187ab17 (NtSetLdtEntries) owned by ntoskrnl.exe
Entry 0x0041: 0x814f5704 (NtSetIRTimer) owned by ntoskrnl.exe
Entry 0x0042: 0x81471af0 (NtSetTimer2) owned by ntoskrnl.exe
Entry 0x0043: 0x81471808 (NtCancelTimer2) owned by ntoskrnl.exe
Entry 0x0044: 0x8184875f (NtSetIoCompletionEx) owned by ntoskrnl.exe
Entry 0x0045: 0x816e0e2a (NtSetIoCompletion) owned by ntoskrnl.exe
Entry 0x0046: 0x81760862 (NtSetIntervalProfile) owned by ntoskrnl.exe
Entry 0x0047: 0x8143d210 (NtSetInformationWorkerFactory) owned by ntoskrnl.exe
Entry 0x0048: 0x8143bf9c (NtSetInformationTransactionManager) owned by ntoskrnl.exe
Entry 0x0049: 0x8143bec4 (NtSetInformationTransaction) owned by ntoskrnl.exe
Entry 0x004a: 0x816f6d60 (NtSetInformationToken) owned by ntoskrnl.exe
Entry 0x004b: 0x816aafd2 (NtSetInformationThread) owned by ntoskrnl.exe
Entry 0x004c: 0x8143bebe (NtSetInformationResourceManager) owned by ntoskrnl.exe
Entry 0x004d: 0x816788e6 (NtSetInformationProcess) owned by ntoskrnl.exe
Entry 0x004e: 0x81739822 (NtSetInformationObject) owned by ntoskrnl.exe
Entry 0x004f: 0x8182f873 (NtSetInformationKey) owned by ntoskrnl.exe
Entry 0x0050: 0x8166ba86 (NtSetInformationJobObject) owned by ntoskrnl.exe
Entry 0x0051: 0x814ac0a0 (NtSetInformationFile) owned by ntoskrnl.exe
Entry 0x0052: 0x8143beb8 (NtSetInformationEnlistment) owned by ntoskrnl.exe
Entry 0x0053: 0x8183e891 (NtSetInformationDebugObject) owned by ntoskrnl.exe
Entry 0x0054: 0x817a3ca6 (NtSetHighWaitLowEventPair) owned by ntoskrnl.exe
Entry 0x0055: 0x817a3ca6 (NtSetHighEventPair) owned by ntoskrnl.exe
Entry 0x0056: 0x8189e91d (NtSetEventBoostPriority) owned by ntoskrnl.exe
Entry 0x0057: 0x816b75a6 (NtSetEvent) owned by ntoskrnl.exe
Entry 0x0058: 0x8184975e (NtSetEaFile) owned by ntoskrnl.exe
Entry 0x0059: 0x818a3a51 (NtSetDriverEntryOrder) owned by ntoskrnl.exe
Entry 0x005a: 0x8177b392 (NtSetDefaultUILanguage) owned by ntoskrnl.exe
Entry 0x005b: 0x8177bbb6 (NtSetDefaultLocale) owned by ntoskrnl.exe
Entry 0x005c: 0x817a24e4 (NtSetDefaultHardErrorPort) owned by ntoskrnl.exe
Entry 0x005d: 0x8177f18a (NtSetDebugFilterState) owned by ntoskrnl.exe
Entry 0x005e: 0x818795ef (NtSetContextThread) owned by ntoskrnl.exe
Entry 0x005f: 0x81745606 (NtSetCachedSigningLevel) owned by ntoskrnl.exe
Entry 0x0060: 0x818a382b (NtSetBootOptions) owned by ntoskrnl.exe
Entry 0x0061: 0x818a3603 (NtSetBootEntryOrder) owned by ntoskrnl.exe
Entry 0x0062: 0x817a2678 (NtSerializeBoot) owned by ntoskrnl.exe
Entry 0x0063: 0x816dcb2a (NtSecureConnectPort) owned by ntoskrnl.exe
Entry 0x0064: 0x8182f57f (NtSaveMergedKeys) owned by ntoskrnl.exe
Entry 0x0065: 0x8182f167 (NtSaveKeyEx) owned by ntoskrnl.exe
Entry 0x0066: 0x8182edea (NtSaveKey) owned by ntoskrnl.exe
Entry 0x0067: 0x8143bfa2 (NtRollforwardTransactionManager) owned by ntoskrnl.exe
Entry 0x0068: 0x8143beb2 (NtRollbackTransaction) owned by ntoskrnl.exe
Entry 0x0069: 0x8143beac (NtRollbackEnlistment) owned by ntoskrnl.exe
Entry 0x006a: 0x8143bea6 (NtRollbackComplete) owned by ntoskrnl.exe
Entry 0x006b: 0x81738c8c (NtResumeThread) owned by ntoskrnl.exe
Entry 0x006c: 0x818799a1 (NtResumeProcess) owned by ntoskrnl.exe
Entry 0x006d: 0x8182ea37 (NtRestoreKey) owned by ntoskrnl.exe
Entry 0x006e: 0x81496870 (NtResetWriteWatch) owned by ntoskrnl.exe
Entry 0x006f: 0x8167c012 (NtResetEvent) owned by ntoskrnl.exe
Entry 0x0070: 0x81737b0c (NtRequestWaitReplyPort) owned by ntoskrnl.exe
Entry 0x0071: 0x81742574 (NtRequestPort) owned by ntoskrnl.exe
Entry 0x0072: 0x81862c86 (NtReplyWaitReplyPort) owned by ntoskrnl.exe
Entry 0x0073: 0x816ac600 (NtReplyWaitReceivePortEx) owned by ntoskrnl.exe
Entry 0x0074: 0x816ac72c (NtReplyWaitReceivePort) owned by ntoskrnl.exe
Entry 0x0075: 0x817384e2 (NtReplyPort) owned by ntoskrnl.exe
Entry 0x0076: 0x815ee211 (NtReplacePartitionUnit) owned by ntoskrnl.exe
Entry 0x0077: 0x8182e606 (NtReplaceKey) owned by ntoskrnl.exe
Entry 0x0078: 0x8143bfa8 (NtRenameTransactionManager) owned by ntoskrnl.exe
Entry 0x0079: 0x8182e113 (NtRenameKey) owned by ntoskrnl.exe
Entry 0x007a: 0x8183e7b7 (NtRemoveProcessDebug) owned by ntoskrnl.exe
Entry 0x007b: 0x81740446 (NtRemoveIoCompletionEx) owned by ntoskrnl.exe
Entry 0x007c: 0x816a53fe (NtRemoveIoCompletion) owned by ntoskrnl.exe
Entry 0x007d: 0x8143d884 (NtReleaseWorkerFactoryWorker) owned by ntoskrnl.exe
Entry 0x007e: 0x816e1122 (NtReleaseSemaphore) owned by ntoskrnl.exe
Entry 0x007f: 0x81676902 (NtReleaseMutant) owned by ntoskrnl.exe
Entry 0x0080: 0x81756c3e (NtReleaseKeyedEvent) owned by ntoskrnl.exe
Entry 0x0081: 0x8175a25e (NtRegisterThreadTerminatePort) owned by ntoskrnl.exe
Entry 0x0082: 0x8143bfae (NtRegisterProtocolAddressInformation) owned by ntoskrnl.exe
Entry 0x0083: 0x8143bea0 (NtRecoverTransactionManager) owned by ntoskrnl.exe
Entry 0x0084: 0x8143be9a (NtRecoverResourceManager) owned by ntoskrnl.exe
Entry 0x0085: 0x8143be94 (NtRecoverEnlistment) owned by ntoskrnl.exe
Entry 0x0086: 0x816b5f34 (NtReadVirtualMemory) owned by ntoskrnl.exe
Entry 0x0087: 0x81862c1c (NtReadRequestData) owned by ntoskrnl.exe
Entry 0x0088: 0x8143be8e (NtReadOnlyEnlistment) owned by ntoskrnl.exe
Entry 0x0089: 0x8175689e (NtReadFileScatter) owned by ntoskrnl.exe
Entry 0x008a: 0x816bbe30 (NtReadFile) owned by ntoskrnl.exe
Entry 0x008b: 0x818a4993 (NtRaiseHardError) owned by ntoskrnl.exe
Entry 0x008c: 0x81533c28 (NtRaiseException) owned by ntoskrnl.exe
Entry 0x008d: 0x8170b24e (NtQueueApcThreadEx) owned by ntoskrnl.exe
Entry 0x008e: 0x8170b22a (NtQueueApcThread) owned by ntoskrnl.exe
Entry 0x008f: 0x816860cc (NtQueryWnfStateData) owned by ntoskrnl.exe
Entry 0x0090: 0x81688d02 (NtQueryWnfStateNameInformation) owned by ntoskrnl.exe
Entry 0x0091: 0x816b7b60 (NtQueryVolumeInformationFile) owned by ntoskrnl.exe
Entry 0x0092: 0x816ccdce (NtQueryVirtualMemory) owned by ntoskrnl.exe
Entry 0x0093: 0x816c3840 (NtQueryValueKey) owned by ntoskrnl.exe
Entry 0x0094: 0x817532c4 (NtQueryTimerResolution) owned by ntoskrnl.exe
Entry 0x0095: 0x8189e77f (NtQueryTimer) owned by ntoskrnl.exe
Entry 0x0096: 0x816b1996 (NtQuerySystemTime) owned by ntoskrnl.exe
Entry 0x0097: 0x8173e8dc (NtQuerySystemInformationEx) owned by ntoskrnl.exe
Entry 0x0098: 0x816d3550 (NtQuerySystemInformation) owned by ntoskrnl.exe
Entry 0x0099: 0x8177cf1c (NtQuerySystemEnvironmentValueEx) owned by ntoskrnl.exe
Entry 0x009a: 0x818a32d6 (NtQuerySystemEnvironmentValue) owned by ntoskrnl.exe
Entry 0x009b: 0x817352d4 (NtQuerySymbolicLinkObject) owned by ntoskrnl.exe
Entry 0x009c: 0x8175ba46 (NtQuerySemaphore) owned by ntoskrnl.exe
Entry 0x009d: 0x8167ad70 (NtQuerySecurityObject) owned by ntoskrnl.exe
Entry 0x009e: 0x816ac7c4 (NtQuerySecurityAttributesToken) owned by ntoskrnl.exe
Entry 0x009f: 0x816a3010 (NtQuerySection) owned by ntoskrnl.exe
Entry 0x00a0: 0x81849bf4 (NtQueryQuotaInformationFile) owned by ntoskrnl.exe
Entry 0x00a1: 0x817a40de (NtQueryPortInformationProcess) owned by ntoskrnl.exe
Entry 0x00a2: 0x81735ba2 (NtQueryPerformanceCounter) owned by ntoskrnl.exe
Entry 0x00a3: 0x8182dcfb (NtQueryOpenSubKeysEx) owned by ntoskrnl.exe
Entry 0x00a4: 0x8182dad7 (NtQueryOpenSubKeys) owned by ntoskrnl.exe
Entry 0x00a5: 0x81711746 (NtQueryObject) owned by ntoskrnl.exe
Entry 0x00a6: 0x818a6afe (NtQueryMutant) owned by ntoskrnl.exe
Entry 0x00a7: 0x81745c7c (NtQueryMultipleValueKey) owned by ntoskrnl.exe
Entry 0x00a8: 0x817525ae (NtQueryLicenseValue) owned by ntoskrnl.exe
Entry 0x00a9: 0x817125de (NtQueryKey) owned by ntoskrnl.exe
Entry 0x00aa: 0x81848642 (NtQueryIoCompletion) owned by ntoskrnl.exe
Entry 0x00ab: 0x8176044c (NtQueryIntervalProfile) owned by ntoskrnl.exe
Entry 0x00ac: 0x81757ba8 (NtQueryInstallUILanguage) owned by ntoskrnl.exe
Entry 0x00ad: 0x815eac4c (NtQueryInformationWorkerFactory) owned by ntoskrnl.exe
Entry 0x00ae: 0x8143be88 (NtQueryInformationTransactionManager) owned by ntoskrnl.exe
Entry 0x00af: 0x8143be82 (NtQueryInformationTransaction) owned by ntoskrnl.exe
Entry 0x00b0: 0x816c9700 (NtQueryInformationToken) owned by ntoskrnl.exe
Entry 0x00b1: 0x81714136 (NtQueryInformationThread) owned by ntoskrnl.exe
Entry 0x00b2: 0x8143be7c (NtQueryInformationResourceManager) owned by ntoskrnl.exe
Entry 0x00b3: 0x816a0f1a (NtQueryInformationProcess) owned by ntoskrnl.exe
Entry 0x00b4: 0x81862b3e (NtQueryInformationPort) owned by ntoskrnl.exe
Entry 0x00b5: 0x8166cd38 (NtQueryInformationJobObject) owned by ntoskrnl.exe
Entry 0x00b6: 0x816be210 (NtQueryInformationFile) owned by ntoskrnl.exe
Entry 0x00b7: 0x8143be76 (NtQueryInformationEnlistment) owned by ntoskrnl.exe
Entry 0x00b8: 0x8173a15a (NtQueryInformationAtom) owned by ntoskrnl.exe
Entry 0x00b9: 0x81701e84 (NtQueryFullAttributesFile) owned by ntoskrnl.exe
Entry 0x00ba: 0x8174a0de (NtQueryEvent) owned by ntoskrnl.exe
Entry 0x00bb: 0x8174f7b0 (NtQueryEaFile) owned by ntoskrnl.exe
Entry 0x00bc: 0x818a2f84 (NtQueryDriverEntryOrder) owned by ntoskrnl.exe
Entry 0x00bd: 0x8172b152 (NtQueryDirectoryObject) owned by ntoskrnl.exe
Entry 0x00be: 0x8172aca6 (NtQueryDirectoryFile) owned by ntoskrnl.exe
Entry 0x00bf: 0x8176b798 (NtQueryDefaultUILanguage) owned by ntoskrnl.exe
Entry 0x00c0: 0x8167358e (NtQueryDefaultLocale) owned by ntoskrnl.exe
Entry 0x00c1: 0x814e896c (NtQueryDebugFilterState) owned by ntoskrnl.exe
Entry 0x00c2: 0x818a2c7e (NtQueryBootOptions) owned by ntoskrnl.exe
Entry 0x00c3: 0x818a2a24 (NtQueryBootEntryOrder) owned by ntoskrnl.exe
Entry 0x00c4: 0x8170211c (NtQueryAttributesFile) owned by ntoskrnl.exe
Entry 0x00c5: 0x816e0eb8 (NtPulseEvent) owned by ntoskrnl.exe
Entry 0x00c6: 0x816a3638 (NtProtectVirtualMemory) owned by ntoskrnl.exe
Entry 0x00c7: 0x8143be70 (NtPropagationFailed) owned by ntoskrnl.exe
Entry 0x00c8: 0x8143be6a (NtPropagationComplete) owned by ntoskrnl.exe
Entry 0x00c9: 0x8177b1d8 (NtPrivilegeObjectAuditAlarm) owned by ntoskrnl.exe
Entry 0x00ca: 0x81750602 (NtPrivilegedServiceAuditAlarm) owned by ntoskrnl.exe
Entry 0x00cb: 0x816f798e (NtPrivilegeCheck) owned by ntoskrnl.exe
Entry 0x00cc: 0x81689aa8 (NtSetInformationVirtualMemory) owned by ntoskrnl.exe
Entry 0x00cd: 0x8143be58 (NtPrePrepareEnlistment) owned by ntoskrnl.exe
Entry 0x00ce: 0x8143be52 (NtPrePrepareComplete) owned by ntoskrnl.exe
Entry 0x00cf: 0x8143be64 (NtPrepareEnlistment) owned by ntoskrnl.exe
Entry 0x00d0: 0x8143be5e (NtPrepareComplete) owned by ntoskrnl.exe
Entry 0x00d1: 0x81718da8 (NtPowerInformation) owned by ntoskrnl.exe
Entry 0x00d2: 0x816936a8 (NtPlugPlayControl) owned by ntoskrnl.exe
Entry 0x00d3: 0x8143be4c (NtOpenTransactionManager) owned by ntoskrnl.exe
Entry 0x00d4: 0x8143be46 (NtOpenTransaction) owned by ntoskrnl.exe
Entry 0x00d5: 0x8189e6c6 (NtOpenTimer) owned by ntoskrnl.exe
Entry 0x00d6: 0x816d5e9e (NtOpenThreadTokenEx) owned by ntoskrnl.exe
Entry 0x00d7: 0x816d5e7c (NtOpenThreadToken) owned by ntoskrnl.exe
Entry 0x00d8: 0x816d7f0c (NtOpenThread) owned by ntoskrnl.exe
Entry 0x00d9: 0x817389bc (NtOpenSymbolicLinkObject) owned by ntoskrnl.exe
Entry 0x00da: 0x817564a6 (NtOpenSession) owned by ntoskrnl.exe
Entry 0x00db: 0x8174e358 (NtOpenSemaphore) owned by ntoskrnl.exe
Entry 0x00dc: 0x81735c8c (NtOpenSection) owned by ntoskrnl.exe
Entry 0x00dd: 0x8143be40 (NtOpenResourceManager) owned by ntoskrnl.exe
Entry 0x00de: 0x816d5760 (NtOpenProcessTokenEx) owned by ntoskrnl.exe
Entry 0x00df: 0x816d5740 (NtOpenProcessToken) owned by ntoskrnl.exe
Entry 0x00e0: 0x816d328c (NtOpenProcess) owned by ntoskrnl.exe
Entry 0x00e1: 0x816f601e (NtOpenPrivateNamespace) owned by ntoskrnl.exe
Entry 0x00e2: 0x817687f4 (NtOpenObjectAuditAlarm) owned by ntoskrnl.exe
Entry 0x00e3: 0x81735ede (NtOpenMutant) owned by ntoskrnl.exe
Entry 0x00e4: 0x81713460 (NtOpenKeyTransactedEx) owned by ntoskrnl.exe
Entry 0x00e5: 0x8171338a (NtOpenKeyTransacted) owned by ntoskrnl.exe
Entry 0x00e6: 0x8171355a (NtOpenKeyEx) owned by ntoskrnl.exe
Entry 0x00e7: 0x818a5b9b (NtOpenKeyedEvent) owned by ntoskrnl.exe
Entry 0x00e8: 0x81713538 (NtOpenKey) owned by ntoskrnl.exe
Entry 0x00e9: 0x81879b40 (NtOpenJobObject) owned by ntoskrnl.exe
Entry 0x00ea: 0x81848585 (NtOpenIoCompletion) owned by ntoskrnl.exe
Entry 0x00eb: 0x817020aa (NtOpenFile) owned by ntoskrnl.exe
Entry 0x00ec: 0x818a5b8e (NtOpenEventPair) owned by ntoskrnl.exe
Entry 0x00ed: 0x81739d38 (NtOpenEvent) owned by ntoskrnl.exe
Entry 0x00ee: 0x8143be3a (NtOpenEnlistment) owned by ntoskrnl.exe
Entry 0x00ef: 0x81738b56 (NtOpenDirectoryObject) owned by ntoskrnl.exe
Entry 0x00f0: 0x81758fa4 (NtNotifyChangeSession) owned by ntoskrnl.exe
Entry 0x00f1: 0x8170bb34 (NtNotifyChangeMultipleKeys) owned by ntoskrnl.exe
Entry 0x00f2: 0x8170bafe (NtNotifyChangeKey) owned by ntoskrnl.exe
Entry 0x00f3: 0x81742b34 (NtNotifyChangeDirectoryFile) owned by ntoskrnl.exe
Entry 0x00f4: 0x818a29fa (NtModifyDriverEntry) owned by ntoskrnl.exe
Entry 0x00f5: 0x818a29d0 (NtModifyBootEntry) owned by ntoskrnl.exe
Entry 0x00f6: 0x8172bd88 (NtMapViewOfSection) owned by ntoskrnl.exe
Entry 0x00f7: 0x81869fbe (NtMapUserPhysicalPagesScatter) owned by ntoskrnl.exe
Entry 0x00f8: 0x8186998e (NtMapUserPhysicalPages) owned by ntoskrnl.exe
Entry 0x00f9: 0x8172f284 (NtMapCMFModule) owned by ntoskrnl.exe
Entry 0x00fa: 0x81753e6e (NtMakeTemporaryObject) owned by ntoskrnl.exe
Entry 0x00fb: 0x817707aa (NtMakePermanentObject) owned by ntoskrnl.exe
Entry 0x00fc: 0x8145cb20 (NtLockVirtualMemory) owned by ntoskrnl.exe
Entry 0x00fd: 0x8179a6c8 (NtLockRegistryKey) owned by ntoskrnl.exe
Entry 0x00fe: 0x81792836 (NtLockProductActivationKeys) owned by ntoskrnl.exe
Entry 0x00ff: 0x8173b672 (NtLockFile) owned by ntoskrnl.exe
Entry 0x0100: 0x81705fb6 (NtLoadKeyEx) owned by ntoskrnl.exe
Entry 0x0101: 0x8177d352 (NtLoadKey2) owned by ntoskrnl.exe
Entry 0x0102: 0x81772fca (NtLoadKey) owned by ntoskrnl.exe
Entry 0x0103: 0x81754794 (NtLoadDriver) owned by ntoskrnl.exe
Entry 0x0104: 0x817a29c6 (NtListenPort) owned by ntoskrnl.exe
Entry 0x0105: 0x817905d6 (NtIsUILanguageComitted) owned by ntoskrnl.exe
Entry 0x0106: 0x817730f8 (NtIsSystemResumeAutomatic) owned by ntoskrnl.exe
Entry 0x0107: 0x8166efba (NtIsProcessInJob) owned by ntoskrnl.exe
Entry 0x0108: 0x8176431e (NtInitiatePowerAction) owned by ntoskrnl.exe
Entry 0x0109: 0x8177cb12 (NtInitializeRegistry) owned by ntoskrnl.exe
Entry 0x010a: 0x8173ad32 (NtInitializeNlsFiles) owned by ntoskrnl.exe
Entry 0x010b: 0x81738d84 (NtImpersonateThread) owned by ntoskrnl.exe
Entry 0x010c: 0x81862b17 (NtImpersonateClientOfPort) owned by ntoskrnl.exe
Entry 0x010d: 0x816f3d7c (NtImpersonateAnonymousToken) owned by ntoskrnl.exe
Entry 0x010e: 0x81492b00 (NtGetWriteWatch) owned by ntoskrnl.exe
Entry 0x010f: 0x8143be34 (NtGetNotificationResourceManager) owned by ntoskrnl.exe
Entry 0x0110: 0x816e604c (NtGetNlsSectionPtr) owned by ntoskrnl.exe
Entry 0x0111: 0x8187a26f (NtGetNextThread) owned by ntoskrnl.exe
Entry 0x0112: 0x81773628 (NtGetNextProcess) owned by ntoskrnl.exe
Entry 0x0113: 0x8172f4a6 (NtGetMUIRegistryInfo) owned by ntoskrnl.exe
Entry 0x0114: 0x81873618 (NtGetDevicePowerState) owned by ntoskrnl.exe
Entry 0x0115: 0x8175a712 (NtGetCurrentProcessorNumber) owned by ntoskrnl.exe
Entry 0x0116: 0x8175e612 (NtGetContextThread) owned by ntoskrnl.exe
Entry 0x0117: 0x816867ec (NtGetCompleteWnfStateSubscription) owned by ntoskrnl.exe
Entry 0x0118: 0x8175db3a (NtGetCachedSigningLevel) owned by ntoskrnl.exe
Entry 0x0119: 0x81704644 (NtFsControlFile) owned by ntoskrnl.exe
Entry 0x011a: 0x8143be2e (NtFreezeTransactions) owned by ntoskrnl.exe
Entry 0x011b: 0x815876d3 (NtFreezeRegistry) owned by ntoskrnl.exe
Entry 0x011c: 0x81495900 (NtFreeVirtualMemory) owned by ntoskrnl.exe
Entry 0x011d: 0x8186947b (NtFreeUserPhysicalPages) owned by ntoskrnl.exe
Entry 0x011e: 0x8186a717 (NtFlushWriteBuffer) owned by ntoskrnl.exe
Entry 0x011f: 0x8173e538 (NtFlushVirtualMemory) owned by ntoskrnl.exe
Entry 0x0120: 0x814ce75e (NtFlushProcessWriteBuffers) owned by ntoskrnl.exe
Entry 0x0121: 0x81751846 (NtFlushKey) owned by ntoskrnl.exe
Entry 0x0122: 0x81753e64 (NtFlushInstructionCache) owned by ntoskrnl.exe
Entry 0x0123: 0x817a21d4 (NtFlushInstallUILanguage) owned by ntoskrnl.exe
Entry 0x0124: 0x81740188 (NtFlushBuffersFile) owned by ntoskrnl.exe
Entry 0x0125: 0x817401a6 (NtFlushBuffersFileEx) owned by ntoskrnl.exe
Entry 0x0126: 0x816ad09a (NtFindAtom) owned by ntoskrnl.exe
Entry 0x0127: 0x816f8ff6 (NtFilterToken) owned by ntoskrnl.exe
Entry 0x0128: 0x81883280 (NtFilterTokenEx) owned by ntoskrnl.exe
Entry 0x0129: 0x8188821d (NtFilterBootOption) owned by ntoskrnl.exe
Entry 0x012a: 0x81867071 (NtExtendSection) owned by ntoskrnl.exe
Entry 0x012b: 0x81714ebe (NtEnumerateValueKey) owned by ntoskrnl.exe
Entry 0x012c: 0x8143be28 (NtEnumerateTransactionObject) owned by ntoskrnl.exe
Entry 0x012d: 0x818a26ce (NtEnumerateSystemEnvironmentValuesEx) owned by ntoskrnl.exe
Entry 0x012e: 0x816c8a9a (NtEnumerateKey) owned by ntoskrnl.exe
Entry 0x012f: 0x818a2270 (NtEnumerateDriverEntries) owned by ntoskrnl.exe
Entry 0x0130: 0x818a1d7a (NtEnumerateBootEntries) owned by ntoskrnl.exe
Entry 0x0131: 0x818b9d70 (NtEnableLastKnownGood) owned by ntoskrnl.exe
Entry 0x0132: 0x816d798e (NtDuplicateToken) owned by ntoskrnl.exe
Entry 0x0133: 0x8168f180 (NtDuplicateObject) owned by ntoskrnl.exe
Entry 0x0134: 0x815e8e50 (NtDrawText) owned by ntoskrnl.exe
Entry 0x0135: 0x8189c85c (NtDisplayString) owned by ntoskrnl.exe
Entry 0x0136: 0x818b9c79 (NtDisableLastKnownGood) owned by ntoskrnl.exe
Entry 0x0137: 0x816bc4ec (NtDeviceIoControlFile) owned by ntoskrnl.exe
Entry 0x0138: 0x81688ff0 (NtDeleteWnfStateName) owned by ntoskrnl.exe
Entry 0x0139: 0x817a035c (NtDeleteWnfStateData) owned by ntoskrnl.exe
Entry 0x013a: 0x81715a4c (NtDeleteValueKey) owned by ntoskrnl.exe
Entry 0x013b: 0x81741c72 (NtDeletePrivateNamespace) owned by ntoskrnl.exe
Entry 0x013c: 0x8175c8c4 (NtDeleteObjectAuditAlarm) owned by ntoskrnl.exe
Entry 0x013d: 0x8171561e (NtDeleteKey) owned by ntoskrnl.exe
Entry 0x013e: 0x8184882e (NtDeleteFile) owned by ntoskrnl.exe
Entry 0x013f: 0x818a1bad (NtDeleteDriverEntry) owned by ntoskrnl.exe
Entry 0x0140: 0x818a19e0 (NtDeleteBootEntry) owned by ntoskrnl.exe
Entry 0x0141: 0x8173833e (NtDeleteAtom) owned by ntoskrnl.exe
Entry 0x0142: 0x8167acd6 (NtDelayExecution) owned by ntoskrnl.exe
Entry 0x0143: 0x8183e5c3 (NtDebugContinue) owned by ntoskrnl.exe
Entry 0x0144: 0x8183e456 (NtDebugActiveProcess) owned by ntoskrnl.exe
Entry 0x0145: 0x81738f7e (NtCreateWorkerFactory) owned by ntoskrnl.exe
Entry 0x0146: 0x81685c18 (NtCreateWnfStateName) owned by ntoskrnl.exe
Entry 0x0147: 0x81738eba (NtCreateWaitCompletionPacket) owned by ntoskrnl.exe
Entry 0x0148: 0x8177d1f0 (NtCreateWaitablePort) owned by ntoskrnl.exe
Entry 0x0149: 0x8168fa46 (NtCreateUserProcess) owned by ntoskrnl.exe
Entry 0x014a: 0x8143be22 (NtCreateTransactionManager) owned by ntoskrnl.exe
Entry 0x014b: 0x8143be1c (NtCreateTransaction) owned by ntoskrnl.exe
Entry 0x014c: 0x81887bec (NtCreateToken) owned by ntoskrnl.exe
Entry 0x014d: 0x816f55c6 (NtCreateLowBoxToken) owned by ntoskrnl.exe
Entry 0x014e: 0x816f8508 (NtCreateTokenEx) owned by ntoskrnl.exe
Entry 0x014f: 0x816cd704 (NtCreateTimer) owned by ntoskrnl.exe
Entry 0x0150: 0x8168e6a8 (NtCreateThreadEx) owned by ntoskrnl.exe
Entry 0x0151: 0x81877edd (NtCreateThread) owned by ntoskrnl.exe
Entry 0x0152: 0x817496c8 (NtCreateSymbolicLinkObject) owned by ntoskrnl.exe
Entry 0x0153: 0x81676a20 (NtCreateSemaphore) owned by ntoskrnl.exe
Entry 0x0154: 0x816cdcae (NtCreateSection) owned by ntoskrnl.exe
Entry 0x0155: 0x8143be16 (NtCreateResourceManager) owned by ntoskrnl.exe
Entry 0x0156: 0x818a681d (NtCreateProfileEx) owned by ntoskrnl.exe
Entry 0x0157: 0x818a678f (NtCreateProfile) owned by ntoskrnl.exe
Entry 0x0158: 0x81877e50 (NtCreateProcessEx) owned by ntoskrnl.exe
Entry 0x0159: 0x81877e0a (NtCreateProcess) owned by ntoskrnl.exe
Entry 0x015a: 0x816f5aba (NtCreatePrivateNamespace) owned by ntoskrnl.exe
Entry 0x015b: 0x8177cdac (NtCreatePort) owned by ntoskrnl.exe
Entry 0x015c: 0x8177dd24 (NtCreatePagingFile) owned by ntoskrnl.exe
Entry 0x015d: 0x81701d7e (NtCreateNamedPipeFile) owned by ntoskrnl.exe
Entry 0x015e: 0x817315c4 (NtCreateMutant) owned by ntoskrnl.exe
Entry 0x015f: 0x8176f5ae (NtCreateMailslotFile) owned by ntoskrnl.exe
Entry 0x0160: 0x81714940 (NtCreateKeyTransacted) owned by ntoskrnl.exe
Entry 0x0161: 0x8179b71c (NtCreateKeyedEvent) owned by ntoskrnl.exe
Entry 0x0162: 0x81714a20 (NtCreateKey) owned by ntoskrnl.exe
Entry 0x0163: 0x81879b33 (NtCreateJobSet) owned by ntoskrnl.exe
Entry 0x0164: 0x817484ba (NtCreateJobObject) owned by ntoskrnl.exe
Entry 0x0165: 0x817a379a (NtCreateIRTimer) owned by ntoskrnl.exe
Entry 0x0166: 0x81739f86 (NtCreateTimer2) owned by ntoskrnl.exe
Entry 0x0167: 0x8173bf50 (NtCreateIoCompletion) owned by ntoskrnl.exe
Entry 0x0168: 0x817020de (NtCreateFile) owned by ntoskrnl.exe
Entry 0x0169: 0x818a5b8e (NtCreateEventPair) owned by ntoskrnl.exe
Entry 0x016a: 0x816cec40 (NtCreateEvent) owned by ntoskrnl.exe
Entry 0x016b: 0x8143be10 (NtCreateEnlistment) owned by ntoskrnl.exe
Entry 0x016c: 0x81744e9e (NtCreateDirectoryObjectEx) owned by ntoskrnl.exe
Entry 0x016d: 0x81744ec0 (NtCreateDirectoryObject) owned by ntoskrnl.exe
Entry 0x016e: 0x8183e337 (NtCreateDebugObject) owned by ntoskrnl.exe
Entry 0x016f: 0x81533b74 (NtContinue) owned by ntoskrnl.exe
Entry 0x0170: 0x816dcafc (NtConnectPort) owned by ntoskrnl.exe
Entry 0x0171: 0x8182d9b3 (NtCompressKey) owned by ntoskrnl.exe
Entry 0x0172: 0x81759896 (NtCompleteConnectPort) owned by ntoskrnl.exe
Entry 0x0173: 0x816f39d2 (NtCompareTokens) owned by ntoskrnl.exe
Entry 0x0174: 0x8182d778 (NtCompactKeys) owned by ntoskrnl.exe
Entry 0x0175: 0x8143be0a (NtCommitTransaction) owned by ntoskrnl.exe
Entry 0x0176: 0x8143be04 (NtCommitEnlistment) owned by ntoskrnl.exe
Entry 0x0177: 0x8143bdfe (NtCommitComplete) owned by ntoskrnl.exe
Entry 0x0178: 0x8173c020 (NtCloseObjectAuditAlarm) owned by ntoskrnl.exe
Entry 0x0179: 0x816b668a (NtClose) owned by ntoskrnl.exe
Entry 0x017a: 0x8172c91a (NtClearEvent) owned by ntoskrnl.exe
Entry 0x017b: 0x8143e098 (NtCancelWaitCompletionPacket) owned by ntoskrnl.exe
Entry 0x017c: 0x814c4e42 (NtCancelTimer) owned by ntoskrnl.exe
Entry 0x017d: 0x8175f6ac (NtCancelSynchronousIoFile) owned by ntoskrnl.exe
Entry 0x017e: 0x8170b856 (NtCancelIoFileEx) owned by ntoskrnl.exe
Entry 0x017f: 0x8170b068 (NtCancelIoFile) owned by ntoskrnl.exe
Entry 0x0180: 0x8151f4a4 (NtCallbackReturn) owned by ntoskrnl.exe
Entry 0x0181: 0x8147124a (NtAssociateWaitCompletionPacket) owned by ntoskrnl.exe
Entry 0x0182: 0x8166f130 (NtAssignProcessToJobObject) owned by ntoskrnl.exe
Entry 0x0183: 0x81752ba6 (NtAreMappedFilesTheSame) owned by ntoskrnl.exe
Entry 0x0184: 0x81695e6c (NtApphelpCacheControl) owned by ntoskrnl.exe
Entry 0x0185: 0x8173c0ea (NtAlpcSetInformation) owned by ntoskrnl.exe
Entry 0x0186: 0x816a6590 (NtAlpcSendWaitReceivePort) owned by ntoskrnl.exe
Entry 0x0187: 0x81863cd8 (NtAlpcRevokeSecurityContext) owned by ntoskrnl.exe
Entry 0x0188: 0x8173f452 (NtAlpcQueryInformationMessage) owned by ntoskrnl.exe
Entry 0x0189: 0x8173ba60 (NtAlpcQueryInformation) owned by ntoskrnl.exe
Entry 0x018a: 0x817406c8 (NtAlpcOpenSenderThread) owned by ntoskrnl.exe
Entry 0x018b: 0x8173e26a (NtAlpcOpenSenderProcess) owned by ntoskrnl.exe
Entry 0x018c: 0x816aac42 (NtAlpcImpersonateClientOfPort) owned by ntoskrnl.exe
Entry 0x018d: 0x816ddf7e (NtAlpcDisconnectPort) owned by ntoskrnl.exe
Entry 0x018e: 0x816dea64 (NtAlpcDeleteSecurityContext) owned by ntoskrnl.exe
Entry 0x018f: 0x816de01e (NtAlpcDeleteSectionView) owned by ntoskrnl.exe
Entry 0x0190: 0x8186434a (NtAlpcDeleteResourceReserve) owned by ntoskrnl.exe
Entry 0x0191: 0x816e04e6 (NtAlpcDeletePortSection) owned by ntoskrnl.exe
Entry 0x0192: 0x816d9ca2 (NtAlpcCreateSecurityContext) owned by ntoskrnl.exe
Entry 0x0193: 0x816dddbc (NtAlpcCreateSectionView) owned by ntoskrnl.exe
Entry 0x0194: 0x81744a9c (NtAlpcCreateResourceReserve) owned by ntoskrnl.exe
Entry 0x0195: 0x816e019c (NtAlpcCreatePortSection) owned by ntoskrnl.exe
Entry 0x0196: 0x81742670 (NtAlpcCreatePort) owned by ntoskrnl.exe
Entry 0x0197: 0x816dda04 (NtAlpcConnectPort) owned by ntoskrnl.exe
Entry 0x0198: 0x816e05fe (NtAlpcConnectPortEx) owned by ntoskrnl.exe
Entry 0x0199: 0x81757498 (NtAlpcCancelMessage) owned by ntoskrnl.exe
Entry 0x019a: 0x816db1d6 (NtAlpcAcceptConnectPort) owned by ntoskrnl.exe
Entry 0x019b: 0x816b469e (NtAllocateVirtualMemory) owned by ntoskrnl.exe
Entry 0x019c: 0x8173277a (NtAllocateUuids) owned by ntoskrnl.exe
Entry 0x019d: 0x81868f04 (NtAllocateUserPhysicalPages) owned by ntoskrnl.exe
Entry 0x019e: 0x81878329 (NtAllocateReserveObject) owned by ntoskrnl.exe
Entry 0x019f: 0x8172cba6 (NtAllocateLocallyUniqueId) owned by ntoskrnl.exe
Entry 0x01a0: 0x81679d0a (NtAlertThreadByThreadId) owned by ntoskrnl.exe
Entry 0x01a1: 0x8171332c (NtAlertThread) owned by ntoskrnl.exe
Entry 0x01a2: 0x818798a3 (NtAlertResumeThread) owned by ntoskrnl.exe
Entry 0x01a3: 0x816f7b1c (NtAdjustPrivilegesToken) owned by ntoskrnl.exe
Entry 0x01a4: 0x816f6976 (NtAdjustGroupsToken) owned by ntoskrnl.exe
Entry 0x01a5: 0x81883273 (NtAdjustTokenClaimsAndDeviceGroups) owned by ntoskrnl.exe
Entry 0x01a6: 0x818a19b4 (NtAddDriverEntry) owned by ntoskrnl.exe
Entry 0x01a7: 0x818a1988 (NtAddBootEntry) owned by ntoskrnl.exe
Entry 0x01a8: 0x818a4c97 (NtAddAtom) owned by ntoskrnl.exe
Entry 0x01a9: 0x81675290 (NtAddAtomEx) owned by ntoskrnl.exe
Entry 0x01aa: 0x81886e0c (NtAccessCheckByTypeResultListAndAuditAlarmByHandle) owned by ntoskrnl.exe
Entry 0x01ab: 0x81886dc8 (NtAccessCheckByTypeResultListAndAuditAlarm) owned by ntoskrnl.exe
Entry 0x01ac: 0x815ca524 (NtAccessCheckByTypeResultList) owned by ntoskrnl.exe
Entry 0x01ad: 0x816d855e (NtAccessCheckByTypeAndAuditAlarm) owned by ntoskrnl.exe
Entry 0x01ae: 0x814ea9f2 (NtAccessCheckByType) owned by ntoskrnl.exe
Entry 0x01af: 0x81742aba (NtAccessCheckAndAuditAlarm) owned by ntoskrnl.exe
Entry 0x01b0: 0x814b8072 (NtAccessCheck) owned by ntoskrnl.exe
SSDT[1] at 8db25000 with 1036 entries
Entry 0x1000: 0x8da557cc (NtUserYieldTask) owned by win32k.sys
Entry 0x1001: 0x8d85b5bc (NtUserSetSensorPresence) owned by win32k.sys
Entry 0x1002: 0x8dac79f2 (NtGdiWidenPath) owned by win32k.sys
Entry 0x1003: 0x8dac8693 (NtGdiUpdateColors) owned by win32k.sys
Entry 0x1004: 0x8dac9f61 (NtGdiUnrealizeObject) owned by win32k.sys
Entry 0x1005: 0x8dac9f56 (NtGdiUnmapMemFont) owned by win32k.sys
Entry 0x1006: 0x8d9d8eb2 (NtGdiUnloadPrinterDriver) owned by win32k.sys
Entry 0x1007: 0x8d83ed86 (NtGdiTransparentBlt) owned by win32k.sys
Entry 0x1008: 0x8d8d4cb3 (NtGdiTransformPoints) owned by win32k.sys
Entry 0x1009: 0x8daca429 (NtGdiSwapBuffers) owned by win32k.sys
Entry 0x100a: 0x8dac7910 (NtGdiStrokePath) owned by win32k.sys
Entry 0x100b: 0x8dac780e (NtGdiStrokeAndFillPath) owned by win32k.sys
Entry 0x100c: 0x8d8fc2ca (NtGdiStretchDIBitsInternal) owned by win32k.sys
Entry 0x100d: 0x8d851e76 (NtGdiStretchBlt) owned by win32k.sys
Entry 0x100e: 0x8daaa0a3 (NtGdiStartPage) owned by win32k.sys
Entry 0x100f: 0x8daa9d0f (NtGdiStartDoc) owned by win32k.sys
Entry 0x1010: 0x8d9ce8e5 (NtGdiSetSizeDevice) owned by win32k.sys
Entry 0x1011: 0x8d9ce52d (NtGdiSetVirtualResolution) owned by win32k.sys
Entry 0x1012: 0x8dacac1f (NtGdiSetTextJustification) owned by win32k.sys
Entry 0x1013: 0x8dac9f3d (NtGdiSetSystemPaletteUse) owned by win32k.sys
Entry 0x1014: 0x8dac9f2d (NtGdiSetRectRgn) owned by win32k.sys
Entry 0x1015: 0x8daca268 (NtGdiSetPixelFormat) owned by win32k.sys
Entry 0x1016: 0x8d84e728 (NtGdiSetPixel) owned by win32k.sys
Entry 0x1017: 0x8d854c8e (NtGdiSetOPMSigningKeyAndSequenceNumbers) owned by win32k.sys
Entry 0x1018: 0x8d87307d (NtGdiSetLayout) owned by win32k.sys
Entry 0x1019: 0x8dac99f6 (NtGdiMirrorWindowOrg) owned by win32k.sys
Entry 0x101a: 0x8dac90be (NtGdiGetDeviceWidth) owned by win32k.sys
Entry 0x101b: 0x8d9ce5b4 (NtGdiSetMiterLimit) owned by win32k.sys
Entry 0x101c: 0x8d8a7fc0 (NtGdiSetMetaRgn) owned by win32k.sys
Entry 0x101d: 0x8dac8677 (NtGdiSetMagicColors) owned by win32k.sys
Entry 0x101e: 0x8daa9c0c (NtGdiSetLinkedUFIs) owned by win32k.sys
Entry 0x101f: 0x8d9c492b (NtGdiSetIcmMode) owned by win32k.sys
Entry 0x1020: 0x8d9cd47a (NtGdiSetFontXform) owned by win32k.sys
Entry 0x1021: 0x8dacbd4b (NtGdiSetFontEnumeration) owned by win32k.sys
Entry 0x1022: 0x8d8f13c9 (NtGdiSetDIBitsToDeviceInternal) owned by win32k.sys
Entry 0x1023: 0x8dacbcc6 (NtGdiSetDeviceGammaRamp) owned by win32k.sys
Entry 0x1024: 0x8d9d1e6d (NtGdiSetColorSpace) owned by win32k.sys
Entry 0x1025: 0x8dac9e30 (NtGdiSetColorAdjustment) owned by win32k.sys
Entry 0x1026: 0x8d83e63b (NtGdiSetBrushOrg) owned by win32k.sys
Entry 0x1027: 0x8dac9e10 (NtGdiSetBrushAttributes) owned by win32k.sys
Entry 0x1028: 0x8d8d607f (NtGdiSetBoundsRect) owned by win32k.sys
Entry 0x1029: 0x8dac9da2 (NtGdiSetBitmapDimension) owned by win32k.sys
Entry 0x102a: 0x8d857565 (NtGdiSetBitmapBits) owned by win32k.sys
Entry 0x102b: 0x8d99fe7b (NtGdiSetBitmapAttributes) owned by win32k.sys
Entry 0x102c: 0x8dac9d89 (NtGdiSelectPen) owned by win32k.sys
Entry 0x102d: 0x8d8c8821 (NtGdiSelectFont) owned by win32k.sys
Entry 0x102e: 0x8d9bd0b2 (NtGdiSelectClipPath) owned by win32k.sys
Entry 0x102f: 0x8dac9d70 (NtGdiSelectBrush) owned by win32k.sys
Entry 0x1030: 0x8d960aea (NtGdiSelectBitmap) owned by win32k.sys
Entry 0x1031: 0x8dac9d04 (NtGdiScaleWindowExtEx) owned by win32k.sys
Entry 0x1032: 0x8dac01d9 (NtGdiScaleViewportExtEx) owned by win32k.sys
Entry 0x1033: 0x8d8f0377 (NtGdiSaveDC) owned by win32k.sys
Entry 0x1034: 0x8d9bc6c9 (NtGdiRoundRect) owned by win32k.sys
Entry 0x1035: 0x8d8f0454 (NtGdiRestoreDC) owned by win32k.sys
Entry 0x1036: 0x8dac846e (NtGdiResizePalette) owned by win32k.sys
Entry 0x1037: 0x8d9c4d5b (NtGdiResetDC) owned by win32k.sys
Entry 0x1038: 0x8dac9b9b (NtGdiRemoveFontMemResourceEx) owned by win32k.sys
Entry 0x1039: 0x8dac9bb9 (NtGdiRemoveFontResourceW) owned by win32k.sys
Entry 0x103a: 0x8d936ca5 (NtGdiRectVisible) owned by win32k.sys
Entry 0x103b: 0x8d9ce9c3 (NtGdiRectInRegion) owned by win32k.sys
Entry 0x103c: 0x8d84053c (NtGdiRectangle) owned by win32k.sys
Entry 0x103d: 0x8d967bb1 (NtGdiQueryFontAssocInfo) owned by win32k.sys
Entry 0x103e: 0x8d9d331f (NtGdiQueryFonts) owned by win32k.sys
Entry 0x103f: 0x8dab53da (NtGdiPtVisible) owned by win32k.sys
Entry 0x1040: 0x8d85e05e (NtGdiPtInRegion) owned by win32k.sys
Entry 0x1041: 0x8d983de0 (NtGdiPolyTextOutW) owned by win32k.sys
Entry 0x1042: 0x8d8412e8 (NtGdiPolyPolyDraw) owned by win32k.sys
Entry 0x1043: 0x8dac9a9d (NtGdiPolyDraw) owned by win32k.sys
Entry 0x1044: 0x8d9befc6 (NtGdiPlgBlt) owned by win32k.sys
Entry 0x1045: 0x8dac771a (NtGdiPathToRegion) owned by win32k.sys
Entry 0x1046: 0x8d95600f (NtGdiPolyPatBlt) owned by win32k.sys
Entry 0x1047: 0x8d8c3727 (NtGdiPatBlt) owned by win32k.sys
Entry 0x1048: 0x8d8deb43 (NtGdiOpenDCW) owned by win32k.sys
Entry 0x1049: 0x8d8d4161 (NtGdiOffsetRgn) owned by win32k.sys
Entry 0x104a: 0x8dab5245 (NtGdiOffsetClipRgn) owned by win32k.sys
Entry 0x104b: 0x8dac9a37 (NtGdiMoveTo) owned by win32k.sys
Entry 0x104c: 0x8daccfa9 (NtGdiMonoBitmap) owned by win32k.sys
Entry 0x104d: 0x8d8cb7be (NtGdiModifyWorldTransform) owned by win32k.sys
Entry 0x104e: 0x8d8c8895 (NtGdiMaskBlt) owned by win32k.sys
Entry 0x104f: 0x8d9c6999 (NtGdiMakeInfoDC) owned by win32k.sys
Entry 0x1050: 0x8dac98d6 (NtGdiMakeFontDir) owned by win32k.sys
Entry 0x1051: 0x8d8d8108 (NtGdiLineTo) owned by win32k.sys
Entry 0x1052: 0x8d9bcad4 (NtGdiInvertRgn) owned by win32k.sys
Entry 0x1053: 0x8d8fab46 (NtGdiIntersectClipRect) owned by win32k.sys
Entry 0x1054: 0x8dab74b0 (NtGdiInitSpool) owned by win32k.sys
Entry 0x1055: 0x8d967245 (NtGdiInit) owned by win32k.sys
Entry 0x1056: 0x8dacbaaf (NtGdiIcmBrushInfo) owned by win32k.sys
Entry 0x1057: 0x8d915268 (NtGdiHfontCreate) owned by win32k.sys
Entry 0x1058: 0x8d8b24a5 (NtGdiGradientFill) owned by win32k.sys
Entry 0x1059: 0x8d935806 (NtGdiGetWidthTable) owned by win32k.sys
Entry 0x105a: 0x8d85bad2 (NtGdiGetFontUnicodeRanges) owned by win32k.sys
Entry 0x105b: 0x8daa96ff (NtGdiAddEmbFontToDC) owned by win32k.sys
Entry 0x105c: 0x8dac88db (NtGdiChangeGhostFont) owned by win32k.sys
Entry 0x105d: 0x8dac91c6 (NtGdiGetEmbedFonts) owned by win32k.sys
Entry 0x105e: 0x8dac95f1 (NtGdiGetUFIPathname) owned by win32k.sys
Entry 0x105f: 0x8dac90d4 (NtGdiGetEmbUFI) owned by win32k.sys
Entry 0x1060: 0x8d9c3126 (NtGdiGetUFI) owned by win32k.sys
Entry 0x1061: 0x8d8cba39 (NtGdiGetTransform) owned by win32k.sys
Entry 0x1062: 0x8d9180cb (NtGdiGetTextMetricsW) owned by win32k.sys
Entry 0x1063: 0x8d918175 (NtGdiGetTextFaceW) owned by win32k.sys
Entry 0x1064: 0x8d8a469c (NtGdiGetTextExtentExW) owned by win32k.sys
Entry 0x1065: 0x8dac94bd (NtGdiGetTextExtent) owned by win32k.sys
Entry 0x1066: 0x8d8b121a (NtGdiGetTextCharsetInfo) owned by win32k.sys
Entry 0x1067: 0x8d9d5260 (NtGdiGetSystemPaletteUse) owned by win32k.sys
Entry 0x1068: 0x8d8543d6 (NtGdiGetSuggestedOPMProtectedOutputArraySize) owned by win32k.sys
Entry 0x1069: 0x8dace1ad (NtGdiGetStringBitmapW) owned by win32k.sys
Entry 0x106a: 0x8d968f30 (NtGdiGetStockObject) owned by win32k.sys
Entry 0x106b: 0x8dace578 (NtGdiGetStats) owned by win32k.sys
Entry 0x106c: 0x8d9d8e9f (NtGdiGetSpoolMessage) owned by win32k.sys
Entry 0x106d: 0x8dace694 (NtGdiGetServerMetaFileBits) owned by win32k.sys
Entry 0x106e: 0x8d8d4351 (NtGdiGetRgnBox) owned by win32k.sys
Entry 0x106f: 0x8d934b44 (NtGdiGetRegionData) owned by win32k.sys
Entry 0x1070: 0x8d917a9e (NtGdiGetRealizationInfo) owned by win32k.sys
Entry 0x1071: 0x8dac9439 (NtGdiGetRasterizerCaps) owned by win32k.sys
Entry 0x1072: 0x8d8faf2d (NtGdiGetRandomRgn) owned by win32k.sys
Entry 0x1073: 0x8d84e2e0 (NtGdiGetPixel) owned by win32k.sys
Entry 0x1074: 0x8dac7561 (NtGdiGetPath) owned by win32k.sys
Entry 0x1075: 0x8d8ce9e7 (NtGdiGetOutlineTextMetricsInternalW) owned by win32k.sys
Entry 0x1076: 0x8d854b48 (NtGdiGetOPMRandomNumber) owned by win32k.sys
Entry 0x1077: 0x8dac93c6 (NtGdiGetObjectBitmapHandle) owned by win32k.sys
Entry 0x1078: 0x8d9d0f75 (NtGdiGetNearestPaletteIndex) owned by win32k.sys
Entry 0x1079: 0x8d938635 (NtGdiGetNearestColor) owned by win32k.sys
Entry 0x107a: 0x8dabb647 (NtGdiGetMonitorID) owned by win32k.sys
Entry 0x107b: 0x8d9d2e7b (NtGdiGetMiterLimit) owned by win32k.sys
Entry 0x107c: 0x8d9bdb1d (NtGdiGetLinkedUFIs) owned by win32k.sys
Entry 0x107d: 0x8d9c6ae8 (NtGdiGetKerningPairs) owned by win32k.sys
Entry 0x107e: 0x8d85405d (NtGdiGetOPMInformation) owned by win32k.sys
Entry 0x107f: 0x8d845961 (NtGdiGetGlyphOutline) owned by win32k.sys
Entry 0x1080: 0x8d918ac5 (NtGdiGetGlyphIndicesWInternal) owned by win32k.sys
Entry 0x1081: 0x8d918c14 (NtGdiGetGlyphIndicesW) owned by win32k.sys
Entry 0x1082: 0x8dac91f4 (NtGdiGetFontResourceInfoInternalW) owned by win32k.sys
Entry 0x1083: 0x8d85bc72 (NtGdiGetFontFileInfo) owned by win32k.sys
Entry 0x1084: 0x8dacedda (NtGdiGetFontFileData) owned by win32k.sys
Entry 0x1085: 0x8d8ce7d3 (NtGdiGetFontData) owned by win32k.sys
Entry 0x1086: 0x8dace0a6 (NtGdiGetEudcTimeStampEx) owned by win32k.sys
Entry 0x1087: 0x8d9d0fe1 (NtGdiGetETM) owned by win32k.sys
Entry 0x1088: 0x8d91973e (NtGdiGetDIBitsInternal) owned by win32k.sys
Entry 0x1089: 0x8d9ce93d (NtGdiGetDeviceCapsAll) owned by win32k.sys
Entry 0x108a: 0x8d9d0020 (NtGdiGetDeviceGammaRamp) owned by win32k.sys
Entry 0x108b: 0x8d96fb86 (NtGdiGetDeviceCaps) owned by win32k.sys
Entry 0x108c: 0x8d84b24f (NtGdiGetDCPoint) owned by win32k.sys
Entry 0x108d: 0x8d8f0f9e (NtGdiGetDCObject) owned by win32k.sys
Entry 0x108e: 0x8d8f03e9 (NtGdiGetDCforBitmap) owned by win32k.sys
Entry 0x108f: 0x8d8faca2 (NtGdiGetDCDword) owned by win32k.sys
Entry 0x1090: 0x8d9b3f36 (NtGdiGetCurrentDpiInfo) owned by win32k.sys
Entry 0x1091: 0x8dacafc3 (NtGdiGetCOPPCompatibleOPMInformation) owned by win32k.sys
Entry 0x1092: 0x8dacd02e (NtGdiGetColorSpaceforBitmap) owned by win32k.sys
Entry 0x1093: 0x8dac9069 (NtGdiGetColorAdjustment) owned by win32k.sys
Entry 0x1094: 0x8d852d77 (NtGdiGetCharWidthInfo) owned by win32k.sys
Entry 0x1095: 0x8d81b4ea (NtGdiGetCharWidthW) owned by win32k.sys
Entry 0x1096: 0x8d8d4fb9 (NtGdiGetCharSet) owned by win32k.sys
Entry 0x1097: 0x8dac8be1 (NtGdiGetCharacterPlacementW) owned by win32k.sys
Entry 0x1098: 0x8d8cef72 (NtGdiGetCharABCWidthsW) owned by win32k.sys
Entry 0x1099: 0x8d854ac2 (NtGdiGetCertificateSize) owned by win32k.sys
Entry 0x109a: 0x8d8541b4 (NtGdiGetCertificate) owned by win32k.sys
Entry 0x109b: 0x8d8d60c5 (NtGdiGetBoundsRect) owned by win32k.sys
Entry 0x109c: 0x8dac8b82 (NtGdiGetBitmapDimension) owned by win32k.sys
Entry 0x109d: 0x8d89ec81 (NtGdiGetBitmapBits) owned by win32k.sys
Entry 0x109e: 0x8d8c6d34 (NtGdiGetAppClipBox) owned by win32k.sys
Entry 0x109f: 0x8d9ca7fe (NtGdiGetAndSetDCDword) owned by win32k.sys
Entry 0x10a0: 0x8dabb63a (NtGdiFullscreenControl) owned by win32k.sys
Entry 0x10a1: 0x8d820532 (NtGdiFrameRgn) owned by win32k.sys
Entry 0x10a2: 0x8dac8b27 (NtGdiForceUFIMapping) owned by win32k.sys
Entry 0x10a3: 0x8d94c803 (NtGdiFlush) owned by win32k.sys
Entry 0x10a4: 0x8dac74d6 (NtGdiFlattenPath) owned by win32k.sys
Entry 0x10a5: 0x8d82b0f8 (NtGdiFillRgn) owned by win32k.sys
Entry 0x10a6: 0x8d9bcf60 (NtGdiFillPath) owned by win32k.sys
Entry 0x10a7: 0x8d9351e9 (NtGdiExtTextOutW) owned by win32k.sys
Entry 0x10a8: 0x8d915d39 (NtGdiExtSelectClipRgn) owned by win32k.sys
Entry 0x10a9: 0x8d8f1e4d (NtGdiExtGetObjectW) owned by win32k.sys
Entry 0x10aa: 0x8d9bdf48 (NtGdiExtFloodFill) owned by win32k.sys
Entry 0x10ab: 0x8d9c5740 (NtGdiExtEscape) owned by win32k.sys
Entry 0x10ac: 0x8d933e7b (NtGdiExtCreateRegion) owned by win32k.sys
Entry 0x10ad: 0x8d9d0a10 (NtGdiExtCreatePen) owned by win32k.sys
Entry 0x10ae: 0x8d937141 (NtGdiExcludeClipRect) owned by win32k.sys
Entry 0x10af: 0x8dacdf48 (NtGdiEudcLoadUnloadLink) owned by win32k.sys
Entry 0x10b0: 0x8d84b90a (NtGdiEqualRgn) owned by win32k.sys
Entry 0x10b1: 0x8dacfd3b (NtGdiEnumObjects) owned by win32k.sys
Entry 0x10b2: 0x8d937424 (NtGdiEnumFonts) owned by win32k.sys
Entry 0x10b3: 0x8d9d0132 (NtGdiEndPath) owned by win32k.sys
Entry 0x10b4: 0x8daa997f (NtGdiEndPage) owned by win32k.sys
Entry 0x10b5: 0x8d8a7f67 (NtGdiEndGdiRendering) owned by win32k.sys
Entry 0x10b6: 0x8daa9967 (NtGdiEndDoc) owned by win32k.sys
Entry 0x10b7: 0x8d9af012 (NtGdiEnableEudc) owned by win32k.sys
Entry 0x10b8: 0x8dacca90 (NtGdiEllipse) owned by win32k.sys
Entry 0x10b9: 0x8dac8a25 (NtGdiDrawEscape) owned by win32k.sys
Entry 0x10ba: 0x8d9016f4 (NtGdiDoPalette) owned by win32k.sys
Entry 0x10bb: 0x8daa98c5 (NtGdiDoBanding) owned by win32k.sys
Entry 0x10bc: 0x8daa9aae (NtGdiGetPerBandInfo) owned by win32k.sys
Entry 0x10bd: 0x8d858018 (NtGdiDestroyOPMProtectedOutput) owned by win32k.sys
Entry 0x10be: 0x8dac8999 (NtGdiDescribePixelFormat) owned by win32k.sys
Entry 0x10bf: 0x8d958022 (NtGdiDeleteObjectApp) owned by win32k.sys
Entry 0x10c0: 0x8dacba96 (NtGdiDeleteColorTransform) owned by win32k.sys
Entry 0x10c1: 0x8dacba80 (NtGdiDeleteColorSpace) owned by win32k.sys
Entry 0x10c2: 0x8d9ceab4 (NtGdiDeleteClientObj) owned by win32k.sys
Entry 0x10c3: 0x8daa5035 (NtGdiDxgGenericThunk) owned by win32k.sys
Entry 0x10c4: 0x8daa501c (NtGdiDvpReleaseNotification) owned by win32k.sys
Entry 0x10c5: 0x8daa4cf5 (NtGdiDvpAcquireNotification) owned by win32k.sys
Entry 0x10c6: 0x8daa501c (NtGdiDvpWaitForVideoPortSync) owned by win32k.sys
Entry 0x10c7: 0x8daa4cc3 (NtGdiDvpUpdateVideoPort) owned by win32k.sys
Entry 0x10c8: 0x8daa501c (NtGdiDvpGetVideoSignalStatus) owned by win32k.sys
Entry 0x10c9: 0x8daa501c (NtGdiDvpGetVideoPortConnectInfo) owned by win32k.sys
Entry 0x10ca: 0x8daa501c (NtGdiDvpGetVideoPortOutputFormats) owned by win32k.sys
Entry 0x10cb: 0x8daa501c (NtGdiDvpGetVideoPortLine) owned by win32k.sys
Entry 0x10cc: 0x8daa501c (NtGdiDvpGetVideoPortInputFormats) owned by win32k.sys
Entry 0x10cd: 0x8daa501c (NtGdiDvpGetVideoPortFlipStatus) owned by win32k.sys
Entry 0x10ce: 0x8daa501c (NtGdiDvpGetVideoPortField) owned by win32k.sys
Entry 0x10cf: 0x8daa501c (NtGdiDvpGetVideoPortBandwidth) owned by win32k.sys
Entry 0x10d0: 0x8daa4cc3 (NtGdiDvpFlipVideoPort) owned by win32k.sys
Entry 0x10d1: 0x8daa501c (NtGdiDvpDestroyVideoPort) owned by win32k.sys
Entry 0x10d2: 0x8daa501c (NtGdiDvpCreateVideoPort) owned by win32k.sys
Entry 0x10d3: 0x8daa501c (NtGdiDvpColorControl) owned by win32k.sys
Entry 0x10d4: 0x8daa501c (NtGdiDvpCanCreateVideoPort) owned by win32k.sys
Entry 0x10d5: 0x8daa501c (NtGdiDdWaitForVerticalBlank) owned by win32k.sys
Entry 0x10d6: 0x8daa4cf5 (NtGdiDdUpdateOverlay) owned by win32k.sys
Entry 0x10d7: 0x8daa501c (NtGdiDdUnlockD3D) owned by win32k.sys
Entry 0x10d8: 0x8daa501c (NtGdiDdUnlock) owned by win32k.sys
Entry 0x10d9: 0x8daa5000 (NtGdiDdUnattachSurface) owned by win32k.sys
Entry 0x10da: 0x8daa4cf5 (NtGdiDdSetOverlayPosition) owned by win32k.sys
Entry 0x10db: 0x8daa4cf5 (NtGdiDdCreateSurfaceEx) owned by win32k.sys
Entry 0x10dc: 0x8daa4cf5 (NtGdiDdSetGammaRamp) owned by win32k.sys
Entry 0x10dd: 0x8daa501c (NtGdiDdSetExclusiveMode) owned by win32k.sys
Entry 0x10de: 0x8daa501c (NtGdiDdSetColorKey) owned by win32k.sys
Entry 0x10df: 0x8daa501c (NtGdiDdResetVisrgn) owned by win32k.sys
Entry 0x10e0: 0x8daa501c (NtGdiDdRenderMoComp) owned by win32k.sys
Entry 0x10e1: 0x8daa4faa (NtGdiDdReleaseDC) owned by win32k.sys
Entry 0x10e2: 0x8daa501c (NtGdiDdReenableDirectDrawObject) owned by win32k.sys
Entry 0x10e3: 0x8daa501c (NtGdiDdQueryMoCompStatus) owned by win32k.sys
Entry 0x10e4: 0x8daa4fdc (NtGdiDdQueryDirectDrawObject) owned by win32k.sys
Entry 0x10e5: 0x8daa501c (NtGdiDdLockD3D) owned by win32k.sys
Entry 0x10e6: 0x8daa4cf5 (NtGdiDdLock) owned by win32k.sys
Entry 0x10e7: 0x8daa501c (NtGdiDdGetScanLine) owned by win32k.sys
Entry 0x10e8: 0x8daa501c (NtGdiDdGetMoCompFormats) owned by win32k.sys
Entry 0x10e9: 0x8daa501c (NtGdiDdGetMoCompGuids) owned by win32k.sys
Entry 0x10ea: 0x8daa501c (NtGdiDdGetMoCompBuffInfo) owned by win32k.sys
Entry 0x10eb: 0x8daa501c (NtGdiDdGetInternalMoCompInfo) owned by win32k.sys
Entry 0x10ec: 0x8daa501c (NtGdiDdGetFlipStatus) owned by win32k.sys
Entry 0x10ed: 0x8daa4cf5 (NtGdiDdGetDxHandle) owned by win32k.sys
Entry 0x10ee: 0x8daa501c (NtGdiDdGetDriverInfo) owned by win32k.sys
Entry 0x10ef: 0x8daa501c (NtGdiDdGetDC) owned by win32k.sys
Entry 0x10f0: 0x8daa501c (NtGdiDdGetBltStatus) owned by win32k.sys
Entry 0x10f1: 0x8daa501c (NtGdiDdGetAvailDriverMemory) owned by win32k.sys
Entry 0x10f2: 0x8daa501c (NtGdiDdFlipToGDISurface) owned by win32k.sys
Entry 0x10f3: 0x8daa4f91 (NtGdiDdFlip) owned by win32k.sys
Entry 0x10f4: 0x8daa501c (NtGdiDdEndMoCompFrame) owned by win32k.sys
Entry 0x10f5: 0x8daa4faa (NtGdiDdDestroyD3DBuffer) owned by win32k.sys
Entry 0x10f6: 0x8daa501c (NtGdiDdDestroySurface) owned by win32k.sys
Entry 0x10f7: 0x8daa501c (NtGdiDdDestroyMoComp) owned by win32k.sys
Entry 0x10f8: 0x8daa4faa (NtGdiDdDeleteSurfaceObject) owned by win32k.sys
Entry 0x10f9: 0x8daa4faa (NtGdiDdDeleteDirectDrawObject) owned by win32k.sys
Entry 0x10fa: 0x8daa5035 (NtGdiDdCreateSurfaceObject) owned by win32k.sys
Entry 0x10fb: 0x8daa501c (NtGdiDdCreateMoComp) owned by win32k.sys
Entry 0x10fc: 0x8daa4d2d (NtGdiDdCreateD3DBuffer) owned by win32k.sys
Entry 0x10fd: 0x8daa4d2d (NtGdiDdCreateSurface) owned by win32k.sys
Entry 0x10fe: 0x8daa4faa (NtGdiDdCreateDirectDrawObject) owned by win32k.sys
Entry 0x10ff: 0x8daa501c (NtGdiDdColorControl) owned by win32k.sys
Entry 0x1100: 0x8daa501c (NtGdiDdCanCreateD3DBuffer) owned by win32k.sys
Entry 0x1101: 0x8daa501c (NtGdiDdCanCreateSurface) owned by win32k.sys
Entry 0x1102: 0x8daa4cf5 (NtGdiDdBlt) owned by win32k.sys
Entry 0x1103: 0x8daa501c (NtGdiDdBeginMoCompFrame) owned by win32k.sys
Entry 0x1104: 0x8daa501c (NtGdiDdAttachSurface) owned by win32k.sys
Entry 0x1105: 0x8daa4cf5 (NtGdiDdAlphaBlt) owned by win32k.sys
Entry 0x1106: 0x8daa4cf5 (NtGdiDdAddAttachedSurface) owned by win32k.sys
Entry 0x1107: 0x8daa4faa (NtGdiDdGetDriverState) owned by win32k.sys
Entry 0x1108: 0x8daa4cdc (NtGdiD3dDrawPrimitives2) owned by win32k.sys
Entry 0x1109: 0x8daa4faa (NtGdiD3dValidateTextureStageState) owned by win32k.sys
Entry 0x110a: 0x8daa4faa (NtGdiD3dContextDestroyAll) owned by win32k.sys
Entry 0x110b: 0x8daa4faa (NtGdiD3dContextDestroy) owned by win32k.sys
Entry 0x110c: 0x8daa4cc3 (NtGdiD3dContextCreate) owned by win32k.sys
Entry 0x110d: 0x8d966f45 (NtGdiCreateSolidBrush) owned by win32k.sys
Entry 0x110e: 0x8d9d4fbf (NtGdiCreateServerMetaFile) owned by win32k.sys
Entry 0x110f: 0x8d931c73 (NtGdiCreateRoundRectRgn) owned by win32k.sys
Entry 0x1110: 0x8d900b60 (NtGdiCreateRectRgn) owned by win32k.sys
Entry 0x1111: 0x8d83fc4d (NtGdiCreatePen) owned by win32k.sys
Entry 0x1112: 0x8d92b629 (NtGdiCreatePatternBrushInternal) owned by win32k.sys
Entry 0x1113: 0x8d8e76ce (NtGdiCreatePaletteInternal) owned by win32k.sys
Entry 0x1114: 0x8d8544a0 (NtGdiCreateOPMProtectedOutputs) owned by win32k.sys
Entry 0x1115: 0x8d9cfbc7 (NtGdiCreateMetafileDC) owned by win32k.sys
Entry 0x1116: 0x8daccf8d (NtGdiCreateHatchBrushInternal) owned by win32k.sys
Entry 0x1117: 0x8d84b9cf (NtGdiCreateHalftonePalette) owned by win32k.sys
Entry 0x1118: 0x8dab510a (NtGdiCreateEllipticRgn) owned by win32k.sys
Entry 0x1119: 0x8d99fc4b (NtGdiCreateSessionMappedDIBSection) owned by win32k.sys
Entry 0x111a: 0x8d8c346d (NtGdiCreateDIBSection) owned by win32k.sys
Entry 0x111b: 0x8d8f248e (NtGdiCreateDIBitmapInternal) owned by win32k.sys
Entry 0x111c: 0x8d9d310a (NtGdiCreateDIBBrush) owned by win32k.sys
Entry 0x111d: 0x8d961e85 (NtGdiCreateCompatibleDC) owned by win32k.sys
Entry 0x111e: 0x8d966d79 (NtGdiCreateCompatibleBitmap) owned by win32k.sys
Entry 0x111f: 0x8dacb832 (NtGdiCreateColorTransform) owned by win32k.sys
Entry 0x1120: 0x8dacb7b8 (NtGdiCreateColorSpace) owned by win32k.sys
Entry 0x1121: 0x8d9cdf56 (NtGdiCreateClientObj) owned by win32k.sys
Entry 0x1122: 0x8d81e8a8 (NtGdiCreateBitmapFromDxSurface2) owned by win32k.sys
Entry 0x1123: 0x8dac8973 (NtGdiCreateBitmapFromDxSurface) owned by win32k.sys
Entry 0x1124: 0x8d96619e (NtGdiCreateBitmap) owned by win32k.sys
Entry 0x1125: 0x8dac0075 (NtGdiConvertMetafileRect) owned by win32k.sys
Entry 0x1126: 0x8dacaec0 (NtGdiConfigureOPMProtectedOutput) owned by win32k.sys
Entry 0x1127: 0x8d84b203 (NtGdiComputeXformCoefficients) owned by win32k.sys
Entry 0x1128: 0x8d9c9fc4 (NtGdiCombineTransform) owned by win32k.sys
Entry 0x1129: 0x8d934c44 (NtGdiCombineRgn) owned by win32k.sys
Entry 0x112a: 0x8dacb669 (NtGdiColorCorrectPalette) owned by win32k.sys
Entry 0x112b: 0x8dac8953 (NtGdiClearBrushAttributes) owned by win32k.sys
Entry 0x112c: 0x8d998ab3 (NtGdiClearBitmapAttributes) owned by win32k.sys
Entry 0x112d: 0x8d9bd02b (NtGdiCloseFigure) owned by win32k.sys
Entry 0x112e: 0x8dacb4fb (NtGdiCheckBitmapBits) owned by win32k.sys
Entry 0x112f: 0x8dac88c5 (NtGdiCancelDC) owned by win32k.sys
Entry 0x1130: 0x8d95e943 (NtGdiBitBlt) owned by win32k.sys
Entry 0x1131: 0x8d9cf6c2 (NtGdiBeginPath) owned by win32k.sys
Entry 0x1132: 0x8d8a81eb (NtGdiBeginGdiRendering) owned by win32k.sys
Entry 0x1133: 0x8dad11c2 (NtGdiArcInternal) owned by win32k.sys
Entry 0x1134: 0x8d8ceddc (NtGdiFontIsLinked) owned by win32k.sys
Entry 0x1135: 0x8d8d0d49 (NtGdiAnyLinkedFonts) owned by win32k.sys
Entry 0x1136: 0x8dac887b (NtGdiAngleArc) owned by win32k.sys
Entry 0x1137: 0x8d8c3f48 (NtGdiAlphaBlend) owned by win32k.sys
Entry 0x1138: 0x8daa979b (NtGdiAddRemoteMMInstanceToDC) owned by win32k.sys
Entry 0x1139: 0x8daa9b6f (NtGdiRemoveMergeFont) owned by win32k.sys
Entry 0x113a: 0x8d9d0226 (NtGdiAddFontMemResourceEx) owned by win32k.sys
Entry 0x113b: 0x8dabc72b (NtGdiAddRemoteFontToDC) owned by win32k.sys
Entry 0x113c: 0x8d99d1c0 (NtGdiAddFontResourceW) owned by win32k.sys
Entry 0x113d: 0x8dac7456 (NtGdiAbortPath) owned by win32k.sys
Entry 0x113e: 0x8daa96e6 (NtGdiAbortDoc) owned by win32k.sys
Entry 0x113f: 0x8d84d91a (NtUserDefSetText) owned by win32k.sys
Entry 0x1140: 0x8d8b7c90 (NtUserDeferWindowPosAndBand) owned by win32k.sys
Entry 0x1141: 0x8d89e2f0 (NtUserDdeInitialize) owned by win32k.sys
Entry 0x1142: 0x8d871a9d (NtUserCanBrokerForceForeground) owned by win32k.sys
Entry 0x1143: 0x8d895ffb (NtUserCreateWindowStation) owned by win32k.sys
Entry 0x1144: 0x8d91c594 (NtUserCreateWindowEx) owned by win32k.sys
Entry 0x1145: 0x8d9d0184 (NtUserCreateLocalMemHandle) owned by win32k.sys
Entry 0x1146: 0x8d9d4961 (NtUserCreateInputContext) owned by win32k.sys
Entry 0x1147: 0x8d87c81b (NtUserCreateDesktopEx) owned by win32k.sys
Entry 0x1148: 0x8d84c0ae (NtUserCreateCaret) owned by win32k.sys
Entry 0x1149: 0x8d8a3598 (NtUserCreateAcceleratorTable) owned by win32k.sys
Entry 0x114a: 0x8d9c7d51 (NtUserCountClipboardFormats) owned by win32k.sys
Entry 0x114b: 0x8d8a68ed (NtUserCopyAcceleratorTable) owned by win32k.sys
Entry 0x114c: 0x8d9c873a (NtUserConvertMemHandle) owned by win32k.sys
Entry 0x114d: 0x8d983b17 (NtUserConsoleControl) owned by win32k.sys
Entry 0x114e: 0x8d879bd0 (NtUserCloseWindowStation) owned by win32k.sys
Entry 0x114f: 0x8d8e3528 (NtUserCloseDesktop) owned by win32k.sys
Entry 0x1150: 0x8d83e36a (NtUserCloseClipboard) owned by win32k.sys
Entry 0x1151: 0x8d9b7e49 (NtUserClipCursor) owned by win32k.sys
Entry 0x1152: 0x8d85ec47 (NtUserChildWindowFromPointEx) owned by win32k.sys
Entry 0x1153: 0x8d83a977 (NtUserCheckMenuItem) owned by win32k.sys
Entry 0x1154: 0x8da4f88a (NtUserCheckWindowThreadDesktop) owned by win32k.sys
Entry 0x1155: 0x8d8a0d05 (NtUserDwmValidateWindow) owned by win32k.sys
Entry 0x1156: 0x8da4f6b1 (NtUserCheckAccessForIntegrityLevel) owned by win32k.sys
Entry 0x1157: 0x8da4fbdf (NtUserDisplayConfigSetDeviceInfo) owned by win32k.sys
Entry 0x1158: 0x8d8ab1c7 (NtUserDisplayConfigGetDeviceInfo) owned by win32k.sys
Entry 0x1159: 0x8d8ab519 (NtUserQueryDisplayConfig) owned by win32k.sys
Entry 0x115a: 0x8da541a4 (NtUserSetDisplayConfig) owned by win32k.sys
Entry 0x115b: 0x8d8ab41c (NtUserGetDisplayConfigBufferSizes) owned by win32k.sys
Entry 0x115c: 0x8d8785ac (NtUserChangeDisplaySettings) owned by win32k.sys
Entry 0x115d: 0x8d83c4b5 (NtUserChangeClipboardChain) owned by win32k.sys
Entry 0x115e: 0x8d8f4158 (NtUserCallTwoParam) owned by win32k.sys
Entry 0x115f: 0x8d956535 (NtUserCallOneParam) owned by win32k.sys
Entry 0x1160: 0x8d966f62 (NtUserCallNoParam) owned by win32k.sys
Entry 0x1161: 0x8d983752 (NtUserCallNextHookEx) owned by win32k.sys
Entry 0x1162: 0x8d8de206 (NtUserCallMsgFilter) owned by win32k.sys
Entry 0x1163: 0x8d8e5c44 (NtUserCallHwndParamLock) owned by win32k.sys
Entry 0x1164: 0x8d8d4f16 (NtUserCallHwndParam) owned by win32k.sys
Entry 0x1165: 0x8d8a0529 (NtUserCallHwndOpt) owned by win32k.sys
Entry 0x1166: 0x8d90098b (NtUserCallHwndLock) owned by win32k.sys
Entry 0x1167: 0x8d8e5f06 (NtUserCallHwnd) owned by win32k.sys
Entry 0x1168: 0x8d85be80 (NtUserBuildPropList) owned by win32k.sys
Entry 0x1169: 0x8d89dc68 (NtUserBuildNameList) owned by win32k.sys
Entry 0x116a: 0x8d92b7e8 (NtUserBuildHwndList) owned by win32k.sys
Entry 0x116b: 0x8d8b67a9 (NtUserBuildHimcList) owned by win32k.sys
Entry 0x116c: 0x8d9d4cdd (NtUserBlockInput) owned by win32k.sys
Entry 0x116d: 0x8d83d8d3 (NtUserBitBltSysBmp) owned by win32k.sys
Entry 0x116e: 0x8d929a9e (NtUserBeginPaint) owned by win32k.sys
Entry 0x116f: 0x8d84bc71 (NtUserAttachThreadInput) owned by win32k.sys
Entry 0x1170: 0x8d9384d0 (NtUserAssociateInputContext) owned by win32k.sys
Entry 0x1171: 0x8d9d4f26 (NtUserAlterWindowStyle) owned by win32k.sys
Entry 0x1172: 0x8d83e098 (NtUserAddClipboardFormatListener) owned by win32k.sys
Entry 0x1173: 0x8da4f477 (NtUserActivateKeyboardLayout) owned by win32k.sys
Entry 0x1174: 0x8d863835 (NtUserDelegateCapturePointers) owned by win32k.sys
Entry 0x1175: 0x8d8a51ee (NtUserDelegateInput) owned by win32k.sys
Entry 0x1176: 0x8d9299fc (NtUserDispatchMessage) owned by win32k.sys
Entry 0x1177: 0x8d879fdf (NtUserDisableProcessWindowFiltering) owned by win32k.sys
Entry 0x1178: 0x8d89dbbf (NtUserDisableThreadIme) owned by win32k.sys
Entry 0x1179: 0x8d975838 (NtUserDestroyWindow) owned by win32k.sys
Entry 0x117a: 0x8d8d8348 (NtUserDestroyMenu) owned by win32k.sys
Entry 0x117b: 0x8d9d0ab2 (NtUserDestroyInputContext) owned by win32k.sys
Entry 0x117c: 0x8d8e5fd5 (NtUserDestroyCursor) owned by win32k.sys
Entry 0x117d: 0x8d8a6b90 (NtUserDestroyAcceleratorTable) owned by win32k.sys
Entry 0x117e: 0x8d8e9edc (NtUserDeleteMenu) owned by win32k.sys
Entry 0x117f: 0x8d996a50 (NtUserDoSoundDisconnect) owned by win32k.sys
Entry 0x1180: 0x8d9aeee9 (NtUserDoSoundConnect) owned by win32k.sys
Entry 0x1181: 0x8d8a69c6 (NtUserGhostWindowFromHungWindow) owned by win32k.sys
Entry 0x1182: 0x8da51f2e (NtUserGetWOWClass) owned by win32k.sys
Entry 0x1183: 0x8d8d54ae (NtUserGetWindowPlacement) owned by win32k.sys
Entry 0x1184: 0x8da520be (NtUserGetWindowDisplayAffinity) owned by win32k.sys
Entry 0x1185: 0x8d97d32f (NtUserGetWindowDC) owned by win32k.sys
Entry 0x1186: 0x8d97ef04 (NtUserGetWindowCompositionAttribute) owned by win32k.sys
Entry 0x1187: 0x8da51fc5 (NtUserGetWindowCompositionInfo) owned by win32k.sys
Entry 0x1188: 0x8d97f2f1 (NtUserGetWindowBand) owned by win32k.sys
Entry 0x1189: 0x8d85a362 (NtUserGetUpdateRgn) owned by win32k.sys
Entry 0x118a: 0x8d87f4c0 (NtUserGetUpdateRect) owned by win32k.sys
Entry 0x118b: 0x8da51d8f (NtUserGetUpdatedClipboardFormats) owned by win32k.sys
Entry 0x118c: 0x8da51c43 (NtUserGetTopLevelWindow) owned by win32k.sys
Entry 0x118d: 0x8d97f7ed (NtUserGetTitleBarInfo) owned by win32k.sys
Entry 0x118e: 0x8d965d5d (NtUserGetThreadState) owned by win32k.sys
Entry 0x118f: 0x8d9674ea (NtUserGetThreadDesktop) owned by win32k.sys
Entry 0x1190: 0x8d936ebf (NtUserGetSystemMenu) owned by win32k.sys
Entry 0x1191: 0x8d98499e (NtUserGetScrollBarInfo) owned by win32k.sys
Entry 0x1192: 0x8da51bef (NtUserGetRegisteredRawInputDevices) owned by win32k.sys
Entry 0x1193: 0x8d8727b7 (NtUserGetRawInputDeviceList) owned by win32k.sys
Entry 0x1194: 0x8d8b415f (NtUserGetRawInputDeviceInfo) owned by win32k.sys
Entry 0x1195: 0x8d872122 (NtUserGetRawInputData) owned by win32k.sys
Entry 0x1196: 0x8da51887 (NtUserGetRawInputBuffer) owned by win32k.sys
Entry 0x1197: 0x8d928f37 (NtUserGetProcessWindowStation) owned by win32k.sys
Entry 0x1198: 0x8da517f2 (NtUserGetPriorityClipboardFormat) owned by win32k.sys
Entry 0x1199: 0x8d9d48e9 (NtUserGetOpenClipboardWindow) owned by win32k.sys
Entry 0x119a: 0x8d929135 (NtUserGetObjectInformation) owned by win32k.sys
Entry 0x119b: 0x8da51610 (NtUserGetMouseMovePointsEx) owned by win32k.sys
Entry 0x119c: 0x8d943db2 (NtUserGetMessage) owned by win32k.sys
Entry 0x119d: 0x8d9cf4a0 (NtUserGetMenuItemRect) owned by win32k.sys
Entry 0x119e: 0x8da515ae (NtUserGetMenuIndex) owned by win32k.sys
Entry 0x119f: 0x8d84f416 (NtUserGetMenuBarInfo) owned by win32k.sys
Entry 0x11a0: 0x8da51541 (NtUserGetListBoxInfo) owned by win32k.sys
Entry 0x11a1: 0x8d97f9b4 (NtUserGetKeyState) owned by win32k.sys
Entry 0x11a2: 0x8da513b1 (NtUserGetKeyNameText) owned by win32k.sys
Entry 0x11a3: 0x8d929bba (NtUserGetKeyboardState) owned by win32k.sys
Entry 0x11a4: 0x8d85b721 (NtUserGetKeyboardLayoutName) owned by win32k.sys
Entry 0x11a5: 0x8d8e4143 (NtUserGetKeyboardLayoutList) owned by win32k.sys
Entry 0x11a6: 0x8da512c8 (NtUserGetInternalWindowPos) owned by win32k.sys
Entry 0x11a7: 0x8da511a1 (NtUserGetInputLocaleInfo) owned by win32k.sys
Entry 0x11a8: 0x8d9150bd (NtUserGetImeInfoEx) owned by win32k.sys
Entry 0x11a9: 0x8da510ba (NtUserGetImeHotKey) owned by win32k.sys
Entry 0x11aa: 0x8d9196b6 (NtUserGetIconSize) owned by win32k.sys
Entry 0x11ab: 0x8d9010e3 (NtUserGetIconInfo) owned by win32k.sys
Entry 0x11ac: 0x8d97ce8c (NtUserGetGUIThreadInfo) owned by win32k.sys
Entry 0x11ad: 0x8da50de3 (NtUserGetGuiResources) owned by win32k.sys
Entry 0x11ae: 0x8d972f52 (NtUserGetForegroundWindow) owned by win32k.sys
Entry 0x11af: 0x8d8e6f6c (NtUserGetDoubleClickTime) owned by win32k.sys
Entry 0x11b0: 0x8d92c209 (NtUserGetDesktopID) owned by win32k.sys
Entry 0x11b1: 0x8d937163 (NtUserGetDCEx) owned by win32k.sys
Entry 0x11b2: 0x8d900c9b (NtUserGetDC) owned by win32k.sys
Entry 0x11b3: 0x8d929ff5 (NtUserGetCursorInfo) owned by win32k.sys
Entry 0x11b4: 0x8d82bbad (NtUserGetCursorFrameInfo) owned by win32k.sys
Entry 0x11b5: 0x8d870b3c (NtUserGetCurrentInputMessageSource) owned by win32k.sys
Entry 0x11b6: 0x8da5089c (NtUserGetCIMSSM) owned by win32k.sys
Entry 0x11b7: 0x8d8e4050 (NtUserGetCPD) owned by win32k.sys
Entry 0x11b8: 0x8da50aed (NtUserGetControlColor) owned by win32k.sys
Entry 0x11b9: 0x8d84daae (NtUserGetControlBrush) owned by win32k.sys
Entry 0x11ba: 0x8d820e30 (NtUserGetComboBoxInfo) owned by win32k.sys
Entry 0x11bb: 0x8da50963 (NtUserGetClipCursor) owned by win32k.sys
Entry 0x11bc: 0x8da50ac1 (NtUserGetClipboardViewer) owned by win32k.sys
Entry 0x11bd: 0x8d83e12a (NtUserGetClipboardSequenceNumber) owned by win32k.sys
Entry 0x11be: 0x8d845e93 (NtUserGetClipboardOwner) owned by win32k.sys
Entry 0x11bf: 0x8d84bd22 (NtUserGetClipboardFormatName) owned by win32k.sys
Entry 0x11c0: 0x8d9c7f03 (NtUserGetClipboardData) owned by win32k.sys
Entry 0x11c1: 0x8d973306 (NtUserGetClassName) owned by win32k.sys
Entry 0x11c2: 0x8d927222 (NtUserGetClassInfoEx) owned by win32k.sys
Entry 0x11c3: 0x8d84b799 (NtUserGetCaretPos) owned by win32k.sys
Entry 0x11c4: 0x8d933f35 (NtUserGetCaretBlinkTime) owned by win32k.sys
Entry 0x11c5: 0x8d918e72 (NtUserGetAtomName) owned by win32k.sys
Entry 0x11c6: 0x8d898f85 (NtUserGetAsyncKeyState) owned by win32k.sys
Entry 0x11c7: 0x8da5082d (NtUserGetAppImeLevel) owned by win32k.sys
Entry 0x11c8: 0x8d973177 (NtUserGetAncestor) owned by win32k.sys
Entry 0x11c9: 0x8da5062e (NtUserGetAltTabInfo) owned by win32k.sys
Entry 0x11ca: 0x8da505cf (NtUserFrostCrashedWindow) owned by win32k.sys
Entry 0x11cb: 0x8da504d0 (NtUserFlashWindowEx) owned by win32k.sys
Entry 0x11cc: 0x8d9485ca (NtUserFindWindowEx) owned by win32k.sys
Entry 0x11cd: 0x8d8f765d (NtUserFindExistingCursorIcon) owned by win32k.sys
Entry 0x11ce: 0x8d8d727d (NtUserFillWindow) owned by win32k.sys
Entry 0x11cf: 0x8d9d30c0 (NtUserExcludeUpdateRgn) owned by win32k.sys
Entry 0x11d0: 0x8da50438 (NtUserEvent) owned by win32k.sys
Entry 0x11d1: 0x8d92c1a3 (NtUserEnumDisplaySettings) owned by win32k.sys
Entry 0x11d2: 0x8d8e5259 (NtUserEnumDisplayMonitors) owned by win32k.sys
Entry 0x11d3: 0x8d8e542a (NtUserEnumDisplayDevices) owned by win32k.sys
Entry 0x11d4: 0x8d929949 (NtUserEndPaint) owned by win32k.sys
Entry 0x11d5: 0x8d88a1a1 (NtUserEndMenu) owned by win32k.sys
Entry 0x11d6: 0x8d8b7b95 (NtUserEndDeferWindowPosEx) owned by win32k.sys
Entry 0x11d7: 0x8d9c9ef9 (NtUserEnableScrollBar) owned by win32k.sys
Entry 0x11d8: 0x8d83c651 (NtUserEnableMenuItem) owned by win32k.sys
Entry 0x11d9: 0x8d9c7d91 (NtUserEmptyClipboard) owned by win32k.sys
Entry 0x11da: 0x8da5029c (NtUserDrawMenuBarTemp) owned by win32k.sys
Entry 0x11db: 0x8d8c3e12 (NtUserDrawIconEx) owned by win32k.sys
Entry 0x11dc: 0x8da500bd (NtUserDrawCaptionTemp) owned by win32k.sys
Entry 0x11dd: 0x8da4ffe0 (NtUserDrawCaption) owned by win32k.sys
Entry 0x11de: 0x8da4fef6 (NtUserDrawAnimatedRects) owned by win32k.sys
Entry 0x11df: 0x8da4fe00 (NtUserDragObject) owned by win32k.sys
Entry 0x11e0: 0x8da4fd8d (NtUserDragDetect) owned by win32k.sys
Entry 0x11e1: 0x8d867a8d (NtUserHandleDelegatedInput) owned by win32k.sys
Entry 0x11e2: 0x8da53787 (NtUserRealChildWindowFromPoint) owned by win32k.sys
Entry 0x11e3: 0x8d9734c3 (NtUserQueryWindow) owned by win32k.sys
Entry 0x11e4: 0x8da53704 (NtUserQuerySendMessage) owned by win32k.sys
Entry 0x11e5: 0x8d9179d6 (NtUserQueryInputContext) owned by win32k.sys
Entry 0x11e6: 0x8d99235b (NtUserQueryInformationThread) owned by win32k.sys
Entry 0x11e7: 0x8da536d6 (NtUserQueryBSDRWindow) owned by win32k.sys
Entry 0x11e8: 0x8d82c9c4 (NtUserPerMonitorDPIPhysicalToLogicalPoint) owned by win32k.sys
Entry 0x11e9: 0x8d96a1b2 (NtUserProcessConnect) owned by win32k.sys
Entry 0x11ea: 0x8da535d4 (NtUserPrintWindow) owned by win32k.sys
Entry 0x11eb: 0x8d93b452 (NtUserPostThreadMessage) owned by win32k.sys
Entry 0x11ec: 0x8d97bb74 (NtUserPostMessage) owned by win32k.sys
Entry 0x11ed: 0x8d84a57d (NtUserPhysicalToLogicalPoint) owned by win32k.sys
Entry 0x11ee: 0x8d96e10a (NtUserPeekMessage) owned by win32k.sys
Entry 0x11ef: 0x8da534eb (NtUserPaintMonitor) owned by win32k.sys
Entry 0x11f0: 0x8da53473 (NtUserPaintDesktop) owned by win32k.sys
Entry 0x11f1: 0x8d879c63 (NtUserOpenWindowStation) owned by win32k.sys
Entry 0x11f2: 0x8d9d699c (NtUserOpenThreadDesktop) owned by win32k.sys
Entry 0x11f3: 0x8d8b8f24 (NtUserOpenInputDesktop) owned by win32k.sys
Entry 0x11f4: 0x8d8e5eb0 (NtUserOpenDesktop) owned by win32k.sys
Entry 0x11f5: 0x8d83e1f3 (NtUserOpenClipboard) owned by win32k.sys
Entry 0x11f6: 0x8d8e4b55 (NtUserNotifyWinEvent) owned by win32k.sys
Entry 0x11f7: 0x8d977250 (NtUserNotifyProcessCreate) owned by win32k.sys
Entry 0x11f8: 0x8d917348 (NtUserNotifyIMEStatus) owned by win32k.sys
Entry 0x11f9: 0x8d856680 (NtUserMoveWindow) owned by win32k.sys
Entry 0x11fa: 0x8d82bc42 (NtUserModifyUserStartupInfoFlags) owned by win32k.sys
Entry 0x11fb: 0x8da527f4 (NtUserMNDragOver) owned by win32k.sys
Entry 0x11fc: 0x8da527cb (NtUserMNDragLeave) owned by win32k.sys
Entry 0x11fd: 0x8da533ca (NtUserMinMaximize) owned by win32k.sys
Entry 0x11fe: 0x8d903711 (NtUserMessageCall) owned by win32k.sys
Entry 0x11ff: 0x8da532b5 (NtUserMenuItemFromPoint) owned by win32k.sys
Entry 0x1200: 0x8d87aa85 (NtUserMapVirtualKeyEx) owned by win32k.sys
Entry 0x1201: 0x8d85c413 (NtUserLayoutCompleted) owned by win32k.sys
Entry 0x1202: 0x8d9d3e11 (NtUserLogicalToPerMonitorDPIPhysicalPoint) owned by win32k.sys
Entry 0x1203: 0x8d87f788 (NtUserLogicalToPhysicalPoint) owned by win32k.sys
Entry 0x1204: 0x8d81b438 (NtUserLockWorkStation) owned by win32k.sys
Entry 0x1205: 0x8da5277e (NtUserLockWindowUpdate) owned by win32k.sys
Entry 0x1206: 0x8d89c835 (NtUserLockWindowStation) owned by win32k.sys
Entry 0x1207: 0x8d89bd72 (NtUserLoadKeyboardLayoutEx) owned by win32k.sys
Entry 0x1208: 0x8d93af1f (NtUserKillTimer) owned by win32k.sys
Entry 0x1209: 0x8d8a0d94 (NtUserIsTopLevelWindow) owned by win32k.sys
Entry 0x120a: 0x8d83e150 (NtUserIsClipboardFormatAvailable) owned by win32k.sys
Entry 0x120b: 0x8d8b85b2 (NtUserInvalidateRgn) owned by win32k.sys
Entry 0x120c: 0x8d8e03a4 (NtUserInvalidateRect) owned by win32k.sys
Entry 0x120d: 0x8d9d4601 (NtUserInternalGetWindowIcon) owned by win32k.sys
Entry 0x120e: 0x8d93104d (NtUserInternalGetWindowText) owned by win32k.sys
Entry 0x120f: 0x8da5239b (NtUserInitTask) owned by win32k.sys
Entry 0x1210: 0x8d98a26c (NtUserInitializeClientPfnArrays) owned by win32k.sys
Entry 0x1211: 0x8d98d381 (NtUserInitialize) owned by win32k.sys
Entry 0x1212: 0x8da5230b (NtUserImpersonateDdeClientWindow) owned by win32k.sys
Entry 0x1213: 0x8d851b94 (NtUserHungWindowFromGhostWindow) owned by win32k.sys
Entry 0x1214: 0x8da5224e (NtUserHiliteMenuItem) owned by win32k.sys
Entry 0x1215: 0x8d852e20 (NtUserHideCaret) owned by win32k.sys
Entry 0x1216: 0x8da52169 (NtUserHardErrorControl) owned by win32k.sys
Entry 0x1217: 0x8d96a93b (NtUserRealInternalGetMessage) owned by win32k.sys
Entry 0x1218: 0x8da537c8 (NtUserRealWaitMessageEx) owned by win32k.sys
Entry 0x1219: 0x8d886f52 (NtUserTranslateMessage) owned by win32k.sys
Entry 0x121a: 0x8d8569d7 (NtUserTranslateAccelerator) owned by win32k.sys
Entry 0x121b: 0x8d8518d9 (NtUserPaintMenuBar) owned by win32k.sys
Entry 0x121c: 0x8d97f4a9 (NtUserCalcMenuBar) owned by win32k.sys
Entry 0x121d: 0x8da4f4e8 (NtUserCalculatePopupWindowPosition) owned by win32k.sys
Entry 0x121e: 0x8d826437 (NtUserTrackPopupMenuEx) owned by win32k.sys
Entry 0x121f: 0x8d898237 (NtUserTrackMouseEvent) owned by win32k.sys
Entry 0x1220: 0x8d8712d9 (NtUserToUnicodeEx) owned by win32k.sys
Entry 0x1221: 0x8d93647b (NtUserThunkedMenuItemInfo) owned by win32k.sys
Entry 0x1222: 0x8d83a879 (NtUserThunkedMenuInfo) owned by win32k.sys
Entry 0x1223: 0x8da551dd (NtUserTestForInteractiveUser) owned by win32k.sys
Entry 0x1224: 0x8d85c832 (NtUserSendEventMessage) owned by win32k.sys
Entry 0x1225: 0x8d8fd92a (NtUserSystemParametersInfo) owned by win32k.sys
Entry 0x1226: 0x8d8b00a6 (NtUserSwitchDesktop) owned by win32k.sys
Entry 0x1227: 0x8da551b4 (NtUserSoundSentry) owned by win32k.sys
Entry 0x1228: 0x8d9969d3 (NtUserShutdownReasonDestroy) owned by win32k.sys
Entry 0x1229: 0x8d9a225d (NtUserShutdownBlockReasonQuery) owned by win32k.sys
Entry 0x122a: 0x8d99683b (NtUserShutdownBlockReasonCreate) owned by win32k.sys
Entry 0x122b: 0x8da54dbf (NtUserShowWindowAsync) owned by win32k.sys
Entry 0x122c: 0x8d91a469 (NtUserShowWindow) owned by win32k.sys
Entry 0x122d: 0x8d853163 (NtUserShowScrollBar) owned by win32k.sys
Entry 0x122e: 0x8d852dc9 (NtUserShowCaret) owned by win32k.sys
Entry 0x122f: 0x8d916455 (NtUserSetWinEventHook) owned by win32k.sys
Entry 0x1230: 0x8d9d2f13 (NtUserSetWindowWord) owned by win32k.sys
Entry 0x1231: 0x8d9a8b7f (NtUserSetWindowStationUser) owned by win32k.sys
Entry 0x1232: 0x8d9185f5 (NtUserSetWindowsHookEx) owned by win32k.sys
Entry 0x1233: 0x8da54d0e (NtUserSetWindowsHookAW) owned by win32k.sys
Entry 0x1234: 0x8d9d224e (NtUserSetWindowRgnEx) owned by win32k.sys
Entry 0x1235: 0x8d9313fa (NtUserGetWindowRgnEx) owned by win32k.sys
Entry 0x1236: 0x8d8d4234 (NtUserSetWindowRgn) owned by win32k.sys
Entry 0x1237: 0x8d914b6a (NtUserSetWindowPos) owned by win32k.sys
Entry 0x1238: 0x8d89e723 (NtUserSetWindowPlacement) owned by win32k.sys
Entry 0x1239: 0x8d972b51 (NtUserSetWindowLong) owned by win32k.sys
Entry 0x123a: 0x8d914dbf (NtUserSetWindowFNID) owned by win32k.sys
Entry 0x123b: 0x8da54c88 (NtUserSetWindowDisplayAffinity) owned by win32k.sys
Entry 0x123c: 0x8d8a72e5 (NtUserSetWindowCompositionTransition) owned by win32k.sys
Entry 0x123d: 0x8da552ec (NtUserUpdateDefaultDesktopThumbnail) owned by win32k.sys
Entry 0x123e: 0x8d8e4f8f (NtUserSetWindowCompositionAttribute) owned by win32k.sys
Entry 0x123f: 0x8d8a7a73 (NtUserSetWindowBand) owned by win32k.sys
Entry 0x1240: 0x8da54af8 (NtUserSetProcessUIAccessZorder) owned by win32k.sys
Entry 0x1241: 0x8d8f8375 (NtUserSetProcessDpiAwareness) owned by win32k.sys
Entry 0x1242: 0x8d8fd807 (NtUserSetTimer) owned by win32k.sys
Entry 0x1243: 0x8d84e10e (NtUserSetThreadState) owned by win32k.sys
Entry 0x1244: 0x8da54be7 (NtUserSetThreadLayoutHandles) owned by win32k.sys
Entry 0x1245: 0x8d8e3f25 (NtUserSetThreadDesktop) owned by win32k.sys
Entry 0x1246: 0x8d84c9f4 (NtUserSetThreadInputBlocked) owned by win32k.sys
Entry 0x1247: 0x8da54b87 (NtUserSetSystemTimer) owned by win32k.sys
Entry 0x1248: 0x8d9bd370 (NtUserSetSystemMenu) owned by win32k.sys
Entry 0x1249: 0x8da54b41 (NtUserSetSystemCursor) owned by win32k.sys
Entry 0x124a: 0x8d899144 (NtUserSetSysColors) owned by win32k.sys
Entry 0x124b: 0x8d8a7bd7 (NtUserSetShellWindowEx) owned by win32k.sys
Entry 0x124c: 0x8d8a7e9d (NtUserSetImmersiveBackgroundWindow) owned by win32k.sys
Entry 0x124d: 0x8d98483e (NtUserSetScrollInfo) owned by win32k.sys
Entry 0x124e: 0x8d916028 (NtUserSetProp) owned by win32k.sys
Entry 0x124f: 0x8d96d55a (NtUserGetProp) owned by win32k.sys
Entry 0x1250: 0x8d88ee87 (NtUserSetProcessWindowStation) owned by win32k.sys
Entry 0x1251: 0x8d8a040f (NtUserSetParent) owned by win32k.sys
Entry 0x1252: 0x8da548aa (NtUserSetObjectInformation) owned by win32k.sys
Entry 0x1253: 0x8da547c2 (NtUserSetMenuFlagRtoL) owned by win32k.sys
Entry 0x1254: 0x8d8d8658 (NtUserSetMenuDefaultItem) owned by win32k.sys
Entry 0x1255: 0x8da54770 (NtUserSetMenuContextHelpId) owned by win32k.sys
Entry 0x1256: 0x8d853385 (NtUserSetMenu) owned by win32k.sys
Entry 0x1257: 0x8d84db33 (NtUserSetKeyboardState) owned by win32k.sys
Entry 0x1258: 0x8da54661 (NtUserSetInternalWindowPos) owned by win32k.sys
Entry 0x1259: 0x8d8be462 (NtUserSetInformationThread) owned by win32k.sys
Entry 0x125a: 0x8d917249 (NtUserSetImeOwnerWindow) owned by win32k.sys
Entry 0x125b: 0x8d995d40 (NtUserSetImeInfoEx) owned by win32k.sys
Entry 0x125c: 0x8d89c2b1 (NtUserSetImeHotKey) owned by win32k.sys
Entry 0x125d: 0x8d8cdbb5 (NtUserSetFocus) owned by win32k.sys
Entry 0x125e: 0x8d8f3ae0 (NtUserSetCursorIconData) owned by win32k.sys
Entry 0x125f: 0x8da54143 (NtUserSetCursorContents) owned by win32k.sys
Entry 0x1260: 0x8d8d8561 (NtUserSetCursor) owned by win32k.sys
Entry 0x1261: 0x8d839bae (NtUserSetClipboardViewer) owned by win32k.sys
Entry 0x1262: 0x8d9c7fca (NtUserSetClipboardData) owned by win32k.sys
Entry 0x1263: 0x8da540f8 (NtUserSetClassWord) owned by win32k.sys
Entry 0x1264: 0x8d884380 (NtUserSetClassLong) owned by win32k.sys
Entry 0x1265: 0x8d89f13a (NtUserSetChildWindowNoActivate) owned by win32k.sys
Entry 0x1266: 0x8d85f66c (NtUserSetCapture) owned by win32k.sys
Entry 0x1267: 0x8da53e46 (NtUserSetAppImeLevel) owned by win32k.sys
Entry 0x1268: 0x8d939bec (NtUserSetActiveWindow) owned by win32k.sys
Entry 0x1269: 0x8d87a809 (NtUserSendInput) owned by win32k.sys
Entry 0x126a: 0x8d8f0d2b (NtUserSelectPalette) owned by win32k.sys
Entry 0x126b: 0x8d83d92b (NtUserScrollWindowEx) owned by win32k.sys
Entry 0x126c: 0x8d98544f (NtUserScrollDC) owned by win32k.sys
Entry 0x126d: 0x8d984579 (NtUserSBGetParms) owned by win32k.sys
Entry 0x126e: 0x8da53cfa (NtUserResolveDesktopForWOW) owned by win32k.sys
Entry 0x126f: 0x8d97d23c (NtUserRemoveProp) owned by win32k.sys
Entry 0x1270: 0x8d8d84d3 (NtUserRemoveMenu) owned by win32k.sys
Entry 0x1271: 0x8d83e469 (NtUserRemoveClipboardFormatListener) owned by win32k.sys
Entry 0x1272: 0x8d927129 (NtUserRegisterWindowMessage) owned by win32k.sys
Entry 0x1273: 0x8da53b3b (NtUserRegisterTasklist) owned by win32k.sys
Entry 0x1274: 0x8da538fe (NtUserRegisterServicesProcess) owned by win32k.sys
Entry 0x1275: 0x8d8b5719 (NtUserRegisterRawInputDevices) owned by win32k.sys
Entry 0x1276: 0x8d8b84ea (NtUserRegisterHotKey) owned by win32k.sys
Entry 0x1277: 0x8d9aea12 (NtUserRegisterUserApiHook) owned by win32k.sys
Entry 0x1278: 0x8da53817 (NtUserRegisterErrorReportingDialog) owned by win32k.sys
Entry 0x1279: 0x8d9215ff (NtUserRegisterClassExWOW) owned by win32k.sys
Entry 0x127a: 0x8d8819c7 (NtUserRegisterBSDRWindow) owned by win32k.sys
Entry 0x127b: 0x8d8d4b52 (NtUserRedrawWindow) owned by win32k.sys
Entry 0x127c: 0x8d8b75b6 (NtUserUndelegateInput) owned by win32k.sys
Entry 0x127d: 0x8d87b937 (NtUserGetWindowMinimizeRect) owned by win32k.sys
Entry 0x127e: 0x8d9a0ea4 (NtUserDwmStopRedirection) owned by win32k.sys
Entry 0x127f: 0x8d9a61cb (NtUserDwmStartRedirection) owned by win32k.sys
Entry 0x1280: 0x8d9971d9 (NtUserDwmGetRemoteSessionOcclusionEvent) owned by win32k.sys
Entry 0x1281: 0x8da5038c (NtUserDwmGetRemoteSessionOcclusionState) owned by win32k.sys
Entry 0x1282: 0x8d9d6f53 (NtUserUpdateWindowTransform) owned by win32k.sys
Entry 0x1283: 0x8d8b0c7b (NtUserCheckProcessSession) owned by win32k.sys
Entry 0x1284: 0x8d99b6a2 (NtUserUnregisterSessionPort) owned by win32k.sys
Entry 0x1285: 0x8d9962e5 (NtUserRegisterSessionPort) owned by win32k.sys
Entry 0x1286: 0x8da4fa7e (NtUserCtxDisplayIOCtl) owned by win32k.sys
Entry 0x1287: 0x8da53cac (NtUserRemoteStopScreenUpdates) owned by win32k.sys
Entry 0x1288: 0x8da53c55 (NtUserRemoteRedrawScreen) owned by win32k.sys
Entry 0x1289: 0x8da53bdd (NtUserRemoteRedrawRectangle) owned by win32k.sys
Entry 0x128a: 0x8d99fb4e (NtUserRemoteConnect) owned by win32k.sys
Entry 0x128b: 0x8d935183 (NtUserWaitAvailableMessageEx) owned by win32k.sys
Entry 0x128c: 0x8d87aada (NtUserWindowFromPoint) owned by win32k.sys
Entry 0x128d: 0x8d87aada (NtUserWindowFromPhysicalPoint) owned by win32k.sys
Entry 0x128e: 0x8d8ec6da (NtUserWaitMessage) owned by win32k.sys
Entry 0x128f: 0x8da55700 (NtUserWaitForMsgAndEvent) owned by win32k.sys
Entry 0x1290: 0x8d88a169 (NtUserWaitForInputIdle) owned by win32k.sys
Entry 0x1291: 0x8d856d59 (NtUserVkKeyScanEx) owned by win32k.sys
Entry 0x1292: 0x8d948564 (NtUserValidateTimerCallback) owned by win32k.sys
Entry 0x1293: 0x8d8b8e6e (NtUserValidateRect) owned by win32k.sys
Entry 0x1294: 0x8d8598e4 (NtUserValidateHandleSecure) owned by win32k.sys
Entry 0x1295: 0x8da554cb (NtUserUserHandleGrantAccess) owned by win32k.sys
Entry 0x1296: 0x8d9a6ec4 (NtUserUpdatePerUserSystemParameters) owned by win32k.sys
Entry 0x1297: 0x8d8b902a (NtUserSetLayeredWindowAttributes) owned by win32k.sys
Entry 0x1298: 0x8da5143e (NtUserGetLayeredWindowAttributes) owned by win32k.sys
Entry 0x1299: 0x8d856384 (NtUserUpdateLayeredWindow) owned by win32k.sys
Entry 0x129a: 0x8da55403 (NtUserUpdateInstance) owned by win32k.sys
Entry 0x129b: 0x8d915051 (NtUserUpdateInputContext) owned by win32k.sys
Entry 0x129c: 0x8d881a67 (NtUserUnregisterHotKey) owned by win32k.sys
Entry 0x129d: 0x8da552b7 (NtUserUnregisterUserApiHook) owned by win32k.sys
Entry 0x129e: 0x8d93b629 (NtUserUnregisterClass) owned by win32k.sys
Entry 0x129f: 0x8d8b08b9 (NtUserUnlockWindowStation) owned by win32k.sys
Entry 0x12a0: 0x8da55263 (NtUserUnloadKeyboardLayout) owned by win32k.sys
Entry 0x12a1: 0x8d8e5e26 (NtUserUnhookWinEvent) owned by win32k.sys
Entry 0x12a2: 0x8d93c58d (NtUserUnhookWindowsHookEx) owned by win32k.sys
Entry 0x12a3: 0x8da51c89 (NtUserGetTouchInputInfo) owned by win32k.sys
Entry 0x12a4: 0x8d85e37e (NtUserIsTouchWindow) owned by win32k.sys
Entry 0x12a5: 0x8d8e7c32 (NtUserModifyWindowTouchCapability) owned by win32k.sys
Entry 0x12a6: 0x8dad474f (NtGdiEngStretchBltROP) owned by win32k.sys
Entry 0x12a7: 0x8dad4f3a (NtGdiEngTextOut) owned by win32k.sys
Entry 0x12a8: 0x8dad516b (NtGdiEngTransparentBlt) owned by win32k.sys
Entry 0x12a9: 0x8dad3be0 (NtGdiEngGradientFill) owned by win32k.sys
Entry 0x12aa: 0x8dad2d65 (NtGdiEngAlphaBlend) owned by win32k.sys
Entry 0x12ab: 0x8dad3e3b (NtGdiEngLineTo) owned by win32k.sys
Entry 0x12ac: 0x8dad401d (NtGdiEngPaint) owned by win32k.sys
Entry 0x12ad: 0x8dad4b5b (NtGdiEngStrokeAndFillPath) owned by win32k.sys
Entry 0x12ae: 0x8dad3a74 (NtGdiEngFillPath) owned by win32k.sys
Entry 0x12af: 0x8dad4d4c (NtGdiEngStrokePath) owned by win32k.sys
Entry 0x12b0: 0x8dad3fb5 (NtGdiEngMarkBandingSurface) owned by win32k.sys
Entry 0x12b1: 0x8dad4141 (NtGdiEngPlgBlt) owned by win32k.sys
Entry 0x12b2: 0x8dad4405 (NtGdiEngStretchBlt) owned by win32k.sys
Entry 0x12b3: 0x8dad2f93 (NtGdiEngBitBlt) owned by win32k.sys
Entry 0x12b4: 0x8dad3f6e (NtGdiEngLockSurface) owned by win32k.sys
Entry 0x12b5: 0x8dad5300 (NtGdiEngUnlockSurface) owned by win32k.sys
Entry 0x12b6: 0x8dad3959 (NtGdiEngEraseSurface) owned by win32k.sys
Entry 0x12b7: 0x8dad392c (NtGdiEngDeleteSurface) owned by win32k.sys
Entry 0x12b8: 0x8d9d4e68 (NtGdiEngDeletePalette) owned by win32k.sys
Entry 0x12b9: 0x8dad33f8 (NtGdiEngCopyBits) owned by win32k.sys
Entry 0x12ba: 0x8dad336e (NtGdiEngComputeGlyphSet) owned by win32k.sys
Entry 0x12bb: 0x8d9d23af (NtGdiEngCreatePalette) owned by win32k.sys
Entry 0x12bc: 0x8dad37c9 (NtGdiEngCreateDeviceBitmap) owned by win32k.sys
Entry 0x12bd: 0x8dad380a (NtGdiEngCreateDeviceSurface) owned by win32k.sys
Entry 0x12be: 0x8dad35c0 (NtGdiEngCreateBitmap) owned by win32k.sys
Entry 0x12bf: 0x8dad2f12 (NtGdiEngAssociateSurface) owned by win32k.sys
Entry 0x12c0: 0x8d85b84b (NtUserSetWindowFeedbackSetting) owned by win32k.sys
Entry 0x12c1: 0x8d8a7621 (NtUserRegisterEdgy) owned by win32k.sys
Entry 0x12c2: 0x8d85e6b3 (NtUserGetWindowFeedbackSetting) owned by win32k.sys
Entry 0x12c3: 0x8d8637ef (NtUserHidePointerContactVisualization) owned by win32k.sys
Entry 0x12c4: 0x8d8e7cbc (NtUserGetTouchValidationStatus) owned by win32k.sys
Entry 0x12c5: 0x8d846379 (NtUserInitializeTouchInjection) owned by win32k.sys
Entry 0x12c6: 0x8d847e61 (NtUserInjectTouchInput) owned by win32k.sys
Entry 0x12c7: 0x8d8e3ffc (NtUserRegisterTouchHitTestingWindow) owned by win32k.sys
Entry 0x12c8: 0x8da54542 (NtUserSetDisplayMapping) owned by win32k.sys
Entry 0x12c9: 0x8da53ebf (NtUserSetCalibrationData) owned by win32k.sys
Entry 0x12ca: 0x8da5170f (NtUserGetPhysicalDeviceRect) owned by win32k.sys
Entry 0x12cb: 0x8da53b8d (NtUserRegisterTouchPadCapable) owned by win32k.sys
Entry 0x12cc: 0x8d8651a6 (NtUserGetRawPointerDeviceData) owned by win32k.sys
Entry 0x12cd: 0x8d85c5d7 (NtUserGetPointerDeviceCursors) owned by win32k.sys
Entry 0x12ce: 0x8d8e65fa (NtUserGetPointerDeviceRects) owned by win32k.sys
Entry 0x12cf: 0x8d8e7302 (NtUserRegisterPointerDeviceNotifications) owned by win32k.sys
Entry 0x12d0: 0x8d861341 (NtUserGetPointerDeviceProperties) owned by win32k.sys
Entry 0x12d1: 0x8d8610e9 (NtUserGetPointerDevice) owned by win32k.sys
Entry 0x12d2: 0x8d8e67bf (NtUserGetPointerDevices) owned by win32k.sys
Entry 0x12d3: 0x8da503b4 (NtUserEnableTouchPad) owned by win32k.sys
Entry 0x12d4: 0x8d9d4848 (NtUserGetPrecisionTouchPadConfiguration) owned by win32k.sys
Entry 0x12d5: 0x8da549a2 (NtUserSetPrecisionTouchPadConfiguration) owned by win32k.sys
Entry 0x12d6: 0x8d85f16b (NtUserPromotePointer) owned by win32k.sys
Entry 0x12d7: 0x8da4fb6d (NtUserDiscardPointerFrameMessages) owned by win32k.sys
Entry 0x12d8: 0x8da53851 (NtUserRegisterPointerInputTarget) owned by win32k.sys
Entry 0x12d9: 0x8d9c8b9f (NtUserGetPointerInputTransform) owned by win32k.sys
Entry 0x12da: 0x8d86e9d8 (NtUserGetPointerInfoList) owned by win32k.sys
Entry 0x12db: 0x8d85f0a5 (NtUserGetPointerCursorId) owned by win32k.sys
Entry 0x12dc: 0x8d85feff (NtUserGetPointerType) owned by win32k.sys
Entry 0x12dd: 0x8d85ee30 (NtUserGetGestureConfig) owned by win32k.sys
Entry 0x12de: 0x8d8e6c16 (NtUserSetGestureConfig) owned by win32k.sys
Entry 0x12df: 0x8da50ba4 (NtUserGetGestureExtArgs) owned by win32k.sys
Entry 0x12e0: 0x8da50c9e (NtUserGetGestureInfo) owned by win32k.sys
Entry 0x12e1: 0x8da524b6 (NtUserInjectGesture) owned by win32k.sys
Entry 0x12e2: 0x8d916bcb (NtUserChangeWindowMessageFilterEx) owned by win32k.sys
Entry 0x12e3: 0x8dad66ba (NtGdiXLATEOBJ_hGetColorTransform) owned by win32k.sys
Entry 0x12e4: 0x8dad670f (NtGdiXLATEOBJ_iXlate) owned by win32k.sys
Entry 0x12e5: 0x8dad6608 (NtGdiXLATEOBJ_cGetPalette) owned by win32k.sys
Entry 0x12e6: 0x8dad388c (NtGdiEngDeleteClip) owned by win32k.sys
Entry 0x12e7: 0x8dad3783 (NtGdiEngCreateClip) owned by win32k.sys
Entry 0x12e8: 0x8dad38dc (NtGdiEngDeletePath) owned by win32k.sys
Entry 0x12e9: 0x8dad2d1a (NtGdiCLIPOBJ_ppoGetPath) owned by win32k.sys
Entry 0x12ea: 0x8dad2c84 (NtGdiCLIPOBJ_cEnumStart) owned by win32k.sys
Entry 0x12eb: 0x8dad2b9a (NtGdiCLIPOBJ_bEnum) owned by win32k.sys
Entry 0x12ec: 0x8dad29a9 (NtGdiBRUSHOBJ_hGetColorTransform) owned by win32k.sys
Entry 0x12ed: 0x8dad2a57 (NtGdiBRUSHOBJ_pvGetRbrush) owned by win32k.sys
Entry 0x12ee: 0x8dad29fe (NtGdiBRUSHOBJ_pvAllocRbrush) owned by win32k.sys
Entry 0x12ef: 0x8dad2aad (NtGdiBRUSHOBJ_ulGetBrushColor) owned by win32k.sys
Entry 0x12f0: 0x8dad6552 (NtGdiXFORMOBJ_iGetXform) owned by win32k.sys
Entry 0x12f1: 0x8dad63fa (NtGdiXFORMOBJ_bApplyXform) owned by win32k.sys
Entry 0x12f2: 0x8dad55d9 (NtGdiFONTOBJ_pQueryGlyphAttrs) owned by win32k.sys
Entry 0x12f3: 0x8dad56ec (NtGdiFONTOBJ_pfdg) owned by win32k.sys
Entry 0x12f4: 0x8dad57e0 (NtGdiFONTOBJ_pifi) owned by win32k.sys
Entry 0x12f5: 0x8dad5417 (NtGdiFONTOBJ_cGetGlyphs) owned by win32k.sys
Entry 0x12f6: 0x8dad59d3 (NtGdiFONTOBJ_pxoGetXform) owned by win32k.sys
Entry 0x12f7: 0x8dad5a1e (NtGdiFONTOBJ_vGetInfo) owned by win32k.sys
Entry 0x12f8: 0x8dad534c (NtGdiFONTOBJ_cGetAllGlyphHandles) owned by win32k.sys
Entry 0x12f9: 0x8dad5903 (NtGdiFONTOBJ_pvTrueTypeFontFile) owned by win32k.sys
Entry 0x12fa: 0x8dad6292 (NtGdiSTROBJ_dwGetCodePage) owned by win32k.sys
Entry 0x12fb: 0x8dad62e4 (NtGdiSTROBJ_vEnumStart) owned by win32k.sys
Entry 0x12fc: 0x8dad61b4 (NtGdiSTROBJ_bGetAdvanceWidths) owned by win32k.sys
Entry 0x12fd: 0x8dad6196 (NtGdiSTROBJ_bEnumPositionsOnly) owned by win32k.sys
Entry 0x12fe: 0x8dad6178 (NtGdiSTROBJ_bEnum) owned by win32k.sys
Entry 0x12ff: 0x8dad5dad (NtGdiPATHOBJ_bEnumClipLines) owned by win32k.sys
Entry 0x1300: 0x8dad5fbf (NtGdiPATHOBJ_vEnumStartClipLines) owned by win32k.sys
Entry 0x1301: 0x8dad5f30 (NtGdiPATHOBJ_vEnumStart) owned by win32k.sys
Entry 0x1302: 0x8dad5c46 (NtGdiPATHOBJ_bEnum) owned by win32k.sys
Entry 0x1303: 0x8dad60e0 (NtGdiPATHOBJ_vGetBounds) owned by win32k.sys
Entry 0x1304: 0x8dad32fa (NtGdiEngCheckAbort) owned by win32k.sys
Entry 0x1305: 0x8dad5b01 (NtGdiGetDhpdev) owned by win32k.sys
Entry 0x1306: 0x8dad5ba4 (NtGdiHT_Get8BPPMaskPalette) owned by win32k.sys
Entry 0x1307: 0x8dad5b38 (NtGdiHT_Get8BPPFormatPalette) owned by win32k.sys
Entry 0x1308: 0x8dac0307 (NtGdiUpdateTransform) owned by win32k.sys
Entry 0x1309: 0x8dad6362 (NtGdiUMPDEngFreeUserMem) owned by win32k.sys
Entry 0x130a: 0x8dad2900 (NtGdiBRUSHOBJ_DeleteRbrush) owned by win32k.sys
Entry 0x130b: 0x8d9c99d7 (NtGdiSetPUMPDOBJ) owned by win32k.sys
Entry 0x130c: 0x8dad633f (NtGdiSetUMPDSandboxState) owned by win32k.sys
Entry 0x130d: 0x8d983415 (NtGdiDrawStream) owned by win32k.sys
Entry 0x130e: 0x8d934c54 (NtGdiHLSurfSetInformation) owned by win32k.sys
Entry 0x130f: 0x8d93183b (NtGdiHLSurfGetInformation) owned by win32k.sys
Entry 0x1310: 0x8dac8b19 (NtGdiDwmCreatedBitmapRemotingOutput) owned by win32k.sys
Entry 0x1311: 0x8d855069 (NtGdiDdDDIGetScanLine) owned by win32k.sys
Entry 0x1312: 0x8daa23e9 (NtGdiDdDDIReleaseProcessVidPnSourceOwners) owned by win32k.sys
Entry 0x1313: 0x8daa225f (NtGdiDdDDIGetProcessSchedulingPriorityClass) owned by win32k.sys
Entry 0x1314: 0x8d9a5a61 (NtGdiDdDDISetProcessSchedulingPriorityClass) owned by win32k.sys
Entry 0x1315: 0x8d84a01c (NtGdiDdDDIGetContextSchedulingPriority) owned by win32k.sys
Entry 0x1316: 0x8d873926 (NtGdiDdDDISetContextSchedulingPriority) owned by win32k.sys
Entry 0x1317: 0x8d8bdcf8 (NtGdiDdDDIDestroyDCFromMemory) owned by win32k.sys
Entry 0x1318: 0x8d8baad2 (NtGdiDdDDICreateDCFromMemory) owned by win32k.sys
Entry 0x1319: 0x8d94c9a6 (NtGdiDdDDIGetDeviceState) owned by win32k.sys
Entry 0x131a: 0x8d9d5371 (NtGdiDdDDISetGammaRamp) owned by win32k.sys
Entry 0x131b: 0x8d870b2b (NtGdiDdDDIWaitForVerticalBlankEvent) owned by win32k.sys
Entry 0x131c: 0x8daa21e0 (NtGdiDdDDIDestroyOverlay) owned by win32k.sys
Entry 0x131d: 0x8daa21f1 (NtGdiDdDDIFlipOverlay) owned by win32k.sys
Entry 0x131e: 0x8daa243b (NtGdiDdDDIUpdateOverlay) owned by win32k.sys
Entry 0x131f: 0x8daa21b6 (NtGdiDdDDICreateOverlay) owned by win32k.sys
Entry 0x1320: 0x8daa4d46 (NtGdiDdDDIGetPresentQueueEvent) owned by win32k.sys
Entry 0x1321: 0x8daa2246 (NtGdiDdDDIGetPresentHistory) owned by win32k.sys
Entry 0x1322: 0x8d898490 (NtGdiDdDDISetVidPnSourceOwner1) owned by win32k.sys
Entry 0x1323: 0x8d8887f8 (NtGdiDdDDISetVidPnSourceOwner) owned by win32k.sys
Entry 0x1324: 0x8daa23b6 (NtGdiDdDDIQueryStatistics) owned by win32k.sys
Entry 0x1325: 0x8d8ab83e (NtGdiDdDDIEscape) owned by win32k.sys
Entry 0x1326: 0x8d9d5382 (NtGdiDdDDIGetSharedPrimaryHandle) owned by win32k.sys
Entry 0x1327: 0x8d8b5901 (NtGdiDdDDICloseAdapter) owned by win32k.sys
Entry 0x1328: 0x8d8b0be7 (NtGdiDdDDIOpenAdapterFromLuid) owned by win32k.sys
Entry 0x1329: 0x8d8ab38a (NtGdiDdDDIEnumAdapters) owned by win32k.sys
Entry 0x132a: 0x8d8abda1 (NtGdiDdDDIOpenAdapterFromHdc) owned by win32k.sys
Entry 0x132b: 0x8d873937 (NtGdiDdDDIOpenAdapterFromDeviceName) owned by win32k.sys
Entry 0x132c: 0x8d92a2ad (NtGdiDdDDIRender) owned by win32k.sys
Entry 0x132d: 0x8d950afe (NtGdiDdDDIPresent) owned by win32k.sys
Entry 0x132e: 0x8daa2224 (NtGdiDdDDIGetMultisampleMethodList) owned by win32k.sys
Entry 0x132f: 0x8d89877c (NtGdiDdDDISetDisplayMode) owned by win32k.sys
Entry 0x1330: 0x8d8b0a4a (NtGdiDdDDIGetDisplayModeList) owned by win32k.sys
Entry 0x1331: 0x8d8d3746 (NtGdiDdDDIUnlock) owned by win32k.sys
Entry 0x1332: 0x8d8e4b44 (NtGdiDdDDILock) owned by win32k.sys
Entry 0x1333: 0x8d94e5e8 (NtGdiDdDDIQueryAdapterInfo) owned by win32k.sys
Entry 0x1334: 0x8daa2270 (NtGdiDdDDIGetRuntimeData) owned by win32k.sys
Entry 0x1335: 0x8d8ade71 (NtGdiDdDDISignalSynchronizationObject) owned by win32k.sys
Entry 0x1336: 0x8d8adfe2 (NtGdiDdDDIWaitForSynchronizationObject) owned by win32k.sys
Entry 0x1337: 0x8d8959fa (NtGdiDdDDIDestroySynchronizationObject) owned by win32k.sys
Entry 0x1338: 0x8d849fe9 (NtGdiDdDDIOpenSynchronizationObject) owned by win32k.sys
Entry 0x1339: 0x8d8ae21d (NtGdiDdDDICreateSynchronizationObject) owned by win32k.sys
Entry 0x133a: 0x8d8b7648 (NtGdiDdDDIDestroyContext) owned by win32k.sys
Entry 0x133b: 0x8d8ab8aa (NtGdiDdDDICreateContext) owned by win32k.sys
Entry 0x133c: 0x8d8b5da7 (NtGdiDdDDIDestroyDevice) owned by win32k.sys
Entry 0x133d: 0x8d8ab899 (NtGdiDdDDICreateDevice) owned by win32k.sys
Entry 0x133e: 0x8d87bf57 (NtGdiDdDDIQueryAllocationResidency) owned by win32k.sys
Entry 0x133f: 0x8daa23fa (NtGdiDdDDISetAllocationPriority) owned by win32k.sys
Entry 0x1340: 0x8d939d1a (NtGdiDdDDIDestroyAllocation) owned by win32k.sys
Entry 0x1341: 0x8d8ad52a (NtGdiDdDDIOpenResourceFromNtHandle) owned by win32k.sys
Entry 0x1342: 0x8d8755af (NtGdiDdDDIOpenSyncObjectFromNtHandle) owned by win32k.sys
Entry 0x1343: 0x8d935711 (NtGdiDdDDIOpenResource) owned by win32k.sys
Entry 0x1344: 0x8daa233f (NtGdiDdDDIOpenNtHandleFromName) owned by win32k.sys
Entry 0x1345: 0x8d8a9e91 (NtGdiDdDDIShareObjects) owned by win32k.sys
Entry 0x1346: 0x8d8ad411 (NtGdiDdDDIQueryResourceInfoFromNtHandle) owned by win32k.sys
Entry 0x1347: 0x8d935700 (NtGdiDdDDIQueryResourceInfo) owned by win32k.sys
Entry 0x1348: 0x8d92ad8d (NtGdiDdDDICreateAllocation) owned by win32k.sys
Entry 0x1349: 0x8daa2394 (NtGdiDdDDIOutputDuplReleaseFrame) owned by win32k.sys
Entry 0x134a: 0x8daa4dcb (NtGdiDdDDIQueryRemoteVidPnSourceFromGdiDisplayName) owned by win32k.sys
Entry 0x134b: 0x8daa2383 (NtGdiDdDDIOutputDuplPresent) owned by win32k.sys
Entry 0x134c: 0x8daa23c7 (NtGdiDdDDIReleaseKeyedMutex2) owned by win32k.sys
Entry 0x134d: 0x8d849ffa (NtGdiDdDDIAcquireKeyedMutex2) owned by win32k.sys
Entry 0x134e: 0x8d849fd8 (NtGdiDdDDIOpenKeyedMutex2) owned by win32k.sys
Entry 0x134f: 0x8d849fc7 (NtGdiDdDDICreateKeyedMutex2) owned by win32k.sys
Entry 0x1350: 0x8daa2372 (NtGdiDdDDIOutputDuplGetPointerShapeData) owned by win32k.sys
Entry 0x1351: 0x8daa2361 (NtGdiDdDDIOutputDuplGetMetaData) owned by win32k.sys
Entry 0x1352: 0x8daa2350 (NtGdiDdDDIOutputDuplGetFrameInfo) owned by win32k.sys
Entry 0x1353: 0x8daa21c7 (NtGdiDdDDIDestroyOutputDupl) owned by win32k.sys
Entry 0x1354: 0x8daa20f2 (NtGdiDdDDICreateOutputDupl) owned by win32k.sys
Entry 0x1355: 0x8d875a7e (NtGdiDdDDIReclaimAllocations) owned by win32k.sys
Entry 0x1356: 0x8d876dfd (NtGdiDdDDIOfferAllocations) owned by win32k.sys
Entry 0x1357: 0x8daa2071 (NtGdiDdDDICheckSharedResourceAccess) owned by win32k.sys
Entry 0x1358: 0x8d9514b6 (NtGdiDdDDICheckVidPnExclusiveOwnership) owned by win32k.sys
Entry 0x1359: 0x8daa2235 (NtGdiDdDDIGetOverlayState) owned by win32k.sys
Entry 0x135a: 0x8d8aa4a5 (NtGdiDdDDIConfigureSharedResource) owned by win32k.sys
Entry 0x135b: 0x8daa23d8 (NtGdiDdDDIReleaseKeyedMutex) owned by win32k.sys
Entry 0x135c: 0x8daa203e (NtGdiDdDDIAcquireKeyedMutex) owned by win32k.sys
Entry 0x135d: 0x8d84a00b (NtGdiDdDDIDestroyKeyedMutex) owned by win32k.sys
Entry 0x135e: 0x8daa232e (NtGdiDdDDIOpenKeyedMutex) owned by win32k.sys
Entry 0x135f: 0x8daa20e1 (NtGdiDdDDICreateKeyedMutex) owned by win32k.sys
Entry 0x1360: 0x8daa4f10 (NtGdiDdDDISharedPrimaryUnLockNotification) owned by win32k.sys
Entry 0x1361: 0x8daa4e9b (NtGdiDdDDISharedPrimaryLockNotification) owned by win32k.sys
Entry 0x1362: 0x8daa240b (NtGdiDdDDISetDisplayPrivateDriverFormat) owned by win32k.sys
Entry 0x1363: 0x8d87345a (NtGdiDdDDICheckExclusiveOwnership) owned by win32k.sys
Entry 0x1364: 0x8d9514c7 (NtGdiDdDDICheckMonitorPowerState) owned by win32k.sys
Entry 0x1365: 0x8daa244c (NtGdiDdDDIWaitForIdle) owned by win32k.sys
Entry 0x1366: 0x8d8ae0f0 (NtGdiDdDDICheckOcclusion) owned by win32k.sys
Entry 0x1367: 0x8daa2292 (NtGdiDdDDIInvalidateActiveVidPn) owned by win32k.sys
Entry 0x1368: 0x8d9d640e (NtGdiDdDDIPollDisplayChildren) owned by win32k.sys
Entry 0x1369: 0x8d8755c0 (NtGdiDdDDISetQueuedLimit) owned by win32k.sys
Entry 0x136a: 0x8d8755f9 (NtGdiDdDDIPinDirectFlipResources) owned by win32k.sys
Entry 0x136b: 0x8d877ef0 (NtGdiDdDDIUnpinDirectFlipResources) owned by win32k.sys
Entry 0x136c: 0x8d9514a5 (NtGdiDdDDIWaitForVerticalBlankEvent2) owned by win32k.sys
Entry 0x136d: 0x8d81c305 (NtGdiDdDDISetContextInProcessSchedulingPriority) owned by win32k.sys
Entry 0x136e: 0x8daa2213 (NtGdiDdDDIGetContextInProcessSchedulingPriority) owned by win32k.sys
Entry 0x136f: 0x8daa2281 (NtGdiDdDDIGetSharedResourceAdapterLuid) owned by win32k.sys
Entry 0x1370: 0x8daa242a (NtGdiDdDDISetStereoEnabled) owned by win32k.sys
Entry 0x1371: 0x8daa23a5 (NtGdiDdDDIPresentMultiPlaneOverlay) owned by win32k.sys
Entry 0x1372: 0x8daa2060 (NtGdiDdDDICheckMultiPlaneOverlaySupport) owned by win32k.sys
Entry 0x1373: 0x8daa2202 (NtGdiDdDDIGetCachedHybridQueryValue) owned by win32k.sys
Entry 0x1374: 0x8daa204f (NtGdiDdDDICacheHybridQueryValue) owned by win32k.sys
Entry 0x1375: 0x8daa22a3 (NtGdiDdDDINetDispGetNextChunkInfo) owned by win32k.sys
Entry 0x1376: 0x8daa22c5 (NtGdiDdDDINetDispQueryMiracastDisplayDeviceSupport) owned by win32k.sys
Entry 0x1377: 0x8daa22d6 (NtGdiDdDDINetDispStartMiracastDisplayDevice) owned by win32k.sys
Entry 0x1378: 0x8daa2302 (NtGdiDdDDINetDispStopMiracastDisplayDevice) owned by win32k.sys
Entry 0x1379: 0x8daa22b4 (NtGdiDdDDINetDispQueryMiracastDisplayDeviceStatus) owned by win32k.sys
Entry 0x137a: 0x8dacf7f4 (NtGdiMakeObjectUnXferable) owned by win32k.sys
Entry 0x137b: 0x8dacf85f (NtGdiMakeObjectXferable) owned by win32k.sys
Entry 0x137c: 0x8dad7a43 (NtGdiDestroyPhysicalMonitor) owned by win32k.sys
Entry 0x137d: 0x8dad7a53 (NtGdiGetPhysicalMonitorDescription) owned by win32k.sys
Entry 0x137e: 0x8dad7ad5 (NtGdiGetPhysicalMonitors) owned by win32k.sys
Entry 0x137f: 0x8d9cd541 (NtGdiGetNumberOfPhysicalMonitors) owned by win32k.sys
Entry 0x1380: 0x8dad7932 (NtGdiDDCCIGetTimingReport) owned by win32k.sys
Entry 0x1381: 0x8dad78ba (NtGdiDDCCIGetCapabilitiesString) owned by win32k.sys
Entry 0x1382: 0x8dad78d9 (NtGdiDDCCIGetCapabilitiesStringLength) owned by win32k.sys
Entry 0x1383: 0x8dad7a23 (NtGdiDDCCISaveCurrentSettings) owned by win32k.sys
Entry 0x1384: 0x8dad7a33 (NtGdiDDCCISetVCPFeature) owned by win32k.sys
Entry 0x1385: 0x8dad7997 (NtGdiDDCCIGetVCPFeature) owned by win32k.sys
Entry 0x1386: 0x8daa4ff5 (NtGdiDdQueryVisRgnUniqueness) owned by win32k.sys
Entry 0x1387: 0x8daa4f78 (NtGdiDdDestroyFullscreenSprite) owned by win32k.sys
Entry 0x1388: 0x8daa4fc3 (NtGdiDdNotifyFullscreenSpriteUpdate) owned by win32k.sys
Entry 0x1389: 0x8daa4d0e (NtGdiDdCreateFullscreenSprite) owned by win32k.sys
Entry 0x138a: 0x8da54d67 (NtUserShowSystemCursor) owned by win32k.sys
Entry 0x138b: 0x8da5480c (NtUserSetMirrorRendering) owned by win32k.sys
Entry 0x138c: 0x8da52912 (NtUserMagGetContextInformation) owned by win32k.sys
Entry 0x138d: 0x8da52c97 (NtUserMagSetContextInformation) owned by win32k.sys
Entry 0x138e: 0x8da528a2 (NtUserMagControl) owned by win32k.sys
Entry 0x138f: 0x8da54e5b (NtUserSlicerControl) owned by win32k.sys
Entry 0x1390: 0x8d8740a3 (NtUserHwndSetRedirectionInfo) owned by win32k.sys
Entry 0x1391: 0x8d874665 (NtUserHwndQueryRedirectionInfo) owned by win32k.sys
Entry 0x1392: 0x8d8a9f76 (NtCreateCompositionSurfaceHandle) owned by win32k.sys
Entry 0x1393: 0x8d8ace2c (NtValidateCompositionSurfaceHandle) owned by win32k.sys
Entry 0x1394: 0x8d8aa1ae (NtBindCompositionSurface) owned by win32k.sys
Entry 0x1395: 0x8d8b62fc (NtUnBindCompositionSurface) owned by win32k.sys
Entry 0x1396: 0x8d8acfa3 (NtQueryCompositionSurfaceBinding) owned by win32k.sys
Entry 0x1397: 0x8d9d7081 (NtNotifyPresentToCompositionSurface) owned by win32k.sys
Entry 0x1398: 0x8d855784 (NtQueryCompositionSurfaceStatistics) owned by win32k.sys
Entry 0x1399: 0x8da96f33 (NtOpenCompositionSurfaceSectionInfo) owned by win32k.sys
Entry 0x139a: 0x8d8ad10e (NtOpenCompositionSurfaceSwapChainHandleInfo) owned by win32k.sys
Entry 0x139b: 0x8d8aceb9 (NtQueryCompositionSurfaceRenderingRealization) owned by win32k.sys
Entry 0x139c: 0x8d8ad5ff (NtOpenCompositionSurfaceDirtyRegion) owned by win32k.sys
Entry 0x139d: 0x8d877e44 (NtSetCompositionSurfaceOutOfFrameDirectFlipNotification) owned by win32k.sys
Entry 0x139e: 0x8d87777b (NtSetCompositionSurfaceStatistics) owned by win32k.sys
Entry 0x139f: 0x8d8b61c0 (NtSetCompositionSurfaceBufferCompositionMode) owned by win32k.sys
Entry 0x13a0: 0x8d877c21 (NtSetCompositionSurfaceIndependentFlipInfo) owned by win32k.sys
Entry 0x13a1: 0x8d9d246b (NtCreateCompositionInputSink) owned by win32k.sys
Entry 0x13a2: 0x8d9c95b3 (NtDuplicateCompositionInputSink) owned by win32k.sys
Entry 0x13a3: 0x8d9c920c (NtQueryCompositionInputSink) owned by win32k.sys
Entry 0x13a4: 0x8d9c9309 (NtQueryCompositionInputSinkLuid) owned by win32k.sys
Entry 0x13a5: 0x8d9c93bb (NtUpdateInputSinkTransforms) owned by win32k.sys
Entry 0x13a6: 0x8d897a39 (NtCompositionInputThread) owned by win32k.sys
Entry 0x13a7: 0x8d9d6679 (NtTokenManagerOpenSection) owned by win32k.sys
Entry 0x13a8: 0x8d9b1f31 (NtTokenManagerOpenEvent) owned by win32k.sys
Entry 0x13a9: 0x8d897a91 (NtTokenManagerThread) owned by win32k.sys
Entry 0x13aa: 0x8d87719d (NtTokenManagerGetOutOfFrameDirectFlipSurfaceUpdates) owned by win32k.sys
Entry 0x13ab: 0x8d87773b (NtTokenManagerDeleteOutstandingDirectFlipTokens) owned by win32k.sys
Entry 0x13ac: 0x8d9b5a93 (NtTokenManagerCreateCompositionTokenHandle) owned by win32k.sys
Entry 0x13ad: 0x8d94d6e6 (NtDCompositionBeginFrame) owned by win32k.sys
Entry 0x13ae: 0x8d94df43 (NtDCompositionConfirmFrame) owned by win32k.sys
Entry 0x13af: 0x8d9514ea (NtDCompositionRetireFrame) owned by win32k.sys
Entry 0x13b0: 0x8d94e791 (NtDCompositionDiscardFrame) owned by win32k.sys
Entry 0x13b1: 0x8d94ca91 (NtDCompositionGetFrameSurfaceUpdates) owned by win32k.sys
Entry 0x13b2: 0x8d94cf8a (NtDCompositionGetFrameLegacyTokens) owned by win32k.sys
Entry 0x13b3: 0x8d99c51d (NtDCompositionDestroyConnection) owned by win32k.sys
Entry 0x13b4: 0x8d94e33f (NtDCompositionGetConnectionBatch) owned by win32k.sys
Entry 0x13b5: 0x8d8bcd04 (NtDCompositionGetFrameStatistics) owned by win32k.sys
Entry 0x13b6: 0x8d8bdefd (NtDCompositionGetDeletedResources) owned by win32k.sys
Entry 0x13b7: 0x8d8bdc5c (NtDCompositionSetResourceDeletedNotificationTag) owned by win32k.sys
Entry 0x13b8: 0x8d9af7db (NtDCompositionCreateConnection) owned by win32k.sys
Entry 0x13b9: 0x8d8b72cb (NtDCompositionDestroyChannel) owned by win32k.sys
Entry 0x13ba: 0x8d8b6ccf (NtDCompositionReleaseAllResources) owned by win32k.sys
Entry 0x13bb: 0x8d97ca34 (NtDCompositionSubmitDWMBatch) owned by win32k.sys
Entry 0x13bc: 0x8d8b98e6 (NtDCompositionCommitChannel) owned by win32k.sys
Entry 0x13bd: 0x8d85be40 (NtDCompositionWaitForChannel) owned by win32k.sys
Entry 0x13be: 0x8d8a58d8 (NtDCompositionSetChannelCommitCompletionEvent) owned by win32k.sys
Entry 0x13bf: 0x8d8ae4e1 (NtDCompositionTelemetryTouchInteractionBegin) owned by win32k.sys
Entry 0x13c0: 0x8d8aea53 (NtDCompositionTelemetryTouchInteractionUpdate) owned by win32k.sys
Entry 0x13c1: 0x8d8ae962 (NtDCompositionTelemetryTouchInteractionEnd) owned by win32k.sys
Entry 0x13c2: 0x8d8ae76b (NtDCompositionTelemetrySetApplicationId) owned by win32k.sys
Entry 0x13c3: 0x8d8ae22e (NtDCompositionTelemetryAnimationScenarioBegin) owned by win32k.sys
Entry 0x13c4: 0x8d8ae39e (NtDCompositionTelemetryAnimationScenarioReference) owned by win32k.sys
Entry 0x13c5: 0x8d8ae815 (NtDCompositionTelemetryAnimationScenarioUnreference) owned by win32k.sys
Entry 0x13c6: 0x8d8b9b8c (NtDCompositionCurrentBatchId) owned by win32k.sys
Entry 0x13c7: 0x8d8b9e9d (NtDCompositionReleaseResource) owned by win32k.sys
Entry 0x13c8: 0x8d8b6956 (NtDCompositionRemoveCrossDeviceVisualChild) owned by win32k.sys
Entry 0x13c9: 0x8d8bc217 (NtDCompositionRemoveVisualChild) owned by win32k.sys
Entry 0x13ca: 0x8d8b5cb3 (NtDCompositionAddCrossDeviceVisualChild) owned by win32k.sys
Entry 0x13cb: 0x8d8b5d5d (NtDCompositionAddVisualChild) owned by win32k.sys
Entry 0x13cc: 0x8da9607c (NtDCompositionReplaceVisualChildren) owned by win32k.sys
Entry 0x13cd: 0x8d8adb7c (NtDCompositionSetResourceAnimationProperty) owned by win32k.sys
Entry 0x13ce: 0x8d8bb616 (NtDCompositionSetResourceReferenceArrayProperty) owned by win32k.sys
Entry 0x13cf: 0x8d8bb0ed (NtDCompositionSetResourceReferenceProperty) owned by win32k.sys
Entry 0x13d0: 0x8d8bb397 (NtDCompositionSetResourceBufferProperty) owned by win32k.sys
Entry 0x13d1: 0x8d8ba902 (NtDCompositionSetResourceIntegerProperty) owned by win32k.sys
Entry 0x13d2: 0x8d8bbfad (NtDCompositionSetResourceFloatProperty) owned by win32k.sys
Entry 0x13d3: 0x8d9c90ca (NtDCompositionSetResourceHandleProperty) owned by win32k.sys
Entry 0x13d4: 0x8d8a9c96 (NtDCompositionCreateResource) owned by win32k.sys
Entry 0x13d5: 0x8d8a5143 (NtDCompositionOpenSharedResource) owned by win32k.sys
Entry 0x13d6: 0x8d84a3ad (NtDCompositionOpenSharedResourceHandle) owned by win32k.sys
Entry 0x13d7: 0x8d9b1d8f (NtDCompositionCreateDwmChannel) owned by win32k.sys
Entry 0x13d8: 0x8d8ac0e9 (NtDCompositionCreateChannel) owned by win32k.sys
Entry 0x13d9: 0x8d8bcbd2 (NtDCompositionSynchronize) owned by win32k.sys
Entry 0x13da: 0x8da9605e (NtDCompositionDwmSyncFlush) owned by win32k.sys
Entry 0x13db: 0x8d8a6229 (NtDCompositionReferenceSharedResourceOnDwmChannel) owned by win32k.sys
Entry 0x13dc: 0x8d873b85 (NtDCompositionSignalGpuFence) owned by win32k.sys
Entry 0x13dd: 0x8d8acc7d (NtDCompositionCreateAndBindSharedSection) owned by win32k.sys
Entry 0x13de: 0x8d81c09f (NtDCompositionSetDebugCounter) owned by win32k.sys
Entry 0x13df: 0x8da9606f (NtDCompositionGetChannels) owned by win32k.sys
Entry 0x13e0: 0x8da95f25 (NtDCompositionConnectPipe) owned by win32k.sys
Entry 0x13e1: 0x8d9ce125 (NtDCompositionRegisterThumbnailVisual) owned by win32k.sys
Entry 0x13e2: 0x8da95f34 (NtDCompositionDuplicateHandleToProcess) owned by win32k.sys
Entry 0x13e3: 0x8d8b6e94 (NtUserDestroyDCompositionHwndTarget) owned by win32k.sys
Entry 0x13e4: 0x8d8a576d (NtUserCreateDCompositionHwndTarget) owned by win32k.sys
Entry 0x13e5: 0x8da55734 (NtUserWaitForRedirectionStartComplete) owned by win32k.sys
Entry 0x13e6: 0x8d9a6a1a (NtUserSignalRedirectionStartComplete) owned by win32k.sys
Entry 0x13e7: 0x8d8b3efd (NtUserSetActiveProcess) owned by win32k.sys
Entry 0x13e8: 0x8d9d4482 (NtUserGetDisplayAutoRotationPreferencesByProcessId) owned by win32k.sys
Entry 0x13e9: 0x8d84a20d (NtUserGetDisplayAutoRotationPreferences) owned by win32k.sys
Entry 0x13ea: 0x8d84a8e2 (NtUserSetDisplayAutoRotationPreferences) owned by win32k.sys
Entry 0x13eb: 0x8d85af4a (NtUserSetAutoRotation) owned by win32k.sys
Entry 0x13ec: 0x8d85ca55 (NtUserGetAutoRotationState) owned by win32k.sys
Entry 0x13ed: 0x8d85ad5b (NtUserAutoRotateScreen) owned by win32k.sys
Entry 0x13ee: 0x8d8a7ddd (NtUserAcquireIAMKey) owned by win32k.sys
Entry 0x13ef: 0x8d8a7263 (NtUserSetActivationFilter) owned by win32k.sys
Entry 0x13f0: 0x8d85a0c7 (NtUserSetFallbackForeground) owned by win32k.sys
Entry 0x13f1: 0x8d8a798a (NtUserSetBrokeredForeground) owned by win32k.sys
Entry 0x13f2: 0x8d84c808 (NtUserDisableImmersiveOwner) owned by win32k.sys
Entry 0x13f3: 0x8da4f903 (NtUserClearForeground) owned by win32k.sys
Entry 0x13f4: 0x8d8ade82 (NtUserEnableIAMAccess) owned by win32k.sys
Entry 0x13f5: 0x8d968fa1 (NtUserGetProcessUIContextInformation) owned by win32k.sys
Entry 0x13f6: 0x8da54a9d (NtUserSetProcessRestrictionExemption) owned by win32k.sys
Entry 0x13f7: 0x8d85b687 (NtUserEnableMouseInPointer) owned by win32k.sys
Entry 0x13f8: 0x8da5268e (NtUserIsMouseInPointerEnabled) owned by win32k.sys
Entry 0x13f9: 0x8da53678 (NtUserPromoteMouseInPointer) owned by win32k.sys
Entry 0x13fa: 0x8d827945 (NtUserAutoPromoteMouseInPointer) owned by win32k.sys
Entry 0x13fb: 0x8d8aeeb0 (NtUserEnableMouseInputForCursorSuppression) owned by win32k.sys
Entry 0x13fc: 0x8da526bc (NtUserIsMouseInputEnabled) owned by win32k.sys
Entry 0x13fd: 0x8d85c90e (NtUserInternalClipCursor) owned by win32k.sys
Entry 0x13fe: 0x8da4f7d4 (NtUserCheckProcessForClipboardAccess) owned by win32k.sys
Entry 0x13ff: 0x8da50a0c (NtUserGetClipboardAccessToken) owned by win32k.sys
Entry 0x1400: 0x8d81c203 (NtUserGetQueueEventStatus) owned by win32k.sys
Entry 0x1401: 0x8da4f952 (NtUserCompositionInputSinkLuidFromPoint) owned by win32k.sys
Entry 0x1402: 0x8d9d1f89 (NtUserUpdateWindowInputSinkHints) owned by win32k.sys
Entry 0x1403: 0x8d84a6eb (NtUserTransformPoint) owned by win32k.sys
Entry 0x1404: 0x8d851ca8 (NtUserTransformRect) owned by win32k.sys
Entry 0x1405: 0x8da50ee9 (NtUserGetHimetricScaleFactorFromPixelLocation) owned by win32k.sys
Entry 0x1406: 0x8d85cc8b (NtUserGetProcessDpiAwareness) owned by win32k.sys
Entry 0x1407: 0x8d89dfb8 (NtUserGetDpiForMonitor) owned by win32k.sys
Entry 0x1408: 0x8d86819e (NtUserReportInertia) owned by win32k.sys
Entry 0x1409: 0x8da526f0 (NtUserLinkDpiCursor) owned by win32k.sys
Entry 0x140a: 0x8d8492be (NtUserGetCursorDims) owned by win32k.sys
Entry 0x140b: 0x8d9d47a8 (NtUserGetOwnerTransformedMonitorRect) owned by win32k.sys
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment