System/Kernel
*evil-winrm* ps c:\Users\s.smith\Documents> systeminfo
program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
at line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ categoryinfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ fullyqualifiederrorid : NativeCommandFailed
*evil-winrm* ps c:\Users\s.smith\Documents> Get-ComputerInfo
An error -2147024882 was encountered while subscribing to a Group Policy change notification.
at line:1 char:1
+ Get-ComputerInfo
+ ~~~~~~~~~~~~~~~~
+ categoryinfo : NotSpecified: (:) [Get-ComputerInfo], CimException
+ fullyqualifiederrorid : Microsoft.Management.Infrastructure.CimException,Microsoft.PowerShell.Commands.GetComputerInfoCommand
Networks
*Evil-WinRM* PS C:\Users\s.smith\Documents> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : CASC-DC1
Primary Dns Suffix . . . . . . . : cascade.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : cascade.local
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
Physical Address. . . . . . . . . : 00-50-56-B9-67-55
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::e8dc:7157:1983:a2bd(Preferred)
Link-local IPv6 Address . . . . . : fe80::e8dc:7157:1983:a2bd%15(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.10.182(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%15
10.10.10.2
DNS Servers . . . . . . . . . . . : 1.1.1.1
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{603B363A-A965-4463-A4D0-A8850F844E1E}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
*Evil-WinRM* PS C:\Users\s.smith\Documents> arp -a
Interface: 10.10.10.182 --- 0xf
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-f3-30 dynamic
10.10.10.175 00-50-56-b9-b9-81 dynamic
10.10.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
*Evil-WinRM* PS C:\Users\s.smith\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 784
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 784
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:5722 0.0.0.0:0 LISTENING 1364
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1304
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 416
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 868
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:49165 0.0.0.0:0 LISTENING 516
TCP 0.0.0.0:49170 0.0.0.0:0 LISTENING 1440
TCP 10.10.10.182:53 0.0.0.0:0 LISTENING 1440
TCP 10.10.10.182:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 1440
TCP [::]:88 [::]:0 LISTENING 532
TCP [::]:135 [::]:0 LISTENING 784
TCP [::]:389 [::]:0 LISTENING 532
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 532
TCP [::]:593 [::]:0 LISTENING 784
TCP [::]:636 [::]:0 LISTENING 532
TCP [::]:3268 [::]:0 LISTENING 532
TCP [::]:3269 [::]:0 LISTENING 532
TCP [::]:5722 [::]:0 LISTENING 1364
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 1304
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 416
TCP [::]:49153 [::]:0 LISTENING 868
TCP [::]:49154 [::]:0 LISTENING 924
TCP [::]:49155 [::]:0 LISTENING 532
TCP [::]:49157 [::]:0 LISTENING 532
TCP [::]:49158 [::]:0 LISTENING 532
TCP [::]:49165 [::]:0 LISTENING 516
TCP [::]:49170 [::]:0 LISTENING 1440
TCP [::1]:53 [::]:0 LISTENING 1440
TCP [dead:beef::e8dc:7157:1983:a2bd]:53 [::]:0 LISTENING 1440
TCP [fe80::e8dc:7157:1983:a2bd%15]:53 [::]:0 LISTENING 1440
0.0.0.0:5722; (PID 1364)
Users & Groups
*evil-winrm* ps c:\Users\s.smith\Documents> net users
User accounts for \\
-------------------------------------------------------------------------------
a.turnbull administrator arksvc
b.hanson BackupSvc CascGuest
d.burman e.crowe i.croft
j.allen j.goodhand j.wakefield
krbtgt r.thompson s.hickson
s.smith util
The command completed with one or more errors.
*evil-winrm* ps c:\Users\s.smith\Documents> net localgroup
net.exe : System error 1312 has occurred.
+ categoryinfo : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
+ fullyqualifiederrorid : NativeCommandError
A specified logon session does not exist. It may already have been terminated.
*evil-winrm* ps c:\Users\s.smith\Documents> net groups
Group Accounts for \\
-------------------------------------------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Processes
*Evil-WinRM* PS C:\Users\s.smith\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
33 5 1016 3140 0.02 2808 0 conhost
502 11 1984 4540 328 0 csrss
72 8 8688 7560 428 1 csrss
295 30 14848 20976 1364 0 dfsrs
129 15 2912 7196 1672 0 dfssvc
202 16 4268 11724 2128 0 dllhost
160 25 7384 8740 1440 0 dns
0 0 0 24 0 0 Idle
103 14 3356 5840 1512 0 ismserv
166 23 9120 16452 860 1 LogonUI
1661 237 35648 35700 532 0 lsass
143 7 2432 4276 540 0 lsm
257 40 51016 46928 1304 0 Microsoft.ActiveDirectory.WebServices
151 18 3416 8444 2268 0 msdtc
251 15 6152 11588 516 0 services
30 1 452 1260 244 0 smss
297 22 7096 13460 1272 0 spoolsv
172 9 3296 9656 2956 0 sppsvc
456 35 12468 18764 272 0 svchost
361 14 3944 10400 700 0 svchost
228 19 3664 8532 784 0 svchost
299 16 9788 13152 868 0 svchost
867 40 18308 33320 924 0 svchost
617 28 7212 14744 968 0 svchost
296 33 10504 13636 992 0 svchost
74 7 1632 5272 1012 0 svchost
146 12 4268 7748 1392 0 svchost
49 4 1052 3480 1600 0 svchost
516 0 128 304 4 0 System
142 16 2632 8940 2020 0 vds
295 21 8068 16208 1624 0 vmtoolsd
80 10 1516 4716 416 0 wininit
78 6 1492 4616 480 1 winlogon
777 29 54920 71892 1.20 348 0 wsmprovhost
spoolsv
Tasks
*evil-winrm* ps c:\Users\s.smith\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
The term 'Get-ScheduledTask' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
at line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ categoryinfo : ObjectNotFound: (Get-ScheduledTask:String) [], CommandNotFoundException
+ fullyqualifiederrorid : CommandNotFoundException
*evil-winrm* ps c:\Users\s.smith\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management Disabled
AD RMS Rights Policy Template Management N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
consolidator 6/26/2023 12:00:00 PM Could not start
kernelceiptask 6/29/2023 3:30:00 AM Ready
usbceip 6/27/2023 1:30:00 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
serverceipassistant 6/27/2023 4:14:19 PM Could not start
serverroleusagecollector 6/26/2023 8:45:41 PM Could not start
TaskName Next Run Time Status
======================================== ====================== ===============
scheduleddefrag 6/28/2023 2:22:32 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CorruptionDetector N/A Ready
DecompressionFailureDetector N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Server Manager Performance Monitor Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
analyzesystem 6/27/2023 12:05:11 PM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ractask 6/26/2023 9:03:57 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CleanupOldPerfLogs N/A Ready
ServerManager N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Collection Disabled
Configuration N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
IpAddressConflict1 N/A Ready
IpAddressConflict2 N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
synchronizetime 7/2/2023 1:00:00 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Ready
Firewall & AV
*Evil-WinRM* PS C:\Users\s.smith\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
593 TCP Disable Inbound Block RPC HTTP EMAP
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
593 TCP Disable Inbound Block RPC HTTP EMAP
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
Firewall is partially enabled; (593 Block Inbound RPC HTTP EMAP)
*Evil-WinRM* PS C:\Users\s.smith\Documents> Get-MpComputerStatus
The term 'Get-MpComputerStatus' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MpComputerStatus:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\s.smith\Documents> Get-MpPreference | Select-Object -Property ExclusionPath
The term 'Get-MpPreference' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-MpPreference | Select-Object -Property ExclusionPath
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MpPreference:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Session Architecture
*evil-winrm* ps c:\Users\s.smith\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\s.smith\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is CF98-2F06
Directory of C:\Windows\Microsoft.NET\Framework
01/27/2020 12:48 AM <DIR> .
01/27/2020 12:48 AM <DIR> ..
01/27/2020 12:47 AM <DIR> v1.0.3705
07/14/2009 04:20 AM <DIR> v1.1.4322
01/27/2020 12:48 AM <DIR> v2.0.50727
01/09/2020 04:28 PM <DIR> v3.0
01/27/2020 12:47 AM <DIR> v3.5
11/08/2021 04:55 PM <DIR> v4.0.30319
0 File(s) 0 bytes
8 Dir(s) 6,646,943,744 bytes free
*Evil-WinRM* PS C:\Users\s.smith\Documents> cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
*Evil-WinRM* PS C:\Users\s.smith\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
WMIInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
HttpNamespaceReservationInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727
Install REG_DWORD 0x1
Version REG_SZ 2.0.50727.5420
Increment REG_SZ 5420
SP REG_DWORD 0x2
CBS REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1028
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1029
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1030
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1031
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1032
OCM REG_DWORD 0x1
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1033
Version REG_SZ 2.0.50727.5420
CBS REG_DWORD 0x1
Increment REG_SZ 5420
SP REG_DWORD 0x2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1035
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1036
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1038
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1040
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1041
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1042
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1043
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1044
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1045
OCM REG_DWORD 0x1
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1046
OCM REG_DWORD 0x1
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1049
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1053
OCM REG_DWORD 0x1
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1055
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\2052
OCM REG_DWORD 0x1
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\2070
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\3076
OCM REG_DWORD 0x1
MSI REG_DWORD 0x1
Install REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\3082
OCM REG_DWORD 0x1
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0
Version REG_SZ 3.0.30729.5420
CBS REG_DWORD 0x1
Increment REG_SZ 5420
Install REG_DWORD 0x1
SP REG_DWORD 0x2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Servicing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Servicing\Windows Workflow Foundation
SPIndex REG_DWORD 0x0
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
SP REG_DWORD 0x2
SPName REG_SZ SP2
Hotfix REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup
Version REG_SZ 3.0.30729.5420
InstallSuccess REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\1033
Version REG_SZ 3.0.30729.5420
CBS REG_DWORD 0x1
Increment REG_SZ 5420
InstallSuccess REG_DWORD 0x1
Install REG_DWORD 0x1
SP REG_DWORD 0x2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Communication Foundation
Version REG_SZ 3.0.4506.5420
RuntimeInstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\
InstallSuccess REG_DWORD 0x1
ReferenceInstallPath REG_SZ C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Presentation Foundation
(Default) REG_SZ WPF v3.0.6920.5011
Version REG_SZ 3.0.6920.5011
WPFCommonAssembliesPathx64 REG_SZ C:\Windows\System32\
InstallRoot REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\
InstallSuccess REG_DWORD 0x1
WPFReferenceAssembliesPathx64 REG_SZ C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
ProductVersion REG_SZ 3.0.6920.5011
WPFNonReferenceAssembliesPathx64 REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Workflow Foundation
(Default) REG_SZ Windows Workflow Foundation
InstallDir REG_SZ C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
MajorBuildNum REG_SZ 4203
FileVersion REG_SZ 3.0.4203.5420
InstallSuccess REG_DWORD 0x1
ProductVersion REG_SZ 3.0.0.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5
Version REG_SZ 3.5.30729.5420
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.5\
SP REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5\1033
Version REG_SZ 3.5.30729.5420
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
SP REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
Version REG_SZ 4.5.51209
TargetVersion REG_SZ 4.0.0
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
Servicing REG_DWORD 0x0
Release REG_DWORD 0x5cbf5
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
Version REG_SZ 4.5.51209
TargetVersion REG_SZ 4.0.0
Install REG_DWORD 0x1
Servicing REG_DWORD 0x0
Release REG_DWORD 0x5cbf5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
Version REG_SZ 4.5.51209
TargetVersion REG_SZ 4.0.0
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
Servicing REG_DWORD 0x0
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x5cbf5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
Version REG_SZ 4.5.51209
TargetVersion REG_SZ 4.0.0
Install REG_DWORD 0x1
Servicing REG_DWORD 0x0
Release REG_DWORD 0x5cbf5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Version REG_SZ 4.0.0.0
Install REG_DWORD 0x1
.NET 4.5.51209