System/Kernel
PS C:\Program Files (x86)\H2\service> cmd /c ver
Microsoft Windows [Version 10.0.18363.836]
PS C:\Program Files (x86)\H2\service> systeminfo ; Get-ComputerInfo
Host Name: JACKO
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.18363 N/A Build 18363
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: tony
Registered Organization:
Product ID: 00331-10000-00001-AA266
Original Install Date: 4/22/2020, 4:11:40 AM
System Boot Time: 8/2/2024, 12:57:26 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
BIOS Version: VMware, Inc. VMW71.00V.21100432.B64.2301110304, 1/11/2023
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 56 MB
Virtual Memory: Max Size: 4,067 MB
Virtual Memory: Available: 1,578 MB
Virtual Memory: In Use: 2,489 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 9 Hotfix(s) Installed.
[01]: KB4552931
[02]: KB4497165
[03]: KB4513661
[04]: KB4516115
[05]: KB4517245
[06]: KB4521863
[07]: KB4537759
[08]: KB4552152
[09]: KB4556799
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 192.168.236.66
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
WindowsBuildLabEx : 18362.1.amd64fre.19h1_release.190318-1202
WindowsCurrentVersion : 6.3
WindowsEditionId : Enterprise
WindowsInstallationType : Client
WindowsInstallDateFromRegistry : 1/1/1970 12:00:00 AM
WindowsProductId :
WindowsProductName : Windows 10 Enterprise
WindowsRegisteredOrganization :
WindowsRegisteredOwner : tony
WindowsSystemRoot : C:\Windows
WindowsVersion : 1909
BiosCharacteristics : {4, 7, 9, 11...}
BiosBIOSVersion : {INTEL - 6040000, VMW71.00V.21100432.B64.2301110304,
VMware, Inc. - 10000}
BiosBuildNumber :
BiosCaption : VMW71.00V.21100432.B64.2301110304
BiosCodeSet :
BiosCurrentLanguage :
BiosDescription : VMW71.00V.21100432.B64.2301110304
BiosEmbeddedControllerMajorVersion : 255
BiosEmbeddedControllerMinorVersion : 255
BiosFirmwareType : Uefi
BiosIdentificationCode :
BiosInstallableLanguages :
BiosInstallDate :
BiosLanguageEdition :
BiosListOfLanguages :
BiosManufacturer : VMware, Inc.
BiosName : VMW71.00V.21100432.B64.2301110304
BiosOtherTargetOS :
BiosPrimaryBIOS : True
BiosReleaseDate : 1/10/2023 4:00:00 PM
BiosSeralNumber : VMware-42 1e 9f b2 b3 0d 33 5d-b1 20 ba ac 93 d7 99 d6
BiosSMBIOSBIOSVersion : VMW71.00V.21100432.B64.2301110304
BiosSMBIOSMajorVersion : 2
BiosSMBIOSMinorVersion : 7
BiosSMBIOSPresent : True
BiosSoftwareElementState : Running
BiosStatus : OK
BiosSystemBiosMajorVersion : 255
BiosSystemBiosMinorVersion : 255
BiosTargetOperatingSystem : 0
BiosVersion : INTEL - 6040000
CsAdminPasswordStatus : Enabled
CsAutomaticManagedPagefile : True
CsAutomaticResetBootOption : True
CsAutomaticResetCapability : True
CsBootOptionOnLimit : DoNotReboot
CsBootOptionOnWatchDog : DoNotReboot
CsBootROMSupported : True
CsBootStatus : {0, 0, 0, 33...}
CsBootupState : Normal boot
CsCaption : JACKO
CsChassisBootupState : Safe
CsChassisSKUNumber :
CsCurrentTimeZone : -420
CsDaylightInEffect : True
CsDescription : AT/AT COMPATIBLE
CsDNSHostName : jacko
CsDomain : WORKGROUP
CsDomainRole : StandaloneWorkstation
CsEnableDaylightSavingsTime : True
CsFrontPanelResetStatus : Unknown
CsHypervisorPresent : True
CsInfraredSupported : False
CsInitialLoadInfo :
CsInstallDate :
CsKeyboardPasswordStatus : Unknown
CsLastLoadInfo :
CsManufacturer : VMware, Inc.
CsModel : VMware7,1
CsName : JACKO
CsNetworkAdapters : {Ethernet0}
CsNetworkServerModeEnabled : True
CsNumberOfLogicalProcessors : 1
CsNumberOfProcessors : 1
CsProcessors : {AMD EPYC 7413 24-Core Processor }
CsOEMStringArray : {[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],
Welcome to the Virtual Machine}
CsPartOfDomain : False
CsPauseAfterReset : 3932100000
CsPCSystemType : Desktop
CsPCSystemTypeEx : Desktop
CsPowerManagementCapabilities :
CsPowerManagementSupported :
CsPowerOnPasswordStatus : Disabled
CsPowerState : Unknown
CsPowerSupplyState : Safe
CsPrimaryOwnerContact :
CsPrimaryOwnerName : tony
CsResetCapability : Other
CsResetCount : -1
CsResetLimit : -1
CsRoles : {LM_Workstation, LM_Server, NT}
CsStatus : OK
CsSupportContactDescription :
CsSystemFamily :
CsSystemSKUNumber :
CsSystemType : x64-based PC
CsThermalState : Safe
CsTotalPhysicalMemory : 2146459648
CsPhyicallyInstalledMemory : 2097152
CsUserName :
CsWakeUpType : PowerSwitch
CsWorkgroup : WORKGROUP
OsName : Microsoft Windows 10 Pro
OsType : WINNT
OsOperatingSystemSKU : 48
OsVersion : 10.0.18363
OsCSDVersion :
OsBuildNumber : 18363
OsHotFixes : {KB4552931, KB4497165, KB4513661, KB4516115...}
OsBootDevice : \Device\HarddiskVolume2
OsSystemDevice : \Device\HarddiskVolume4
OsSystemDirectory : C:\Windows\system32
OsSystemDrive : C:
OsWindowsDirectory : C:\Windows
OsCountryCode : 1
OsCurrentTimeZone : -420
OsLocaleID : 0409
OsLocale : en-US
OsLocalDateTime : 3/22/2025 3:28:16 PM
OsLastBootUpTime : 8/2/2024 12:57:26 PM
OsUptime : 232.02:30:22.3301287
OsBuildType : Multiprocessor Free
OsCodeSet : 1252
OsDataExecutionPreventionAvailable : True
OsDataExecutionPrevention32BitApplications : True
OsDataExecutionPreventionDrivers : True
OsDataExecutionPreventionSupportPolicy : OptIn
OsDebug : False
OsDistributed : False
OsEncryptionLevel : 256
OsForegroundApplicationBoost : Maximum
OsTotalVisibleMemorySize : 2096152
OsFreePhysicalMemory : 52712
OsTotalVirtualMemorySize : 4165048
OsFreeVirtualMemory : 1594052
OsInUseVirtualMemory : 2570996
OsTotalSwapSpaceSize :
OsSizeStoredInPagingFiles : 2068896
OsFreeSpaceInPagingFiles : 1981424
OsPagingFiles : {C:\pagefile.sys}
OsHardwareAbstractionLayer : 10.0.18362.752
OsInstallDate : 4/22/2020 4:11:40 AM
OsManufacturer : Microsoft Corporation
OsMaxNumberOfProcesses : 4294967295
OsMaxProcessMemorySize : 137438953344
OsMuiLanguages : {en-US}
OsNumberOfLicensedUsers :
OsNumberOfProcesses : 57
OsNumberOfUsers : 5
OsOrganization :
OsArchitecture : 64-bit
OsLanguage : en-US
OsProductSuites : {TerminalServicesSingleSession}
OsOtherTypeDescription :
OsPAEEnabled :
OsPortableOperatingSystem : False
OsPrimary : True
OsProductType : WorkStation
OsRegisteredUser : tony
OsSerialNumber : 00331-10000-00001-AA266
OsServicePackMajorVersion : 0
OsServicePackMinorVersion : 0
OsStatus : OK
OsSuites : {TerminalServices, TerminalServicesSingleSession}
OsServerLevel :
KeyboardLayout : en-US
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
LogonServer :
PowerPlatformRole : Desktop
HyperVisorPresent : True
HyperVRequirementDataExecutionPreventionAvailable :
HyperVRequirementSecondLevelAddressTranslation :
HyperVRequirementVirtualizationFirmwareEnabled :
HyperVRequirementVMMonitorModeExtensions :
DeviceGuardSmartStatus : Off
DeviceGuardRequiredSecurityProperties :
DeviceGuardAvailableSecurityProperties :
DeviceGuardSecurityServicesConfigured :
DeviceGuardSecurityServicesRunning :
DeviceGuardCodeIntegrityPolicyEnforcementStatus :
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus :
Networks
PS C:\Program Files (x86)\H2\service> ipconfig /all ; arp -a ; print route
Windows IP Configuration
Host Name . . . . . . . . . . . . : jacko
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-9E-B7-7D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.236.66(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.236.254
DNS Servers . . . . . . . . . . . : 192.168.236.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Interface: 192.168.236.66 --- 0xa
Internet Address Physical Address Type
192.168.236.254 00-50-56-9e-fc-4d dynamic
192.168.236.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Unable to initialize device PRN
PS C:\Program Files (x86)\H2\service> netstat -ano | Select-String LIST
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 792
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 348
TCP 0.0.0.0:8082 0.0.0.0:0 LISTENING 2100
TCP 0.0.0.0:9092 0.0.0.0:0 LISTENING 2100
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 568
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 468
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 276
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 932
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 1628
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 560
TCP 127.0.0.1:32000 0.0.0.0:0 LISTENING 1940
TCP 192.168.236.66:139 0.0.0.0:0 LISTENING 4
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 792
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:8082 [::]:0 LISTENING 2100
TCP [::]:9092 [::]:0 LISTENING 2100
TCP [::]:49664 [::]:0 LISTENING 568
TCP [::]:49665 [::]:0 LISTENING 468
TCP [::]:49666 [::]:0 LISTENING 276
TCP [::]:49667 [::]:0 LISTENING 932
TCP [::]:49668 [::]:0 LISTENING 1628
TCP [::]:49669 [::]:0 LISTENING 560
127.0.0.1:32000
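The listener list above carries only PIDs, and the routing table never printed because "print route" is a typo for "route print" (print.exe tried to send a file named "route" to the PRN device, hence "Unable to initialize device PRN"). The following is an added example, not part of the original enumeration output: it joins each LISTENING socket to its process name and, for svchost.exe hosts, to the service names inside that PID, flags loopback-only listeners such as 127.0.0.1:32000, and then dumps the routing table with the intended command.

```powershell
# Added example, not part of the original enumeration output.
# Maps LISTENING TCP sockets to their owning process and hosted services.
function Get-ListenerMap {
    # Service names grouped by hosting process ID (several services share one svchost).
    $svcByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.ProcessId -eq 0) { continue }
        $id = [int]$svc.ProcessId
        if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
        $svcByPid[$id] += $svc.Name
    }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $id   = [int]$_.OwningProcess
            $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $id
                Process      = if ($proc) { $proc.ProcessName } else { '?' }
                Services     = if ($svcByPid.ContainsKey($id)) { $svcByPid[$id] -join ',' } else { '' }
                # Bound to the host only: reachable via a port forward, not from the network scan.
                LoopbackOnly = ($_.LocalAddress -eq '127.0.0.1' -or $_.LocalAddress -eq '::1')
            }
        }
}

Get-ListenerMap | Format-Table -AutoSize
# The routing table the transcript meant to collect ("route print", not "print route").
route print
```

Ports 8082 and 9092 above resolve through this map to PID 2100 (java.exe), the process started by the H2DatabaseService wrapper; 32000 resolves to PID 1940 (wrapper.exe) and is bound to 127.0.0.1 only.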
Users & Groups
PS C:\Program Files (x86)\H2\service> net users ; ls C:\Users
User accounts for \\JACKO
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
tony WDAGUtilityAccount
The command completed successfully.
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/2/2024 12:59 PM Administrator
d-r--- 4/22/2020 4:22 AM Public
d----- 8/2/2024 12:57 PM tony
PS C:\Program Files (x86)\H2\service> net localgroup ; net group /DOMAIN
Aliases for \\JACKO
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.
The request will be processed at a domain controller for domain WORKGROUP.
System error 1355 has occurred.
The specified domain either does not exist or could not be contacted.
Processes
PS C:\Program Files (x86)\H2\service> cmd /c tasklist /svc ; ps
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 68 N/A
smss.exe 300 N/A
csrss.exe 400 N/A
wininit.exe 468 N/A
csrss.exe 476 N/A
winlogon.exe 536 N/A
services.exe 560 N/A
lsass.exe 568 KeyIso, SamSs
svchost.exe 680 BrokerInfrastructure, DcomLaunch, LSM,
PlugPlay, Power, SystemEventsBroker
fontdrvhost.exe 688 N/A
fontdrvhost.exe 696 N/A
svchost.exe 792 RpcEptMapper, RpcSs
dwm.exe 876 N/A
svchost.exe 932 BITS, DsmSvc, IKEEXT, iphlpsvc,
LanmanServer, ProfSvc, Schedule, SENS,
ShellHWDetection, Themes, UserManager,
UsoSvc, Winmgmt, WpnService
svchost.exe 948 CoreMessagingRegistrar, DPS
svchost.exe 1008 AudioEndpointBuilder, DsSvc, NcbService,
Netman, PcaSvc, StorSvc, SysMain, TrkWks
svchost.exe 276 Dhcp, EventLog, lmhosts, TimeBrokerSvc
svchost.exe 348 CDPSvc, DispBrokerDesktopSvc, EventSystem,
FontCache, netprofm, nsi, SstpSvc,
WdiServiceHost
svchost.exe 856 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
Memory Compression 1216 N/A
svchost.exe 1324 Audiosrv
svchost.exe 1400 DusmSvc
svchost.exe 1408 Wcmsvc
svchost.exe 1504 BFE, mpssvc
svchost.exe 1628 PolicyAgent
svchost.exe 1704 AppHostSvc
svchost.exe 1716 DiagTrack
FJTWSVIC.exe 1744 FJTWSVIC
VGAuthService.exe 1856 VGAuthService
vmtoolsd.exe 1872 VMTools
wrapper.exe 1940 H2DatabaseService
svchost.exe 1952 W3SVC, WAS
svchost.exe 1424 RasMan
java.exe 2100 N/A
conhost.exe 2128 N/A
dllhost.exe 2504 COMSysApp
LogonUI.exe 2804 N/A
msdtc.exe 2936 MSDTC
WmiPrvSE.exe 1772 N/A
svchost.exe 3232 N/A
SgrmBroker.exe 3708 SgrmBroker
svchost.exe 3804 wscsvc
svchost.exe 3876 StateRepository
SearchIndexer.exe 4080 WSearch
svchost.exe 3492 InstallService
svchost.exe 3044 W32Time
svchost.exe 3024 WbioSrvc
shell.exe 2224 N/A
nc.exe 1880 N/A
conhost.exe 2060 N/A
cmd.exe 360 N/A
powershell.exe 2056 N/A
cmd.exe 664 N/A
tasklist.exe 924 N/A
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
104 6 2732 16 0.05 360 0 cmd
120 7 6148 816 0.02 2060 0 conhost
132 8 6280 16 0.02 2128 0 conhost
401 14 1528 1128 400 0 csrss
167 10 1456 72 476 1 csrss
255 14 3824 504 2504 0 dllhost
654 23 17852 7676 876 1 dwm
101 8 1080 188 1744 0 FJTWSVIC
32 5 1460 0 688 1 fontdrvhost
32 5 1360 0 696 0 fontdrvhost
0 0 60 8 0 0 Idle
444 28 147964 50732 11.75 2100 0 java
596 33 15156 11936 2804 1 LogonUI
901 21 4524 3812 568 0 lsass
0 0 464 41272 1216 0 Memory Compression
221 13 3020 0 2936 0 msdtc
143 9 1220 388 0.03 1880 0 nc
589 39 45048 33680 2.00 2056 0 powershell
0 12 2172 11168 68 0 Registry
684 35 16436 1792 4080 0 SearchIndexer
333 10 3336 2744 560 0 services
89 6 2580 2980 3708 0 SgrmBroker
79 7 1600328 1596900 4,408.53 2224 0 shell
53 3 1164 0 300 0 smss
493 17 11280 4272 276 0 svchost
861 34 9400 3824 348 0 svchost
616 18 6376 3848 680 0 svchost
635 16 3804 4384 792 0 svchost
1086 1399 52248 3272 856 0 svchost
1692 61 28456 15996 932 0 svchost
348 18 14252 6744 948 0 svchost
602 32 53540 25856 1008 0 svchost
191 10 1812 1148 1324 0 svchost
126 9 1516 448 1400 0 svchost
355 13 2212 236 1408 0 svchost
378 23 3268 1224 1424 0 svchost
411 32 7888 4112 1504 0 svchost
166 12 1660 1044 1628 0 svchost
173 11 3920 1236 1704 0 svchost
484 24 13816 3916 1716 0 svchost
227 14 4388 772 1952 0 svchost
207 12 2548 1344 3024 0 svchost
206 12 1724 496 3044 0 svchost
216 14 2016 1344 3232 0 svchost
233 14 3860 1784 3492 0 svchost
216 12 2316 2124 3804 0 svchost
151 9 3896 1316 3876 0 svchost
1337 0 196 104 4 0 System
173 12 3168 0 1856 0 VGAuthService
400 22 9772 6792 1872 0 vmtoolsd
156 11 1320 0 468 0 wininit
239 12 2636 0 536 1 winlogon
387 17 9712 9344 1772 0 WmiPrvSE
141 10 1496 548 0.03 1940 0 wrapper
FJTWSVIC.exe
Tasks
PS C:\Program Files (x86)\H2\service> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
TaskName TaskPath State
-------- -------- -----
OneDrive Standalone Update Task-S-1-5-21-3761179474-3535027177-3462755717-1001 \ Ready
Services
PS C:\Program Files (x86)\H2\service> wmic service where "State='Running'" get Name,PathName,StartName | Out-String -Stream | Where-Object { $_ -match 'S' -and $_ -notmatch 'C:\Windows\System32' } | Select-Object -First 100
Name PathName StartName
AppHostSvc C:\Windows\system32\svchost.exe -k apphost localSystem
AudioEndpointBuilder C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
Audiosrv C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p NT AUTHORITY\LocalService
BFE C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p NT AUTHORITY\LocalService
BITS C:\Windows\System32\svchost.exe -k netsvcs -p LocalSystem
BrokerInfrastructure C:\Windows\system32\svchost.exe -k DcomLaunch -p LocalSystem
CDPSvc C:\Windows\system32\svchost.exe -k LocalService -p NT AUTHORITY\LocalService
COMSysApp C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} LocalSystem
CoreMessagingRegistrar C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p NT AUTHORITY\LocalService
CryptSvc C:\Windows\system32\svchost.exe -k NetworkService -p NT Authority\NetworkService
DcomLaunch C:\Windows\system32\svchost.exe -k DcomLaunch -p LocalSystem
Dhcp C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p NT Authority\LocalService
DiagTrack C:\Windows\System32\svchost.exe -k utcsvc -p LocalSystem
DispBrokerDesktopSvc C:\Windows\system32\svchost.exe -k LocalService -p NT AUTHORITY\LocalService
Dnscache C:\Windows\system32\svchost.exe -k NetworkService -p NT AUTHORITY\NetworkService
DPS C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p NT AUTHORITY\LocalService
DsmSvc C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
DsSvc C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
DusmSvc C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p NT Authority\LocalService
EventLog C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p NT AUTHORITY\LocalService
EventSystem C:\Windows\system32\svchost.exe -k LocalService -p NT AUTHORITY\LocalService
FJTWSVIC C:\Windows\twain_32\Fjicube\FJTWSVIC.exe LocalSystem
FontCache C:\Windows\system32\svchost.exe -k LocalService -p NT AUTHORITY\LocalService
H2DatabaseService "C:\Program Files (x86)\H2\service\wrapper.exe" -s "C:\Program Files (x86)\H2\service\wrapper.conf" .\tony
IKEEXT C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
InstallService C:\Windows\System32\svchost.exe -k netsvcs -p LocalSystem
iphlpsvc C:\Windows\System32\svchost.exe -k NetSvcs -p LocalSystem
KeyIso C:\Windows\system32\lsass.exe LocalSystem
LanmanServer C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
LanmanWorkstation C:\Windows\System32\svchost.exe -k NetworkService -p NT AUTHORITY\NetworkService
lmhosts C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p NT AUTHORITY\LocalService
LSM
mpssvc C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p NT Authority\LocalService
MSDTC C:\Windows\System32\msdtc.exe NT AUTHORITY\NetworkService
NcbService C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
Netman C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
netprofm C:\Windows\System32\svchost.exe -k LocalService -p NT AUTHORITY\LocalService
NlaSvc C:\Windows\System32\svchost.exe -k NetworkService -p NT AUTHORITY\NetworkService
nsi C:\Windows\system32\svchost.exe -k LocalService -p NT Authority\LocalService
PcaSvc C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
PlugPlay C:\Windows\system32\svchost.exe -k DcomLaunch -p LocalSystem
PolicyAgent C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p NT Authority\NetworkService
Power C:\Windows\system32\svchost.exe -k DcomLaunch -p LocalSystem
ProfSvc C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
RasMan C:\Windows\System32\svchost.exe -k netsvcs localSystem
RpcEptMapper C:\Windows\system32\svchost.exe -k RPCSS -p NT AUTHORITY\NetworkService
RpcSs C:\Windows\system32\svchost.exe -k rpcss -p NT AUTHORITY\NetworkService
SamSs C:\Windows\system32\lsass.exe LocalSystem
Schedule C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
SENS C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
SgrmBroker C:\Windows\system32\SgrmBroker.exe LocalSystem
ShellHWDetection C:\Windows\System32\svchost.exe -k netsvcs -p LocalSystem
SstpSvc C:\Windows\system32\svchost.exe -k LocalService -p NT Authority\LocalService
StateRepository C:\Windows\system32\svchost.exe -k appmodel -p LocalSystem
StorSvc C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
SysMain C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
SystemEventsBroker C:\Windows\system32\svchost.exe -k DcomLaunch -p LocalSystem
Themes C:\Windows\System32\svchost.exe -k netsvcs -p LocalSystem
TimeBrokerSvc C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p NT AUTHORITY\LocalService
TrkWks C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p LocalSystem
UserManager C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
UsoSvc C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
VGAuthService "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" LocalSystem
VMTools "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" LocalSystem
W32Time C:\Windows\system32\svchost.exe -k LocalService NT AUTHORITY\LocalService
W3SVC C:\Windows\system32\svchost.exe -k iissvcs localSystem
WAS C:\Windows\system32\svchost.exe -k iissvcs localSystem
WbioSrvc C:\Windows\system32\svchost.exe -k WbioSvcGroup LocalSystem
Wcmsvc C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p NT Authority\LocalService
WdiServiceHost C:\Windows\System32\svchost.exe -k LocalService -p NT AUTHORITY\LocalService
Winmgmt C:\Windows\system32\svchost.exe -k netsvcs -p localSystem
WpnService C:\Windows\system32\svchost.exe -k netsvcs -p LocalSystem
wscsvc C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p NT AUTHORITY\LocalService
WSearch C:\Windows\system32\SearchIndexer.exe /Embedding LocalSystem
FJTWSVIC C:\Windows\twain_32\Fjicube\FJTWSVIC.exe LocalSystem
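Two things stand out in the service list: FJTWSVIC runs as LocalSystem from C:\Windows\twain_32\Fjicube\, outside the Windows system directories, and H2DatabaseService runs as .\tony from Program Files (x86). The wmic pipeline above was meant to hide System32 services, but "-notmatch 'C:\Windows\System32'" is a regex in which the backslashes become the escapes \W and \S, so the pattern never matches and every System32 service is still listed; -notlike compares literally. The following added example (not from the original page) does that triage properly: it extracts the executable from each running service's command line, flags binaries outside System32 and unquoted paths containing spaces, and checks whether the current token has write rights on the binary or its directory.

```powershell
# Added example, not part of the original output.
# Returns $true when an Allow ACE on $Path grants write rights to the current user
# or one of its groups. Simplification: Deny entries are ignored, so treat a $true
# as "check by hand", not as proof.
function Test-WritableByCurrentUser {
    param([string]$Path)
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $ids   = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($ids -contains $sid -and (($ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

# Lists running services whose binary is outside System32, unquoted with spaces,
# or writable by the current user (binary or containing directory).
function Get-ServiceBinaryRisk {
    Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $cmd = $_.PathName
            # Executable is the quoted first token, or the text up to the first ".exe".
            if ($cmd -match '^"([^"]+)"')      { $exe = $Matches[1] }
            elseif ($cmd -match '^(.+?\.exe)') { $exe = $Matches[1] }
            else                               { $exe = $cmd.Split(' ')[0] }
            [pscustomobject]@{
                Name            = $_.Name
                StartName       = $_.StartName
                Exe             = $exe
                # Unquoted path with spaces: Windows tries each prefix as an executable.
                UnquotedSpaces  = ($cmd -notmatch '^"') -and ($exe -match ' ')
                OutsideSystem32 = ($exe -notlike "$env:SystemRoot\System32\*")
                ExeWritable     = Test-WritableByCurrentUser $exe
                DirWritable     = Test-WritableByCurrentUser (Split-Path $exe -Parent)
            }
        } |
        Where-Object { $_.OutsideSystem32 -or $_.UnquotedSpaces -or $_.ExeWritable -or $_.DirWritable } |
        Sort-Object StartName, Name
}

Get-ServiceBinaryRisk | Format-Table -AutoSize
```

A service that runs as LocalSystem from a directory the current user can write to is the case worth following up first; a service that runs as the compromised user (.\tony) does not raise privileges on its own but shows what that account already has access to.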
Installed Programs
PS C:\Program Files (x86)\H2\service> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue | Where-Object { $_ } | Sort-Object -Unique
N/A
Firewall & AV
PS C:\Program Files (x86)\H2\service> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Firewall is disabled
PS C:\Program Files (x86)\H2\service> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Get-MpComputerStatus : A general error occurred that is not covered by a more specific error code.
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_MpComputerStatus:ROOT\Microsoft\...pComputerStatus) [Get-MpComputerS
tatus], CimException
+ FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpComputerStatus
ExclusionPath
-------------
{C:\, D:\, E:\, F:\...}
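"netsh firewall" is deprecated, and Get-MpComputerStatus failed with HRESULT 0x800106ba, which typically means the Windows Defender service is not running, while Get-MpPreference still answered and shows exclusions on whole drive roots (C:\, D:\, E:\, F:\ and more), so anything on those volumes is unscanned. The following added example (not from the original page) collects the same state with the current cmdlets: it reads the per-profile firewall state, checks the Defender service before querying the status provider so the error does not abort the run, and flags exclusions that cover an entire volume.

```powershell
# Added example, not part of the original output.
# Firewall and Defender state without the deprecated "netsh firewall" view.
function Get-HostDefenseState {
    $fw = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

    # Query the status provider only if the Defender service is up; otherwise
    # Get-MpComputerStatus throws the 0x800106ba CimException seen above.
    $defenderSvc = Get-Service WinDefend -ErrorAction SilentlyContinue
    $status = $null
    if ($defenderSvc -and $defenderSvc.Status -eq 'Running') {
        try { $status = Get-MpComputerStatus -ErrorAction Stop } catch { $status = $null }
    }

    # Preferences (including exclusions) are readable even when the service is stopped.
    $pref = $null
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { $pref = $null }
    $exclusions = @()
    if ($pref) { $exclusions = @($pref.ExclusionPath) }
    # An exclusion on a drive root ("C:\") excludes the whole volume.
    $rootExclusions = @($exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?$' })

    [pscustomobject]@{
        FirewallProfiles    = $fw
        DefenderService     = if ($defenderSvc) { $defenderSvc.Status } else { 'NotInstalled' }
        AntivirusEnabled    = if ($status) { $status.AntivirusEnabled } else { 'Unknown' }
        RealTimeProtection  = if ($status) { $status.RealTimeProtectionEnabled } else { 'Unknown' }
        ExclusionPaths      = $exclusions
        DriveRootExclusions = $rootExclusions
    }
}

$state = Get-HostDefenseState
$state.FirewallProfiles | Format-Table -AutoSize
$state | Select-Object DefenderService, AntivirusEnabled, RealTimeProtection, DriveRootExclusions | Format-List
# Equivalent one-liner for the firewall part on hosts without the NetSecurity module.
netsh advfirewall show allprofiles state
```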
Session Architecture
PS C:\Program Files (x86)\H2\service> [Environment]::Is64BitProcess
False
The current session is 32bit
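A 32-bit session on a 64-bit OS runs under WOW64, so C:\Windows\System32 resolves to SysWOW64 and HKLM\SOFTWARE to Wow6432Node; 64-bit-only installs, modules and service binaries can be invisible from here, which matters for the Installed Programs query above that returned nothing. The following added example (not from the original page) shows both ways round it: opening the 64-bit registry view explicitly from the 32-bit process, and relaunching PowerShell through the "sysnative" alias, which exists only for 32-bit processes and always reaches the real System32.

```powershell
# Added example, not part of the original output.
# Counts Uninstall entries in a chosen registry view, bypassing WOW64 redirection.
function Get-UninstallEntryCount {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    $key = $base.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
    if ($key) { $key.SubKeyCount } else { 0 }
}

# Reports process bitness and what each registry view sees from this session.
function Get-SessionBitness {
    $wow64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
    [pscustomobject]@{
        Is64BitOS       = [Environment]::Is64BitOperatingSystem
        Is64BitProcess  = [Environment]::Is64BitProcess
        IsWow64         = $wow64
        # Under WOW64 the 32-bit view is Wow6432Node; natively both views are the same key.
        Uninstall32View = Get-UninstallEntryCount ([Microsoft.Win32.RegistryView]::Registry32)
        Uninstall64View = Get-UninstallEntryCount ([Microsoft.Win32.RegistryView]::Registry64)
        SysnativeShell  = "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe"
    }
}

$s = Get-SessionBitness
$s | Format-List
if ($s.IsWow64 -and (Test-Path $s.SysnativeShell)) {
    # Re-run the installed-programs query from a native 64-bit process; stdio is
    # inherited, so this works inside an existing reverse shell.
    & $s.SysnativeShell -NoProfile -Command {
        [Environment]::Is64BitProcess
        Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue
    }
}
```

Check the bitness before trusting any registry- or System32-based result from this shell; a different DisplayName list (or a different .NET directory listing) from the sysnative relaunch means the 32-bit view was hiding something.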
Installed .NET Frameworks
PS C:\Program Files (x86)\H2\service> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
Volume in drive C has no label.
Volume Serial Number is AC2F-6399
Directory of C:\Windows\Microsoft.NET\Framework
04/24/2020 03:13 AM <DIR> .
04/24/2020 03:13 AM <DIR> ..
03/18/2019 09:52 PM <DIR> v1.0.3705
03/18/2019 09:52 PM <DIR> v1.1.4322
03/18/2019 09:52 PM <DIR> v2.0.50727
03/22/2025 05:20 PM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 4,864,225,280 bytes free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework\v4.0.30319\
Release REG_DWORD 0x80ea8
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.03752
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x80ea8
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.03752
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework\v4.0.30319\
Release REG_DWORD 0x80ea8
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.03752
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x80ea8
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.03752
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET 4.8.03752