System/Kernel


*Evil-WinRM* PS C:\Users\anirudh\Documents> cmd /c ver
 
Microsoft Windows [Version 10.0.17763.2300]
 
*Evil-WinRM* PS C:\Users\anirudh\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
 
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 5/28/2021 10:52:51 AM
WindowsProductId                                        : 00429-70000-00000-AA958
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOrganization                           :
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
OsServerLevel                                           : FullServer
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
LogonServer                                             : \\DC
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

  • Microsoft Windows [Version 10.0.17763.2300]
  • WindowsProductName : Windows Server 2019 Standard
  • OsServerLevel : FullServer
  • PowerPlatformRole : Desktop

Networks


*Evil-WinRM* PS C:\Users\anirudh\Documents> ipconfig /all ; arp -a ; print route
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DC
   Primary Dns Suffix  . . . . . . . : vault.offsec
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : vault.offsec
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-9E-CC-71
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.187.172(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.187.254
   DNS Servers . . . . . . . . . . . : 192.168.187.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Interface: 192.168.187.172 --- 0x7
  Internet Address      Physical Address      Type
  192.168.187.254       00-50-56-9e-ad-80     dynamic
  192.168.187.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
Unable to initialize device PRN
*Evil-WinRM* PS C:\Users\anirudh\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       60
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2636
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       508
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       1256
  TCP    0.0.0.0:49675          0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:49681          0.0.0.0:0              LISTENING       2592
  TCP    0.0.0.0:49686          0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:49708          0.0.0.0:0              LISTENING       2700
  TCP    0.0.0.0:49842          0.0.0.0:0              LISTENING       2676
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2700
  TCP    192.168.187.172:53     0.0.0.0:0              LISTENING       2700
  TCP    192.168.187.172:139    0.0.0.0:0              LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       648
  TCP    [::]:135               [::]:0                 LISTENING       904
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       648
  TCP    [::]:593               [::]:0                 LISTENING       904
  TCP    [::]:3389              [::]:0                 LISTENING       60
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       2636
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       508
  TCP    [::]:49665             [::]:0                 LISTENING       848
  TCP    [::]:49666             [::]:0                 LISTENING       648
  TCP    [::]:49668             [::]:0                 LISTENING       1256
  TCP    [::]:49675             [::]:0                 LISTENING       648
  TCP    [::]:49676             [::]:0                 LISTENING       648
  TCP    [::]:49681             [::]:0                 LISTENING       2592
  TCP    [::]:49686             [::]:0                 LISTENING       640
  TCP    [::]:49708             [::]:0                 LISTENING       2700
  TCP    [::]:49842             [::]:0                 LISTENING       2676
  TCP    [::1]:53               [::]:0                 LISTENING       2700

Users & Groups


*Evil-WinRM* PS C:\Users\anirudh\Documents> net users ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            anirudh                  Guest
krbtgt
The command completed with one or more errors.
 
 
 
    Directory: C:\Users
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/28/2021   3:53 AM                Administrator
d-----       11/19/2021   1:12 AM                anirudh
d-r---        5/28/2021   3:53 AM                Public
*Evil-WinRM* PS C:\Users\anirudh\Documents> net localgroup ; net group /DOMAIN
 
Aliases for \\DC
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

Processes


*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-WmiObject Win32_Process | % { $s = (Get-CimInstance Win32_Service | ? { $_.ProcessId -eq $_.ProcessId }).Name -join ", "; $u = $_.GetOwner(); [PSCustomObject]@{ Name = $_.Name; PID = $_.ProcessId; User = "$($u.Domain)$($u.User)"; Services = $s } } | ft -AutoSize
Access denied 
At line:1 char:1
+ Get-WmiObject Win32_Process | % { $s = (Get-CimInstance Win32_Service ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
*Evil-WinRM* PS C:\Users\anirudh\Documents> cmd /c tasklist /svc ; ps
cmd.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    150       9     6644      12484       0.02   5084   0 conhost
    323      14     2308       5408               396   0 csrss
    240      12     2236       5256               500   1 csrss
    361      15     3532      15184       0.14   3872   1 ctfmon
    411      33    16184      23516              2676   0 dfsrs
    183      12     2392       7900              2752   0 dfssvc
    255      14     3976       7660              3124   0 dllhost
   5354    3697    68544      12784              2700   0 dns
    584      26    27456      41024              1000   1 dwm
    629      36    11540      41940       0.19   3016   1 explorer
   1467      55    21940      39344       3.11   4324   1 explorer
    564      35    11696      42940       0.22   4464   1 explorer
     48       6     1516       4608              2500   0 fontdrvhost
     48       7     1804       5324              2504   1 fontdrvhost
      0       0       56          8                 0   0 Idle
    141      12     2276       6032              2732   0 ismserv
   1726     155    71628      69228               648   0 lsass
    734      31    36840      22660              2636   0 Microsoft.ActiveDirectory.WebServices
    225      13     3224      10656              3568   0 msdtc
    612      84   192920     100004              2848   0 MsMpEng
      0      38     5784     107252                88   0 Registry
    225      11     2196      12628       0.06   2796   1 RuntimeBroker
    147       8     1640       7844       0.02   4768   1 RuntimeBroker
    317      17    19588      10640       0.42   4864   1 RuntimeBroker
    676      33    19900       4960       0.45   4696   1 SearchUI
    426      13     4740      12176               640   0 services
    689      28    15048       4216       0.22   4596   1 ShellExperienceHost
    439      17     4820      10344       0.17   2128   1 sihost
     53       3      504       1208               280   0 smss
    473      23     5888      17144              2592   0 spoolsv
    502      18     4148      13128                60   0 svchost
    869      32     9248      14464               312   0 svchost
    209      12     1668       7484               340   0 svchost
    757      46     9620      25812               496   0 svchost
    619      34    14936      25384               704   0 svchost
    673      21    15992      24348               848   0 svchost
    854      23     6224      23488               856   0 svchost
    803      21     5308      12272               904   0 svchost
    402      32     9944      19008              1124   0 svchost
   1711      55    29276      47268              1256   0 svchost
    313      12     2180       9220              1360   0 svchost
    185      10     4316      13508              1376   0 svchost
    195       9     1528       6812              1524   0 svchost
    164      10     2184       7960              2004   0 svchost
    435      20     6184      22124       0.16   2216   1 svchost
    213      11     2324       8708              2348   0 svchost
    374      16    10192      14620              2628   0 svchost
    583      23    17264      22776              2668   0 svchost
   1700       0      196        144                 4   0 System
    178      11     3544       8488       0.03   1136   1 taskhostw
    179      11     2104      11296       0.06   1456   1 taskhostw
    296      16    12212       9452              2060   0 taskhostw
    203      60   747932     649704              4388   0 TiWorker
    138       8     1788       4440              3912   0 TrustedInstaller
    216      16     2368      10732              2220   0 vds
    171      12     3224      10772              2812   0 VGAuthService
    144       8     1692       7108              2820   0 vm3dservice
    138       9     1816       7632              3008   1 vm3dservice
    261      18     5296      17528       0.03   1016   1 vmtoolsd
    383      22     9880      22368              2840   0 vmtoolsd
    173      11     1500       7068               508   0 wininit
    281      12     2672      12936               556   1 winlogon
    141       8     1352       4012              2440   0 WmiApSrv
    392      20     9656      19384              3092   0 WmiPrvSE
   1427      34    79564     108116       0.86    144   0 wsmprovhost
   1642      29    77620      96848       0.47   2012   0 wsmprovhost

  • 473 23 5888 17144 2592 0 spoolsv

Tasks


*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State 
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\anirudh\Documents> cmd /c schtasks /QUERY /FO TABLE
cmd.exe : Access is denied.
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Services


*Evil-WinRM* PS C:\Users\anirudh\Documents> wmic service where "State='Running'" get Name,PathName,StartName | Out-String -Stream | Where-Object { $_ -match 'S' -and $_ -notmatch 'C:\Windows\System32' } | Select-Object -First 100
WMIC.exe : ERROR:
    + CategoryInfo          : NotSpecified: (ERROR::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\anirudh\Documents> net start
net.exe : System error 5 has occurred.
    + CategoryInfo          : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Access denied 
At line:1 char:1
+ Get-CimInstance -ClassName win32_service | Select Name,State,PathName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (root\cimv2:win32_service:String) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : HRESULT 0x80041003,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
 
*Evil-WinRM* PS C:\Users\anirudh\Documents> services
 
Path                                                                           Privileges Service          
----                                                                           ---------- -------          
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                            True ADWS             
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                        True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe                                                     True PerfHost         
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"          False Sense            
C:\Windows\servicing\TrustedInstaller.exe                                           False TrustedInstaller 
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"               True VGAuthService    
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                                  True VMTools          
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe"        True WdNisSvc         
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe"       True WinDefend        
"C:\Program Files\Windows Media Player\wmpnetwk.exe"                                False WMPNetworkSvc    

Installed Programs


*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue | Where-Object { $_ } | Sort-Object -Unique 
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
VMware Tools
Windows 10 Update Assistant
 
*Evil-WinRM* PS C:\Users\anirudh\Documents> ls "C:\Program Files" ; ls "C:\Program Files (x86)"
 
 
    Directory: C:\Program Files
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/28/2021   6:05 AM                Common Files
d-----         9/1/2021   9:04 AM                internet explorer
d-----        5/28/2021   6:06 AM                VMware
d-r---        5/28/2021   4:32 AM                Windows Defender
d-----       11/18/2021  11:12 PM                Windows Defender Advanced Threat Protection
d-----        7/15/2021  12:28 PM                Windows Mail
d-----        5/28/2021   4:21 AM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        5/28/2021   4:21 AM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        9/15/2018  12:19 AM                WindowsPowerShell
 
 
    Directory: C:\Program Files (x86)
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/15/2018  12:28 AM                Common Files
d-----         9/1/2021   9:04 AM                Internet Explorer
d-----        9/15/2018  12:19 AM                Microsoft.NET
d-----        5/28/2021   4:21 AM                Windows Defender
d-----        7/15/2021  12:28 PM                Windows Mail
d-----        5/28/2021   4:21 AM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        5/28/2021   4:21 AM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                WindowsPowerShell

Firewall & AV


*Evil-WinRM* PS C:\Users\anirudh\Documents> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   No          Remote Desktop
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
5985   TCP       Enable  Inbound               WinRM-HTTP
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   Yes         Network Discovery
Enable   No          Remote Desktop
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
5985   TCP       Enable  Inbound               WinRM-HTTP
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .

  • 5985 TCP Enable Inbound WinRM-HTTP

*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied 
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+                        ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference

Session Architecture


*Evil-WinRM* PS C:\Users\anirudh\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\anirudh\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is 5C30-DCD7
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
09/15/2018  12:19 AM    <DIR>          .
09/15/2018  12:19 AM    <DIR>          ..
09/15/2018  12:19 AM    <DIR>          v1.0.3705
09/15/2018  12:19 AM    <DIR>          v1.1.4322
09/15/2018  12:19 AM    <DIR>          v2.0.50727
05/01/2025  12:20 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)   4,205,051,904 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

  • .NET 4.7.03190